[secdir] secdir review of draft-ietf-pcp-proxy-08
Samuel Weiler <weiler@watson.org> Mon, 06 July 2015 00:53 UTC
Return-Path: <weiler@watson.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 480911B29D3; Sun, 5 Jul 2015 17:53:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.79
X-Spam-Level:
X-Spam-Status: No, score=0.79 tagged_above=-999 required=5 tests=[BAYES_50=0.8, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lpyYAjghfpFL; Sun, 5 Jul 2015 17:53:44 -0700 (PDT)
Received: from cyrus.watson.org (cyrus.watson.org [198.74.231.69]) by ietfa.amsl.com (Postfix) with ESMTP id 2C4F91B29D5; Sun, 5 Jul 2015 17:53:41 -0700 (PDT)
Received: from fledge.watson.org (fledge.watson.org [198.74.231.63]) by cyrus.watson.org (Postfix) with ESMTPS id A2BE846BB5; Sun, 5 Jul 2015 20:53:40 -0400 (EDT)
Received: from fledge.watson.org (weiler@localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.9/8.14.9) with ESMTP id t660reQN083464; Sun, 5 Jul 2015 20:53:40 -0400 (EDT) (envelope-from weiler@watson.org)
Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.9/8.14.9/Submit) with ESMTP id t660reKm083461; Sun, 5 Jul 2015 20:53:40 -0400 (EDT) (envelope-from weiler@watson.org)
X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs
Date: Sun, 05 Jul 2015 20:53:40 -0400
From: Samuel Weiler <weiler@watson.org>
To: secdir@ietf.org, iesg@ietf.org, draft-ietf-pcp-proxy@tools.ietf.org
Message-ID: <alpine.BSF.2.11.1507050720440.50023@fledge.watson.org>
User-Agent: Alpine 2.11 (BSF 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format="flowed"; charset="US-ASCII"
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3 (fledge.watson.org [127.0.0.1]); Sun, 05 Jul 2015 20:53:40 -0400 (EDT)
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/UaMWsqy-r_Wb0y7i7uOUsIOX8lA>
Subject: [secdir] secdir review of draft-ietf-pcp-proxy-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2015 00:53:45 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. Summary: document is ready for publication (with mild reservation). My thanks to the document editors for producing a readable document. Mild reservation: when I look at the use cases for PCP Proxy in this document (e.g. a consumer router doing NAT, connected to hotel NAT, connected to carrier NAT), it's hard to imagine that operational environment often fitting within the description of PCP's "simple threat model" (RFC6887, section 18.1). And once you reject the simplifying assumptions in that "simple threat model", RFC6877 says PCP needs a security mechanism (section 18.2 of RFC6877). Maybe this document should explicity reinforce that need, perhaps citing and blocking on draft-ietf-pcp-authentication?
- [secdir] secdir review of draft-ietf-pcp-proxy-08 Samuel Weiler
- Re: [secdir] secdir review of draft-ietf-pcp-prox… mohamed.boucadair