[lisp] RTG-DIR REVIEW: draft-ietf-lisp-crypto-06.txt
Danny McPherson <danny@tcb.net> Wed, 24 August 2016 21:06 UTC
Return-Path: <danny@tcb.net>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24BB712D66B; Wed, 24 Aug 2016 14:06:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.448
X-Spam-Level:
X-Spam-Status: No, score=-102.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G0ABSQd0Yj9O; Wed, 24 Aug 2016 14:06:54 -0700 (PDT)
Received: from mail.tcb.net (mail.tcb.net [64.78.239.75]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18EB612D124; Wed, 24 Aug 2016 14:06:53 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.tcb.net (Postfix) with ESMTP id 7489FB4; Wed, 24 Aug 2016 15:06:52 -0600 (MDT)
X-Virus-Scanned: Debian amavisd-new at mailnew.seatmates.net
Received: from mail.tcb.net ([127.0.0.1]) by localhost (mail.chasingbugles.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9Gsll8NEmclQ; Wed, 24 Aug 2016 15:06:50 -0600 (MDT)
Received: from mail.tcb.net (localhost [127.0.0.1]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.tcb.net (Postfix) with ESMTPSA id 8BEFDA1; Wed, 24 Aug 2016 15:06:50 -0600 (MDT)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_70df0451b26e0c235c7c2cca8ba7f0fa"
Date: Wed, 24 Aug 2016 17:06:50 -0400
From: Danny McPherson <danny@tcb.net>
To: rtg-ads@ietf.org, lisp@ietf.org, farinacci@gmail.com, bew@cisco.com
In-Reply-To: <BY2PR0201MB1910FCA59BA7C67C18DFA47E84370@BY2PR0201MB1910.namprd02.prod.outlook.com>
References: <BY2PR0201MB1910FCA59BA7C67C18DFA47E84370@BY2PR0201MB1910.namprd02.prod.outlook.com>
Message-ID: <9a0ab6afeff3fc8b86cc320a757ccbf8@tcb.net>
X-Sender: danny@tcb.net
User-Agent: Roundcube Webmail/0.9.5
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/9YkhMnvvP-DT4xAdXyB635upXFw>
Cc: Jonathan Hardwick <Jonathan.Hardwick@metaswitch.com>, zhang.xian@huawei.com, jon.hudson@gmail.com
Subject: [lisp] RTG-DIR REVIEW: draft-ietf-lisp-crypto-06.txt
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Aug 2016 21:06:56 -0000
RTG-DIR REVIEW: draft-ietf-lisp-crypto-06.txt Hello, I have been selected as the Routing Directorate reviewer for this draft. The Routing Directorate seeks to review all routing or routing-related drafts as they pass through IETF last call and IESG review, and sometimes on special request. The purpose of the review is to provide assistance to the Routing ADs. For more information about the Routing Directorate, please see http://trac.tools.ietf.org/area/rtg/trac/wiki/RtgDir Although these comments are primarily for the use of the Routing ADs, it would be helpful if you could consider them along with any other IETF Last Call comments that you receive, and strive to resolve them through discussion or by updating the draft. Document: draft-ietf-lisp-crypto-06.txt Reviewer: Danny McPherson Review Date: August 24, 2016 Intended Status: Experimental Summary: I have some minor concerns about this document that should be considered before publication. Comments: I believe the draft is technically sound. Major Issues: I have no "Major" issues with this I-D. Minor Issues: In the Security Considerations section a small amount of text might be useful that discusses end-end v. encryption from middle boxes, and the risks therein. There are clearly benefits to this over no encryption, but there are risks about assumptions that may be made thereafter as well. Nits: S.1: s/typically not modified. Which means/typically not modified, which means/ S.1: Is there in fact a case where asymmetries result in the *same* egress xTRs but different keys are used? I believe this would just apply to "different xTRs", no? : However, return traffic uses the same procedures but with different key values by the same xTRs or potentially different xTRs when the paths between LISP sites are asymmetric. S.1: Regarding "[t]his document has the following requirements for the solutions space", it might be useful to reference some general IETF privacy work, even RFC 6973 or the like. Given that it's Experimental I think it's fine as is, but some references for the broader community may be in order. In particular, references to not requiring a separate PKI (and therefore external or circular dependencies!), avoiding third party trust anchor, rekeying as good operational practice, not just compromises, and other such arguments might be reinforced. S.3: Could include LCAF here, perhaps. S.4: You could probably strike this entire sentence and lessen confusion: "When an ETR (when it is also an ITR) encapsulates packets to this ITR (when it is also an ETR), a separate key exchange and shared-secret computation is performed." S.7: It's unclear what constitutes "Diffie-Hellman *group*". S.7: s/the the/the/ S.7: s/integrity-check/integrity check/ S.8: Editors note to strike text in last paragraph here, unclear what resolution was from this text. S.12.1: A reference to the SAAG comments might be useful here? S 13: Are you sure you want a default FCFS allocation policy here and not a slightly higher bar? Throughout: Consistent hyphenation in the document would help (e.g., "network-byte" ..). Throughout: Expanding on first use of each acronym would be useful, perhaps with references.
- [lisp] RTG-DIR REVIEW: draft-ietf-lisp-crypto-06.… Danny McPherson
- Re: [lisp] RTG-DIR REVIEW: draft-ietf-lisp-crypto… Dino Farinacci
- Re: [lisp] RTG-DIR REVIEW: draft-ietf-lisp-crypto… Dino Farinacci
- Re: [lisp] RTG-DIR REVIEW: draft-ietf-lisp-crypto… Danny McPherson
- Re: [lisp] RTG-DIR REVIEW: draft-ietf-lisp-crypto… Dino Farinacci