[secdir] SecDir Review of draft-ietf-nfsv4-multi-domain-fs-reqs-09

Russ Housley <housley@vigilsec.com> Thu, 25 August 2016 15:03 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8ECD12D0F6 for <secdir@ietfa.amsl.com>; Thu, 25 Aug 2016 08:03:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level:
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BYf1fWU4D7vd for <secdir@ietfa.amsl.com>; Thu, 25 Aug 2016 08:03:26 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D86012D0DC for <secdir@ietf.org>; Thu, 25 Aug 2016 08:03:25 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 745673005AE for <secdir@ietf.org>; Thu, 25 Aug 2016 10:57:23 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id HY3KZy-od3Ia for <secdir@ietf.org>; Thu, 25 Aug 2016 10:57:22 -0400 (EDT)
Received: from [192.168.2.100] (pool-108-51-128-219.washdc.fios.verizon.net [108.51.128.219]) by mail.smeinc.net (Postfix) with ESMTPSA id 02C35300293; Thu, 25 Aug 2016 10:57:21 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Date: Thu, 25 Aug 2016 10:57:26 -0400
Message-Id: <E7A67E4A-103A-4DCD-A1FF-B3920B201C0D@vigilsec.com>
To: draft-ietf-nfsv4-multi-domain-fs-reqs.all@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ii3Lx8qWac-SNe1mBhUIGWhEaG0>
Cc: IESG <iesg@ietf.org>, IETF SecDir <secdir@ietf.org>
Subject: [secdir] SecDir Review of draft-ietf-nfsv4-multi-domain-fs-reqs-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Aug 2016 15:03:27 -0000

I reviewed this document as part of the Security Directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the Security Area
Directors.  Document authors, document editors, and WG chairs should
treat these comments just like any other IETF Last Call comments.

Version reviewed: draft-ietf-nfsv4-multi-domain-fs-reqs-09


Summary: Ready

Thank you for rewriting the Abstract and Introduction.  They are much
improved.


Major Concerns:  None.


Minor Concerns:

The first paragraph in Section 3 includes: "The issues with multi-domain
deployments described in this document apply ...".  I do not think that
"issues" is the right word.  To be consistent with the title of the
document, it should be talking about guidance or deployment
alternatives.

In Section 6.2.1, it says:

   Multiple security services per NFSv4 Domain is allowed, and brings
   the issue of mapping multiple Kerberos 5 principal@REALMs to the same
   local ID.  Methods of achieving this are beyond the scope of this
   document.

I think it would be better to use "need" instead of "issue".


Nits:

Please change "internet" to "Internet" throughout the document.

In Section 2, "Stringified UID or GID" definition:  Please add "of" to
the last sentence, so that it reads: "See Section 5.9 of [RFC5661]."