Last Call Review of draft-hardie-privsec-metadata-insertion-05
review-hardie-privsec-metadata-insertion-05-secdir-lc-nir-2017-02-07-00

Team Security Area Directorate (secdir)
Title Last Call Review of draft-hardie-privsec-metadata-insertion-05
Request Last Call - requested 2017-01-24
Reviewer Yoav Nir
Review result Has Nits
Posted at https://mailarchive.ietf.org/arch/msg/secdir/8HUERYkgms4StPr_OVQKtRE3Y_A
Last updated 2017-02-07

Review
review-hardie-privsec-metadata-insertion-05-secdir-lc-nir-2017-02-07

Hi

The document is well-written and understandable, but a few things about it seem wrong:

Section 3 describes data minimization as "one of the core mitigations for the loss of confidentiality". However, the only example given where data minimization is used to mitigate confidentiality loss is when browsers suppress cookies in private mode. The rest of the examples given (HTTP proxies, recursive DNS, VPN) are such where the data minimization is incidental to some other function. Nobody deployed the HTTP proxy or the DNS server in order to enhance privacy.

The HTTP proxy example in particular is not convincing. HTTP is designed to work without proxies. Any data minimization provided incidentally by a proxy is nothing that can be counted on, so a prohibition on restoring said data (especially in the case of a server-side load balancer) is just not convincing. OTOH, in DNS, recursive resolvers that hide the origin IP of the client are the norm; authoritative servers hardly ever get to see the real addresses of clients. In that case, exposing the real IP address of the client shows data that was not there before.

I believe the text should differentiate between cases where a network element is not part of the normal function of the protocol and works to undo the accidental data minimization that it causes, and cases where the network element is expected in the protocol and thus the minimization is expected as well. I think the prescription in the text applies to the latter. I am not convinced about the former.

The VPN example is a strange one. If the subject is a corporate VPN, then restoring the original IP addresses is the function of the VPN. If, OTOH, the VPN is that service that allows people to watch Hulu outside of the US, then restoring the IP address would be counter-productive. It is also strange to see VPN used as an example of "systems whose primary function is not to provide confidentiality".