Re: [secdir] Secdir review of draft-baker-ietf-core-03.txt
Fred Baker <fred@cisco.com> Sat, 21 November 2009 13:08 UTC
Return-Path: <fred@cisco.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7F0D83A686C; Sat, 21 Nov 2009 05:08:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.419
X-Spam-Level:
X-Spam-Status: No, score=-106.419 tagged_above=-999 required=5 tests=[AWL=0.179, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jw0AWSNw-iax; Sat, 21 Nov 2009 05:08:57 -0800 (PST)
Received: from sj-iport-5.cisco.com (sj-iport-5.cisco.com [171.68.10.87]) by core3.amsl.com (Postfix) with ESMTP id CDCE03A682E; Sat, 21 Nov 2009 05:08:57 -0800 (PST)
Authentication-Results: sj-iport-5.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AqIEAMN0B0tAaHte/2dsb2JhbACCIi65cZddhDwEgXCBEQ
X-IronPort-AV: E=Sophos; i="4.47,264,1257120000"; d="scan'208,217"; a="107575571"
Received: from hkg-core-1.cisco.com ([64.104.123.94]) by sj-iport-5.cisco.com with ESMTP; 21 Nov 2009 13:08:53 +0000
Received: from [192.168.24.77] (tky-vpn-client-230-1.cisco.com [10.70.230.1]) by hkg-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id nALD8p5p024076; Sat, 21 Nov 2009 13:08:52 GMT
Message-Id: <0A395F99-B665-43DC-BE24-CD4F69169913@cisco.com>
From: Fred Baker <fred@cisco.com>
To: Charlie Kaufman <charliek@microsoft.com>
In-Reply-To: <D80EDFF2AD83E648BD1164257B9B0912082E2E08@TK5EX14MBXC115.redmond.corp.microsoft.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-86--818626926"
Mime-Version: 1.0 (Apple Message framework v936)
Date: Sat, 21 Nov 2009 22:08:50 +0900
References: <D80EDFF2AD83E648BD1164257B9B0912082E2E08@TK5EX14MBXC115.redmond.corp.microsoft.com>
X-Mailer: Apple Mail (2.936)
Cc: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-baker-ietf-core-03.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Nov 2009 13:08:59 -0000
Thanks. I'll review your comments next week when I'm at home :-) On Nov 21, 2009, at 1:41 PM, Charlie Kaufman wrote: > I am reviewing this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Others should treat these comments just > like any other last call comments. Feel free to forward to any > appropriate forum. > > This document (proposed as an Informational RFC) summarizes the core > protocols on which the Internet operates. It is specifically > targeted at NIST in the context of the Smart Grid discussion. They > are looking to “profile” a subset of the Internet Protocol Suite. > Since the audience for this review is security focused, I’ll talk > about security first. But since I read it all, I’ll include comments > on the rest too. I would encourage others to read the document. It’s > both informative and could generate a lively discussion about what > constitutes “the core”. > > As a truly informational document, this document has no security > implications, though it does talk about security. It considers > IPsec, TLS, and S/MIME to be the core security protocols. I would > consider adding DNSSEC to that list, and possibly removing S/MIME, > but these three are certainly a reasonable place to start. > > Section 3.1 attempts to explain why it’s natural for IPsec and TLS > to both exist, and reminded me how much each has encroached onto the > territory of the other making that task more difficult. I believe > that the original distinction was that IPsec was designed to be > implemented in operating systems or networking infrastructure in a > way that was transparent to applications, while SSL was designed to > be implemented in applications in a way that was transparent to > operating systems and networking infrastructure. That’s not a bits > on the wire distinction, but I believe all the other differences > derive from that. But TLS has now been extended to protect datagrams > and IPsec to authenticate users with SecurID cards. I don’t know > which is the more natural fit for Smart Grid, but I doubt it’s both. > > Comments on the whole document: > > Section 1 para 3: re: picking a subset of protocols rather than > protocol subsets. This makes sense for “old” protocols, like TCP, > that have few options. It doesn’t for “new” protocols, like PKIX, > which allow variation without end. > > Section 2.1.3.1: The Internet Layer here is what you called the > Network Layer on the previous page (I think). Fragmentation and > reassembly is only part of this layer any more if you hold your head > just right. I’m not sure “identifying” a datagram’s source and > destination is properly the roll of this layer. “Finding” the > destination is more like it. This section describes