[secdir] SECDIR Review of draft-ietf-pce-rfc7150bis-01
Phillip Hallam-Baker <phill@hallambaker.com> Wed, 24 December 2014 15:52 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E72F1A8A83 for <secdir@ietfa.amsl.com>; Wed, 24 Dec 2014 07:52:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d4oLh9n6aHQT for <secdir@ietfa.amsl.com>; Wed, 24 Dec 2014 07:52:53 -0800 (PST)
Received: from mail-lb0-x22f.google.com (mail-lb0-x22f.google.com [IPv6:2a00:1450:4010:c04::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4CD81A8A82 for <secdir@ietf.org>; Wed, 24 Dec 2014 07:52:52 -0800 (PST)
Received: by mail-lb0-f175.google.com with SMTP id u10so7072309lbd.34 for <secdir@ietf.org>; Wed, 24 Dec 2014 07:52:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:message-id:subject:from:to:content-type; bh=QWAfPcpXj0NTftADcDUXPmhuQb59j9a3u+9hnz8vitI=; b=G4D+U9n5P6xFyTQ8dQW7/mYU3yVeXIzdhc/IZ32/L/T77IwK339rUdc/cBHSfNWuBC rCX8inZj+7m0WJc6SegMc+1mKmHd6oVAYzdcklmaWZLmr6v8e4ySgpYeslS+NQdvjxMY s+vcVfnnuOyZ4rFcpy1iXEHd/3GDTRliFU1OMLxQ0giAhSlJoMw0q0vXAu6EPApwVOCz V+b+km7TCZYQJt7zg4LYrt8iRmX2gConZHsCY0+e8hKkyjdZr63b5z+sVAoEWHXmTk7q qY/UyP5X6BxGoBTsN9EgaSzqRTUWniDqvPuewbHpm3hU7RiiUGPije4tgCktn4jhsHC2 QbQw==
MIME-Version: 1.0
X-Received: by 10.112.162.226 with SMTP id yd2mr34719293lbb.1.1419436371061; Wed, 24 Dec 2014 07:52:51 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.19.42 with HTTP; Wed, 24 Dec 2014 07:52:50 -0800 (PST)
Date: Wed, 24 Dec 2014 15:52:50 +0000
X-Google-Sender-Auth: FY8iQ_6CmQSkUiNSWSGi9Mf1LMc
Message-ID: <CAMm+LwhopKiZNGs-Uj+jZ7JaSih2JXt7yceKEPMvTNv1qwqrWg@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: "secdir@ietf.org" <secdir@ietf.org>
Content-Type: multipart/alternative; boundary="089e0112c86cadb2c0050af84892"
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/dUEKDgN0FrJEqfWhqAiMXElCnFE
Subject: [secdir] SECDIR Review of draft-ietf-pce-rfc7150bis-01
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Dec 2014 15:52:54 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The document is making an essentially syntactic modification to an existing specification so that the suite of specifications applies a uniform approach to extension syntax. As such, the proposal does not raise new security concerns beyond the normal concerns raised by syntax. One concern that is raised is the risk of attack through construction of an attribute with a Tag-Length-Value such that the specified length is invalid being either negative (in signed arithmetic) or greater than the size of the enclosing construct. While both concerns can be avoided through appropriate coding techniques, a note to remind implementers that caution is required is appropriate.
- [secdir] SECDIR Review of draft-ietf-pce-rfc7150b… Phillip Hallam-Baker