Security at the Attribute-Value Pair (AVP) Level for Non-neighboring Diameter Nodes: Scenarios and Requirements
draft-ietf-dime-e2e-sec-req-05
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2016-09-19
|
05 | (System) | RFC Editor state changed to AUTH48-DONE from AUTH48 |
2016-08-24
|
05 | (System) | RFC Editor state changed to AUTH48 from RFC-EDITOR |
2016-07-27
|
05 | (System) | RFC Editor state changed to RFC-EDITOR from EDIT |
2016-07-22
|
05 | (System) | IANA Action state changed to No IC from In Progress |
2016-07-22
|
05 | (System) | RFC Editor state changed to EDIT |
2016-07-22
|
05 | (System) | IESG state changed to RFC Ed Queue from Approved-announcement sent |
2016-07-22
|
05 | (System) | Announcement was received by RFC Editor |
2016-07-22
|
05 | (System) | IANA Action state changed to In Progress |
2016-07-22
|
05 | Cindy Morgan | IESG state changed to Approved-announcement sent from Approved-announcement to be sent |
2016-07-22
|
05 | Cindy Morgan | IESG has approved the document |
2016-07-22
|
05 | Cindy Morgan | Closed "Approve" ballot |
2016-07-22
|
05 | Cindy Morgan | Ballot writeup was changed |
2016-07-22
|
05 | Cindy Morgan | Ballot approval text was generated |
2016-07-22
|
05 | Cindy Morgan | Summary The document shepherd is Lionel Morand. The responsible Area Director is Stephen Farrell. If Diameter provides a hop-by-hop security (using TLS, DTLS or IPSec) … Summary The document shepherd is Lionel Morand. The responsible Area Director is Stephen Farrell. If Diameter provides a hop-by-hop security (using TLS, DTLS or IPSec) between peers, the Diameter base protocol does not provide a mechanism for end-to-end security. This document describes a set of requirements for providing Diameter security at the level of individual Attribute-Value Pairs. Intended Status: Informational This document will be used to evaluate future candidate solutions. |
2016-07-22
|
05 | Stephen Farrell | Ballot writeup was changed |
2016-07-22
|
05 | Stephen Farrell | This draft is ready to move from this end to the RFC editor's end and there are no RFC editor notes needed. Please ship it! … This draft is ready to move from this end to the RFC editor's end and there are no RFC editor notes needed. Please ship it! Thanks, S. |
2016-07-22
|
05 | Stephen Farrell | IESG state changed to Approved-announcement to be sent from Approved-announcement to be sent::Point Raised - writeup needed |
2016-07-03
|
05 | Stephen Farrell | Tardy AD asked authors/chairs if they'd considered all the IESG ballot comments. Once told "yes" I'll send approval message as all is well otherwise. |
2016-06-08
|
05 | Jouni Korhonen | IANA Review state changed to Version Changed - Review Needed from IANA OK - No Actions Needed |
2016-06-08
|
05 | Jouni Korhonen | New version available: draft-ietf-dime-e2e-sec-req-05.txt |
2016-06-02
|
04 | Cindy Morgan | IESG state changed to Approved-announcement to be sent::Point Raised - writeup needed from IESG Evaluation |
2016-06-02
|
04 | Jari Arkko | [Ballot comment] There was a Gen-ART review with some minor but good questions about clarifications. There was no revision or a response previously, but the … [Ballot comment] There was a Gen-ART review with some minor but good questions about clarifications. There was no revision or a response previously, but the authors have now responded, and I assume edits will be done. Thanks. |
2016-06-02
|
04 | Jari Arkko | [Ballot Position Update] Position for Jari Arkko has been changed to No Objection from Discuss |
2016-06-02
|
04 | Joel Jaeggli | [Ballot Position Update] New position, No Objection, has been recorded for Joel Jaeggli |
2016-06-02
|
04 | Benoît Claise | [Ballot comment] Please engage with Qin, who reviewed this document part of the OPS-DIR directorate. This document discusses requirements for providing end to end security … [Ballot comment] Please engage with Qin, who reviewed this document part of the OPS-DIR directorate. This document discusses requirements for providing end to end security to protect Attribute-Value Pairs between non-neighboring Diameter nodes and I think it is almost ready for publication. But I have a few editorial comments as follows: 1. Section 3, 1st paragraph: AAA broker is usually referred to intermediate node that support AAA functionality, I am not sure one network can be labeled as AAA broker. Change AAA broker into AAA broker network? 2. Section 3, 1st bullet on eavesdropping In 1st bullet, it mentions AAA broker network. It will be nice to give a definition of AAA broker and AAA broker network in the terminology section. 3. Section 3, 2nd bullet on Injection and Manipulation s/and inject/manipulate/to inject or manipulate 4. Section 4, the 2nd ,3rd, 4th scenarios How do you prevent man in middle attack by introducing Diameter proxy? How Diameter Proxy establish trust relationship with either Diameter client or Diameter Server? Is there security requirements for this? 5. Section 4, last paragraph It looks these paragraph discusses security consideration and should be moved to section 6. 6. Section 5, requirement 4 Is there any authorization approval before delegate security functionality to another entity? |