the part of the > IP layer implemented by endnodes. Most of IP is implemented (today) > in intermediate nodes. Would OSPF be a core protocol, or do you > assume these systems run atop an existing infrastructure? > > Section 2.2.1: Physical security: It’s worth mentioning that many > systems assume physical security within some subnet (like a machine > room or a corporate intranet) and reflect that in believing that > source and destination IP addresses are authentic if they are both > in a controlled range. One might question whether this is wise, but > it is certainly common. Protocols often reflect assumptions about > physical failures and attacks in the timeout/retry parameters they > choose. > > Section 2.2.2: The last paragraph seems to have fallen into this > document from somewhere else. Does it belong elsewhere? > > Section 2.3: DNS seems like a critical piece of making the Internet > work. There might be applications that could live without it, but > not many. > > Section 2.3.1: DNS also supports limited slow mobility. A service > can move and change IP address if everyone references it by DNS name. > > Section 3.1.2: It’s misleading to say that IPsec implemented between > the routing and transport layer. That’s true in transport mode, but > in tunnel mode there is an IP header before and after the IPsec > header (putting it in the middle of routing). > > Section 3.1.2: In the RFC list RFC4304 is the right RFC to reference > but it is not ISAKMP. RFC4309 specifies AES CCM mode, which I > believe is not the most commonly used cryptographic algorithm. > > Section 3.1.4: I’d be surprised if S/MIME was originally an > extension to SMTP. Even when S/MIME was PEM, it was largely > transport independent (and designed to pass over X.400, which was a > contender in those days). S/MIME – and more generally CMS – is not > really a networking protocol at all. It is designed to protect data > at rest. I can take a CMS protected file and send the pile of bits > to you by floppy disk or paper tape. Years later, if you can still > read the media, you can still process it. It’s a tough call whether > it is an Internet Core Protocol. It’s certainly an important IETF > protocol. > > Section 3.2: “the IPv6 space” -> “the size of the IPv6 address space” > > Section 3.2: “in the near term.” -> “in the near term if > interoperability with existing IPv4-only systems is important.” > > Section 3.2.1.1: It’s worth noting that IPv4 addresses are typically > administratively assigned in blocks, which then get subdivided, and > that they are commonly handed out individually to client nodes using > DHCP but that servers typically need permanent IPv4 addresses so > that other nodes can find them in DNS. > > Section 3.2.1.3: Avoid a common confusion by explaining that > reliable in this case means that retries are automatic and that > failures are reliably detected. Reliable Multicast can’t get the > data there if the network is broken. > > Section 3.2.2.1: IPv6 also hands out addresses administratively in > blocks which are then subdivided. Autoconfiguration is only > different from DHCP in that you’re “guaranteed” not to run out. > > Section 3.2.2.2: Mention that addresses are hierarchical when handed > out administratively in order to keep routing tables from exploding > in size. > > Between section 3.2.3 and 3.3: This would be a good place to remind > people of the “hourglass”: many protocols above, many below, but a > single IP in the middle. (Well IPv4 and IPv6, but that’s “temporary”). > > Section 3.3.1, para 1: I would claim that UDP is a perfectly valid > transport protocol. It only appears not to be because it is the > native mode of IP and therefore seems natural. Running over X.25, > TCP would seem like the null protocol and UDP would be interesting > and novel. > > Section 3.3.1, para 2: UDP has problems because it does not play > well with others in terms of congestion backoff. Does it have > problems other than that? > > Section 3.4.1, para 1, line 6: “all” -> “allow” > > Middle of page 22: “address/aport” -> “address/port”
- Re: [secdir] Secdir review of draft-baker-ietf-co… Steven Bellovin
- [secdir] Secdir review of draft-baker-ietf-core-0… Charlie Kaufman
- Re: [secdir] Secdir review of draft-baker-ietf-co… Fred Baker
- Re: [secdir] Secdir review of draft-baker-ietf-co… Steven Bellovin
- Re: [secdir] Secdir review of draft-baker-ietf-co… Phillip Hallam-Baker
- Re: [secdir] Secdir review of draft-baker-ietf-co… Fred Baker
- Re: [secdir] Secdir review of draft-baker-ietf-co… Paul Hoffman