[secdir] Secdir review of draft-ietf-eman-rfc4133bis-06

Vincent Roca <vincent.roca@inria.fr> Tue, 19 February 2013 20:34 UTC

From: Vincent Roca <vincent.roca@inria.fr>
Date: Tue, 19 Feb 2013 19:27:26 +0100
To: IESG <iesg@ietf.org>, draft-ietf-eman-rfc4133bis.all@tools.ietf.org, secdir@ietf.org


I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.


This document is an update of RFC4311. It therefore inherits, updates
and improves the security considerations section of that RFC.
This section seems well written and accurate. I just have a small comment.

I see there's a wide range of techniques to secure communication with MIBs.
This document specifies a Mandatory To Implement solution (USM with AES),
mentions a SHOULD support solution (security features of RFC3410), as well
as a MAY support approach (TSM with SSH/TLS). That's a lot.
I imagine there are good reasons (I don't know the SNMP/MIB domain) to do
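As an added illustration (not part of Vincent Roca's review, nor text from the draft), the mandatory-to-implement option named above, USM with AES, contrasted with the weak setting an operator is most likely to find in place, in Net-SNMP snmpd.conf syntax. The user name and passphrases are made up for the example:

```conf
# WEAK: SNMPv1/v2c community string. No authentication of the manager,
# the "secret" travels in cleartext, and so does every MIB object read.
# rocommunity public

# CORRECTED: SNMPv3 USM, authPriv level, AES privacy (the MTI option).
# Passphrases must be at least 8 characters; these are example values.
createUser opsmon SHA "correct-horse-battery-staple" AES "orbit-lamp-granite-river"
rouser opsmon priv

# The "priv" keyword on the rouser line is the important part: it refuses
# noAuthNoPriv and authNoPriv requests for this user, so a manager that
# is misconfigured to skip encryption gets nothing instead of cleartext.

# Check from a manager host (one line):
#   snmpwalk -v3 -l authPriv -u opsmon -a SHA -A "correct-horse-battery-staple" \
#            -x AES -X "orbit-lamp-granite-river" <agent-host> system
# The same walk with -l authNoPriv, or any -v2c -c public query, must fail.
```

The check at the bottom is the one a reviewer would want run after such a change: a successful authPriv walk alone does not prove the weak path is closed, so the negative cases (authNoPriv and the old community string) should be tried as well.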