Re: [Last-Call] Secdir last call review of draft-ietf-ippm-encrypted-pdmv2-05

Hi Chris,

Thank you very much for your valuable comments, I agree with them.
We'll incorporate them asap, with only one minor change - RFC 9250 is "DNS over Dedicated QUIC Connections", so I guess you meant 8250 :)

Cheers,

T.


On 15 Jan 2024, at 16:11, Chris Lonvick via Datatracker <noreply@xxxxxxxx> wrote:

Reviewer: Chris Lonvick
Review result: Ready

Hi,

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any other last call
comments.

The summary of the review is Ready.

The document explains the use of a lightweight handshake and encryption
protocol for the PDM destination option. I found it to be readable and to
explain how to use the protocol.

I found a few nits that the authors may wish to review.

Second paragraph in Section 1
Current: a timing attack MAY be launched against
Proposed: a timing attack may be launched against
(This isn't a directive in the protocol so doesn't fall under BCP 14.)

Second paragraph of Section 5.4
Current:
  Our choice is to use the HPKE framework that incorporates key
  encapsulation mechanism (KEM), key derivation function (KDF) and
  authenticated encryption with associated data (AEAD).  These multiple
  schemes are more robust and significantly efficient than the
  traditional schemes and thus lead to our choice of this framework.
  We recommend default encryption algorithm for HPKE AEAD as AES-
  128-GCM, however this is an implementation choice and can be
  negotiated between the communicating parties.
Proposed:
  It is RECOMMENDED to use the HPKE framework that incorporates key
  encapsulation mechanism (KEM), key derivation function (KDF) and
  authenticated encryption with associated data (AEAD).  These multiple
  schemes are more robust and significantly more efficient than other
  schemes. While the schemes may be negotiated between communicating
  parties, it is RECOMMENDED to use default encryption algorithm for
  HPKE AEAD as AES-128-GCM.

Somewhere in Section 6.3
Current:
     This field is also used in the Encrypted PDMv2 as the encryption
     nonce.
Proposed:
     This field is also used in the Encrypted PDMv2 as the encryption
     nonce. The nonce MUST NOT be reused in different sessions.

New paragraph in the Security Considerations section
Proposed:
Security considerations about HPKE are addressed in RFC 9180. Security
considerations about PDM are addressed in RFC 9250. Security considerations
about destination objects are addressed in RFC 8200.



--------------------------------------------------------------

``... anyone can do any amount of work, provided it isn't the
  work he is supposed to be doing at that moment.''
-- Robert Benchley, in Chips off the Old Benchley, 1949

--------------------------------------------------------------

Tommaso Pecorella - Ph.D.

Associate professor
Dpt. Ingegneria dell'Informazione
Università di Firenze

CNIT - Università di Firenze Unit

via di S. Marta 3
50139, Firenze
ITALY

email: tommaso.pecorella@xxxxxxxx
       tommaso.pecorella@xxxxxxx

phone : +39-055-2758540
mobile: +39-320-4379803
fax   : +39-055-2758570
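The review above asks the draft to state that the encryption nonce MUST NOT be reused across sessions, with AES-128-GCM named as the recommended default AEAD. The following is an added example, not part of the review, the draft, or any Encrypted PDMv2 implementation, showing why that requirement matters for AES-GCM specifically: the mode is AES in counter mode, so two messages sealed under the same key and nonce share a keystream, and an attacker who knows one plaintext (a fixed header, say) recovers the other without the key. The key, nonce and plaintext records are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo values. A fixed key and a fixed nonce are exactly the
// mistake being demonstrated: a real sender must never seal two messages
// under the same (key, nonce) pair.
var (
	demoKey          = []byte("0123456789abcdef") // 16 bytes -> AES-128
	demoNonce        = []byte("fixed-nonce!")     // 12 bytes, GCM's standard nonce size
	samplePlaintext1 = []byte("sample record 1: delta=00000001") // constructed
	samplePlaintext2 = []byte("sample record 2: delta=7fffffff") // constructed
)

// sealGCM encrypts pt under AES-128-GCM with the given key and nonce and
// returns ciphertext || 16-byte tag, as cipher.AEAD.Seal produces it.
func sealGCM(key, nonce, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, pt, nil), nil
}

// xorBytes returns a ^ b over the shorter of the two slices.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// recoverUnderNonceReuse is the attacker's side. GCM's confidentiality is
// AES-CTR, so two messages sealed under one (key, nonce) share a keystream
// and c1 ^ c2 == p1 ^ p2. Knowing p1 therefore yields p2 with no key at all.
// Only the ciphertext bytes are used; the trailing 16-byte tags are dropped.
func recoverUnderNonceReuse(c1, c2, knownP1 []byte) []byte {
	const tagLen = 16
	ct1 := c1[:len(c1)-tagLen]
	ct2 := c2[:len(c2)-tagLen]
	keystream := xorBytes(ct1, knownP1) // c1 ^ p1 = keystream prefix
	return xorBytes(keystream, ct2)     // keystream ^ c2 = p2 prefix
}

// attackSecondMessage seals samplePlaintext1 under demoNonce and
// samplePlaintext2 under nonce2, then runs the attacker's recovery.
// With nonce2 == demoNonce the second plaintext is recovered exactly;
// with a distinct nonce2 the keystreams differ and the result is garbage.
func attackSecondMessage(nonce2 []byte) ([]byte, error) {
	c1, err := sealGCM(demoKey, demoNonce, samplePlaintext1)
	if err != nil {
		return nil, err
	}
	c2, err := sealGCM(demoKey, nonce2, samplePlaintext2)
	if err != nil {
		return nil, err
	}
	return recoverUnderNonceReuse(c1, c2, samplePlaintext1), nil
}

func main() {
	reused, err := attackSecondMessage(demoNonce)
	if err != nil {
		panic(err)
	}
	fmt.Printf("nonce reused:  recovered %q (match=%v)\n", reused, bytes.Equal(reused, samplePlaintext2))

	fresh, err := attackSecondMessage([]byte("other-nonce!"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("fresh nonce:   recovered %q (match=%v)\n", fresh, bytes.Equal(fresh, samplePlaintext2))
}
```

The example only shows the confidentiality loss. Nonce reuse under GCM also exposes the authentication subkey (the "forbidden attack"), so forged tags become possible as well; a per-session unique nonce, as the review proposes, is what prevents both.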