RE: secdir review of draft-ietf-csi-dhcpv6-cga-ps-04.txt

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



 Hi, Stephen,

Sorry for the late reply. We was in Chinese National Holiday. Please see my reply below.

Best regards,

Sheng 

> -----Original Message-----
> From: Stephen Hanna [mailto:shanna@xxxxxxxxxxx] 
> Sent: Saturday, October 02, 2010 10:56 AM
> To: ietf@xxxxxxxx; iesg@xxxxxxxx; secdir@xxxxxxxx; 
> draft-ietf-csi-dhcpv6-cga-ps@xxxxxxxxxxxxxx
> Subject: secdir review of draft-ietf-csi-dhcpv6-cga-ps-04.txt
> 
> I have reviewed this document as part of the security 
> directorate's ongoing effort to review all IETF documents 
> being processed by the IESG. These comments were written 
> primarily for the benefit of the security area directors. 
> Document editors and WG chairs should treat these comments 
> just like any other last call comments.
> 
> This document discusses several ways that DHCPv6 can be used 
> with Cryptographically Generated Addresses (CGA), pointing 
> out benefits and concerns. While the document does discuss 
> security issues in several places, it often lapses into vague 
> terminology like "one should carefully consider the impact on 
> security". Given that the primary benefit of using CGAs is to 
> improve security by providing address validation without 
> complex key distribution, carefully analyzing security issues 
> seems necessary for this document.
> 
> On the other hand, the Document Shepherd Write-up for this 
> document says "The WG was not very energetic on this 
> document. The document describes possible applications of 
> CGAs and DHCP interaction and when the WG was asked whether 
> there was enough interest to work on solutions, the reply was 
> silence. As such, the consensus is based on most of the WG 
> being indifferent." So maybe this document is only intended 
> as a sketch of possible issues that can be explored later in 
> a more in-depth document if someone is interested in doing 
> so. If that's the case, maybe it's OK to not fully analyze 
> all the security implications. However, in that case, I think 
> the Security Considerations section should state clearly that 
> this document does not contain a complete security analysis 
> and any further work in this area should include such an 
> analysis. Nobody should implement the techniques described in 
> this document without conducting that more thorough analysis.

I guess that's the case. I am fine to add the statement you suggested into the security
considerations.
 
> I noticed a few typos. On page 6, the word "certificated" 
> should be "certified". Three sentences later, "depend on 
> policies" should be "depending on policies". And the draft 
> names in the Change Log say "dhacpv6" instead of "dhcpv6".

Thanks. We will fix it with other comments in the future version.

Regards,

Sheng
 
> Thanks,
> 
> Steve
> 

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]