[secdir] secdir review of draft-sakane-dhc-dhcpv6-kdc-option
Samuel Weiler <weiler+secdir@watson.org> Wed, 23 May 2012 23:12 UTC
Return-Path: <weiler+secdir@watson.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F69411E8072; Wed, 23 May 2012 16:12:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ouNN4g+fyEJk; Wed, 23 May 2012 16:12:19 -0700 (PDT)
Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by ietfa.amsl.com (Postfix) with ESMTP id 897D121F8603; Wed, 23 May 2012 16:12:19 -0700 (PDT)
Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.4/8.14.4) with ESMTP id q4NNCItk072501; Wed, 23 May 2012 19:12:18 -0400 (EDT) (envelope-from weiler+secdir@watson.org)
Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.4/8.14.4/Submit) with ESMTP id q4NNCHjx072494; Wed, 23 May 2012 19:12:17 -0400 (EDT) (envelope-from weiler+secdir@watson.org)
X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs
Date: Wed, 23 May 2012 19:12:17 -0400
From: Samuel Weiler <weiler+secdir@watson.org>
X-X-Sender: weiler@fledge.watson.org
To: secdir@ietf.org, ietf@ietf.org, draft-sakane-dhc-dhcpv6-kdc-option@tools.ietf.org
Message-ID: <alpine.BSF.2.00.1205231837020.9762@fledge.watson.org>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format="flowed"; charset="US-ASCII"
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 (fledge.watson.org [127.0.0.1]); Wed, 23 May 2012 19:12:18 -0400 (EDT)
Subject: [secdir] secdir review of draft-sakane-dhc-dhcpv6-kdc-option
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 May 2012 23:12:20 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This doc specifies several DHCPv6 options for carrying Kerberos config info. There are obvious risks to doing this, but they're discussed reasonably well in this and similar cited docs (e.g. RFC3634, which specifies a much more limited option for DHCPv4). The doc explains by DNS service discovery isn't ideal for some environments. With that said, there are some things that need clarification, and the doc sorely needs an editorial pass. As-is, the doc is not ready for publication. I will be happy to review the doc again once it's been thoroughly edited. Things that need clarification or consideration: For the transport type field, would it be better to use a bitmask? Then one could use a single DHCPv6 option to specify a KDC that's reachable over both TCP and UDP, rather than needing two DHCPv6 options. Section 7 uses the term "TGT" without expansion. In the Kerberos world I can't imagine someone not knowing what this is, but it's not clear to the layman. It probably needs to be expanded. The algorithm in section 4.1 needs work. The obvious thing is to read it linearly. Doing that, one would prefer DHCP over DNS SVR info (per step 2), which is not what step 6 and the graphic say. Saying "no answer from the DNS server" is probably not the desired semantic. In 3.4, the option-len field is ambiguous. It says "24-octet + the length of the realm-name field in octets." But it looks to me like this option is 27 octets + length of realm name. Perhaps it would be better to just count the length of the realm name? And here are some examples of wording that needs work. There are many more -- I quit copying them into this review after the first few: 3.2 "This option informs a DHCPv6 server of which realm the client want to access, ..." 7 "... a rogue KDC that does not know the client access." What is "the client access"? "The incorrect KDC is not be able to proceed any further state of the client." "The considerable situation is that the support of an unconfigured workstation used by multiple users, which obtains its KDC information and default realm via DHCP."
- [secdir] secdir review of draft-sakane-dhc-dhcpv6… Samuel Weiler
- Re: [secdir] secdir review of draft-sakane-dhc-dh… Jeffrey Hutzelman
- Re: [secdir] secdir review of draft-sakane-dhc-dh… t.p.
- Re: [secdir] secdir review of draft-sakane-dhc-dh… tglassey
- Re: [secdir] secdir review of draft-sakane-dhc-dh… t.p.
- Re: [secdir] secdir review of draft-sakane-dhc-dh… t.p.
- Re: [secdir] secdir review of draft-sakane-dhc-dh… Sam Hartman
- Re: [secdir] secdir review of draft-sakane-dhc-dh… Masahiro =Rhythm Drive= Ishiyama
- Re: [secdir] secdir review of draft-sakane-dhc-dh… Jeffrey Hutzelman
- Re: [secdir] secdir review of draft-sakane-dhc-dh… Masahiro =Rhythm Drive= Ishiyama