[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

FW: Review of draft-ietf-radext-rfc3576bis-09.txt

To: radiusext@ops.ietf.org
Subject: FW: Review of draft-ietf-radext-rfc3576bis-09.txt
From: "Bernard Aboba" <bernard_aboba@hotmail.com>
Date: Mon, 17 Sep 2007 10:34:44 -0700
Bcc:

From: Paul Hoffman <paul.hoffman@vpnc.org>
To: secdir@mit.edu
CC: mchiba@cisco.com, gdommety@cisco.com, meklund@cisco.com,dmitton@circularnetworks.com, bernarda@microsoft.com,radext-chairs@tools.ietf.org, radext-ads@tools.ietf.org, iesg@ietf.org
Subject: Review of draft-ietf-radext-rfc3576bis-09.txt
Date: Mon, 17 Sep 2007 10:19:50 -0700
I am reviewing this document as part of the security directorate's ongoingeffort to review all IETF documents being processed by the IESG. Thesecomments were written primarily for the benefit of the security areadirectors. Document editors and WG chairs should treat these comments justlike any other last call comments. Feel free to forward to any appropriateforum.
This document is a revision of RFC 3576, an Informational RFC describing aprotocol to allow unsolicited messages sent from a RADIUS server to aNetwork Access Server.
The protocol is Informational because there were existing implementationsbefore RFC 3576 was published that would not work with the published spec.This new document inherits that status, although I question the need to dothat four years later, particularly because some of the changes made in theearlier RFC and in this revision are for better security. I do not knowwhether or not this was discussed in the WG.
This revision consists mostly of terminology changes and clarifications,all of which seemed fine. The few protocol changes all seem to enhancesecurity or at least be security-neutral. The changes to the SecurityConsiderations section (Section 6) are good. One note is that Section 6.3gives SHOULD-level recommendations to IKEv1 but doesn't mention IKEv2.Section 6.4, on replay protection, is significantly expanded.
On a stylistic note, Section 6 contains many MUSTs and SHOULDs. Doing thisin the Security Considerations section instead of the body of the protocolmakes it seem like these are "only for security", not really for theprotocol. It would be nice if protocols would put security-related MUSTsand SHOULDs in the body of the protocol to give them equal footing in themind of developers.
--Paul Hoffman, Director
--VPN Consortium




--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Prev by Date: Re: Frag & Tag questions
Next by Date: Protocol Action: 'Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes' to Proposed Standard
Previous by thread: Frag & Tag questions
Next by thread: Protocol Action: 'Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes' to Proposed Standard
Index(es):
- Date
- Thread