Authorization for NSIS Signaling Layer Protocols
draft-ietf-nsis-nslp-auth-07

Document history

Date Rev. By Action
2012-08-22
07 (System) post-migration administrative database adjustment to the No Objection position for Sean Turner
2012-08-22
07 (System) post-migration administrative database adjustment to the No Objection position for Tim Polk
2012-08-22
07 (System) post-migration administrative database adjustment to the No Objection position for Russ Housley
2010-10-22
07 (System) IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor
2010-10-22
07 (System) IANA Action state changed to Waiting on RFC Editor from In Progress
2010-10-22
07 (System) IANA Action state changed to In Progress from Waiting on Authors
2010-10-22
07 (System) IANA Action state changed to Waiting on Authors from In Progress
2010-10-18
07 Cindy Morgan State changed to RFC Ed Queue from Approved-announcement sent by Cindy Morgan
2010-10-15
07 (System) IANA Action state changed to In Progress
2010-10-15
07 Amy Vezza IESG state changed to Approved-announcement sent
2010-10-15
07 Amy Vezza IESG has approved the document
2010-10-15
07 Amy Vezza Closed "Approve" ballot
2010-10-15
07 Lars Eggert State changed to Approved-announcement to be sent from IESG Evaluation::AD Followup by Lars Eggert
2010-10-14
07 Russ Housley
[Ballot discuss]
Please respond to the Gen-ART Review by Ben Campbell on 2010-08-31.
  At a minimum, please address these points:

  Section 3.2.7, 2nd para: "The creator of this attribute lists every
  NSLP object..."  Is there an order requirement? At least, the order
  in this list must match the order in the signature, right?

  Section 4.1.1, 2nd para: Is HMAC-MD5 still a reasonable choice for a
  single mandatory-to-implement algorithm?

  Section 6.4, 1st para: This paragraph seems to conflate authentication
  with authorization. Integrity protection provides authentication, from
  which one can apply authorization policy. But it's not authorization
  policy in itself.

  Section 7, 3rd para: This seems to conflict with 3.2.7 and 3.2.8,
  which only conditionally require AUTHENTICATION_DATA to be included.
2010-10-14
07 Russ Housley [Ballot Position Update] Position for Russ Housley has been changed to No Objection from Discuss by Russ Housley
2010-09-28
07 Tim Polk [Ballot Position Update] Position for Tim Polk has been changed to No Objection from Discuss by Tim Polk
2010-09-28
07 Sean Turner [Ballot Position Update] Position for Sean Turner has been changed to No Objection from Discuss by Sean Turner
2010-09-22
07 (System) Sub state has been changed to AD Follow up from New Id Needed
2010-09-22
07 (System) New version available: draft-ietf-nsis-nslp-auth-07.txt
2010-09-14
07 Sean Turner
[Ballot comment]
Updated #4 to be more specific.

1) Sec 3.2.7: MUST?

OLD:

rsv: reserved bits and must be set to 0 (zero) and ignored upon
  reception.

NEW:

rsv: reserved bits and MUST be set to 0 (zero) and ignored upon
  reception.

2) Sec 3.7, MUST?

OLD:

... they must be delivered
  via the GIST API and normalized to ...

NEW:

... they MUST be delivered
  via the GIST API and normalized to ...

3) Figure in Sec 4.3 only shows PGP_CERT.  Should it also show X509_V3_CERT?  Also shouldn't the other figures in the draft include "Figure #"?

4) Sec 4.4: Replace recommended with RECOMMENDED (x2)?

5) Sec 4.4: hash algorithm must be chosen vs hash algorithm MUST be chosen?
2010-09-14
07 Sean Turner
[Ballot discuss]
This is an updated DISCUSS.  I retained the original numbering scheme but removed the discuss positions that have been resolved via email.

3) Doesn't Sec 6.2.3 and 6.3.3 need bullets in the "verify message integrity" stage for hmac-signed?  It's the mandatory to implement mechanism - isn't it?

4) Please add something in the security considerations about considerations for:

4a) Symmetric Key: Keeping the symmetric key secret is central to preserving the security of the system.  Disclosure of the symmetric key can lead to

4b) Public Keys: Point to RFC 5280 for security considerations for X.509 certificate.  Point to RFC 4880 for PGP.

