Re: [Dime] rfc3588bis version number

To: Mark Jones <Mark.Jones at bridgewatersystems.com>
Subject: Re: [Dime] rfc3588bis version number
From: Stefan Winter <stefan.winter at restena.lu>
Date: Tue, 07 Apr 2009 09:18:46 +0200
Cc: "dime at ietf.org" <dime at ietf.org>
Delivered-to: dime at core3.amsl.com
In-reply-to: <D6824C8074596B4E9CA38F6A62454F5C0A40013CEC at exchange02.bridgewatersys.com>
List-archive: <http://www.ietf.org/mail-archive/web/dime>
List-help: <mailto:dime-request@ietf.org?subject=help>
List-id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-post: <mailto:dime@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
References: <49D393C2.8060200 at tari.toshiba.com><7DBAFEC6A76F3E42817DF1EBE64CB0260656E7F5 at ftrdmel2> <49D40EBE.2010208 at nict.go.jp> <7DBAFEC6A76F3E42817DF1EBE64CB0260656E97E at ftrdmel2> <49D57490.2000606 at nict.go.jp> <49D5A94F.3030309 at restena.lu> <D6824C8074596B4E9CA38F6A62454F5C0A40013CEC at exchange02.bridgewatersys.com>
User-agent: Thunderbird 2.0.0.19 (X11/20081227)

Hi,

> The original plan for 3588bis was sound and is still required. IMO the decision to address TLS negotiation in bis knowing that the fix was not backwards compatible was our error. I vote we deprecate this feature in 3588bis, move the proposed solution to a new draft (Diameter v2 if required) and get 3588bis out the door.
>

Deprecating what? Use of TLS altogether? IIRC, the use of IPSec is not
mandatory to implement any more in bis:

2.2. Securing Diameter Messages

Connections between Diameter peers SHOULD be protected by TLS. All
Diameter base protocol implementations MUST support the use of TLS.
If desired, alternative security mechanisms that are independent of
Diameter, such as IPsec [RFC4301 <http://tools.ietf.org/html/rfc4301>], can be deployed to secure
connections between peers. The Diameter protocol MUST NOT be used
without any security mechanism.

So, with TLS being deprecated and IPsec being optional, one can not be
sure to have *any* interoperable security profile. A suggestion to
deprecate TLS would have to make IPSec mandatory again.

NB: There's a superfluous condition in 2.1, the wording could be cleared:

When connecting to a peer and either zero or more transports are
specified, TCP SHOULD be tried first, followed by SCTP. See Section
5.2 for more information on peer discovery.

"either zero or more transports are specified" : this condition always
evaluates to TRUE. You cannot by definition define a negative amount of
transports. The sentence can be shortened to:

When connecting to a peer, TCP SHOULD be tried first, followed by SCTP. See Section
5.2 for more information on peer discovery.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

References:
- [Dime] rfc3588bis version number
  - From: Victor Fajardo
- Re: [Dime] rfc3588bis version number
  - From: lionel.morand
- Re: [Dime] rfc3588bis version number
  - From: Sebastien Decugis
- Re: [Dime] rfc3588bis version number
  - From: lionel.morand
- Re: [Dime] rfc3588bis version number
  - From: Sebastien Decugis
- Re: [Dime] rfc3588bis version number
  - From: Stefan Winter
- Re: [Dime] rfc3588bis version number
  - From: Mark Jones

Prev by Date: Re: [Dime] rfc3588bis version number
Next by Date: [Dime] Meeting Minutes - DIME IETF#74
Previous by thread: Re: [Dime] rfc3588bis version number
Next by thread: Re: [Dime] rfc3588bis version number
Index(es):
- Date
- Thread

Re: [Dime] rfc3588bis version number

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.