Security Threats for Next Steps in Signaling (NSIS)
draft-ietf-nsis-threats-06
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2012-08-22
|
06 | (System) | post-migration administrative database adjustment to the No Objection position for Scott Hollenbeck |
2012-08-22
|
06 | (System) | post-migration administrative database adjustment to the No Objection position for Ted Hardie |
2012-08-22
|
06 | (System) | post-migration administrative database adjustment to the No Objection position for Russ Housley |
2005-06-10
|
06 | (System) | This was part of a ballot set with: draft-ietf-nsis-fw |
2005-01-03
|
06 | Amy Vezza | State Changes to RFC Ed Queue from Approved-announcement sent by Amy Vezza |
2004-12-23
|
06 | Amy Vezza | IESG state changed to Approved-announcement sent |
2004-12-23
|
06 | Amy Vezza | IESG has approved the document |
2004-12-23
|
06 | Amy Vezza | Closed "Approve" ballot |
2004-12-22
|
06 | Allison Mankin | State Changes to Approved-announcement to be sent from IESG Evaluation::AD Followup by Allison Mankin |
2004-12-22
|
06 | Scott Hollenbeck | [Ballot Position Update] Position for Scott Hollenbeck has been changed to No Objection from Discuss by Scott Hollenbeck |
2004-11-02
|
06 | Russ Housley | [Ballot Position Update] Position for Russ Housley has been changed to No Objection from Discuss by Russ Housley |
2004-10-26
|
06 | (System) | New version available: draft-ietf-nsis-threats-06.txt |
2004-09-28
|
06 | (System) | Removed from agenda for telechat - 2004-09-27 |
2004-09-27
|
06 | Amy Vezza | State Changes to IESG Evaluation::AD Followup from IESG Evaluation by Amy Vezza |
2004-09-27
|
06 | Ted Hardie | [Ballot Position Update] Position for Ted Hardie has been changed to No Objection from Discuss by Ted Hardie |
2004-09-27
|
06 | Ted Hardie | [Ballot comment] [2004-09-24] in the Framework document, section 3.1.5 says  A session is an application layer concept for a (unidirectional) flow  of information … [Ballot comment] [2004-09-24] in the Framework document, section 3.1.5 says  A session is an application layer concept for a (unidirectional) flow  of information between two endpoints, for which some network state is  to be allocated or monitored. (Note that this use of the term  'session' is not identical to the usage in RSVP. It is closer to the  session concept of, for example, the Session Initiation Protocol.) While I don't doubt that a higher-layer concept for the set of flows that makes up one half of an exchange is useful, I don't think session is the right term here, and I think suggesting it maps to that may do harm as further development in the applications' interaction with the signalling plane. The Session of SIP, for example, seems to me explictly the full exchange "There are many applications of the Internet that require the creation and management of a session, where a session is considered an exchange of data between an association of participants." (3261, Section 1). I wish I had a catchy phrase for the concept you do want; I don't. But I am concerned about re-using session here, and I'd like to discuss it. |
2004-09-27
|
06 | Alex Zinin | [Ballot Position Update] New position, No Objection, has been recorded for Alex Zinin by Alex Zinin |
2004-09-27
|
06 | Steven Bellovin | [Ballot comment] The security analysis and considerations sections (4.7 and 7) in draft-ietf-nsis-fw are weak. This is a framework document, so that's (marginally) acceptable, … [Ballot comment] The security analysis and considerations sections (4.7 and 7) in draft-ietf-nsis-fw are weak. This is a framework document, so that's (marginally) acceptable, but there's a lot of hard work ahead in this security arena. In particular, you're likely going to need a separate security mechanisms document that relates back to the threats document. |
2004-09-27
|
06 | Steven Bellovin | [Ballot Position Update] New position, No Objection, has been recorded for Steve Bellovin by Steve Bellovin |
2004-09-27
|
06 | Harald Alvestrand | [Ballot comment] Reviewed by Mary Barnes, Gen-ART Her review: Summary: -------- Both drafts are ready to publish as Informational with the correction of the following … [Ballot comment] Reviewed by Mary Barnes, Gen-ART Her review: Summary: -------- Both drafts are ready to publish as Informational with the correction of the following editorial nits. Nits (nsis-threats): -------------------- - Section 3.1: There's a formatting problem in this section with the identation OR the phrase "following two cases:" on the top of page 10 should read "following three cases:" - Section 3.1: First paragraph following the idented parts (page 11), beginning with "Finally, we conclude a description". The word "conclude" needs to be changed to "include" or "conclude with". - Section 3.1: Page 11, Last paragraph, last