[secdir] Secdir Review of draft-ietf-hip-rfc5205-bis-08

Tina TSOU <Tina.Tsou.Zouting@huawei.com> Mon, 04 January 2016 18:30 UTC

From: Tina TSOU <Tina.Tsou.Zouting@huawei.com>
To: "Org Secdir@Ietf." <secdir@ietf.org>, "draft-ietf-hip-rfc5205-bis.all@ietf.org" <draft-ietf-hip-rfc5205-bis.all@ietf.org>, "Org Iesg@Ietf." <iesg@ietf.org>
Thread-Topic: Secdir Review of draft-ietf-hip-rfc5205-bis-08
Thread-Index: AQHRRx3rdmz2/NeS50O5q3NB4825KA==
Date: Mon, 4 Jan 2016 18:29:59 +0000
Message-ID: <EEC5E160-9F9A-449C-99D9-CE7C23C89D0D@huawei.com>
References: <568A94BF.4000004@si6networks.com>
In-Reply-To: <568A94BF.4000004@si6networks.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/pQmD_i7koM9rcbOICINhpL06B20>
Subject: [secdir] Secdir Review of draft-ietf-hip-rfc5205-bis-08

Dear all,

Happy New Year 2016!

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

** Technical **

* Section 8:

You refer to IPSECKEY RR [RFC4025] to note some of the possible threats for HIP RRs. I think you should spell these out, and discuss them.

** Editorial **

* Section 3, page 4:
>  In the following, we assume that the Initiator first queries for HIP
>  resource records at the Responder FQDN.


* Section 3, page 4:
> and further queries for the same owner name SHOULD NOT be
>  made.

What's an "owner name"? Maybe this should be "domain name", instead?

* Section 3, page 5:
>  Note that storing HIP RR information in the DNS at an FQDN that is
>  assigned to a non-HIP node might have ill effects on its reachability
>  by HIP nodes.


* Section 4.2, page 9:
> The RVS
>  information may be copied and aligned across multiple RRs, or may be
>  different for each one; a host MUST check that the RVS used is
>  associated with the HI being used, when multiple choices are
>  present."

There's no matching quote sign for this one.

Thank you,
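As an added illustration of the rule quoted above from Section 4.2 (this is example code written for this page, not text or code from the draft or the reviewer): a small model of an Initiator consuming the HIP RRset for a Responder FQDN and enforcing that the rendezvous server it uses is one listed in an RR carrying the HI it has chosen. Parsing follows the HIP RR presentation format of RFC 5205 (pk-algorithm, hex HIT, base64 public key, then zero or more RVS names); the function names, the `HipRR` class and every sample value are constructed for this example.

```python
"""Added example, not part of the draft or of this review: a model of the
Section 4.2 rule that, when several HIP RRs are present, the RVS used MUST be
associated with the HI being used. Record layout follows the HIP RR fields of
RFC 5205; function names and sample values below are constructed."""
import base64
from dataclasses import dataclass


@dataclass(frozen=True)
class HipRR:
    owner: str                  # owner name of the RR (the Responder FQDN)
    pk_algorithm: int           # public key algorithm number
    hit: bytes                  # 128-bit Host Identity Tag
    public_key: bytes           # Host Identity (public key) carried by the RR
    rendezvous_servers: tuple   # RVS names listed in this RR, in order


def parse_hip_rr(owner: str, rdata: str) -> HipRR:
    """Parse presentation-format RDATA: 'alg hex-HIT base64-key [rvs ...]'."""
    tokens = rdata.replace("(", " ").replace(")", " ").split()
    if len(tokens) < 3:
        raise ValueError("HIP RDATA needs algorithm, HIT and public key")
    alg = int(tokens[0])
    hit = bytes.fromhex(tokens[1])
    if len(hit) != 16:
        raise ValueError("HIT must be 128 bits, got %d bits" % (8 * len(hit)))
    key = base64.b64decode(tokens[2], validate=True)
    # DNS names are case-insensitive; normalise so later comparisons are exact
    rvs = tuple(name.lower() for name in tokens[3:])
    return HipRR(owner.lower(), alg, hit, key, rvs)


def rvs_for_hit(rrset, hit: bytes) -> tuple:
    """RVS names associated with the HI identified by `hit`, across the RRset."""
    owners = {rr.owner for rr in rrset}
    if len(owners) != 1:
        raise ValueError("RRset must share one owner name, got %r" % sorted(owners))
    matching = [rr for rr in rrset if rr.hit == hit]
    if not matching:
        raise ValueError("no HIP RR carries HIT %s" % hit.hex())
    # the same RVS may be repeated across RRs for one HI; keep order, drop repeats
    return tuple(dict.fromkeys(
        name for rr in matching for name in rr.rendezvous_servers))


def rvs_is_associated(rrset, hit: bytes, rvs_name: str) -> bool:
    """The MUST check from Section 4.2: refuse an RVS no RR for this HI lists."""
    return rvs_name.lower() in rvs_for_hit(rrset, hit)


# Constructed sample RRset: one Responder FQDN, two HIs with distinct RVS lists.
KEY_A = base64.b64encode(b"constructed-host-identity-A").decode()
KEY_B = base64.b64encode(b"constructed-host-identity-B").decode()
HIT_A = bytes.fromhex("20010010" + "00" * 11 + "aa")   # constructed 16-byte HIT
HIT_B = bytes.fromhex("20010010" + "00" * 11 + "bb")
SAMPLE_RRSET = (
    parse_hip_rr("responder.example.",
                 "2 %s %s rvs-a.example." % (HIT_A.hex(), KEY_A)),
    parse_hip_rr("responder.example.",
                 "( 2 %s %s rvs-b1.example. rvs-b2.example. )" % (HIT_B.hex(), KEY_B)),
)


if __name__ == "__main__":
    print(rvs_for_hit(SAMPLE_RRSET, HIT_B))
    # an RVS taken from the other HI's RR is rejected
    print(rvs_is_associated(SAMPLE_RRSET, HIT_A, "rvs-b1.example."))
```

The check is deliberately keyed on the HIT of the RR the Initiator selected, so an RVS name that appears only in a sibling RR for a different HI is rejected even though both RRs share the same owner name; mixing them would direct the I1 toward a rendezvous server that has no registration for the HI being used.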