4c) For HMAC-signed, need to say something about keeping the shared key secret too.
2010-09-09
07 Amy Vezza State changed to IESG Evaluation::Revised ID Needed from IESG Evaluation by Amy Vezza
2010-09-09
07 Peter Saint-Andre [Ballot Position Update] New position, No Objection, has been recorded by Peter Saint-Andre
2010-09-09
07 Gonzalo Camarillo [Ballot Position Update] New position, No Objection, has been recorded by Gonzalo Camarillo
2010-09-09
07 Tim Polk [Ballot comment]
1. Assuming HMAC_SIGNED bring new functionality, why only support HMAC?

2. Is there a compelling reason to specify HMAC-MD5 instead of HMAC-SHA1?
2010-09-09
07 Tim Polk
[Ballot discuss]
This is a discuss-discuss.  I need further information before I can sort out which pieces of this are appropriate or
actionable.

As far as I can tell, this document applies the session policy element paradigm from RFC 3520 to nsis with two
extensions: a new X-type, NSLP_OBJECT_LIST, and a new AUTH_ENT_ID subtype HMAC_SIGNED.

I am having a very hard time sorting out the differences between HMAC_SIGNED and the various symmetric key
options carried over from 3520.  HMAC is of course a symmetric key authentication option, and Section 4.1.1
identifies HMAC-MD-128 as the mandatory to implement.  Section 3.2.1 explicitly notes that HMAC_SIGNED is
calculated over the NSLP objects in the NSLP_OBJECT_LIST, but my reading of the AUTHENTICATION_DATA attribute (3.2.8, "signs all data in the policy element up to the AUTHENTICATION DATA" and AUTHENTICATION
DATA "MUST be the last attribute in the list").

As I understand section 2, NSIS relies on a hop-by-hop security architecture although some things can be end-to-end.
Is the point here that we are layering end-to-end authorization on top of the hop-by-hop architecture?  The last
paragraph in section 2 seems to indicate that some authorization will be end-to-end and others hop-by-hop.
Which mechanisms apply in the different cases?
2010-09-09
07 Tim Polk [Ballot Position Update] New position, Discuss, has been recorded by Tim Polk
2010-09-09
07 Sean Turner
[Ballot comment]
1) Sec 3.2.7: MUST?

OLD:

rsv: reserved bits and must be set to 0 (zero) and ignored upon
  reception.

NEW:

rsv: reserved bits and MUST be set to 0 (zero) and ignored upon
  reception.

2) Sec 3.7, MUST?

OLD:

... they must be delivered
  via the GIST API and normalized to ...

NEW:

... they MUST be delivered
  via the GIST API and normalized to ...

3) Figure in Sec 4 only shows PGP_CERT

4) Sec 4.4: Replace recommended with RECOMMENDED (x2)?

5) Sec 4.4: hash algorithm must be chosen vs hash algorithm MUST be chosen?
2010-09-09
07 Sean Turner
[Ballot discuss]
1) This document is eerily similar to RFC 3520 (in some cases a direct copy).  I'm all for text reuse, but copying sections can introduce issues when trying to ensure that the text remains aligned (e.g., an errata is submitted against 3520 - it won't be reflected here).  Wouldn't it be best to just point to RFC 3520, except where you've changed things?

1a) Sections 3.2 (modulo 3.2.7): As far as I can tell, these sections define one authorizing entity identifier (sec 3.2.1), one source address (sec 3.2.3), one destination address (sec 3.2.4) not in RFC 3520.  The rest looks like a verbatim copy.

1b) Sec 4 (modulo 4.2 and 4.4) is pretty much the same as 3520.

2) Aren't the values for X-type, START_TIME, END_TIME already defined as well as all but one AUTH_ENT_ID, SOURCE_ADDR, and DEST_ADDR (http://www.iana.org/assignments/cops-parameters)?  Is this a new registry or just updating the existing one?

3) Doesn't Sec 6.2.3 and 6.3.3 need bullets in the "verify message integrity" stage for hmac-signed?  It's the mandatory to implement mechanism - isn't it?

4) Please add something in the security considerations about considerations for:

4a) Symmetric Key: Keeping the symmetric key secret is central to preserving the security of the system.  Disclosure of the symmetric key can lead to

4b) Public Keys: Point to RFC 5280 for security considerations for X.509 certificate.  Point to RFC 4880 for PGP.

