Re: [sfc] [Last-Call] Secdir last call review of draft-ietf-sfc-nsh-integrity-04
"Joel M. Halpern" <jmh@joelhalpern.com> Sun, 14 March 2021 20:45 UTC
To: Steve Hanna <steve@hannas.com>, secdir@ietf.org
Cc: last-call@ietf.org, draft-ietf-sfc-nsh-integrity.all@ietf.org, sfc@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/sfc/WnC3u2fBBKCwpg_e3amgAQtEJyk>

Thank you Steve.
Joel

On 3/14/2021 4:22 PM, Steve Hanna via Datatracker wrote:
> Reviewer: Steve Hanna
> Review result: Ready
>
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG. These
> comments were written primarily for the benefit of the security area directors.
> Document editors and WG chairs should treat these comments just like any other
> last call comments.
>
> This document adds integrity and optional encryption of sensitive metadata
> directly to the Network Service Header (NSH) protocol defined in RFC 8300, thus
> reducing or eliminating several attack vectors against Service Function
> Chaining (SFC). The document is well written and seems adequate for the goals
> articulated here and elsewhere in the SFC document suite.
>
> All of the issues, questions, and nits that I raised in my earlier secdir review
> (https://datatracker.ietf.org/doc/review-ietf-sfc-nsh-integrity-01-secdir-early-hanna-2020-12-24)
> have been well addressed in draft-ietf-sfc-nsh-integrity-04. From my
> perspective (as a security expert who has not previously worked with SFC), this
> latest version of that document seems to address all relevant security issues
> in an appropriate manner. I have no remaining concerns regarding this document
> and support its approval.