2016-06-02
|
04 | Benoît Claise | [Ballot Position Update] New position, No Objection, has been recorded for Benoit Claise |
2016-06-02
|
04 | Jari Arkko | [Ballot discuss] There was a Gen-ART review with some minor but good questions about clarifications. I believe there should be a revision or a response. |
2016-06-02
|
04 | Jari Arkko | [Ballot Position Update] New position, Discuss, has been recorded for Jari Arkko |
2016-06-02
|
04 | Alexey Melnikov | [Ballot Position Update] New position, Yes, has been recorded for Alexey Melnikov |
2016-06-01
|
04 | Alia Atlas | [Ballot Position Update] New position, No Objection, has been recorded for Alia Atlas |
2016-06-01
|
04 | Alvaro Retana | [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana |
2016-06-01
|
04 | Ben Campbell | [Ballot comment] Substantive: - I am concerned about the de-emphasis of privacy requirements. While there's a mention of confidentiality in Requirement 2, other text suggests … [Ballot comment] Substantive: - I am concerned about the de-emphasis of privacy requirements. While there's a mention of confidentiality in Requirement 2, other text suggests that integrity is more important (implying privacy is less important). There are no privacy considerations. Finally, the {AVP}k convention does not distinguish hinders discussion about how the set of confidentiality-protected AVPs and integrity-protected AVPs might not be the same. [Note: I almost balloted DISCUSS over this point. I did not, because I don't want to force the working group to add requirements it doesn't believe in. But I'd like to see some discussion about this.] - The "middle to *" models may be useful, but they are not end-to-end. Given the focus on those models, I find the title of the draft to border on disinformation. The description in the introduction about protecting AVPs between "non-neighbor" nodes is more accurate. - I find it odd to find 2119 keywords in the "motivation" sections. I suspect that most of those are statements of fact. If some are really requirements, they should be presented as such. - 4: The listed advantages of the middle-middle model (and also middle-to-end and end-to-middle) seem to assume that the number of "middles" is smaller than the number of "ends". While this may be true, especially for clienty ends, it should probably be explicitly stated. -- "firewalling Diameter proxy" needs a definition or reference. - Requirement 1: Does this need discussion on deprecating algorithms when vulnerabilities become known? - Requirement 2: Please elaborate on backwards-compatibiltiy with existing applications. Is this intended to motivate the models with "middles"? - Requirement 7: This (along with some text in the introduction) implies that non-repudiation is a requirement. If so, that should be listed and elaborated as a requirement. Editorial and Nits: - 1, first paragraph: "mechanisms independent of Diameter (e.g., IPsec) is used." s/is/are - Requirement 3: The last sentence seems to ask the reader to draw a conclusion that wall-clock time can be used for anti-replay protection. If that's the intent, please say so explicitly. |
2016-06-01
|
04 | Ben Campbell | [Ballot Position Update] New position, No Objection, has been recorded for Ben Campbell |
2016-05-31
|
04 | Spencer Dawkins | [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins |
2016-05-31
|
04 | Suresh Krishnan | [Ballot Position Update] New position, No Objection, has been recorded for Suresh Krishnan |
2016-05-31
|
04 | Alissa Cooper | [Ballot Position Update] New position, No Objection, has been recorded for Alissa Cooper |
2016-05-31
|
04 | Terry Manderson | [Ballot Position Update] New position, No Objection, has been recorded for Terry Manderson |
2016-05-30
|
04 | Deborah Brungard | [Ballot Position Update] New position, Yes, has been recorded for Deborah Brungard |
2016-05-30
|
04 | Mirja Kühlewind | [Ballot Position Update] New position, Yes, has been recorded for Mirja Kühlewind |
2016-05-27
|
