Last Call Review of draft-ietf-tvr-use-cases-04
review-ietf-tvr-use-cases-04-secdir-lc-turner-2024-02-15-00

Request Review of draft-ietf-tvr-use-cases
Requested revision No specific revision (document currently at 09)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2024-02-15
Requested 2024-02-01
Authors Edward J. Birrane, Nicolas Kuhn, Yingzhen Qu, Rick Taylor, Li Zhang
I-D last updated 2024-02-15
Completed reviews Genart Last Call review of -04 by Behcet Sarikaya (diff)
Secdir Last Call review of -04 by Sean Turner (diff)
Tsvart Last Call review of -04 by Michael Scharf (diff)
Intdir Telechat review of -05 by Pascal Thubert (diff)
Iotdir Telechat review of -07 by Charles E. Perkins (diff)
Secdir Telechat review of -05 by Sean Turner (diff)
Assignment Reviewer Sean Turner
State Completed
Request Last Call review on draft-ietf-tvr-use-cases by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/_GWqgqDn9-kyG4yccka2Y1m4CAQ
Reviewed revision 04 (document currently at 09)
Result Has issues
Completed 2024-02-15
Hi! Thanks for the well-written document. Two issues:

# Security considerations

While this document is purely about use cases and does not define a protocol
per se, I could see why you might think there are no security considerations.
So, two things on this:

1. I tend to think that there is at least one security consideration! Don't you
have to at least mention the one issue that affects all of the
protocols: time synchronization? If I control your clock, I can make this not
work or work at times you didn't want it to.  There has to be some text you can
refer to in NTP?

2. I also went and looked at the security considerations sections in other
"pure" use case RFCs. YMMV, but many non-security related use case RFCs
included text something like:

  This document does not specify a mechanism, it merely motivates TVR.
  Therefore, security considerations are described elsewhere, including
  in TVR requirements [TVR-REQ] as well as in forthcoming documents
  for specific routing protocols.

Totally not wed to the words above and assumes there will be at least one
security consideration related to time.

# Possibly an inconsistency.

The last para in s1 includes this text:

  Non-deterministic scenarios such as vehicle-to-vehicle
  communication is out of the scope of the document.

The 1st para of s5.3 includes this text:

  There are a significant number of mobile node use cases, to include
  vehicle-to-vehicle communications, swarms of unmanned aerial and
  underwater vehicles, ships in shipping lanes, airplanes following
  flight plans, and trains and subways.

I was surprised to see “vehicle-to-vehicle” in s5.3 if that’s out of scope.
But, it also made me wonder what is a deterministic scenario and if putting
vehicle-to-vehicle in s5.3 makes the entire exemplar (and section) out of scope.
Can you explain?