4c) For HMAC-signed, need to say something about keeping the shared key secret too.

5) For the format of the SESSION_AUTH, couldn't you assign ranges for the type to achieve the same thing as the first four bits?  That way you could reuse the exact format from 3520?
2010-09-09
07 Sean Turner
[Ballot comment]
1) Sec 3.2.7: MUST?

OLD:

rsv: reserved bits and must be set to 0 (zero) and ignored upon
  reception.

NEW:

rsv: reserved bits and MUST be set to 0 (zero) and ignored upon
  reception.

3) Sec 3.7, MUST?

OLD:

... they must be delivered
  via the GIST API and normalized to ...

NEW:

... they MUST be delivered
  via the GIST API and normalized to ...

3) Sec 4.4: Replace recommended with RECOMMENDED (x2)?

4) Sec 4.4: hash algorithm must be chosen vs hash algorithm MUST be chosen?
2010-09-09
07 Sean Turner
[Ballot discuss]
1) This document is eerily similar to RFC 3520 (in some cases a direct copy).  I'm all for text reuse, but copying sections can introduce issues when trying to ensure that the text remains aligned (e.g., an errata is submitted against 3520 - it won't be reflected here).  Wouldn't it be best to just point to RFC 3520, except where you've changed things?

1a) Sections 3.2 (modulo 3.2.7): As far as I can tell, these sections define one authorizing entity identifier (sec 3.2.1), one source address (sec 3.2.3), one destination address (sec 3.2.4) not in RFC 3520.  The rest looks like a verbatim copy.

1b) Sec 4 (modulo 4.2 and 4.4) is pretty much the same as 3520.

2) Aren't the values for X-type, START_TIME, END_TIME already defined as well as all but one AUTH_ENT_ID, SOURCE_ADDR, and DEST_ADDR (http://www.iana.org/assignments/cops-parameters)?  Is this a new registry or just updating the existing one?

3) Doesn't Sec 6.2.3 and 6.3.3 need bullets in the "verify message integrity" stage for hmac-signed?  It's the mandatory to implement mechanism - isn't it?

4) Please add something in the security considerations about considerations for:

4a) Symmetric Key: Keeping the symmetric key secret is central to preserving the security of the system.  Disclosure of the symmetric key can lead to

4b) Public Keys: Point to RFC 5280 for security considerations for X.509 certificate.  Point to RFC 4880 for PGP.

4c) For HMAC-signed, need to say something about keeping the shared key secret too.
2010-09-09
07 Sean Turner [Ballot Position Update] New position, Discuss, has been recorded by Sean Turner
2010-09-09
07 Dan Romascanu [Ballot Position Update] New position, No Objection, has been recorded by Dan Romascanu
2010-09-09
07 Ralph Droms [Ballot comment]
Why is this doc being published as Experimental?
2010-09-09
07 Ralph Droms [Ballot Position Update] New position, No Objection, has been recorded by Ralph Droms
2010-09-08
07 Sean Turner
[Ballot comment]
1) Sections 3.2 (modulo 3.2.7): As far as I can tell, these sections define one authorizing entity identifier (sec 3.2.1), one source address (sec 3.2.3), one destination address (sec 3.2.4) not in RFC 3520.  The rest looks like a verbatim copy.  I'm all for text reuse, but copying sections can introduce issues when trying to ensure that the text remains aligned (e.g., an errata is submitted against 3520 - it won't be reflected here).

2) Sec 3.2.7: MUST?

OLD:

rsv: reserved bits and must be set to 0 (zero) and ignored upon
  reception.

NEW:

rsv: reserved bits and MUST be set to 0 (zero) and ignored upon
  reception.

3) Sec 3.7, MUST?

OLD:

... they must be delivered
  via the GIST API and normalized to ...

NEW:

... they MUST be delivered
  via the GIST API and normalized to ...

4) Sec 4 (modulo 4.2 and 4.4) is pretty much the same as 3520.  Can't you just have a section that says here's the new bits in addition to those in 3520?

5) Sec 4.4: Replace recommended with RECOMMENDED (x2)?

