Re: [Taps] AD review of draft-ietf-taps-transport-security-08

"Philipp S. Tiesel" <philipp@tiesel.net> Thu, 26 September 2019 19:03 UTC

From: "Philipp S. Tiesel" <philipp@tiesel.net>
In-Reply-To: <DB7PR07MB57363FEBD350EBB0A73A7F9695860@DB7PR07MB5736.eurprd07.prod.outlook.com>
Date: Thu, 26 Sep 2019 21:03:34 +0200
Cc: "draft-ietf-taps-transport-security.all@ietf.org" <draft-ietf-taps-transport-security.all@ietf.org>, "taps@ietf.org" <taps@ietf.org>
Message-Id: <0C2D8588-2C38-4BF4-916F-117CA30AA2F7@tiesel.net>
References: <DB7PR07MB57363FEBD350EBB0A73A7F9695860@DB7PR07MB5736.eurprd07.prod.outlook.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/taps/-fpaaPJnk8au0XkgoSBhpzU9azg>
Subject: Re: [Taps] AD review of draft-ietf-taps-transport-security-08

Hi, 

> On 26. Sep 2019, at 10:01, Magnus Westerlund <magnus.westerlund@ericsson.com> wrote:
> 
> Hi,
>  
> Sorry about the delay in getting the AD review done. Below are my comments and questions. Note the questions are truly questions, and after answering we can discuss whether there need to be any changes or not. 
>  
>  
> 1. Section 4.1: Is there a reason to use TLS 1.2 specification (RFC5246) rather than TLS 1.3 as the general reference?
>  
> 2. Comment on the writeup: Considering that ID nits results in the relevant reference warnings below, I would expect some comment in the writeup if they are intentional.

Sorry, that is my fault. I checked these and discussed them with the authors, but did not include the discussion in the writeup, as it was not clear to me that this needs to be part of the writeup.
I will wait for further comments on your review and will add a note to the writeup on the intentional references to deprecated documents.

> If not please update the references. If they are intentional, please update the writeup to note them. 
>  
>  
>   -- Obsolete informational reference (is this intentional?): RFC 2385
>      (Obsoleted by RFC 5925)

Necessary - the RFC is deprecated, but the mechanism still exists and is used. Its primary use (in BGP) has been deprecated, but it is still widely used.

>  
>   -- Obsolete informational reference (is this intentional?): RFC 4474
>      (Obsoleted by RFC 8224)

This is a mistake and has been fixed on github. I did not insist on publishing a new revision for the AD review.

>  
>   -- Obsolete informational reference (is this intentional?): RFC 5246
>      (Obsoleted by RFC 8446)

This is intentional in Section 9, but debatable in Section 4.1.

>  
>   -- Obsolete informational reference (is this intentional?): RFC 7539
>      (Obsoleted by RFC 8439)

This is a mistake and has been fixed on github. I did not insist on publishing a new revision for the AD review.

>  
> 3.  Section 4.1.2: Is there a point to mention that TLS forward secrecy is dependent on the cipher suite for the key exchange and not ensured prior to 1.3? 
>  
> 4. Section 4.1.2: Second to last paragraph: Broken reference to DTLS 1.3 draft: “(Note that this extension is only supported in
>    DTLS 1.2 and 1.3 {{?I-D.ietf-tls-dtls13}.)”
>  
> 5. Section 4.3.3: “QUIC transport relies on UDP.” Although QUIC is targeting UDP as its main deployment vessel, isn’t QUIC in fact dependent on an unreliable datagram service? But maybe writing UDP is more straightforward?
>  
> 6. Section 4.5.4: When it comes to variants of SRTP, I think referencing RFC 7201 would actually be reasonable, as the many different options hide some transport security options that are so far not discussed in this document, like securing multicast / broadcast RTP. 
>  
> 7. Section 4.5.4: So is ZRTP included as a variant because it provides new security features? Is that session continuity, or something else? 
>  
> 8. Section 11: There are a number of references here that I don’t think meet the requirements for references. These are the ones that only have a title and n.d. All these could include a URL and the date when these pages were visited and contained the information you want to reference. 
>  
>  
> Cheers
>  
> Magnus Westerlund

--  
Philipp S. Tiesel
https://philipp.tiesel.net/
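Review item 3 above makes the point that before TLS 1.3 forward secrecy is a property of the negotiated cipher suite's key exchange, while TLS 1.3 suite names no longer encode the key exchange at all. The following Python is an added illustration of that distinction, not code from the draft or from either participant in this thread: it classifies IANA cipher-suite names by whether their key exchange can guarantee forward secrecy. The suite names used are real registered names; the "configured server" list is a constructed sample.

```python
"""Classify TLS cipher suites by the forward-secrecy property of their key exchange.

Added example: the classification rules are derived from how IANA suite names are
built (TLS_<kx>_WITH_<cipher>_<hash> up to TLS 1.2; AEAD+hash only in TLS 1.3).
"""
from typing import List

# TLS 1.3 suites (RFC 8446, Appendix B.4) name only the AEAD and the hash; the
# key exchange is negotiated via key_share / psk_key_exchange_modes rather than by
# the suite, so the suite name alone does not settle forward secrecy.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}

# First token of the key-exchange part of a TLS 1.2 suite name, grouped by property.
EPHEMERAL = ("ECDHE", "DHE")          # fresh (EC)DH keys per session: forward secret
STATIC = ("RSA", "ECDH", "DH", "PSK")  # long-term key or bare PSK: not forward secret


def forward_secrecy(suite: str) -> str:
    """Return 'ephemeral', 'static', 'unauthenticated' or 'negotiated' for a suite name.

    'negotiated' means a TLS 1.3 suite: forward secrecy then depends on whether the
    handshake carried an (EC)DHE key share (always in a full handshake, only in the
    psk_dhe_ke mode on resumption), not on the suite.
    """
    if suite in TLS13_SUITES:
        return "negotiated"
    if not suite.startswith("TLS_") or "_WITH_" not in suite:
        raise ValueError(f"not a recognised TLS cipher suite name: {suite!r}")
    kx = suite[len("TLS_"):].split("_WITH_", 1)[0]   # e.g. 'ECDHE_RSA', 'RSA', 'DH_anon'
    tokens = kx.split("_")
    if "anon" in tokens:
        # DH_anon / ECDH_anon: ephemeral keys but no server authentication, so a
        # recorded session survives later key compromise yet the handshake is open
        # to an active man-in-the-middle.
        return "unauthenticated"
    if tokens[0] in EPHEMERAL:
        return "ephemeral"
    if tokens[0] in STATIC:
        return "static"
    raise ValueError(f"unknown key exchange {kx!r} in {suite!r}")


def lacking_forward_secrecy(suites: List[str]) -> List[str]:
    """Suites from a configured list whose key exchange cannot guarantee forward secrecy."""
    return [s for s in suites if forward_secrecy(s) in ("static", "unauthenticated")]


# Constructed sample of a server's configured suites (not taken from the draft).
SAMPLE_CONFIG = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for s in SAMPLE_CONFIG:
        print(f"{s:45} {forward_secrecy(s)}")
    print("not forward secret:", lacking_forward_secrecy(SAMPLE_CONFIG))
```

The point the classifier makes visible is the one the review raises: for a TLS 1.2 suite list the audit is a string check on the key-exchange prefix, whereas for TLS 1.3 the same check has to move to the handshake (the presence of a key_share, or the resumption mode), because the suite no longer carries that information.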