Re: [secdir] secdir review of draft-ietf-v6ops-mobile-device-profile-04
Fred Baker <fred@cisco.com> Sun, 01 September 2013 21:55 UTC
To: draft-ietf-v6ops-mobile-device-profile.all@tools.ietf.org
Cc: iesg@ietf.org, secdir@ietf.org

Wearing shepherd hat...

I assume you'll have an updated document posted soon. Please work with Simon and make sure he's satisfied with the updates.

On Aug 31, 2013, at 2:21 PM, Simon Josefsson <simon@josefsson.org> wrote:

> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG. These comments were written primarily for the benefit of the
> security area directors. Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> This (informational) document lists a set of features a 3GPP device is
> supposed to be compliant with. The document contains pointers to other
> protocols/specifications which contain the real security
> considerations for those protocols. As such, I don't think there could
> be any significant security issue with this document. Hence my take
> is that the document is Ready with nits (see below).
>
> A notable point is that there is no discussion or references to IPsec
> in the document, nor any of the IPv6 "bugs" (e.g., RFC 5722 and RFC
> 6946). There may be other documents that could be referenced that would
> lead to improved security, but it is hard to list them all.
>
> This document seems related to draft-ietf-v6ops-rfc3316bis which
> describes another IPv6 profile for 3GPP hosts. The utility of having
> two different IPv6 profiles for 3GPP hosts could be discussed, but it
> is only a security issue in the marginal sense that complexity often
> leads to poor security.
>
> The security considerations of this document are only pointers to
> the security considerations of RFC3316bis, RFC6459, and RFC6092 which
> feels underwhelming to me -- especially since the RFC3316bis security
> consideration is for the particular profile that RFC3316bis defines.
> The security considerations of RFC3316bis wouldn't automatically apply
> to the profile defined by draft-ietf-v6ops-mobile-device-profile since
> the profiles are different.
>
> Other notes:
>
> * The document uses RFC 2119 language "for precision", although I don't
>   understand what it means for an Informational document to contain
>   MUST language.
>
> * The document really really should reference RFC 2460.
>
> * The security consideration contains normative text (REQ#34) that
>   typically goes into the core part of a document.
>
> * I found REQ#32 a bit too generalized. I believe it is common for
>   applications to be aware of whether connections are over IPv4 or IPv6
>   and behave differently.
>
>> REQ#32: Applications MUST be independent of the underlying IP
>> address family. This means applications must be IP version
>> agnostic.
>
> /Simon

If at first the idea is not absurd, then there is no hope for it.
Albert Einstein