6) Sec 4.4: hash algorithm must be chosen vs hash algorithm MUST be chosen?

7) Aren't the values for X-type, START_TIME, END_TIME already defined as well as all but one AUTH_ENT_ID, SOURCE_ADDR, and DEST_ADDR (http://www.iana.org/assignments/cops-parameters)?  Is this a new registry or just updating the existing one?

8) Doesn't Sec 6.2.3 and 6.3.3 need bullets in the "verify message integrity" stage for hmac-signed?  It's the mandatory to implement mechanism - isn't it?

9) Please add something in the security considerations about considerations for

a) Symmetric Key: Keeping the symmetric key secret is central to preserving the security of the system.  Disclosure of the symmetric key can lead to

b) Public Keys: Point to RFC 5280 for security considerations for X.509 certificate.  Point to RFC 4880 for PGP.

c) For HMAC-signed, need to say something about keeping the shared key secret too.
2010-09-08
07 Sean Turner
[Ballot comment]
1) Sections 3.2 (modulo 3.2.7): As far as I can tell, these sections define one authorizing entity identifier (sec 3.2.1), one source address (sec 3.2.3), one destination address (sec 3.2.4) not in RFC 3520.  The rest looks like a verbatim copy.  I'm all for text reuse, but copying sections can introduce issues when trying to ensure that the text remains aligned (e.g., an errata is submitted against 3520 - it won't be reflected here).

2) Sec 3.2.7: MUST?

OLD:

rsv: reserved bits and must be set to 0 (zero) and ignored upon
  reception.

NEW:

rsv: reserved bits and MUST be set to 0 (zero) and ignored upon
  reception.

3) Sec 3.7, MUST?

OLD:

... they must be delivered
  via the GIST API and normalized to ...

NEW:

... they MUST be delivered
  via the GIST API and normalized to ...

3) Sec 4 (modulo 4.2 and 4.4) is pretty much the same as 3520.  Can't you just have a section that says here's the new bits in addition to those in 3520?

4) Sec 4.4: Replace recommended with RECOMMENDED (x2)?

5) Sec 4.4: hash algorithm must be chosen vs hash algorithm MUST be chosen?

6) Aren't the values for X-type, START_TIME, END_TIME already defined as well as all but one AUTH_ENT_ID, SOURCE_ADDR, and DEST_ADDR (http://www.iana.org/assignments/cops-parameters)?  Is this a new registry or just updating the existing one?

7) Doesn't Sec 6.2.3 and 6.3.3 need bullets in the "verify message integrity" stage for hmac-signed?  It's the mandatory to implement mechanism - isn't it?

8) Please add something in the security considerations about considerations for

a) Symmetric Key: Keeping the symmetric key secret is central to preserving the security of the system.  Disclosure of the symmetric key can lead to

b) Public Keys: Point to RFC 5280 for security considerations for X.509 certificate.  Point to RFC 4880 for PGP.

c) For HMAC-signed, need to say something about keeping the shared key secret too.
2010-09-08
07 Sean Turner
[Ballot comment]
1) Sections 3.2 (modulo 3.2.7): As far as I can tell, these sections define one authorizing entity identifier (sec 3.2.1), one source address (sec 3.2.3), one destination address (sec 3.2.4) not in RFC 3520.  The rest looks like a verbatim copy.  I'm all for text reuse, but copying sections can introduce issues when trying to ensure that the text remains aligned (e.g., an errata is submitted against 3520 - it won't be reflected here).

2) Sec 3.2.7: MUST?

OLD:

rsv: reserved bits and must be set to 0 (zero) and ignored upon
  reception.

NEW:

rsv: reserved bits and MUST be set to 0 (zero) and ignored upon
  reception.

3) Sec 3.7, MUST?

OLD:

... they must be delivered
  via the GIST API and normalized to ...

NEW:

... they MUST be delivered
  via the GIST API and normalized to ...

3) Sec 4 (modulo 4.2 and 4.4) is pretty much the same as 3520.  Can't you just have a section that says here's the new bits in addition to those in 3520?

4) Sec 4.4: Replace recommended with RECOMMENDED (x2)?

5) Sec 4.4: hash algorithm must be chosen vs hash algorithm MUST be chosen?

