Telechat Review of draft-ietf-dime-priority-avps-
review-ietf-dime-priority-avps-secdir-telechat-hanna-2011-12-04-00

Request Review of draft-ietf-dime-priority-avps
Requested rev. no specific revision (document currently at 06)
Type Telechat Review
Team Security Area Directorate (secdir)
Deadline 2011-11-29
Requested 2011-11-08
Authors Ken Carlberg, Tom Taylor
Draft last updated 2011-12-04
Completed reviews Genart Telechat review of -?? by Joel Halpern
Genart Telechat review of -?? by Joel Halpern
Secdir Last Call review of -?? by Steve Hanna
Secdir Telechat review of -?? by Steve Hanna
Assignment Reviewer Steve Hanna
State Completed
Review review-ietf-dime-priority-avps-secdir-telechat-hanna-2011-12-04
Review completed: 2011-12-04

Review
review-ietf-dime-priority-avps-secdir-telechat-hanna-2011-12-04

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This standards track document defines Diameter AVPs that can be
used to convey a variety of priority parameters.

In July 2011, I conducted a secdir review of a previous revision
of this document (-04) and found that the Security Considerations
section was inadequate because it did not include any analysis of
the specific security issues related to priority systems.

I'm pleased to say that the authors have attempted to address this
issue in their new draft. They added a reference to the Security
Considerations section of RFC 5866, which is thorough and sound.
In addition, they explicitly identify one threat: unauthorized
changes to QoS parameters in transit. However, the countermeasure
proposed is confusing. The document now says "integrity protected
values SHOULD be ignored". I would expect the reverse. Values
that are not integrity protected SHOULD be ignored. Am I wrong?

I'm concerned that the other threats described in RFC 5866 are
not addressed in this document. Lack of authentication and
confidentiality protection for QoS parameters can have serious
negative impacts, as described in RFC 5866.

In the IETF spirit of "send text", I suggest the following
paragraph be added to the Security Considerations section
of this draft:

   As described in [RFC5866], failure to provide adequate
   authentication and confidentiality protection for QoS
   parameters may result in serious failures that undermine
   the very purpose of QoS. Countermeasures such as Diameter
   communication security should be employed as appropriate.

I will supply a further optional suggestion to clarify the
text recently added regarding integrity. I recommend that
the first paragraph of the Security Considerations section
be stripped to just its first sentence and that the following
paragraph be used in place of the new text that was added at
the end of that paragraph:

   The values in the AVPs defined in this draft are not supposed
   to be changed by any of the Diameter servers or any other
   intermediaries. In fact, changes to these AVPs in transit
   could result in serious problems such as inability to
   complete high-priority emergency phone calls. Therefore,
   source integrity protection SHOULD be employed for those
   AVPs (e.g., the use of S/MIME with the SIP RPH, or an INTEGRITY
   object within a POLICY_DATA object).

The text that I wrote may well be incorrect or misguided.
I'm just trying to provide helpful suggestions from a
security perspective. If the authors would like to have
a further chat about this topic, I'd be glad to do so.
And if they want to keep the text that they added on
integrity protection, that's OK. I just found it a bit
lacking in describing the threat and its consequences
and in providing an effective countermeasure.

Thanks,

Steve