Re: [secdir] secdir review of draft-ietf-v6ops-mobile-device-profile-04
<mohamed.boucadair@orange.com> Tue, 03 September 2013 05:52 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4404111E817F; Mon, 2 Sep 2013 22:52:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.235
X-Spam-Level:
X-Spam-Status: No, score=-2.235 tagged_above=-999 required=5 tests=[AWL=0.013, BAYES_00=-2.599, HELO_EQ_FR=0.35, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LHlzYT2uKFHd; Mon, 2 Sep 2013 22:52:25 -0700 (PDT)
Received: from relais-inet.francetelecom.com (relais-ias92.francetelecom.com [193.251.215.92]) by ietfa.amsl.com (Postfix) with ESMTP id A787B11E817B; Mon, 2 Sep 2013 22:52:21 -0700 (PDT)
Received: from omfedm05.si.francetelecom.fr (unknown [xx.xx.xx.1]) by omfedm14.si.francetelecom.fr (ESMTP service) with ESMTP id 0DA5822C6E8; Tue, 3 Sep 2013 07:52:18 +0200 (CEST)
Received: from PUEXCH51.nanterre.francetelecom.fr (unknown [10.101.44.31]) by omfedm05.si.francetelecom.fr (ESMTP service) with ESMTP id E1EAC35C048; Tue, 3 Sep 2013 07:52:17 +0200 (CEST)
Received: from PUEXCB1B.nanterre.francetelecom.fr ([10.101.44.12]) by PUEXCH51.nanterre.francetelecom.fr ([10.101.44.31]) with mapi; Tue, 3 Sep 2013 07:52:17 +0200
From: mohamed.boucadair@orange.com
To: Simon Josefsson <simon@josefsson.org>
Date: Tue, 03 Sep 2013 07:52:16 +0200
Thread-Topic: secdir review of draft-ietf-v6ops-mobile-device-profile-04
Thread-Index: Ac6n6R9plQc+60qVQA6IOYRwo45VGwAgE3Gw
Message-ID: <94C682931C08B048B7A8645303FDC9F36EF033600D@PUEXCB1B.nanterre.francetelecom.fr>
References: <20130831232125.19f0ceb6@latte.josefsson.org> <94C682931C08B048B7A8645303FDC9F36EF0335DAE@PUEXCB1B.nanterre.francetelecom.fr> <20130902163118.0a0e1cb2@latte.josefsson.org>
In-Reply-To: <20130902163118.0a0e1cb2@latte.josefsson.org>
Accept-Language: fr-FR
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: fr-FR
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-PMX-Version: 5.6.1.2065439, Antispam-Engine: 2.7.2.376379, Antispam-Data: 2013.8.27.90030
Cc: "draft-ietf-v6ops-mobile-device-profile.all@tools.ietf.org" <draft-ietf-v6ops-mobile-device-profile.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-v6ops-mobile-device-profile-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Sep 2013 05:52:29 -0000
Hi Simon, Ok to move rfc3316bis to the normative references. I implemented all the changes we agreed. FWIW, I will send you a message when the new revision is available online. Many thanks for your review. Much appreciated. Cheers, Med >-----Message d'origine----- >De : Simon Josefsson [mailto:simon@josefsson.org] >Envoyé : lundi 2 septembre 2013 16:31 >À : BOUCADAIR Mohamed IMT/OLN >Cc : secdir@ietf.org; iesg@ietf.org; draft-ietf-v6ops-mobile-device- >profile.all@tools.ietf.org >Objet : Re: secdir review of draft-ietf-v6ops-mobile-device-profile-04 > >You wrote: > >> >A notable point is that there is no discussion or references to IPSec >> >> [Med] IPsec is not explicitly mentioned in this document as it is >> discussed in these two references cited in the "Security >> Considerations" section: rfc3316bis and rfc6092. Is there any >> particular change you want us make in the "Security Considerations" >> section? Thanks. > >No -- that was a general observation. However both rfc3316bis and >rfc6092 are informative references in your document, so what you say >above combined with... > >> >in the document, nor any of the IPv6 "bugs" (e.g., RFC 5722 and RFC >> >6946). There may be other document that could be referenced that >> >would lead to improved security, but it is hard to list them all. >> >> [Med] We didn't included explicit references to RFC5722 and RFC6980 >> as those are already cited in rfc3316bis. "Security Considerations" >> refers explicitly to rfc3316bis. Is there any particular change you >> want us to make in "Security Considerations" section? Thanks. > >...what you say here makes it sounds as if rfc3316bis should be a >normative reference to me. It seems like reading rfc3316bis is >essential to get a good understanding