Ballot for draft-ietf-regext-epp-quic
Discuss
Yes
No Objection
No Record
Summary: Has 2 DISCUSSes. Needs 5 more YES or NO OBJECTION positions to pass.
Please find below a blocking DISCUSS points (easy to address), some non-blocking COMMENT points/nits (replies would be appreciated even if only for my own education). As noted in https://datatracker.ietf.org/doc/statement-iesg-handling-ballot-positions-20220121/, a DISCUSS ballot is a request to have a discussion on the point below, which I expect will be very easy to resolve: ## The current text says: "Operators are encouraged to provision network paths with appropriate MTU sizes to avoid packet fragmentation for EPP message delivery." - I don't really understand what this is asking for and what is needed, please clarify. - When I started reading I assumed this was the standard QUIC datagram size (as in section 14), but maybe this means to say more, or I was just thrown by the term "MTU" here? - And please explain what is the fragmentation described here? ## Please consider and respond to Zahed's review comment: RFC 9000 defines max_ideal_timeout ( https://datatracker.ietf.org/doc/html/rfc9000#idle-timeout ), section 3 of this draft does not relate to usage of that max_ideal_timeout but states -"the server MAY end the QUIC connection immediately". How is it supposed to work with the max_ideal_timeout if that is negotiated at the connection setup? ## Section 4 says - A server SHOULD limit a client to a maximum number of QUIC streams per QUIC connection based on server capabilities and operational load. How do you do that via RFC9000? Or is this something new? If you are using RFC9000, then add a reference to the concurrency control described in RFC9000. or explain how your intent to enforce the SHOULD. ## Section 10.6 says - EoQ servers MUST utilize the QUIC Retry Packet mechanism described in Section 8.1.2 of [RFC9000]. As RFC9000 does not apply MUST to use QUIC Retry Packets for address validation, what is the justification for the MUST here?
Thank you for submitting this document, I have the following (non-blocking) comments: ## I couldn't really understand why this RFC is specifying transport over QUIC, but expect there was some specific need. I think that ought to be clearer. ## The security properties of QUIC do differ to those of TLS/TCP, in as much as QUIC us an encrypted transport - see 21.1 in the security considerations of RFC9000. # Please address the issues raised by Zahed as a part of his TSVART review: ## Even though section 3 explains it the correct way, in section 6, it says - The EoQ Connection Start Packet is written by the client after creating a QUIC stream to signal to the server to create the QUIC stream. This is inaccurate when client-initiated bi-directional streams are used. The server does not create streams; it just uses the streams created by the client. The snipped emphasizes that "signal to the server to create stream " that needs to be fixed. If there are no specific explanations, then it would suggest to rewrite the sentence to -- The EoQ Connection Start Packet is sent by the client after creating a QUIC connection to signal to the server, on the client-initiated stream, respond with EPP<greeting>. # Nits - - Section 7 : the references to RFC9000 are out of order in the description of "Stateful Nature". RFC 9000 section 2 is about streams and section 5 is about connections. Best wishes, Gorry
Section 8.8, 0-RTT and Session Resumption: 472 > Using 0-RTT for EoQ allows clients to establish connections and 473 > initiate EPP transactions without round-trip delay, enabling servers 474 > to use shorter idle timers and reduce connection overhead. Session 475 > resumption and 0-RTT introduce privacy and replay risks. EoQ 476 > implementations SHOULD follow [RFC8446] and [RFC9001] guidance to 477 > balance performance and risk mitigation. Failure to do so increases 478 > privacy exposure and replay attack risks. RFC 9001 Section 5.6 states: "An application protocol that uses QUIC MUST include a profile that defines acceptable use of 0-RTT; otherwise, 0-RTT can only be used to carry QUIC frames that do not carry application data." EoQ defines no such profile. Directing implementers to "SHOULD follow [RFC8446] and [RFC9001] guidance" is not a substitute for defining that profile, and this document therefore does not satisfy the MUST from RFC 9001. The absence is made more serious by the text above asserting that 0-RTT allows clients to "initiate EPP transactions." If EoQ defines no profile permitting EPP application data in 0-RTT, RFC 9001 prohibits exactly that use. The text and the RFC 9001 requirement are directly contradictory. EPP commands, including <login> itself, are not safe to replay without application-layer protections that this document does not specify. In my view, this section must be revised. At a minimum, the document should either: (a) explicitly prohibit EPP application data (including <login>) from being carried in 0-RTT data, specifying only the EoQ Connection Start Packet as a candidate for 0-RTT, or (b) define a specific 0-RTT profile — including which EPP messages may be included, what replay mitigations are required, and how session authentication state interacts with resumed sessions — thereby satisfying the RFC 9001 MUST.
