[secdir] SECDIR review of draft-ietf-trill-directory-assist-mechanisms
Daniel Franke <dfoxfranke@gmail.com> Tue, 17 January 2017 17:52 UTC
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-trill-directory-assist-mechanisms-all@tools.ietf.org

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

I believe this document is READY WITH NITS. I'm satisfied with its normative content but the Security Considerations section could use a bit of elaboration.

I had never heard of TRILL prior to being assigned this review and the tree of normative references is a bit daunting, so these comments will necessarily be based only on an extremely high-level view of the system.

draft-ietf-trill-directory-assist-mechanisms proposes to augment TRILL by adding directory servers which cache information about network topology, allowing RBridges to sometimes shortcut the usual learning algorithm that they would use to discover this information.

Here are the fundamental points which the Security Considerations section either addresses or ought to address:

1. There are three relevant security goals:
   a. Availability: packets should reach their intended destination
   b. Confidentiality: packets should not reach unintended destinations
   c. Privacy: metadata concerning network presence should not be shared more widely than necessary

2. Access control to directory servers can be enforced using pre-existing cryptographic mechanisms specified in RFCs 5304, 5310, and 7978.

3. Principals authorized (duly or otherwise) to read directory data can violate privacy.

4. Principals authorized to modify directory data can violate availability and confidentiality.

5. Directory servers must therefore take care to implement and enforce access control policies which are not overly permissive.

The current text of the Security Considerations section directly addresses points 1a, 1b, 2, and 4. The paragraph added in version 11 of the draft obliquely implies points 1c and 3 but I wish they'd be stated more explicitly. But the major omission is point 5: what does a correct authorization predicate look like? What sort of access must necessarily be authorized in order for protocol execution to succeed? What sort of access generally ought *not* be authorized?