[secdir] secdir review of draft-ietf-ntp-dhcpv6-ntp-opt-04.txt

"Glen Zorn" <gwz@net-zen.net> Tue, 25 August 2009 02:32 UTC

Return-Path: <gwz@net-zen.net>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 94F1228C367 for <secdir@core3.amsl.com>; Mon, 24 Aug 2009 19:32:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.598
X-Spam-Level:
X-Spam-Status: No, score=-1.598 tagged_above=-999 required=5 tests=[AWL=1.001, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xw6gjWsblxwc for <secdir@core3.amsl.com>; Mon, 24 Aug 2009 19:32:03 -0700 (PDT)
Received: from smtpauth16.prod.mesa1.secureserver.net (smtpauth16.prod.mesa1.secureserver.net [64.202.165.22]) by core3.amsl.com (Postfix) with SMTP id 7282B28C34F for <secdir@ietf.org>; Mon, 24 Aug 2009 19:32:03 -0700 (PDT)
Received: (qmail 1996 invoked from network); 25 Aug 2009 02:31:51 -0000
Received: from unknown (71.231.55.1) by smtpauth16.prod.mesa1.secureserver.net (64.202.165.22) with ESMTP; 25 Aug 2009 02:31:51 -0000
From: "Glen Zorn" <gwz@net-zen.net>
To: <iesg@ietf.org>, <secdir@ietf.org>, "'Benoit Lourdelet \(blourdel\)'" <blourdel@cisco.com>, <richard.gayraud@free.fr>, "'Brian Haberman'" <brian@innovationslab.net>, "'Karen O'Donoghue'" <kodonog@pobox.com>
Date: Mon, 24 Aug 2009 19:31:26 -0700
Organization: Network Zen
Message-ID: <016001ca252c$25904100$70b0c300$@net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcolLCTTApFFO1pSRNWe+MFZxKd61g==
Content-Language: en-us
Subject: [secdir] secdir review of draft-ietf-ntp-dhcpv6-ntp-opt-04.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Aug 2009 02:32:03 -0000

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.



EDITORIAL

Global: s/an NTP/a NTP/
        s/an FQDN/a FQDN/


In section 2., the acronym "DHCPv6" should be expanded on first usage.

The first paragraph of section 2.1 says:

   When using DHCPv6 to offer NTP Server location, and if
   there is a need to distribute a device with a hardcoded
   configuration, this configuration MUST NOT include server location
   that is not part of the organization that distribute this device.

s/distribute/distributes in the last line.
I don't understand what device is under discussion.  Is it a DHCP server?  A
DHCP client?  Also,

   Typical usage of this option is to specify an NTP Server that is part
   of the organization that operates the DHCPv6 server.

This seems less clear than it should be to me; suggest rephrasing, perhaps
as 

  This option will typically be used by the organization operating the
DHCPv6 
  server to provide data regarding the location of its own NTP server.


The second paragraph of section 2.1 says:

   DNS can be used to redirect misconfigured clients
   to an unexisting IPv6 address instead of having to change the address
   of the NTP server itself.

I don't know exactly what an "unexisting IPv6 address" is, nor why it would
be a good thing to redirect misconfigured clients to one.  Also, the acronym
"FQDN" should be expanded on first usage.


The third paragraph of section 2.1 says: "The DHCPv6 option for NTP is then
restricted to server location."  This construction is a little bit clumsy, I
think; suggest changing to "The DHCPv6 option for NTP is therefore
restricted to server location."


In the first paragraph of section 3.0, the acronym "SNTP" should be expanded
upon first usage; suggest changing "This option serves as a container for
all the information related to one NTP server or SNTP server." to "This
option serves as a container for all the information related to one NTP or
Simple Network Time Protocol (SNTP) [RFC4335] server."  This will also take
care of one of the unused references mentioned below.


The second paragraph of section 3.0 says:

   While the FQDN option offers the most deployment
   flexibility, resiliency as well as security, the IP address options
   are defined to cover cases where a dependancy to DNS is not
   desirable.

I think that the readability of this sentence could be improved; suggest
changing to 

   While the FQDN option offers the most deployment Flexibility and 
   resiliency as well as security, the IP address options are defined 
   to cover cases where a DNS dependency is not desirable.


The last paragraph of section 3.0 says:

   This document does not define any priority between the client's
   embedded configuration and the NTP servers or SNTP servers discovered
   via this option.  

Suggest changing to 

   This document does not define any priority relationship between the
client's
   embedded configuration (if any) and the NTP or SNTP servers discovered
   via this option.  


In the heading of section 4, capitalize "use" or just change the heading
from "Examples of use" to "Examples".


Section 4 seems somewhat less than useful to me, especially since the
examples are inconsistent: the FQDN example uses the exact encoding of the
FQDN, but the unicast and multicast address examples do not.  I suggest
either making the examples consistent by putting the actual address encoding
of the addresses in the address examples or just getting rid of section 4
altogether.


The references to RFC 4075 and RFC 4330 are defined but never used.

Hope this helps.

~gwz