04 | Kathleen Moriarty | [Ballot comment] Radia raised some very good questions in her SecDir review and I don't see a response yet, so I'm guessing you didn't see … [Ballot comment] Radia raised some very good questions in her SecDir review and I don't see a response yet, so I'm guessing you didn't see her message. https://www.ietf.org/mail-archive/web/secdir/current/msg06573.html I'd like to see her questions addressed. Is her second question the result of a typo or does air interface refer to a wireless interface or diameter term? I'll switch to a yes after these are addressed. thanks. |
2016-05-27
|
04 | Kathleen Moriarty | [Ballot Position Update] New position, No Objection, has been recorded for Kathleen Moriarty |
2016-05-19
|
04 | Tero Kivinen | Request for Last Call review by SECDIR Completed: Has Issues. Reviewer: Radia Perlman. |
2016-05-16
|
04 | Gunter Van de Velde | Request for Last Call review by OPSDIR Completed: Has Nits. Reviewer: Qin Wu. |
2016-05-13
|
04 | Stephen Farrell | Placed on agenda for telechat - 2016-06-02 |
2016-05-13
|
04 | Stephen Farrell | Changed consensus to Yes from Unknown |
2016-05-13
|
04 | Stephen Farrell | IESG state changed to IESG Evaluation from Waiting for Writeup |
2016-05-13
|
04 | Stephen Farrell | Ballot has been issued |
2016-05-13
|
04 | Stephen Farrell | [Ballot Position Update] New position, Yes, has been recorded for Stephen Farrell |
2016-05-13
|
04 | Stephen Farrell | Created "Approve" ballot |
2016-05-13
|
04 | Stephen Farrell | Ballot writeup was changed |
2016-05-12
|
04 | (System) | IESG state changed to Waiting for Writeup from In Last Call |
2016-05-07
|
04 | Christer Holmberg | Request for Last Call review by GENART Completed: Ready with Nits. Reviewer: Christer Holmberg. |
2016-05-06
|
04 | (System) | IANA Review state changed to IANA OK - No Actions Needed from IANA - Review Needed |
2016-05-06
|
04 | Sabrina Tanamal | (Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs: IANA has reviewed draft-ietf-dime-e2e-sec-req-04.txt, which is currently in Last Call, and has the following comments: We understand that this … (Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs: IANA has reviewed draft-ietf-dime-e2e-sec-req-04.txt, which is currently in Last Call, and has the following comments: We understand that this document doesn't require any IANA actions. While it's often helpful for a document's IANA Considerations section to remain in place upon publication even if there are no actions, if the authors strongly prefer to remove it, IANA does not object. If this assessment is not accurate, please respond as soon as possible. Thank you, Sabrina Tanamal IANA Specialist ICANN |
2016-05-06
|
04 | Peter Yee | Request for Last Call review by GENART is assigned to Christer Holmberg |
2016-05-06
|
04 | Peter Yee | Request for Last Call review by GENART is assigned to Christer Holmberg |
2016-05-05
|
04 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Radia Perlman |
2016-05-05
|
04 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Radia Perlman |
2016-04-28
|
04 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Qin Wu |
2016-04-28
|
04 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Qin Wu |
2016-04-28
|
04 | Amy Vezza | IANA Review state changed to IANA - Review Needed |
2016-04-28
|
04 | Amy Vezza | The following Last Call announcement was sent out: From: The IESG To: "IETF-Announce" CC: draft-ietf-dime-e2e-sec-req@ietf.org, lionel.morand@orange.com, dime@ietf.org, dime-chairs@ietf.org, stephen.farrell@cs.tcd.ie Reply-To: ietf@ietf.org … The following Last Call announcement was sent out: From: The IESG To: "IETF-Announce" CC: draft-ietf-dime-e2e-sec-req@ietf.org, lionel.morand@orange.com, dime@ietf.org, dime-chairs@ietf.org, stephen.farrell@cs.tcd.ie Reply-To: ietf@ietf.org Sender: Subject: Last Call: (Diameter AVP Level Security End-to-End Security: Scenarios and Requirements) to Informational RFC The IESG has received a request from the Diameter Maintenance and Extensions WG (dime) to consider the following document: - 'Diameter AVP Level Security End-to-End Security: Scenarios and Requirements' as Informational RFC The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2016-05-12. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract This specification discusses requirements for providing Diameter security at the level of individual Attribute-Value Pairs. The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-dime-e2e-sec-req/ IESG discussion can be tracked via https://datatracker.ietf.org/doc/draft-ietf-dime-e2e-sec-req/ballot/ No IPR declarations have been submitted directly on this I-D. |
2016-04-28
|
04 | Amy Vezza | IESG state changed to In Last Call from Last Call Requested |
