[secdir] SECDIR Review of draft-ietf-pce-rfc7150bis-01

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 24 December 2014 15:52 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/dUEKDgN0FrJEqfWhqAiMXElCnFE

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area
directors. Document editors and WG chairs should treat these comments just
like any other last call comments.


The document is making an essentially syntactic modification to an existing
specification so that the suite of specifications applies a uniform
approach to extension syntax.

As such, the proposal does not raise new security concerns beyond the
normal concerns raised by syntax.

One concern that is raised is the risk of attack through construction of an
attribute with a Tag-Length-Value such that the specified length is invalid,
being either negative (in signed arithmetic) or greater than the size of
the enclosing construct.

While both concerns can be avoided through appropriate coding techniques, a
note to remind implementers that caution is required is appropriate.
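
The two length failures named in the review, handled in a TLV walker. This is an added example, not code from the draft or from the reviewer. It assumes a TLV with a 2-byte type and a 2-byte value length in network byte order and a value padded to a 4-byte boundary; all names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: 2-byte type, 2-byte length of the value in bytes,
 * value padded to a 4-byte boundary (padding not counted in length). */
#define TLV_HDR 4u
typedef struct { uint16_t type, len; const uint8_t *value; } tlv_t;

/* Read a big-endian field as unsigned, so 0x8000..0xFFFF is never negative. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the TLVs in body[0..body_len). Returns the number stored in out, or -1
 * if a TLV is truncated, overruns the enclosing body, or exceeds max_out. */
int tlv_parse(const uint8_t *body, size_t body_len, tlv_t *out, int max_out) {
    size_t off = 0;
    int n = 0;
    while (off < body_len) {
        size_t left = body_len - off;          /* no underflow: off < body_len */
        if (left < TLV_HDR) return -1;         /* header itself is truncated */
        uint16_t len = rd16(body + off + 2);
        size_t padded = ((size_t)len + 3u) & ~(size_t)3u;
        /* Compare against the bytes left instead of computing off + padded. */
        if (padded > left - TLV_HDR) return -1;
        if (n == max_out) return -1;
        out[n].type = rd16(body + off);
        out[n].len = len;
        out[n].value = body + off + TLV_HDR;
        n++;
        off += TLV_HDR + padded;               /* always moves forward */
    }
    return n;
}

/* Constructed sample inputs (not taken from any real PCEP message). */
static const uint8_t sample_ok[] = { 0x00,0x07,0x00,0x04, 0xDE,0xAD,0xBE,0xEF,
                                     0x00,0x01,0x00,0x02, 0xAA,0xBB,0x00,0x00 };
static const uint8_t sample_oversize[] = { 0x00,0x07,0x00,0x40, 1,2,3,4 };
static const uint8_t sample_negative[] = { 0x00,0x07,0xFF,0xFC, 1,2,3,4 }; /* -4 as int16 */

int main(void) {
    tlv_t out[4];
    printf("ok: %d\n", tlv_parse(sample_ok, sizeof sample_ok, out, 4));
    printf("oversize: %d\n", tlv_parse(sample_oversize, sizeof sample_oversize, out, 4));
    printf("negative: %d\n", tlv_parse(sample_negative, sizeof sample_negative, out, 4));
    return 0;
}
```

A parser that stored the length in a signed 16-bit variable would read `0xFFFC` as -4 and step backward or loop on `sample_negative`; here it is rejected by the same bounds check as the oversized length.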