Re: [secdir] [drinks] Secdir review of draft-ietf-drinks-spp-framework

"Bhatia, Vikas" <vbhatia@tnsi.com> Thu, 23 August 2012 16:36 UTC

From: "Bhatia, Vikas" <vbhatia@tnsi.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>, "drinks@ietf.org" <drinks@ietf.org>
Date: Thu, 23 Aug 2012 12:36:21 -0400
Cc: secdir <secdir@ietf.org>
Subject: Re: [secdir] [drinks] Secdir review of draft-ietf-drinks-spp-framework

Hello Paul,

Thanks for the review.

Below is a response to your comments:

==Your Comment==
SPPF is a protocol for provisioning session establishment data into data registries and SIP service providers. Well, actually it's not. It is a description of the data format and some handwaving about how to transport that data. The mandatory-to-implement transport is listed in a different document, draft-ietf-drinks-spp-protocol-over-soap (for which there is no reference in this document...).
================

Response ->

Agree with your point, but the line "SPPF is a protocol..." is not present in the current version of the framework draft (http://tools.ietf.org/html/draft-ietf-drinks-spp-framework-02) (assuming this line was taken from the document that was reviewed). Below is an excerpt from the "Abstract" that the framework document currently has to describe SPPF:

   This document specifies the data model and the overall structure for
   a framework to provision session establishment data into Session Data
   Registries and SIP Service Provider data stores.  The framework is
   called the Session Peering Provisioning Framework (SPPF).

Let us know if you have a further comment on the above text.

We will add a reference to the spp-protocol-over-soap document to the "Normative References" section in the framework document.

==Your Comment==
The transport protocol requirements listed in section 4 of this document are fairly generic, as are the security requirements. The descriptions of the transport requirements are fine. The security requirements are not so great: while servers MUST be able to authenticate clients, confidentiality and integrity protection SHOULD be provided. Given that the mandatory-to-implement transport is SOAP, this approximately translates to "must do some sort of minimal client authentication, should consider using TLS but lots of clients and servers probably won't actually do it". I think that undershoots modern security practices, which would have TLS be mandatory.
================

Response ->

Your point is valid. TLS is a MUST as mentioned in section 11.1 of the SOAP document (http://tools.ietf.org/html/draft-ietf-drinks-spp-protocol-over-soap-02). It seems to be an oversight to not have this requirement as a MUST in the framework. We shall replace existing text in the "Confidentiality and Integrity" section of the framework document as below:

"Any conforming transport protocol specification MUST provide means to protect the confidentiality and integrity of any data transmitted between SPPF client and server."

For easy reference, below is the existing text (which shall be replaced with the above one liner):

"4.6. Confidentiality and Integrity


   In some deployments, the SPPF objects that an SPPF registry manages
   can be private in nature.  As a result it MAY NOT be appropriate to
   for transmission in plain text over a connection to the SPPF
   registry.  Therefore, the transport protocol SHOULD provide means for
   end-to-end encryption between the SPPF client and server.

   For some SPPF implementations, it may be acceptable for the data to
   be transmitted in plain text, but the failure to detect a change in
   data after it leaves the SPPF client and before it is received at the
   server, either by accident or with a malicious intent, will adversely
   affect the stability and integrity of the registry.  Therefore, the
   transport protocol SHOULD provide means for data integrity
   protection."

Thanks,
Vikas

-----Original Message-----
From: drinks-bounces@ietf.org [mailto:drinks-bounces@ietf.org] On Behalf Of Paul Hoffman
Sent: Saturday, August 18, 2012 9:19 PM
To: drinks@ietf.org
Cc: secdir
Subject: [drinks] Secdir review of draft-ietf-drinks-spp-framework

Greetings. I have been requested to review draft-ietf-drinks-spp-framework for the Security Directorate. This review is being done during WG Last Call instead of IETF Last Call as a special request. I note that literally no one has spoken up in the WG during WG Last Call since it began three weeks ago.

SPPF is a protocol for provisioning session establishment data into data registries and SIP service providers. Well, actually it's not. It is a description of the data format and some handwaving about how to transport that data. The mandatory-to-implement transport is listed in a different document, draft-ietf-drinks-spp-protocol-over-soap (for which there is no reference in this document...).

The transport protocol requirements listed in section 4 of this document are fairly generic, as are the security requirements. The descriptions of the transport requirements are fine. The security requirements are not so great: while servers MUST be able to authenticate clients, confidentiality and integrity protection SHOULD be provided. Given that the mandatory-to-implement transport is SOAP, this approximately translates to "must do some sort of minimal client authentication, should consider using TLS but lots of clients and servers probably won't actually do it". I think that undershoots modern security practices, which would have TLS be mandatory.

Even though this is a security review, I cannot resist a non-security question: SOAP? In 2012? Really? <sigh>

--Paul Hoffman
