Re: [secdir] Secdir review of draft-ietf-dime-erp-16

Vincent Roca <vincent.roca@inria.fr> Mon, 28 January 2013 13:57 UTC

Return-Path: <vincent.roca@inria.fr>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DC6921F8507; Mon, 28 Jan 2013 05:57:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.249
X-Spam-Level:
X-Spam-Status: No, score=-110.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mHKFZ+-xNqN7; Mon, 28 Jan 2013 05:57:24 -0800 (PST)
Received: from mail1-relais-roc.national.inria.fr (mail1-relais-roc.national.inria.fr [192.134.164.82]) by ietfa.amsl.com (Postfix) with ESMTP id 40ACC21F8464; Mon, 28 Jan 2013 05:57:23 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.84,551,1355094000"; d="scan'208";a="191646072"
Received: from geve.inrialpes.fr ([194.199.24.116]) by mail1-relais-roc.national.inria.fr with ESMTP/TLS/AES128-SHA; 28 Jan 2013 14:57:10 +0100
Mime-Version: 1.0 (Apple Message framework v1085)
Content-Type: text/plain; charset=us-ascii
From: Vincent Roca <vincent.roca@inria.fr>
In-Reply-To: <5103D12D.8060906@gmail.com>
Date: Mon, 28 Jan 2013 14:57:08 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <71CC8695-F92F-43ED-A9C3-6B5C02195172@inria.fr>
References: <939DADEE-28DB-4A4B-AD0D-057AEB863250@inria.fr> <50FF9D1C.9070501@cisco.com> <5103D12D.8060906@gmail.com>
To: Glen Zorn <glenzorn@gmail.com>
X-Mailer: Apple Mail (2.1085)
Cc: Benoit Claise <bclaise@cisco.com>, IESG IESG <iesg@ietf.org>, draft-ietf-dime-erp.all@tools.ietf.org, secdir@ietf.org
Subject: Re: [secdir] Secdir review of draft-ietf-dime-erp-16
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Jan 2013 13:57:25 -0000

Hi Glen and others,

> I responded to Vincent's original review some time ago (see below); I am interested in hearing my co-authors' opinion.

Oups, I've just found it. Sorry. So let me answer.

[...]
>>> One more point. In introduction, the authors say:
>>> "  Security considerations for this key distribution are detailed in Salowey, et al. [RFC5295]."
>>> This reference is not mentioned in the Security Section!

I  don't think you've answered here.


[...]
>>>> The security section of this document is pretty simple as it refers to
>>>> the security section of 4 related documents and that's all. On the
>>>> opposite, each of these 4 documents includes a very detailed security
>>>> analysis.  The contrast is extremely important!
>>> 
>>> Why?
>>> 
>>>> 
>>>> This is all the more annoying as draft-ietf-dime-erp-14 introduces new
>>>> mechanisms, and thereby new potential threats and issues (it's usually
>>>> the case).
>>> 
>>> From a Diameter POV, a Diameter ERP "server" is actually just a form of Diameter agent and the Diameter ERP client is just a standard Diameter client; a new application is only required to ensure the correct routing of Diameter messages.  So I'm not sure what the new mechanisms you refer to are; perhaps you can elucidate?

I'm not an expert and didn't hear about ERP before this. I must admit I
have no clue on how all these things work, and I cannot judge whether
there are security issues or not.

But when I read the abstract, I understand that a certain number of
things are introduced: 
	- extensions to EAP, 
	- a new Diameter ERP application,
	- a set of new AVPs.
This is what I mean by "new mechanisms". 
If you say that it's more a  specialization of existing components (if I understand
correctly) than new mechanisms, then I believe you.


>>>> What should I understand? Is the proposal guaranteed to be secure?
>>> 
>>> There are no guarantees in life, let alone security .
>>> 
>>>> Or have all the potential weaknesses been already addressed in the
>>>> 4 related documents?
>>> 
>>> It would seem that that is the very strong implication.
>>> 
>>>> I can not conclude after reading this security section
>>>> and this is a problem.
>>> 
>>> It seems as if the big problem is that the draft doesn't tell you what to think about the security properties of the protocol but I don't think that is really a problem with the document.  As I mentioned above, it appears to me that the authors believe that security-related issues are dealt with in the Security Considerations sections of RFCs 4072, 6696, 6733 and 6734.  Is that the case?  If not, please point out a security problem with this protocol that is not covered by those texts.

You got my point. 

You introduce new things (I called them mechanisms, but it's perhaps 
inappropriate) without telling me **explicitly** whether or not you believe
they introduce new risks. And it's not obvious to me whether the security
sections of these 4 RFCs also encompass the new things introduced here.

If you add a sentence saying that the authors believe that all security aspects
are already dealt with the above 4 RFCs, plus another sentence explaining why
you believe so, then I'll be happy. That's the kind of things to discuss in a security
section.

Does it make sense? In any case, I don't want to annoy anybody. I'm just trying
to provide a complementary view.

Cheers,

   Vincent