6) Aren't the values for X-type, START_TIME, END_TIME already defined as well as all but one AUTH_ENT_ID, SOURCE_ADDR, and DEST_ADDR (http://www.iana.org/assignments/cops-parameters)?  Is this a new registry or just updating the existing one?
2010-09-08
07 Sean Turner
[Ballot comment]
1) Sections 3.2 (modulo 3.2.7): As far as I can tell, these sections define one authorizing entity identifier (sec 3.2.1), one source address (sec 3.2.3), one destination address (sec 3.2.4) not in RFC 3520.  The rest looks like a verbatim copy.  I'm all for text reuse, but copying sections can introduce issues when trying to ensure that the text remains aligned (e.g., an errata is submitted against 3520 - it won't be reflected here).

2) Sec 3.2.7: MUST?

OLD:

rsv: reserved bits and must be set to 0 (zero) and ignored upon
  reception.

NEW:

rsv: reserved bits and MUST be set to 0 (zero) and ignored upon
  reception.

3) Sec 4 (modulo 4.2 and 4.4) is pretty much the same as 3520.  Can't you just have a section that says here's the new bits in addition to those in 3520?

4) Sec 4.4: Replace recommended with RECOMMENDED (x2)?

5) Sec 4.4: hash algorithm must be chosen vs hash algorithm MUST be chosen?

6) Aren't the values for X-type, START_TIME, END_TIME already defined as well as all but one AUTH_ENT_ID, SOURCE_ADDR, and DEST_ADDR (http://www.iana.org/assignments/cops-parameters)?  Is this a new registry or just updating the existing one?
2010-09-08
07 Robert Sparks [Ballot Position Update] New position, No Objection, has been recorded by Robert Sparks
2010-09-08
07 Russ Housley
[Ballot discuss]
Please respond to the Gen-ART Review by Ben Campbell on 2010-08-31.
  At a minimum, please address these points:

  Section 3.2.7, 2nd para: "The creator of this attribute lists every
  NSLP object..."  Is there an order requirement? At least, the order
  in this list must match the order in the signature, right?

  Section 4.1.1, 2nd para: Is HMAC-MD5 still a reasonable choice for a
  single mandatory-to-implement algorithm?

  Section 6.4, 1st para: This paragraph seems to conflate authentication
  with authorization. Integrity protection provides authentication, from
  which one can apply authorization policy. But it's not authorization
  policy in itself.

  Section 7, 3rd para: This seems to conflict with 3.2.7 and 3.2.8,
  which only conditionally require AUTHENTICATION_DATA to be included.
2010-09-08
07 Russ Housley [Ballot Position Update] New position, Discuss, has been recorded by Russ Housley
2010-09-08
07 Sean Turner
[Ballot comment]
1) Sections 3.2 (modulo 3.2.7): As far as I can tell, these sections define one authorizing entity identifier (sec 3.2.1), one source address (sec 3.2.3), one destination address (sec 3.2.4) not in RFC 3520.  The rest looks like a verbatim copy.  I'm all for text reuse, but copying sections can introduce issues when trying to ensure that the text remains aligned (e.g., an errata is submitted against 3520 - it won't be reflected here).

2) Sec 4 (modulo 4.2 and 4.4) is pretty much the same as 3520.  Can't you just have a section that says here's the new bits in addition to those in 3520?

3) Sec 4.4: Replace recommended with RECOMMENDED (x2)?

4) Sec 4.4: hash algorithm must be chosen vs hash algorithm MUST be chosen?

5) Aren't the values for X-type, START_TIME, END_TIME already defined as well as all but one AUTH_ENT_ID, SOURCE_ADDR, and DEST_ADDR (http://www.iana.org/assignments/cops-parameters)?  Is this a new registry or just updating the existing one?
2010-09-08
07 Ron Bonica [Ballot Position Update] New position, No Objection, has been recorded by Ron Bonica
2010-09-08
07 Stewart Bryant [Ballot Position Update] New position, No Objection, has been recorded by Stewart Bryant
2010-09-08
07 Adrian Farrel [Ballot Position Update] New position, No Objection, has been recorded by Adrian Farrel
2010-09-01
07 Amy Vezza State changed to IESG Evaluation from In Last Call by Amy Vezza
2010-08-30
07 Amanda Baber
IANA comments:

Upon approval of this document, IANA understands that there are seven
IANA Actions that need to be completed.

First, in the NSLP Message Objects subregistry of the NSIS Signaling
Layer Protocol (NSLP) Parameters located at:

http://www.iana.org/assignments/nslp-parameters/nslp-parameters.xml

a new value is to be added to the subregistry as follows:

Value Description Reference
----- --------------------------------------- ---------
tbd1 SESSION_AUTH_OBJECT RFC-to-be

Second, a new subregistry of the NSIS Signaling Layer Protocol (NSLP)
Parameters located at:

http://www.iana.org/assignments/nslp-parameters/nslp-parameters.xml

is to be created. The new "SESSION_AUTH Object X-Type" subregistry will
have the following registration procedures:

Range Registration Procedures
----- ---------------------------
0-127 Specification Required
128-255 Private or Experimental Use

The new "SESSION_AUTH X-Type" subregistry will have the following
initial values:

X-Type Description
-------- -------------------
0 Reserved
1 AUTH_ENT_ID
2 SESSION_ID
3 SOURCE_ADDR
4 DEST_ADDR
5 START_TIME
6 END_TIME
7 NSLP_OBJECT_LIST
8 AUTHENTICATION_DATA
9-127 Unassigned
128-255 Reserved

Third, a new subregistry of the NSIS Signaling Layer Protocol (NSLP)
Parameters located at:

http://www.iana.org/assignments/nslp-parameters/nslp-parameters.xml

is to be created. The new "AUTH_ENT_ID (X-Type 1) SubType values"
subregistry will have the following registration procedures:

Range Registration Procedures
---------- -----------------------
0-127 Specification Required
128-255 Private or Experimental Use

The new "AUTH_ENT_ID (X-Type 1) SubType values" subregistry will have
the following initial values:

Registry:
SubType Description
-------- -------------
0 Reserved
1 IPV4_ADDRESS
2 IPV6_ADDRESS
3 FQDN
4 ASCII_DN
5 UNICODE_DN
6 URI
7 KRB_PRINCIPAL
8 X509_V3_CERT
9 PGP_CERT
10 HMAC_SIGNED
11-127 Unassigned
128-255 Reserved

Fourth, a new subregistry of the NSIS Signaling Layer Protocol (NSLP)
Parameters located at:

http://www.iana.org/assignments/nslp-parameters/nslp-parameters.xml

is to be created. The new "SOURCE_ADDR (X-Type 3) SubType values"
subregistry will have the following registration procedures:

Range Registration Procedures
---------- -----------------------
0-127 Specification Required
128-255 Private or Experimental Use

The new "SOURCE_ADDR (X-Type 3) SubType values" subregistry will have
the following initial values:

Registry:
SubType Description
-------- -------------
0 Reserved
1 IPV4_ADDRESS
2 IPV6_ADDRESS
3 UDP_PORT_LIST
4 TCP_PORT_LIST
5 SPI
6-127 Unassigned
128-255 Reserved

Fifth, a new subregistry of the NSIS Signaling Layer Protocol (NSLP)
Parameters located at:

http://www.iana.org/assignments/nslp-parameters/nslp-parameters.xml

is to be created. The new "DEST_ADDR (X-Type 4) SubType values"
subregistry will have the following registration procedures:

Range Registration Procedures
---------- ------------------------
0-127 Specification Required
128-255 Private or Experimental Use

The new "DEST_ADDR (X-Type 4) SubType values" subregistry will have the
following initial values:

Registry:
SubType Description
-------- -------------
0 Reserved
1 IPV4_ADDRESS
2 IPV6_ADDRESS
3 UDP_PORT_LIST
4 TCP_PORT_LIST
5 SPI
6-127 Unassigned
128-255 Reserved

Sixth, a new subregistry of the NSIS Signaling Layer Protocol (NSLP)
Parameters located at:

http://www.iana.org/assignments/nslp-parameters/nslp-parameters.xml

is to be created. The new "START_TIME (X-Type 5) SubType values"
subregistry will have the following registration procedures:

Range Registration Procedures
---------- -----------------------
0-127 Specification Required
128-255 Private or Experimental Use

The new "START_TIME (X-Type 5) SubType values" subregistry will have the
following initial values:

