[secdir] Secdir review of draft-ietf-mipshop-mos-dns-discovery-06
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 23 June 2009 17:52 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B3F4428C3D5; Tue, 23 Jun 2009 10:52:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.293
X-Spam-Level:
X-Spam-Status: No, score=-0.293 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_COM=0.553, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pJZ95KEOY6OR; Tue, 23 Jun 2009 10:52:48 -0700 (PDT)
Received: from mail.newbay.com (87-198-172-198.ptr.magnet.ie [87.198.172.198]) by core3.amsl.com (Postfix) with ESMTP id B443028C306; Tue, 23 Jun 2009 10:52:41 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by mail.newbay.com (Postfix) with ESMTP id B18F81003F504; Tue, 23 Jun 2009 18:52:56 +0100 (IST)
X-Virus-Scanned: amavisd-new at newbay.com
Received: from mail.newbay.com ([127.0.0.1]) by localhost (mail.newbay.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fWsYdNHXGaNm; Tue, 23 Jun 2009 18:52:56 +0100 (IST)
Received: from [192.168.3.171] (unknown [192.168.3.171]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.newbay.com (Postfix) with ESMTP id 5AEA91003F51A; Tue, 23 Jun 2009 18:52:54 +0100 (IST)
Message-ID: <4A411679.4020009@cs.tcd.ie>
Date: Tue, 23 Jun 2009 18:52:57 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Thunderbird 2.0.0.21 (X11/20090302)
MIME-Version: 1.0
To: sec-ads@ietf.org, secdir@ietf.org, draft-ietf-mipshop-mos-dns-discovery@tools.ietf.org, mipshop-chairs@tools.ietf.org, IESG <iesg@ietf.org>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: [secdir] Secdir review of draft-ietf-mipshop-mos-dns-discovery-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jun 2009 17:52:48 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The document defines a way to find IEEE 802.21 servers using NAPTR resource records. Since I'm not familiar with IEEE 802.21 I've no idea how security sensitive one ought be about getting told which server to use. Perhaps there's a general 802.21 security considerations reference that should be pointed to from the security considerations here? I guess the concern would be if this way of finding servers introduced some new way to e.g. eavesdrop on calls/sessions but since I don't know 802.21 I can't tell if that's the case or not (as it happens I suspect there'd be easier ways to cheat if that were the case). Other than that, the security considerations seem fine. This is of course yet another spec that needs DNSSEC to get data origin authentication. Hopefully that'll be possible soon. A couple of non-security things that I noticed: - There's a MUST about what the MN does when in its home domain but I'm not sure how a MN would know that. Perhaps that's covered in some other mipshop document? - I didn't see where allowed values for the NAPTR flags field were defined but the examples show "s" - are other values allowed? Does "s" mean the replacement indicates an SRV lookup? - Are the order and pref values in the example NAPTR records correct? - The document discourages the use of the regexp field but if there's no need for it, why not say that the regexp MUST be empty? Stephen.
- [secdir] Secdir review of draft-ietf-mipshop-mos-… Stephen Farrell