Thanks for your response, Ken.
Removing the last sentence that you quoted would make things worse.
Readers of this draft should definitely familiarize themselves with
the security considerations related to priority. We should make that
easier, not harder. The fact that those considerations also apply to
other RFCs does not remove the fact that they apply to this one also.
You cannot publish a document whose security considerations section
says (as this one effectively does today), "There are lots of security
considerations related to this document. To understand them, please
dig through all the referenced documents and figure it out yourself."
Doing that digging and analysis is the job of the document editors.
In order to ease the burden on you, I think a reasonable compromise
would be for YOU to review the documents referenced and decide which
have the most relevant security considerations. Then you could list
those explicitly in the last paragraph of the Security Considerations.
Thanks,
steve
-----Original Message-----
From: carlberg(_at_)g11(_dot_)org(_dot_)uk
[mailto:carlberg(_at_)g11(_dot_)org(_dot_)uk]
Sent: Tuesday, July 26, 2011 6:42 AM
To: Stephen Hanna
Cc: ietf(_at_)ietf(_dot_)org; secdir(_at_)ietf(_dot_)org;
draft-ietf-dime-priority-
avps(_dot_)all(_at_)tools(_dot_)ietf(_dot_)org;
lionel(_dot_)morand(_at_)orange-ftgroup(_dot_)com
Subject: re: secdir review of draft-ietf-dime-priority-avps-04
Hi Steve,
Thanks for the review.
<snip>
This standards track document defines Diameter AVPs that can be
used to convey a variety of priority parameters. While the Security
Considerations section of this document properly requires that
implementers review the Security Considerations section in the
Diameter protocol specification and consider the issues described
there, it does not include any analysis of the specific security
issues related to priority systems. The authors should review other
Security Considerations sections relating to priority systems
(e.g. the one in RFC 4412) and add text that describes the
special security issues that arise with priority systems and
the countermeasures that may be employed.
You raise an interesting issue and we actually had a discussion about
this on the DIME list
<http://www.ietf.org/mail-archive/web/dime/current/msg04773.html>
And just for the sake of completeness, here is the security
considerations text of the dime-priority-avps draft in question:
This document describes the extension of Diameter for conveying
Quality
of Service information. The security considerations of the
Diameter
protocol itself have been discussed in [I-D.ietf-dime-rfc3588bis].
Use
of the AVPs defined in this document MUST take into consideration
the
security issues and requirements of the Diameter base protocol.
The authors also recommend that readers should familiarize
themselves
with the security considerations of the various protocols listed in
the Normative References listed below.
In a nutshell, the authors and the chair disagreed with the need for
extending the security considerations to include an analysis with
other protocols (eg, rfc-4412) because these protocols operate outside
of the DIAMETER protocol. The dime-priority-avps draft is an
extension of I-D.ietf-dime-rfc3588bis, and thus is subject to the same
security considerations to the bis draft. And its also important to
keep in mind that the dime-priority-avps draft does not inject
prioritization into the exchange of DIAMETER messages. It simply
defines AVPs that correlate to some priority fields of other protocols.
If it was the last sentence (above) in the dime-priority-avps security
considerations that has triggered your comment about further analysis,
then I'd prefer just removing that text.
cheers,
-ken
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf