Re: [secdir] Secdir last call review of draft-ietf-ipsecme-split-dns-12

Paul Wouters <paul@nohats.ca> Sun, 19 August 2018 19:08 UTC

Date: Sun, 19 Aug 2018 15:08:46 -0400
From: Paul Wouters <paul@nohats.ca>
To: Stefan Santesson <stefan@aaa-sec.com>
cc: secdir@ietf.org, ipsec@ietf.org, draft-ietf-ipsecme-split-dns.all@ietf.org, ietf@ietf.org
In-Reply-To: <153470157533.21344.975291793985145087@ietfa.amsl.com>
Message-ID: <alpine.LRH.2.21.1808191500340.21687@bofh.nohats.ca>
References: <153470157533.21344.975291793985145087@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/bAJTWTfWM1vp5yOBjhfVDz-adW0>

On Sun, 19 Aug 2018, Stefan Santesson wrote:

> Reviewer: Stefan Santesson
> Review result: Has Nits

Thanks for your review.

> In agreement with nit comments in the Gen-Art review.
>
> 1) Section 2. Background seems to be a duplication with the introduction
> section and could probably be merged with this section.

I agree. It is so small we can pull it into the Introduction.

> 2) In general I wonder whether the requirement level "SHOULD" is too weak in some
> places. The concern (and question) here is whether this may lead to uncertainty
> whether a Split-DNS configuration always will provide the expected level of
> security (or fail), or whether such configuration may lead to successful
> communication without the expected level of security (in compliance with this
> specification).

Unfortunately, this is the case because of the original text regarding
CFG requests and replies that basically allows each party to omit or send
these, completely ignoring which of these CFGs the other party decided
to include. We actually had to loosen up the language, or otherwise we
would be modifying the behaviour specified in 5996/7296.

Paul