Re: [secdir] secdir review of draft-ietf-rmt-pi-norm-revised-11
Magnus Westerlund <magnus.westerlund@ericsson.com> Wed, 13 May 2009 12:16 UTC
Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A49353A6C16 for <secdir@core3.amsl.com>; Wed, 13 May 2009 05:16:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.214
X-Spam-Level:
X-Spam-Status: No, score=-6.214 tagged_above=-999 required=5 tests=[AWL=0.035, BAYES_00=-2.599, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 01w-qzAkUD0P for <secdir@core3.amsl.com>; Wed, 13 May 2009 05:16:09 -0700 (PDT)
Received: from mailgw3.ericsson.se (mailgw3.ericsson.se [193.180.251.60]) by core3.amsl.com (Postfix) with ESMTP id 5E6C83A6F8D for <secdir@ietf.org>; Wed, 13 May 2009 05:15:47 -0700 (PDT)
X-AuditID: c1b4fb3c-b7b2bae000003e37-e4-4a0aba43c7e1
Received: from esealmw128.eemea.ericsson.se (Unknown_Domain [153.88.253.124]) by mailgw3.ericsson.se (Symantec Mail Security) with SMTP id 8A.D9.15927.34ABA0A4; Wed, 13 May 2009 14:17:07 +0200 (CEST)
Received: from esealmw128.eemea.ericsson.se ([153.88.254.176]) by esealmw128.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.1830); Wed, 13 May 2009 14:17:02 +0200
Received: from [153.88.50.61] ([153.88.50.61]) by esealmw128.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.1830); Wed, 13 May 2009 14:17:02 +0200
Message-ID: <4A0ABA3D.6090803@ericsson.com>
Date: Wed, 13 May 2009 14:17:01 +0200
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: David Harrington <ietfdbh@comcast.net>
References: <05a401c9ccf6$67ac3550$0600a8c0@china.huawei.com>
In-Reply-To: <05a401c9ccf6$67ac3550$0600a8c0@china.huawei.com>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-OriginalArrivalTime: 13 May 2009 12:17:02.0035 (UTC) FILETIME=[B8914A30:01C9D3C4]
X-Brightmail-Tracker: AAAAAA==
Cc: secdir@ietf.org, tim.polk@nist.gov, Pasi.Eronen@nokia.com, adamson@itd.nrl.navy.mil, M.Handley@cs.ucl.ac.uk, cabo@tzi.org, 'Joe Macker' <macker@itd.nrl.navy.mil>, 'Lorenzo Vicisano' <lorenzo@vicisano.net>
Subject: Re: [secdir] secdir review of draft-ietf-rmt-pi-norm-revised-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 May 2009 12:16:10 -0000
Hi David, Thanks for your review. I forwarded your message to the WG. We have other documents with similar security considerations that needs to be clarified. I am taking your feedback serious and tries the WG to provide feedback on your comments. I think there will be a benefit in clarifying the implementation requirements for these solutions. Cheers Magnus David Harrington skrev: > Hi, > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should > treat these comments just like any other last call comments. > > The document specifies a protocol (or an update to a protocol) that > provides end-to-end reliable transport of bulk data objects or streams > > over multicast routing and forwarding services. It also provides a > congestion control scheme. It is designed to permit different > upper layer services to utilize its services in different ways. > > I previousaly reviewed the -09- revision, where I asked that the > specification tighen up requirements, ala RFC2119, especially in the > Security Considerations. That was done to a degree. > > More should be done. There are places with text like "It is expected > that ..." > that might be better expressed as SHOULDs. There are lower case > must/should/may/require uses. > > Since this is a requested early review, let me also comment on > document clarity. > > I found some of the paragraphs have conditionals in them, often > following a > statement of MUST or SHOULD compliance. I think the "However ..." > conditionals > really hurt the clarity of the specification. For example: > Large NORM group sizes will necessitate some form of key management > that does rely upon shared secrets. The GDOI and GSAKMP protocols > mentioned here allow for certificate-based authentication. It is > RECOMMENDED these certificates use IP addresses for authentication > although it may alternatively possible to have authentication > associated with pre-assigned NormNodeId values. However, it is > likely that available group key management implementations will not > be NORM-specific. > > Is the information after "RECOMMENDED these certificates use IP > addresses for authentication" really needed here? > If I alternately have authentication associated with re-assigned > NormNodeId values, and do not support IP adresses for authentication, > am I still compliant? > > A pet peeve - "it should be noted that" is almost always not needed. > Just make the statement, > which effectively notes the point. Nothing "should" about it! > > The same pet peeve variations: unnecessary introductory phrases or > clauses in sentences: > > s/The principal issue is that configuration > and operation of IPsec typically requires privileged user > authorization./Configuration > and operation of IPsec typically requires privileged user > authorization./ > s/It is expected that additional specifications may/ > Additional specifications MAY/ > > Some words to look at whether they are really necessary: > Additionally > However > Thus > It is expected that > As previously noted, > Note that > also > as always > as mentioned in section x.x > as noted > > > > > > > David Harrington > dbharrington@comcast.net > ietfdbh@comcast.net > dharrington@huawei.com > -- Magnus Westerlund IETF Transport Area Director & TSVWG Chair ---------------------------------------------------------------------- Multimedia Technologies, Ericsson Research EAB/TVM ---------------------------------------------------------------------- Ericsson AB | Phone +46 10 7148287 Färögatan 6 | Mobile +46 73 0949079 SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com ----------------------------------------------------------------------
- [secdir] secdir review of draft-ietf-rmt-pi-norm-… David Harrington
- Re: [secdir] secdir review of draft-ietf-rmt-pi-n… Magnus Westerlund
- Re: [secdir] secdir review of draft-ietf-rmt-pi-n… Brian Adamson