2016-04-28
|
04 | Stephen Farrell | Last call was requested |
2016-04-28
|
04 | Stephen Farrell | Ballot approval text was generated |
2016-04-28
|
04 | Stephen Farrell | Ballot writeup was generated |
2016-04-28
|
04 | Stephen Farrell | IESG state changed to Last Call Requested from Publication Requested |
2016-04-28
|
04 | Stephen Farrell | Last call announcement was generated |
2016-04-26
|
04 | Kathleen Moriarty | Shepherding AD changed to Stephen Farrell |
2016-03-03
|
04 | Lionel Morand | 1. Summary The document shepherd is Lionel Morand. The responsible Area Director is Kathleen Moriarty. If Diameter provides a hop-by-hop security (using TLS, DTLS or … 1. Summary The document shepherd is Lionel Morand. The responsible Area Director is Kathleen Moriarty. If Diameter provides a hop-by-hop security (using TLS, DTLS or IPSec) between peers, the Diameter base protocol does not provide a mechanism for end-to-end security. This document describes a set of requirements for providing Diameter security at the level of individual Attribute-Value Pairs. Intended Status: Informational This document will be used to evaluate future candidate solutions. 2. Review and Consensus The document provides a description of various security threats in typical Diameter deployments. Based on the threat analysis and the deployment scenarios, a set of requirements is given that a solution should fulfil for providing end-to-end protection of Diameter Attribute-Value Pairs (AVPs). The document received a large support for adoption when initiated and it has been reviewed multiple times, with detailed comments and corrections. The version -03 addresses the last comments received after the WGLC process. There is a strong WG consensus on the content of this document, with a broad range of people, including key experts. 3. Security Considerations The entire document is about existing security threats and defining requirements for a solution for securing Diameter AVPs selectively between non-neighboring nodes. 4. IANA considerations As this document does not define any solution, there is no required IANA action required. 5. Intellectual Property The author and contributor have confirmed conformance with IETF IPR rules (RFCs 3979, 4879, 3669, and 5378). There are no IPR disclosures on the document. 6. ID Nits There are small warnings that can be handled with a rev of the document when publishing the document; Miscellaneous warnings: ---------------------------------------------------------------------------- == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (January 13, 2016) is 50 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: A later version (-05) exists of draft-ietf-aaa-diameter-cms-sec-04 7. Other points The document defines a set a security requirements for E2E protection of AVP over Diameter. The DIME WG is confident in the requirements listed in the document and can use these requirements to define a solution for Diameter. However, the SEC-DIR should carefully review these security requirements to validate them and see if nothing is missing. |
2016-03-03
|
04 | Lionel Morand | IETF WG state changed to Submitted to IESG for Publication from WG Consensus: Waiting for Write-Up |
2016-03-03
|
04 | Lionel Morand | IESG state changed to Publication Requested |
2016-03-03
|
04 | Lionel Morand | IESG process started in state Publication Requested |
2016-03-03
|
04 | Lionel Morand | Changed document writeup |
2016-03-03
|
04 | Lionel Morand | Intended Status changed to Informational from None |
2016-03-03
|
04 | Lionel Morand | The version -04 addresses all the remaining comments. The document is ready for IESG submission. |
2016-03-03
|
04 | Lionel Morand | IETF WG state changed to WG Consensus: Waiting for Write-Up from In WG Last Call |
2016-01-13
|
04 | Jouni Korhonen | New version available: draft-ietf-dime-e2e-sec-req-04.txt |
2015-06-17
|
03 | Jouni Korhonen | New version available: draft-ietf-dime-e2e-sec-req-03.txt |
2015-04-02
|
02 | Lionel Morand | IETF WG state changed to In WG Last Call from WG Document |
2015-01-27
|
02 | Benoît Claise | Shepherding AD changed to Kathleen Moriarty |
2015-01-26
|
02 | Hannes Tschofenig | New version available: draft-ietf-dime-e2e-sec-req-02.txt |
2014-02-25
|
01 | Benoît Claise | Document shepherd changed to Lionel Morand |
2013-11-07
|
01 | Lionel Morand | Set of documents this document replaces changed to draft-tschofenig-dime-e2e-sec-req from None |
2013-10-20
|
01 | Hannes Tschofenig | New version available: draft-ietf-dime-e2e-sec-req-01.txt |
2013-09-26
|
00 | Hannes Tschofenig | New version available: draft-ietf-dime-e2e-sec-req-00.txt |