Re: [secdir] Secdir Review of draft-ietf-hip-rfc5205-bis-08
Julien Laganier <julien.ietf@gmail.com> Mon, 01 February 2016 00:31 UTC
Return-Path: <julien.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27AFC1A6FDA; Sun, 31 Jan 2016 16:31:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UNZPivpRz3p8; Sun, 31 Jan 2016 16:31:07 -0800 (PST)
Received: from mail-oi0-x231.google.com (mail-oi0-x231.google.com [IPv6:2607:f8b0:4003:c06::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 947971A6FD8; Sun, 31 Jan 2016 16:31:07 -0800 (PST)
Received: by mail-oi0-x231.google.com with SMTP id r14so79545475oie.0; Sun, 31 Jan 2016 16:31:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=CbojxUlO/kI50ti4Xrt35fr03QBebrjwkJ1pHnOlEPM=; b=vbS7jH37G1tsSHCBt5KOD5ayIWfPl7WIT0mNNXJl35Xrlr3pgn1bMTRj7+aZl9MyFa j8WopVUin9LJaRfUWsIzgv4uE4fCwi9Pkmd4WLSNElsweVnJCGtWL8CcYvWzdww5vwWM 2Iu/Q9WEsXzxphyykWyFwEjqt5bNtIid6MFAjtRQZqhUsnhJy/BbIe5LHiD8ZMBkcoj+ 6v4YAfCB+94LOZzjKMnPI3eORG1ovifPahMu3YdlGE5KPK3QQrbu9BWmtum4cgFnEqjD oizECZmR3S0+IQqIEDbyOMfUEhKoAlVx43r/3LOgqpqpR8liP5QydVcix4G0CjmZ0g7b utXg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=CbojxUlO/kI50ti4Xrt35fr03QBebrjwkJ1pHnOlEPM=; b=I6cwrkdUl7it0wo5CL+/dZ/IBTG4+SLRDeALjuvKcfFj1rYM6ulgYxCAZG++QIaQs+ xIqJdvDzGSsvvF/nYObsjm/5Tul2Q4kIMvPpMPDyklNkzGESypGpR2Fvf0h0RHpqJsTL i+TXmMDjC/ZcZq4vdtYl0434GzRrINT/7gJGcD3u2w4ZXHdUgjArcjovkpoGyrkwMluK jwB5mlR/9WdU4UBY5p27+XZqDugexN8wi3Y6fbGy3mtCbOL9+mbKHr7ZJ8HY6qYR8Wju jVQ04xrqyrDJABi9cWJJWBHGWYQDpQL6xB/XC373u9QQjMtUl/juu0TGlhtSXqFdMmUn Iojg==
X-Gm-Message-State: AG10YOTRIwL21cgFbVrsJQsJK7f13CP+8DJSjNtZorYlAB+5ro8FD4hiLEJfcY5kIWZs7U+8TytawrKzcmWZkA==
MIME-Version: 1.0
X-Received: by 10.202.195.18 with SMTP id t18mr15154994oif.80.1454286666985; Sun, 31 Jan 2016 16:31:06 -0800 (PST)
Received: by 10.157.26.28 with HTTP; Sun, 31 Jan 2016 16:31:06 -0800 (PST)
In-Reply-To: <EEC5E160-9F9A-449C-99D9-CE7C23C89D0D@huawei.com>
References: <568A94BF.4000004@si6networks.com> <EEC5E160-9F9A-449C-99D9-CE7C23C89D0D@huawei.com>
Date: Sun, 31 Jan 2016 16:31:06 -0800
Message-ID: <CAE_dhjuDZYUwXBCwoCR2mAzZGQXoenkJ6aQD7=t=DEM=wY5Xmg@mail.gmail.com>
From: Julien Laganier <julien.ietf@gmail.com>
To: Tina TSOU <Tina.Tsou.Zouting@huawei.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/xx9KDMzmslZIZOpP40ky6ovXcH0>
Cc: "draft-ietf-hip-rfc5205-bis.all@ietf.org" <draft-ietf-hip-rfc5205-bis.all@ietf.org>, "Org Iesg@Ietf." <iesg@ietf.org>, "Org Secdir@Ietf." <secdir@ietf.org>
Subject: Re: [secdir] Secdir Review of draft-ietf-hip-rfc5205-bis-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Feb 2016 00:31:10 -0000
Tina, Happy new year, and thank you for reviewing the draft. My apologies for the belated reply. Please find my answers to your comments inlined below: On Mon, Jan 4, 2016 at 10:29 AM, Tina TSOU <Tina.Tsou.Zouting@huawei.com> wrote: > [...] > ** Technical ** > > * Section 8: > > You refer to IPSECKEY RR [RFC4025] to note some of the possible threats > for HIP RRs. I think you should spell these out, and discuss them > explicitly. The intent was to provide an informative statement regarding the broad similarity between threats applying to the IPSECKEY RR and threats applying to the HIP RR. The remainder of the section does explicitly discuss the threats pertaining to the HIP RR. I have clarified the text such that the intent is communicated more clearly: In a manner similar to the IPSECKEY RR [RFC4025], the HIP DNS Extension allows for the provision of two HIP nodes with the public keying material (HI) of their peer. These HIs will be subsequently used in a key exchange between the peers. Hence, the HIP DNS Extension is subject, as the IPSECKEY RR, to threats stemming from attacks against unsecured HIP RRs, as described in the remainder of this section. > ** Editorial ** > > * Section 3, page 4: >> In the following, we assume that the Initiator first queries for HIP >> resource records at the Responder FQDN. > > s/at/for/ The use of "at" is consistent with the language found in RFC1035, e.g.: The first step a resolver takes is to transform the client's request, stated in a format suitable to the local OS, into a search specification for RRs _at_ a specific name which match a specific QTYPE and QCLASS. Thus I believe no change need to be made. > * Section 3, page 4: >> and further queries for the same owner name SHOULD NOT be >> made. > > What's an "owner name"? Maybe this should be "domain name", instead? As per RFC1035, a DNS RR is defined as containing a NAME which is defined as "an owner name, i.e., the name of the node to which this resource record pertains.", thus I believe no change need to be made. > * Section 3, page 5: >> Note that storing HIP RR information in the DNS at an FQDN that is >> assigned to a non-HIP node might have ill effects on its reachability >> by HIP nodes. > > s/a/an/ If you're referring to the "a" in "a non-HIP node", I believe that this is the correct spelling since the "non" syllable begins with a consonant onset "n". > * Section 4.2, page 9: >> The RVS >> information may be copied and aligned across multiple RRs, or may be >> different for each one; a host MUST check that the RVS used is >> associated with the HI being used, when multiple choices are >> present." > > There's no matching quote sign for this one. Good catch. I fixed that. Thanks again for the review, and best regards. --julien
- [secdir] Secdir Review of draft-ietf-hip-rfc5205-… Tina TSOU
- Re: [secdir] Secdir Review of draft-ietf-hip-rfc5… Julien Laganier