
Last Call Review of draft-hardie-privsec-metadata-insertion-05
review-hardie-privsec-metadata-insertion-05-secdir-lc-nir-2017-02-07-00

Request Review of draft-hardie-privsec-metadata-insertion
Requested revision No specific revision (document currently at 08)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2017-02-21
Requested 2017-01-24
Authors Ted Hardie
I-D last updated 2017-02-07
Completed reviews Opsdir Last Call review of -05 by Ron Bonica
Genart Last Call review of -06 by Stewart Bryant
Secdir Last Call review of -05 by Yoav Nir
Tsvart Last Call review of -05 by Michael Tüxen
Genart Telechat review of -06 by Stewart Bryant
Genart Telechat review of -07 by Stewart Bryant
Assignment Reviewer Yoav Nir
State Completed
Request Last Call review on draft-hardie-privsec-metadata-insertion by Security Area Directorate Assigned
Reviewed revision 05 (document currently at 08)
Result Has nits
Completed 2017-02-07
Hi

The document is well-written and understandable, but a few things about it seem
wrong:

Section 3 describes data minimization as "one of the core mitigations for the
loss of confidentiality". However, the only example given where data
minimization is used to mitigate confidentiality loss is when browsers suppress
cookies in private mode. The rest of the examples given (HTTP proxies,
recursive DNS, VPN) are such where the data minimization is incidental to some
other function. Nobody deployed the HTTP proxy or the DNS server in order to
enhance privacy.

The HTTP proxy example in particular is not convincing. HTTP is designed to
work without proxies. Any data minimization provided incidentally by a proxy is
nothing that can be counted on, so a prohibition on restoring said data
(especially in the case of a server-side load balancer) is just not convincing.
OTOH, in DNS, recursive resolvers that hide the origin IP of the client are the
norm; authoritative servers hardly ever get to see the real addresses of clients.
In that case exposing the real IP address of the client shows data that was not
there before.

I believe the text should differentiate between cases where a network element
is not part of the normal function of the protocol and works to undo the
accidental data minimization that it causes, and cases where the network
element is expected in the protocol and thus the minimization is expected as
well. I think the prescription in the text applies to the latter. I am not
convinced about the former.

The VPN example is a strange one. If the subject is a corporate VPN, then
restoring the original IP addresses is the function of the VPN. If, OTOH, the VPN
is that service that allows people to watch Hulu outside of the US, then
restoring the IP address would be counter-productive. It is also strange to see
VPN used as an example of "systems whose primary function is not to provide
confidentiality".
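The load-balancer case the review discusses, restoring a client address that the proxy would otherwise hide, is worth seeing in code, because the security-relevant point is not whether the data is restored but whom the origin believes. The following is an added example and is not part of the review or of the draft under review; it assumes the restoration is done with the X-Forwarded-For header (the draft's own examples are not reproduced here), and every address, network range and header value is constructed for illustration. It shows a proxy hop appending the peer address it saw, and an origin that accepts the restored address only as far back along the chain as the hops it trusts, so that a client sending its own X-Forwarded-For value cannot choose the address the origin logs.

```python
"""
Added example (not the reviewer's or the draft's code): a reverse proxy /
load balancer restoring the client address it would otherwise hide via
X-Forwarded-For, and an origin that trusts that restored metadata only
when it comes from proxies it knows.  Addresses and ranges are constructed.
"""
import ipaddress

XFF = "X-Forwarded-For"


def proxy_forward(headers: dict, client_ip: str) -> dict:
    """What a proxy hop does: append the address of the peer it accepted the
    connection from to X-Forwarded-For, keeping whatever earlier hops wrote.
    The proxy cannot tell whether an earlier value is genuine or client-supplied."""
    out = dict(headers)
    prev = out.get(XFF)
    out[XFF] = f"{prev}, {client_ip}" if prev else client_ip
    return out


def real_client_ip(headers: dict, peer_ip: str, trusted_proxies) -> str:
    """Origin-side reconstruction of the client address.

    Only a trusted proxy's own appended entry is reliable, so walk the chain
    from the right (most recently appended) and step left once per trusted hop.
    The first address that is not a trusted proxy is the best-supported client
    address.  If the immediate TCP peer is not a trusted proxy, X-Forwarded-For
    is ignored entirely: anything in it could have been written by the client.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False
        return any(addr in net for net in trusted)

    if not is_trusted(peer_ip):
        return peer_ip

    chain = [h.strip() for h in headers.get(XFF, "").split(",") if h.strip()]
    candidate = peer_ip
    for hop in reversed(chain):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: nothing to its left can be believed
        candidate = hop
        if not is_trusted(hop):
            break
    return candidate


if __name__ == "__main__":
    # Constructed topology: client 203.0.113.5 -> load balancer 192.0.2.10 -> origin.
    trusted = ["192.0.2.0/24"]

    # Honest client: the balancer restores the address the origin could not see.
    h = proxy_forward({}, "203.0.113.5")
    print(real_client_ip(h, "192.0.2.10", trusted))       # 203.0.113.5

    # Client pre-seeds a fake entry; the balancer appends the real one and
    # the origin stops at it, ignoring the fabricated 10.0.0.1.
    h = proxy_forward({XFF: "10.0.0.1"}, "203.0.113.5")
    print(real_client_ip(h, "192.0.2.10", trusted))       # 203.0.113.5

    # Client connects directly, bypassing the balancer: X-Forwarded-For is ignored.
    print(real_client_ip({XFF: "10.0.0.1"}, "203.0.113.5", trusted))  # 203.0.113.5
```

The point for the load-balancer argument in the review is that the restored address is only as trustworthy as the hop that wrote it; an origin that reads the leftmost entry, or that honours the header from any peer, is trusting data the client can supply itself.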