sentence. "A malicious NSIS can be detected..." needs to change to "A malicious NSIS node can be detected..." - Section 4.10: Page 24. Reference to "Figure 3" should be "Figure 4". Nits (nsis-fw): --------------- - Abstract: It's longer than the guidelines recommendation of typically 5-10 lines, but no more than 20 lines. I would suggest a change from: "The Next Steps in Signaling working group is considering protocols for signaling information about a data flow along its path in the network. Based on existing work on signaling requirements, this document proposes an architectural framework for such signaling protocols. This document provides a model for the network entities that take part in such signaling, and the relationship between signaling and the rest of network operation. We decompose the overall signaling protocol suite into a generic (lower) layer, with separate upper layers for each specific signaling application. An initial proposal for the split between these layers is given, describing the overall functionality of the lower layer, and discussing the ways that upper layer behavior can be adapted to specific signaling application requirements. This framework also considers the general interactions between signaling and other network layer functions, specifically routing, mobility, and address translators. The different events that impact signaling operation are described, along with how their handling should be divided between the generic and application-specific layers. Finally, an example signaling application (for Quality of Service) is described in more detail." to (adding the second sentence for clarity) and removing alot of unnecessary detail: "The Next Steps in Signaling working group is considering protocols for signaling information about a data flow along its path in the network. The NSIS suite of protocols is envisioned to support various signaling applications that need to install and/or manipulate state in the network. Based on existing work on signaling requirements, this document proposes an architectural framework for such signaling protocols. This document provides a model for the network entities that take part in such signaling, and the relationship between signaling and the rest of network operation. We decompose the overall signaling protocol suite into a generic (lower) layer, with separate upper layers for each specific signaling application." - Section 2 Terminology - Signaling application. I think the term "service" should be "signaling application" ? - Section 3.2.6 - Per the statement in 3.1.2 that path de-coupled is out of scope at this time, it would be useful to re-iterate that the information in this section is provided for completeness and to capture for future reference. I would suggest adding a statement something like the following to the beginning of this section: "Although, support of path de-coupled operation is not part of the initial goals of this NSIS Framework, this section is included for completeness and to caputure some initial considerations for future reference." - Section 5.1.2: last paragraph, page 36. Change "traffic))" to "traffic)" |
2004-09-27
|
06 | Harald Alvestrand | [Ballot Position Update] New position, No Objection, has been recorded for Harald Alvestrand by Harald Alvestrand |
2004-09-27
|
06 | Bert Wijnen | [Ballot comment] Document: draft-ietf-nsis-fw-06.txt Top of page 20: application level. In this sense, up/down notifications are advisories which … [Ballot comment] Document: draft-ietf-nsis-fw-06.txt Top of page 20: application level. In this sense, up/down notifications are advisories which allow faster reaction to events in the network, but shouldn't be built into NSLP semantics. (This is essentially the same distinction - with the same rationale - as SNMP makes between traps and normal message exchanges.) Would be better to s/traps/notifications/ |
2004-09-27
|
06 | Bert Wijnen | [Ballot Position Update] New position, Undefined, has been recorded for Bert Wijnen by Bert Wijnen |
2004-09-27
|
06 | David Kessens | [Ballot comment] From ops directorate by Pekka Savola regarding draft-ietf-nsis-threats-05.txt: It seems that a few more of the NSIS documents should be normative references, … [Ballot comment] From ops directorate by Pekka Savola regarding draft-ietf-nsis-threats-05.txt: It seems that a few more of the NSIS documents should be normative references, e.g., the framework ? |
2004-09-27
|
06 | David Kessens | [Ballot Position Update] New position, No Objection, has been recorded for David Kessens by David Kessens |
2004-09-27
|
06 | Bill Fenner | [Ballot Position Update] New position, No Objection, has been recorded for Bill Fenner by Bill Fenner |
2004-09-26
|
06 | Margaret Cullen | [Ballot Position Update] New position, No Objection, has been recorded for Margaret Wasserman by Margaret Wasserman |