of this document. > >> >This document seems related to draft-ietf-v6ops-rfc3316bis which >> >describe another IPv6 profile for 3GPP hosts. The utility of having >> >two different IPv6 profiles for 3GPP hosts could be discussed, but it >> >is only a security issue in the marginal sense that complexity often >> >leads to poor security. >> > >> >The security considerations of this document is only pointers to >> >the security considerations of RFC3316bis, RFC6459, and RFC6092 which >> >feels underwhelming to me -- especially since the RFC3316bis security >> >consideration is for the particular profile that RFC3316bis defines. >> >The security considerations of RFC3316bis wouldn't automatically >> >apply to the profile defined by >> >draft-ietf-v6ops-mobile-device-profile since the profiles are >> >different. >> >> [Med] The relationship between the two documents is explained in the >> introduction; in particular: >> >> This document defines a different profile than the one for general >> connection to IPv6 mobile networks defined in >> [I-D.ietf-v6ops-rfc3316bis]; in particular: >> >> o It lists an extended list of required features while >> [I-D.ietf-v6ops-rfc3316bis] identifies issues and explains how >> to implement basic IPv6 features in a cellular context. >> >> o It identifies also features to ensure IPv4 service delivery over >> an IPv6-only transport. >> >> Because of this difference, this document points to the security >> considerations of rfc3316bis security section and to RFC6092 because >> Cellular Devices with LAN capabilities are within the scope of this >> document. > >OK. > >> >Other notes: >> > >> >* The document uses RFC 2119 language "for precision", although I >> >don't >> > understand what it means for an Informational document to contain >> > MUST languages. >> >> [Med] This use is not specific to this document; see for example: >> http://tools.ietf.org/html/rfc6092#section-1.2. A note was added to >> the document to explain this usage. > >OK. > >> >* The document really really should reference RFC 2460. >> >> [Med] Done. > >Thanks. Having a normative reference to 2460 also takes care of my >concern about not referring to RFC 5722 and RFC 6946. > >> [Med] I made this change: >> >> OLD: >> The security considerations identified in >> [I-D.ietf-v6ops-rfc3316bis] and [RFC6459] are to be taken into >> account. >> >> REQ#34: If the cellular device provides LAN features, it SHOULD be >> compliant with the security requirements specified in >> [RFC6092]. >> >> NEW: >> The security considerations identified in >> [I-D.ietf-v6ops-rfc3316bis] and [RFC6459] are to be taken into >> account. >> >> Security-related considerations that apply when the cellular device >> provides LAN features are specified in [RFC6092]. >> >> RFC6092 is already called out in the core part of the document. > >Thanks, this seems clearer to me. > >> >* I found REQ#32 a bit too generalized. I believe it is common for >> > applications to be aware of whether connections are over IPv4 or >> > IPv6 and behave differently. >> > >REQ#32: Applications MUST be independent of the underlying IP >> > > address family. This means applications must be IP version >> > > agnostic. >> > >> >> [Med] I agree this is a too generalized requirements. We have it on >> purpose to encourage applications devs to avoid making assumptions on >> the underlying available connectivity. FWIW, our teams tested devices >> that support IPv6 connectivity... but that embed applications which >> are broken when IPv6 connectivity is enabled (e.g., ip address >> literals). An education effort is still needed to avoid this kind of >> brokenness. > >I understand and completely agree! > >/Simon
- [secdir] secdir review of draft-ietf-v6ops-mobile… Simon Josefsson
- Re: [secdir] secdir review of draft-ietf-v6ops-mo… Fred Baker
- Re: [secdir] secdir review of draft-ietf-v6ops-mo… mohamed.boucadair
- Re: [secdir] secdir review of draft-ietf-v6ops-mo… Simon Josefsson
- Re: [secdir] secdir review of draft-ietf-v6ops-mo… mohamed.boucadair