Re: [homenet] Kathleen Moriarty's Discuss on draft-ietf-homenet-dncp-09: (with DISCUSS and COMMENT)

2015-09-17 Thread Kathleen Moriarty
Thanks, Markus. Inline.

On Thu, Sep 17, 2015 at 11:53 AM, Markus Stenberg wrote:
> On 16.9.2015, at 22.46, Kathleen Moriarty wrote:
>> I just have one thing I'd like to discuss that should be easy enough to
>> resolve.
>>
>> Section 8 mentions that DTLS or TLS MAY be used and that it is up to the
>> DNCP profile.  I'd be interested to see the security considerations that
>> would lead to a recommendation of using session transport for the DNCP
>> profiles.  If it is in another RFC, could you add a pointer?  If it is
>> not, could this be added to the security considerations section since it
>> could be an important consideration?
>
> Thanks for the comment.
>
> I am actually planning to write one more appendix to the text for -10; it 
> will contain datagram (e.g. UDP) vs. stream (e.g. TCP) pros and cons, as I have 
> been thinking about it every now and then, and I think it would make the life of 
> someone else defining a DNCP-based protocol a bit easier.
>
> From the security standpoint, there isn't much of a difference, as the 
> TLS/DTLS state is more or less the same for both cases. You will anyway need 
> either up-to-date sessions (TLS(+DTLS)) and/or long-lived session caching 
> (DTLS(+TLS)), as you cannot afford too many new sessions that actually 
> involve the authz step per given time interval. So essentially even DTLS is 
> a session-based transport in this case from my point of view.
>
> The rest I will write tomorrow, and you (and Brian H., who also raised 
> interest in the different transport options) can check it once we publish -10 
> to see if it matches the requirements; we plan to publish -10 either tomorrow or on 
> Monday.

Great, if you could put a couple of lines in the security
considerations section as general guidance, I think that would be very
helpful.  I'm taking tomorrow off (and the rest of today), so Monday
is fine for me.

Thanks,
Kathleen

>
>> --
>> COMMENT:
>> --
>>
>> Thanks for your detailed work on this draft to provide all of the
>> security related options in section 8.
>
> Thanks ;) Section 8.3 is actually somewhat novel I think, the others 
> (8.1/8.2) are relatively .. mundane.
>
> Cheers,
>
> -Markus



-- 

Best regards,
Kathleen

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet


Re: [homenet] Kathleen Moriarty's Discuss on draft-ietf-homenet-dncp-09: (with DISCUSS and COMMENT)

2015-09-17 Thread Markus Stenberg
On 16.9.2015, at 22.46, Kathleen Moriarty wrote:
> I just have one thing I'd like to discuss that should be easy enough to
> resolve.
> 
> Section 8 mentions that DTLS or TLS MAY be used and that it is up to the
> DNCP profile.  I'd be interested to see the security considerations that
> would lead to a recommendation of using session transport for the DNCP
> profiles.  If it is in another RFC, could you add a pointer?  If it is
> not, could this be added to the security considerations section since it
> could be an important consideration?

Thanks for the comment.

I am actually planning to write one more appendix to the text for -10; it will 
contain datagram (e.g. UDP) vs. stream (e.g. TCP) pros and cons, as I have been 
thinking about it every now and then, and I think it would make the life of someone 
else defining a DNCP-based protocol a bit easier.

From the security standpoint, there isn't much of a difference, as the TLS/DTLS 
state is more or less the same for both cases. You will anyway need either up-to-
date sessions (TLS(+DTLS)) and/or long-lived session caching (DTLS(+TLS)), as 
you cannot afford too many new sessions that actually involve the authz step 
per given time interval. So essentially even DTLS is a session-based transport in 
this case from my point of view.

The rest I will write tomorrow, and you (and Brian H., who also raised 
interest in the different transport options) can check it once we publish -10 
to see if it matches the requirements; we plan to publish -10 either tomorrow or on 
Monday.

> --
> COMMENT:
> --
> 
> Thanks for your detailed work on this draft to provide all of the
> security related options in section 8.

Thanks ;) Section 8.3 is actually somewhat novel I think, the others (8.1/8.2) 
are relatively .. mundane.

Cheers,

-Markus
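The session-caching argument in Markus's message (a node cannot afford to run the authorization step for every new session, so it must either keep sessions up to date or cache and resume established session state) is easy to see with a toy model. The following is an added illustration, not code from the thread, from the DNCP draft, or from any DNCP implementation. It abstracts the (D)TLS handshake to bookkeeping, performs no real cryptography, and uses assumed values for the per-interval authz budget, the cache lifetime, the peer names and the number of intervals; the `Node`, `CachedSession` and `simulate` names are this example's own.

```python
"""Toy model of (D)TLS session handling for a DNCP-style node.

Constructed example: whether the transport is a stream (TLS) or datagrams
(DTLS), a node cannot afford to run the authorization step (peer
certificate/PSK verification plus the profile's trust check) for every new
session, so it must keep sessions up to date or cache established session
state and resume it. No real cryptography is performed; the "handshake" is
abstracted to bookkeeping.
"""
from dataclasses import dataclass, field

# Assumed parameters (not from the draft): how many authz-bearing handshakes
# a node tolerates per interval, and how long a cached session stays
# resumable without a new full handshake.
AUTHZ_BUDGET_PER_INTERVAL = 4
CACHE_TTL_INTERVALS = 10


@dataclass
class CachedSession:
    peer: str
    established: int  # interval in which the full handshake completed
    last_used: int    # interval in which the session was last resumed/used


@dataclass
class Node:
    trusted: frozenset          # peers the profile's trust model accepts
    cache_enabled: bool = True
    sessions: dict = field(default_factory=dict)
    authz_steps: int = 0        # total full handshakes (authz runs) performed
    _budget_interval: int = -1
    _budget_used: int = 0

    def _take_budget(self, now: int) -> bool:
        """Consume one authz slot for this interval; False if exhausted."""
        if now != self._budget_interval:
            self._budget_interval, self._budget_used = now, 0
        if self._budget_used >= AUTHZ_BUDGET_PER_INTERVAL:
            return False
        self._budget_used += 1
        return True

    def connect(self, peer: str, now: int) -> str:
        """Establish a session with `peer` at interval `now`.

        Returns one of:
          "resumed"  - cached session state reused, no authz step run
          "full"     - full handshake including authz; peer is now cached
          "rejected" - authz ran and the peer is not trusted (never cached)
          "deferred" - authz budget for this interval is exhausted; retry later
        """
        cached = self.sessions.get(peer) if self.cache_enabled else None
        if cached is not None and now - cached.last_used <= CACHE_TTL_INTERVALS:
            cached.last_used = now
            return "resumed"
        # Stale or missing session state: a full handshake is needed.
        self.sessions.pop(peer, None)
        if not self._take_budget(now):
            return "deferred"
        self.authz_steps += 1
        if peer not in self.trusted:
            return "rejected"
        if self.cache_enabled:
            self.sessions[peer] = CachedSession(peer, now, now)
        return "full"


def simulate(cache_enabled: bool, peers, trusted, intervals: int) -> dict:
    """Each interval every peer needs a live session (think of a DTLS peer
    whose datagram session must be refreshed). Returns a count per outcome
    plus the total number of authz steps the node performed."""
    node = Node(trusted=frozenset(trusted), cache_enabled=cache_enabled)
    counts = {"resumed": 0, "full": 0, "rejected": 0, "deferred": 0}
    for now in range(intervals):
        for peer in peers:
            counts[node.connect(peer, now)] += 1
    counts["authz_steps"] = node.authz_steps
    return counts


if __name__ == "__main__":
    routers = [f"router-{i}" for i in range(6)]   # constructed peer names
    print("no cache:", simulate(False, routers, routers, 5))
    print("cache:   ", simulate(True, routers, routers, 5))
    print("rogue:   ", simulate(True, routers + ["rogue"], routers, 5))
```

With six trusted peers and a budget of four full handshakes per interval, the uncached node runs authz twenty times over five intervals and leaves two peers unconnected in every interval, whereas the caching node runs authz once per peer and has everyone connected from the second interval on. The third run is the caveat a practitioner should keep in mind: a peer that fails the trust check is never cached, so it costs a full authz step in every interval it shows up, eating into the same budget the legitimate peers depend on; a real implementation would want a per-peer backoff or negative cache on top of the session cache.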