2004-09-24
|
06 | Ted Hardie | [Ballot discuss] in the Framework document, section 3.1.5 says A session is an application layer concept for a (unidirectional) flow of information between … [Ballot discuss] in the Framework document, section 3.1.5 says A session is an application layer concept for a (unidirectional) flow of information between two endpoints, for which some network state is to be allocated or monitored. (Note that this use of the term 'session' is not identical to the usage in RSVP. It is closer to the session concept of, for example, the Session Initiation Protocol.) While I don't doubt that a higher-layer concept for the set of flows that makes up one half of an exchange is useful, I don't think session is the right term here, and I think suggesting it maps to that may do harm as further development in the applications' interaction with the signalling plane. The Session of SIP, for example, seems to me explictly the full exchange "There are many applications of the Internet that require the creation and management of a session, where a session is considered an exchange of data between an association of participants." (3261, Section 1). I wish I had a catchy phrase for the concept you do want; I don't. But I am concerned about re-using session here, and I'd like to discuss it. |
2004-09-24
|
06 | Ted Hardie | [Ballot Position Update] New position, Discuss, has been recorded for Ted Hardie by Ted Hardie |
2004-09-24
|
06 | Russ Housley | [Ballot discuss] Section 4.6 of draft-ietf-nsis-threats-05 calls for non-repudiation. I am not convinced by the discussion in that section that a non- repudiation … [Ballot discuss] Section 4.6 of draft-ietf-nsis-threats-05 calls for non-repudiation. I am not convinced by the discussion in that section that a non- repudiation service is needed. Non-repudiation is needed when proof is to be provided to a third party. Yet, the discussion in this section do not include a third party. The ability to present an authentic request to the other party for their own validation is sufficient for the scenarios discussed. |
2004-09-24
|
06 | Russ Housley | [Ballot Position Update] New position, Discuss, has been recorded for Russ Housley by Russ Housley |
2004-09-21
|
06 | Scott Hollenbeck | [Ballot discuss] The security considerations section of draft-ietf-nsis-fw says this: "These functions can most likely be provided by some kind of channel security mechanism using … [Ballot discuss] The security considerations section of draft-ietf-nsis-fw says this: "These functions can most likely be provided by some kind of channel security mechanism using an external key management mechanism based on mutual authentication." I found the document to be extremely well written and detailed, but this looks like a bit of hand waving. Does this imply that there are no appropriate security protocols that can be used today? I can understand if that's the case given what's written in draft-ietf-nsis-threats. Some additional text to explain why no such mechanism is described in the document would be helpful. |
2004-09-21
|
06 | Scott Hollenbeck | [Ballot Position Update] New position, Discuss, has been recorded for Scott Hollenbeck by Scott Hollenbeck |
2004-09-20
|
06 | Allison Mankin | [Ballot Position Update] New position, Yes, has been recorded for Allison Mankin |
2004-09-20
|
06 | Allison Mankin | Ballot has been issued by Allison Mankin |
2004-09-20
|
06 | Allison Mankin | Created "Approve" ballot |
2004-09-20
|
06 | (System) | Ballot writeup text was added |
2004-09-20
|
06 | (System) | Last call text was added |
2004-09-20
|
06 | (System) | Ballot approval text was added |
2004-09-20
|
06 | Allison Mankin | State Changes to IESG Evaluation from AD Evaluation by Allison Mankin |
2004-09-20
|
06 | Allison Mankin | Placed on agenda for telechat - 2004-09-27 by Allison Mankin |
2004-09-17
|
06 | Allison Mankin | State Changes to AD Evaluation from Publication Requested by Allison Mankin |
2004-09-17
|
06 | Allison Mankin | State Change Notice email list have been change to john.loughney@nokia.com, hannes.tschofenig@siemens.com from john.loughney@nokia.com |
2004-09-13
|
06 | Dinara Suleymanova | Draft Added by Dinara Suleymanova in state Publication Requested |
2004-06-24
|
05 | (System) | New version available: draft-ietf-nsis-threats-05.txt |
2004-02-17
|
04 | (System) | New version available: draft-ietf-nsis-threats-04.txt |
2003-10-28
|
03 | (System) | New version available: draft-ietf-nsis-threats-03.txt |
2003-07-02
|
02 | (System) | New version available: draft-ietf-nsis-threats-02.txt |
2003-01-27
|
01 | (System) | New version available: draft-ietf-nsis-threats-01.txt |
2002-10-31
|
00 | (System) | New version available: draft-ietf-nsis-threats-00.txt |