Registry:
SubType Description
-------- -------------
0 Reserved
1 NTP_TIMESTAMP
2-127 Unassigned
128-255 Reserved

Seventh, a new subregistry of the NSIS Signaling Layer Protocol (NSLP)
Parameters located at:

http://www.iana.org/assignments/nslp-parameters/nslp-parameters.xml

is to be created. The new "END_TIME (X-Type 6) SubType values"
subregistry will have the following registration procedures:

Range Registration Procedures
---------- -----------------------
0-127 Specification Required
128-255 Private or Experimental Use

The new "END_TIME (X-Type 6) SubType values" subregistry will have the
following initial values:

Registry:
SubType Description
-------- -------------
0 Reserved
1 NTP_TIMESTAMP
2-127 Unassigned
128-255 Reserved

IANA understands that there are no SubType value subregistries for
X-Type 2, X-Type 7 and X-Type 8. Further, IANA understands that the
seven actions above are all the IANA actions required upon approval of
the document.
2010-08-17
07 Cindy Morgan Telechat date has been changed to 2010-09-09 from None by Cindy Morgan
2010-08-17
07 Amy Vezza Last call sent
2010-08-17
07 Amy Vezza State changed to In Last Call from Last Call Requested by Amy Vezza
2010-08-17
07 Lars Eggert Placed on agenda for telechat - 2010-09-09 by Lars Eggert
2010-08-17
07 Lars Eggert [Note]: changed to 'Martin Stiemerling (martin.stiemerling@neclab.eu) is the
document shepherd.' by Lars Eggert
2010-08-17
07 Lars Eggert [Ballot Position Update] New position, Yes, has been recorded for Lars Eggert
2010-08-17
07 Lars Eggert Ballot has been issued by Lars Eggert
2010-08-17
07 Lars Eggert Created "Approve" ballot
2010-08-17
07 Lars Eggert Last Call was requested by Lars Eggert
2010-08-17
07 Lars Eggert State changed to Last Call Requested from AD Evaluation::AD Followup by Lars Eggert
2010-08-17
07 (System) Ballot writeup text was added
2010-08-17
07 (System) Last call text was added
2010-08-17
07 (System) Ballot approval text was added
2010-08-02
07 (System) Sub state has been changed to AD Follow up from New Id Needed
2010-08-02
06 (System) New version available: draft-ietf-nsis-nslp-auth-06.txt
2010-07-29
07 Lars Eggert State changed to AD Evaluation::Revised ID Needed from AD Evaluation by Lars Eggert
2010-07-29
07 Lars Eggert State changed to AD Evaluation from Publication Requested by Lars Eggert
2010-07-29
07 Cindy Morgan
(1.a) Who is the Document Shepherd for this document? Has the
Document Shepherd personally reviewed this version of the
document and, in particular, does he or she believe this
version is ready for forwarding to the IESG for publication?

Martin Stiemerling (martin.stiemerling@neclab.eu) is the
document shepherd. I have reviewed the document and it is
ready for taking the next steps towards publication.

(1.b) Has the document had adequate review both from key WG members
and from key non-WG members? Does the Document Shepherd have
any concerns about the depth or breadth of the reviews that
have been performed?

It has been reviewed by the NSIS WG. There has been a WGLC
with good comments and no controversial issues.

(1.c) Does the Document Shepherd have concerns that the document
needs more review from a particular or broader perspective,
e.g., security, operational complexity, someone familiar with
AAA, internationalization or XML?

It may be good to get a review from the security community
as the document is mainly about security.

(1.d) Does the Document Shepherd have any specific concerns or
issues with this document that the Responsible Area Director
and/or the IESG should be aware of? For example, perhaps he
or she is uncomfortable with certain parts of the document, or
has concerns whether there really is a need for it. In any
event, if the WG has discussed those issues and has indicated
that it still wishes to advance the document, detail those
concerns here. Has an IPR disclosure related to this document
been filed? If so, please include a reference to the
disclosure and summarize the WG discussion and conclusion on
this issue.

No issues.

(1.e) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with
others being silent, or does the WG as a whole understand and
agree with it?

There is strong WG consensus behind this document.

(1.f) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in
separate email messages to the Responsible Area Director. (It
should be in a separate email because this questionnaire is
entered into the ID Tracker.)

