On 16.9.2015, at 22.46, Kathleen Moriarty <[email protected]> wrote:

> I just have one thing I'd like to discuss that should be easy enough to
> resolve.
>
> Section 8 mentions that DTLS or TLS MAY be used and that it is up to the
> DNCP profile. I'd be interested to see the security considerations that
> would lead to a recommendation of using session transport for the DNCP
> profiles. If it is in another RFC, could you add a pointer? If it is
> not, could this be added to the security considerations section since it
> could be an important consideration?

Thanks for the comment. I am actually planning to write one more appendix to the text for -10; it will contain datagram (= e.g. UDP) <> stream (= e.g. TCP) pros and cons, as I have been thinking about it every now and then, and I think it would make the life of someone else defining a DNCP-based protocol a bit easier.

From the security standpoint, there isn't much of a difference, as the TLS/DTLS state is more or less the same for both cases. You will anyway need either up-to-date sessions (TLS (+DTLS)) and/or long-lived session caching (DTLS (+TLS)), as you cannot afford too many new sessions that actually involve the authz step per given time interval. So essentially even DTLS is a session-based transport in this case from my point of view.

The rest, I will write it tomorrow and you (and Brian H., who also raised interest in the different transport options) can check it once we publish -10 if it matches the requirements; we plan to publish -10 either tomorrow or on Monday.

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thanks for your detailed work on this draft to provide all of the
> security related options in section 8.

Thanks ;) Section 8.3 is actually somewhat novel I think, the others (8.1/8.2) are relatively .. mundane.

Cheers,

-Markus

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
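The reply's point that a DNCP node "cannot afford too many new sessions that actually involve the authz step per given time interval", and that this is what makes DTLS session-based in practice, can be made concrete with a small model. The following is an added illustration, not code from the thread, the DNCP draft or any TLS/DTLS library: it assumes a per-peer session cache with a maximum age (resumption window) and a constructed traffic pattern, and counts how many exchanges fall back to a full handshake plus authorization versus a cheap resumption, and how many of those expensive handshakes land in any one time window.

```python
"""Constructed model of the per-interval handshake budget argument.

Whether the transport is a datagram (UDP/DTLS) or a stream (TCP/TLS),
a fresh session costs a full handshake plus an authorization step, so the
rate of fresh sessions must stay low.  Keeping sessions alive, or keeping a
long-lived resumption cache, turns almost every exchange into a resumption.
All names, parameters and the traffic pattern below are assumptions made
for this example; they are not values from the DNCP specification.
"""
from dataclasses import dataclass, field


@dataclass
class SessionCache:
    max_age: float                                  # seconds a cached session stays usable
    entries: dict = field(default_factory=dict)     # peer_id -> timestamp of last use
    full_handshakes: int = 0                        # expensive: handshake + authz
    resumptions: int = 0                            # cheap: reuse cached state

    def exchange(self, peer_id: str, now: float) -> str:
        """Record one message exchange with peer_id at time `now`.

        Returns "resumed" if usable session state existed, otherwise "full"
        (a new session with the authorization step had to be set up).
        """
        last = self.entries.get(peer_id)
        if last is not None and now - last <= self.max_age:
            self.entries[peer_id] = now
            self.resumptions += 1
            return "resumed"
        self.entries[peer_id] = now
        self.full_handshakes += 1
        return "full"


def run(events, max_age):
    """Replay (peer_id, time) events; return (full_handshakes, resumptions)."""
    cache = SessionCache(max_age)
    for peer, t in events:
        cache.exchange(peer, t)
    return cache.full_handshakes, cache.resumptions


def peak_full_handshakes_per_interval(events, max_age, interval):
    """Largest number of expensive handshakes in any window of `interval` seconds.

    This is the figure the reply is worried about: however the transport is
    chosen, this peak must stay within what the node can afford to authorize.
    """
    cache = SessionCache(max_age)
    # events are time-ordered, so the list of "full" timestamps is ordered too
    times = [t for peer, t in events if cache.exchange(peer, t) == "full"]
    peak = 0
    for i, start in enumerate(times):
        peak = max(peak, sum(1 for t in times[i:] if t - start < interval))
    return peak


# Constructed traffic: three peers, each sending one message every 10 s for 5 minutes.
EVENTS = [(p, t) for t in range(0, 300, 10) for p in ("peer-a", "peer-b", "peer-c")]

if __name__ == "__main__":
    for max_age in (60, 5):
        full, resumed = run(EVENTS, max_age)
        peak = peak_full_handshakes_per_interval(EVENTS, max_age, 60)
        print(f"max_age={max_age:3d}s: full={full:3d} resumed={resumed:3d} "
              f"peak full handshakes per 60 s window={peak}")
```

With a 60 s session lifetime every peer is set up once and all later exchanges resume; with a 5 s lifetime (shorter than the message interval) every single exchange is a full handshake with authorization, and 18 of them land in each 60 s window. The transport type does not change this arithmetic, which is the reply's point: the cache lifetime, not UDP versus TCP, decides the authorization load.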
