[anonsec] AD Review: Problem and Applicability Statement
Yu-Shun Wang
wang.yushun at gmail.com
Mon May 21 00:22:55 PDT 2007
Hi Sam,
Thanks for the reviews. Some comments inline.
Sam Hartman wrote:
>
> Hi, folks. I've finished reviewing the Problem and Applicability
> Statement draft.
>
> I'd like to thank the authors for a lot of good work.
>
> Several of the comments I made in my first review of the document
> still haven't been fixed. Terms like flash crowd, DDOS, zombies are
> not defined before they are used.
Unless someone can provide citations, I am going to replace
these terms as below:
s/flash crowd/unexpected surge of legitimate requests/
s/zombies/compromised systems/
s/DDoS/distributed denial of service/
(Seriously, do we still have to explain DDoS here? Or we
just need to spell it out?)
> Section 5.3 claims that passwords over anonymous channels are
> inappropriate. I don't think there is an IETF consensus behind this.
> Replace old: Therefore, CBB must not be used with higher layer
> protocols that may expose sensitive information during authentication
> exchange.
>
> with new: Therefore, CBB must not be used with higher layer protocols
> that may expose sensitive information during authentication exchange
> where the exposure of this information presents an unacceptable
> security risk.
Will do. Thanks for the text.
> I wonder if the working group has adequately reviewed section 5.7.
> In particular do we actually have a strong consensus that caching of
> BTNS credentials is inappropriate? We certainly have a lot of issues
> to work through before we can recommend this caching. But if there is
> no caching how is that leap of faith at all?
In our original draft, I left it as "?" (or TBD).
We can change it back to TBD.
The text (as I remembered) deliberately does NOT take a
position on the debate of what LoF is between the two
mechanisms: accepting the unauth ID vs. caching it (and
treating it differently next time). We just explained
what the two mechanisms are and stated the status of
our understanding. I am personally neutral on this.
It's the WG's call.
By the way, we (the authors) went through a lot of discussion
to keep the position neutral, stating the issues involved
and what will need to happen (at a very high level) to make
it work or secure. IIRC we didn't shut the door so to speak.
> If there is such a consensus then Section 5.7 should be removed and a
> section added to the applicability statement saying that leap of
> faith/credential caching is out of scope.
I'd appreciate it if such text didn't involve why it's out of
scope. Otherwise we'd be repeating the current 5.7 again.
> Section 6 rules mobility, nat and multihoming out of scope. Please
> provide an argument that btns does not make issues associated with
> nat and multihoming worse. In particular think about address
> selection for inner addresses with anonymous open services and show
> that this problem is not worse in a BTNS universe.
I am no expert in any of those. Text suggestion?
(I thought those were not in the charter; I didn't realize
we had to explain why they are not in the charter.)
> If you can do that then you can attempt to rule NAT and
> multihoming/mobility out of scope. I'll still call it out in the
> IETF last call message and confirm that the community is willing to
> let you rule this out of scope.
Sure.
Thanks,
yushun