No.

(1.g) Has the Document Shepherd personally verified that the
document satisfies all ID nits? (See the Internet-Drafts Checklist
and http://tools.ietf.org/tools/idnits/). Boilerplate checks are
not enough; this check needs to be thorough. Has the document
met all formal review criteria it needs to, such as the MIB
Doctor, media type and URI type reviews?

Yes, it does.

(1.h) Has the document split its references into normative and
informative? Are there normative references to documents that
are not ready for advancement or are otherwise in an unclear
state? If such normative references exist, what is the
strategy for their completion? Are there normative references
that are downward references, as described in [RFC3967]? If
so, list these downward references to support the Area
Director in the Last Call procedure for them [RFC3967].

Yes, it does.

(1.i) Has the Document Shepherd verified that the document IANA
consideration section exists and is consistent with the body
of the document? If the document specifies protocol
extensions, are reservations requested in appropriate IANA
registries? Are the IANA registries clearly identified? If
the document creates a new registry, does it define the
proposed initial contents of the registry and an allocation
procedure for future registrations? Does it suggest a
reasonable name for the new registry? See [RFC5226]. If the
document describes an Expert Review process has Shepherd
conferred with the Responsible Area Director so that the IESG
can appoint the needed Expert during the IESG Evaluation?

Yes, it does.

(1.j) Has the Document Shepherd verified that sections of the
document that are written in a formal language, such as XML
code, BNF rules, MIB definitions, etc., validate correctly in
an automated checker?

There are no such sections in this document.

(1.k) The IESG approval announcement includes a Document
Announcement Write-Up. Please provide such a Document
Announcement Write-Up? Recent examples can be found in the
"Action" announcements for approved documents. The approval
announcement contains the following sections:

Technical Summary
Relevant content can frequently be found in the abstract
and/or introduction of the document. If not, this may be
an indication that there are deficiencies in the abstract
or introduction.

Signaling layer protocols specified within the NSIS framework may
rely on the GIST (General Internet Signaling Transport) protocol to
handle authorization. Still, the signaling layer protocol above GIST
itself may require separate authorization to be performed when a node
receives a request for a certain kind of service or resources. This
draft presents a generic model and object formats for session
authorization within the NSIS Signaling Layer Protocols. The goal of
session authorization is to allow the exchange of information between
network elements in order to authorize the use of resources for a
service and to coordinate actions between the signaling and transport
planes.

Working Group Summary
Was there anything in WG process that is worth noting? For
example, was there controversy about particular points or
were there decisions where the consensus was particularly
rough?

This draft is an outcome of the NSIS WG.

Document Quality
Are there existing implementations of the protocol? Have a
significant number of vendors indicated their plan to
implement the specification? Are there any reviewers that
merit special mention as having done a thorough review,
e.g., one that resulted in important changes or a
conclusion that the document had no substantive issues? If
there was a MIB Doctor, Media Type or other expert review,
what was its course (briefly)? In the case of a Media Type
review, on what date was the request posted?

There is an implementation made by University of Karlsruhe
(Roland Bless,
https://projekte.tm.uni-karlsruhe.de/trac/NSIS/wiki/SessionAuthorizationObject)
2010-07-29
07 Cindy Morgan Draft Added by Cindy Morgan in state Publication Requested
2010-07-29
07 Cindy Morgan [Note]: 'Martin Stiemerling (martin.stiemerling@neclab.eu) is the
document shepherd.' added by Cindy Morgan
2010-07-28
05 (System) New version available: draft-ietf-nsis-nslp-auth-05.txt
2010-07-28
04 (System) New version available: draft-ietf-nsis-nslp-auth-04.txt
2010-07-15
07 Samuel Weiler Request for Early review by SECDIR is assigned to Julien Laganier
2010-07-15
07 Samuel Weiler Request for Early review by SECDIR is assigned to Julien Laganier
2010-07-09
03 (System) New version available: draft-ietf-nsis-nslp-auth-03.txt
2010-05-15
02 (System) New version available: draft-ietf-nsis-nslp-auth-02.txt
2010-03-07
01 (System) New version available: draft-ietf-nsis-nslp-auth-01.txt
2010-02-10
00 (System) New version available: draft-ietf-nsis-nslp-auth-00.txt