Re: [secdir] secdir review of draft-ietf-pcp-proxy-08

<mohamed.boucadair@orange.com> Mon, 06 July 2015 05:48 UTC


Dear Samuel,

Many thanks for the review. 

FWIW, PCP auth is not cited in this document because we followed the same approach as in RFC6887 and RFC6970. 

Blocking on draft-ietf-pcp-authentication is not justified IMHO because the proxy can be enabled with ACLs enabled at the client, server and the network in between. 

Cheers,
Med

> -----Original Message-----
> From: Samuel Weiler [mailto:weiler@watson.org]
> Sent: Monday, 6 July 2015 02:54
> To: secdir@ietf.org; iesg@ietf.org; draft-ietf-pcp-proxy@tools.ietf.org
> Subject: secdir review of draft-ietf-pcp-proxy-08
> 
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> 
> Summary: document is ready for publication (with mild reservation).
> 
> My thanks to the document editors for producing a readable document.
> 
> Mild reservation: when I look at the use cases for PCP Proxy in this
> document (e.g. a consumer router doing NAT, connected to hotel NAT,
> connected to carrier NAT), it's hard to imagine that operational
> environment often fitting within the description of PCP's "simple
> threat model" (RFC6887, section 18.1).  And once you reject the
> simplifying assumptions in that "simple threat model", RFC6877 says
> PCP needs a security mechanism (section 18.2 of RFC6877).  Maybe this
> document should explicitly reinforce that need, perhaps citing and
> blocking on draft-ietf-pcp-authentication?