Re: [secdir] Secdir telechat review of draft-ietf-core-resource-directory-25

Roman Danyliw <rdd@cert.org> Thu, 13 August 2020 12:47 UTC

From: Roman Danyliw <rdd@cert.org>
To: "secdir@ietf.org" <secdir@ietf.org>
Date: Thu, 13 Aug 2020 12:47:31 +0000
Message-ID: <548bf542802f48cf994bf97119111757@cert.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/iTSDeNwQKiXP0WyIQEwmMQ2AJ0Y>

Hi Valery, thank you for the review!  

I had a few concerns with the authorization model so I entered a Discuss ballot.

Regards,
Roman

> -----Original Message-----
> From: Valery Smyslov via Datatracker <noreply@ietf.org>
> Sent: Mon, 10 August 2020 06:47 UTC
> To: secdir@ietf.org
> Subject: [secdir] Secdir telechat review of draft-ietf-core-resource-directory-25
>
> Reviewer: Valery Smyslov
> Review result: Ready
>
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  These
> comments were written primarily for the benefit of the security area directors.
> Document editors and WG chairs should treat these comments just like any other
> last call comments.
>
> The -24 version of this draft was reviewed by Adam Montville. I looked over his
> review and I think that the issue he raised about possible mitigation of DDoS
> amplification attacks has been addressed in this version. I personally think
> that sentences describing how DNS and NTP are vulnerable to amplification
> attacks are redundant in this document, but that's a matter of taste and
> doesn't hurt.
>
> It is my impression that the Security Considerations were mostly written having in
> mind that (D)TLS is always used; however, it is only "SHOULD" in this draft (or
> even "MAY" if we look at RFC6690, whose Security Considerations this draft
> refers to). I think that adding a few words describing what consequences for
> security not using (D)TLS would have, and in which cases it is allowed, will make
> the Security Considerations more consistent.