Early Review of draft-ietf-tictoc-security-requirements-05
review-ietf-tictoc-security-requirements-05-secdir-early-emery-2013-10-31-00
| Request | Review of | draft-ietf-tictoc-security-requirements |
|---|---|---|
| Requested revision | No specific revision (document currently at 12) | |
| Type | Early Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2014-08-19 | |
| Requested | 2013-10-03 | |
| Authors | Tal Mizrahi | |
| I-D last updated | 2013-10-31 | |
| Completed reviews |
Genart Last Call review of -10
by Dan Romascanu
(diff)
Genart Telechat review of -11 by Dan Romascanu (diff) Secdir Early review of -05 by Shawn M Emery (diff) Secdir Last Call review of -10 by Shawn M Emery (diff) |
|
| Assignment | Reviewer | Shawn M Emery |
| State | Completed | |
| Request | Early review on draft-ietf-tictoc-security-requirements by Security Area Directorate Assigned | |
| Reviewed revision | 05 (document currently at 12) | |
| Result | Has issues | |
| Completed | 2013-10-31 |
review-ietf-tictoc-security-requirements-05-secdir-early-emery-2013-10-31-00
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This internet-draft describes the threat analysis for time protocols, such as Precision Time Protocol (PTP) and the Network Time Protocol (NTP). The draft itself discusses security considerations. I believe the draft adequately covers the various threats and how to mitigate such attacks. I just have a few comments below: In regards to this paragraph in section 5.1.3: Authentication of slaves prevents unauthorized clocks from receiving time services. Preventing the master from serving unauthorized clocks can help in mitigating DoS attacks against the master. Note that the authentication of slaves might put a higher load on the master than serving the unauthorized clock, and hence this requirement is a SHOULD. I think that this requirement of whether to allow for unauthorized clocks should be a MAY (as does the prior text in this section) and should state that the decision to do this should be based on the environment in which the master and slaves are deployed. In regards to this paragraph in section 5.2.1: The requirement level of the first requirement is 'SHOULD' since in the presence of recursive authentication (Section 5.1.2.) this requirement may be redundant. This should state that this is the "second requirement", not the "first requirement". In section 5.5.1 what's the difference between a replay and playback attack? If there is such a difference then playback needs to be defined. In section 5.8, interception attacks is never explicitly described. I don't understand this sentence: The erroneous time may expose cryptographic algorithms that rely on time to prevent replay attacks. Does this mean to say "security protocols" instead of "cryptographic algorithms"? General comments: None. Editorial comments: s/if a slave is/if a slave/ s/(Section 3.2.4. )/(Section 3.2.4.)/ s/Additional measure/Additional measures/ Looks like this sentence was truncated: The requirements in this subsection address MITM attacks such as the 3.2.1.). s/necessarily possible/possible/ s/5.1. ,/Section 5.1.,/ s/in the literature/in literature/ s/in [1588IPsec] and [Tunnel]/[1588IPsec] and [Tunnel]/ Shawn. --