Section 5, Data Unit Format: 305 > The EPP data unit contains two fields: a 32-bit header that describes 306 > the total length of the data unit, and the EPP XML instance. The 307 > length of the EPP XML instance is determined by subtracting four 308 > octets from the total length of the data unit. A receiver must 309 > successfully read that many octets to retrieve the complete EPP XML 310 > instance before processing the EPP message. The 32-bit Total Length field permits a declared length of up to approximately 4 GB. The SECDIR review (thanks, Mike) against -09 raised this concern. RFC 5734 is equally silent on length-field bounds checking for the identical framing it defines. In my opinion, the Security Considerations section should recommend that implementations validate the declared length against a locally configured maximum before allocating memory or attempting to read the declared number of octets. Without such guidance, a single crafted packet with an oversized length field can exhaust a receiver's memory. I would suggest adding a sentence to Section 11 to this effect. --- Section 6, EoQ Connection Start Packet, error handling: 337 > Absent processing errors or local policy, the server accepts the 338 > QUIC stream, reads the EoQ Connection Start Packet, and returns 339 > the EPP <greeting> to the client on same QUIC stream. The document specifies that a valid EoQ Connection Start Packet MUST be exactly 24 octets containing the literal string "EoQ Connection Start" (Section 6). However, it does not specify what the server MUST or SHOULD do if it receives a stream-opening packet that does not conform to this format — for example, if the Total Length field is not 24, or if the payload does not match the expected constant. Section 7 addresses error handling for malformed EPP commands, but not for a malformed EoQ Connection Start Packet. In my opinion, the document should specify the required server behavior in this case (e.g., close the QUIC stream, with or without returning an error). --- Section 4, Message Exchange, stream limiting: 229 > A server SHOULD limit a client to a maximum number of QUIC 230 > streams per QUIC connection based on server capabilities and 231 > operational load. Absent such limit, a server may be subject to 232 > overload and resource exhaustion. RFC 9000 Section 4.6 defines the normative QUIC mechanism for this: servers use the max_streams transport parameter and MAX_STREAMS frames to limit the number of streams a peer may open, and endpoints MUST NOT exceed the limit set by their peer. In my opinion, this section should reference that mechanism explicitly, so that implementers understand both how to enforce the limit and the QUIC-level error (STREAM_LIMIT_ERROR) that results from a client exceeding it. The TSV-ART review against -09 also noted this gap. --- Section 3, Session Management, max_idle_timeout: 207 > The max_idle_timeout transport parameter defined in 208 > Section 18.2 of [RFC9000] MUST NOT be set to a non-zero value by the 209 > client or server. Once the last QUIC stream for a QUIC connection is 210 > closed, the server MAY end the QUIC connection immediately. I understand the intent. However, a consequence of setting max_idle_timeout to 0 is that a QUIC connection with no open streams can remain open indefinitely. The server is permitted but not required to close the connection when the last stream closes. In my opinion, the document should say something about the expected behavior in this state, perhaps elevating the "MAY end the QUIC connection immediately" to SHOULD, to help operators avoid accumulating zombie connections. --- Section 9.2, Registration of Port Number: 511 > This document requests IANA to update that entry so that it is 512 > reassigned to EPP and add a reference to this document. The phrase "reassigned to EPP" is confusing because port 700/UDP is already assigned to the EPP service (service name "epp"). What the document is requesting is an update to the Description field (from the current generic EPP text to "EPP run over QUIC") and the addition of this RFC as an additional reference alongside [RFC5734]. The IANA request should be stated precisely: for example, "This document requests IANA to update the Description field of the EPP UDP/700 entry to 'EPP run over QUIC' and to add this document as an additional Reference alongside [RFC5734]."
# Éric Vyncke INT AD comments for draft-ietf-regext-epp-quic-10 CC @evyncke Thank you for the work put into this document. Special thanks to Med Boucadair, the responsible AD, to point me to the last paragraph of section 7 (which could use a MUST though) to handle my previously [DISCUSS ballot](https://mailarchive.ietf.org/arch/msg/regext/4zJiC7I3GlGPdjPuVqXi5smwYpQ/) Please find below some non-blocking COMMENT points/nits (replies would be appreciated even if only for my own education). I hope that this review helps to improve the document, Regards, -éric Note: this ballot comments follow the Markdown syntax of https://github.com/mnot/ietf-comments/tree/main, i.e., they can be processed by a tool to create github issues. ## COMMENTS (non-blocking) ### Gorry's DISCUSS I second Gorry's DISCUSS issues as they are sensible ### Why QUIC in Section 1 I failed to find why using QUIC is useful, especially with `EPP sessions use a single QUIC stream for all command and response exchanges` especially when reading section 3 `This means that a single QUIC connection may support multiple EoQ sessions.` The introduction should probably state that there could be several EPP sessions (for different domains ?) over a single QUIC connection. ### Section 3 `As shown in Figure 1 in Section 4,` it is painful for the reader to scroll down. Suggest moving the figure in section 3. s/on a well-known UDP port number assigned by IANA/on *the* well-known UDP port number assigned by IANA/ (if there is only one) ### Section 4 Why not a "MUST" in `Absent local policy, a server SHOULD end an EoQ session and close the QUIC stream if a well-formed command is not received within the time limit` ? Also note https://datatracker.ietf.org/doc/statement-iesg-statement-on-clarifying-the-use-of-bcp-14-key-words/ (and thanks for the guidance provided for previous "SHOULD") ### Section 5 s/The 32 bits total length/The *32-bit* total length/ ### Use of SVG graphics To make a much nicer HTML rendering, suggest using the aasvg tool to generate SVG graphics. It is worth a try especially if the I-D uses the Kramdown file format ;-)
No Routing associated observations
Thank you to Joel Halpern for the GENART review.