Last Call Review of draft-ietf-ipfix-anon-
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.
This document presents a mechanism for representing anonymized data within IPFIX [RFC5101] and guidelines for using it. The document in general is well-written and no security issues were detected. Adequate background information is included in section 1 which aids in the overall readability of the document. Since the purpose of the document is to anonymize flow information, it is itself a security function for the IPFIX protocol.
The document covers the range of fields that are recommended for anonymization. The draft contains adequate explanations as to how the fields might be used to identify either the entities responsible for the flows or information about the hosts sending or receiving them. The fields recommended for anonymization include IP addresses; MAC addresses (which can be used to construct IPv6 addresses and may make it possible to trace a device to an entity); port numbers (which support host OS identification techniques); and timestamps and counters (which can reveal host behavior). Methods to anonymize each field are provided in the draft, including the advantages of particular anonymization techniques and the gaps that remain if alternate techniques are selected.
The security section of the document further clarifies the purpose of this draft versus that of the existing IPFIX standards for confidentiality, which this draft does not cover. Encryption for confidentiality is covered in other documents, such as the use of TLS for transport; this draft is specific to anonymization. The security section is adequate for this draft.
Note: While I majored in Math undergrad and actually enjoyed ring and field theory, I could be missing something in the evaluation as it seems like that was a long time ago! I do not see any problems with the options presented for anonymization as it appears to be quite thorough.
Introduction: Grammar nit: in the 2nd paragraph, "anonymisable" is not a word. Maybe replace this with "anonymize", as it still reads fine and I think has the same intent.