Kerberos Options for DHCPv6
draft-sakane-dhc-dhcpv6-kdc-option-18

[Ballot comment]
Would you mind rewriting the Abstract for clarity? Something like...

  This document defines four new options for the Dynamic Host
  Configuration Protocol for IPv6 (DHCPv6).  These options are used to
  carry coniguration information for Kerberos.

[Ballot comment]
Updated based on email exchange with Sam.

1) a: r/defines new four/defines four new

2) s2: If you going to have the following:

It is assumed that the readers are familiar with the terms and
concepts described in DHCPv6 [RFC3315].

You might as well throw in [RFC2782], [RFC3315], and [RFC4120] ;)

3) s3: r/DHCP configuration parameters/DHCPv6 configuration parameters

4) s3.3: You need to leave a marker for IANA to fill for the number it assigns:

OLD:

The option-code of this option is OPTION_KRB_DEFAULT_REALM_NAME.

NEW:

The option-code of this option is OPTION_KRB_DEFAULT_REALM_NAME (TBD by IANA).

5) s3.4: should DTLS be in the list?

6) s3.4: r/realm- name/realm-name

7) app a: It's unclear to me why you need this appendix.  The reason is clearly stated in s1.


If the app a remains:

8) app a, s1: It's probably be better to say:

  This appendix gives reasons why DHCP-based KDC discovery
  *can be* more appropriate for industrial systems
  than DNS-based KDC discovery (as described
  in RFC4120 - the "RFC4120-way").

I'm suggesting this because I'm not entirely sure it always "is" better to use DHCP over DNS in an industrial system.

and:

  *Some* Industrial systems have their own name spaces and
  naming systems which are not based on FQDN and DNS.

Do they all have their own?

9) app a, s1: What kind of server are we getting rid of if we're using DHCP-based KDC discovery over DNS-based discovery.

  DHCP-based KDC discovery is more efficient because
  reducing the number of servers reduces the number of
  messages, improves reliability and reduces management cost.

Also the above seems a bit lit marketing to me.

10) app a, s2 & s3: Not sure why these paragraphs are here.  The heart of matter is in s4 - fielded devices don't support FQDN/DNS hence you need a DHCP mechanism.  You're goal is to not replace all the currently fielded devices because it's too darn expensive.

In s2 it might be worth making the following change before the bullets:

  Field devices currently deployed where DHCP-based KDC discovery can be more
  appropriate than DNS-based KDC discovery have the following
  characteristics:

In s3: Why is this paragraph needed at all.  It doesn't fit under the heading of "Why DNS is not acceptable in some environments".  Seems like marketing to me.

11) app a, s5: How are less servers being implemented?

12) app a, s6: There's a whole 'lotta references in Appendix A that need to be added in s8.2.

[Ballot comment]
[updated, as the IANA part takes care all of stuff to be registered.]

Please reply to these comments, as they are substantial for the document:

Section 3., paragraph 7:

>    With the exception of the Kerberos KDC Option, none of these options
>    may appear more than once in a DHCPv6 message.

  Shouldn't this read 'MUST NOT appear'?


Appendix B., paragraph 1:

>    When no criteria have been specified and the client could get the
>    Kerberos information from either the DNS server or the DHCPv6 server,
>    then the information from DNS should be preferred.  The following is
>    the guideline for the client in such an environment.

  This appendix is not meant to be the standard, but rather
  informational, isn't it? If it is this way, please state it
  explicitly!

[Ballot discuss]
Does Appendix A really need to be part of this draft, that is can't it just be removed from the draft?  Some of wording seems awfully strong/inflammatory ... like "DHCP-based KDC discovery is more appropriate ..." is it always?  Further, the reason why this draft is needed is because the currently fielded devices don't support DNS, and that's okay. But, that really means you only need s4 of Appendix A - and that's already in s1.

[Ballot comment]
1) a: r/defines new four/defines four new

2) s2: If you going to have the following:

It is assumed that the readers are familiar with the terms and
concepts described in DHCPv6 [RFC3315].

You might as well throw in [RFC2782], [RFC3315], and [RFC4120] ;)

3) s3: r/DHCP configuration parameters/DHCPv6 configuration parameters

4) s3.3: You need to leave a marker for IANA to fill for the number it assigns:

OLD:

The option-code of this option is OPTION_KRB_DEFAULT_REALM_NAME.

NEW:

The option-code of this option is OPTION_KRB_DEFAULT_REALM_NAME (TBD by IANA).

5) s3.4: should DTLS be in the list?

6) s3.4: r/realm- name/realm-name

7) app a, s1: If the appendix remains, then it's probably be better to say:

  This appendix gives reasons why DHCP-based KDC discovery
  *can be* more appropriate for industrial systems
  than DNS-based KDC discovery (as described
  in RFC4120 - the "RFC4120-way").

I'm suggesting this because I'm not entirely sure it always "is" better to use DHCP over DNS in an industrial system.  It's only better now because all of the currently fielded devices don't support DNS.

and:

  *Some* Industrial systems have their own name spaces and
  naming systems which are not based on FQDN and DNS.

8) app a, s1: What kind of server are we getting rid of if we're using DHCP-based KDC discovery over DNS-based discovery.

  DHCP-based KDC discovery is more efficient because
  reducing the number of servers reduces the number of
  messages, improves reliability and reduces management cost.

9) app a, s2 & s3: Not sure why these paragraphs are here.  The heart of matter is in s4 - fielded devices don't support FQDN/DNS hence you need a DHCP mechanism.  You're goal is to not replace all the currently fielded devices because it's too darn expensive.

If App A remains, then In s2 it might be worth making the following change before the bullets:

  Field devices currently deployed where DHCP-based KDC discovery can be more
  appropriate than DNS-based KDC discovery have the following
  characteristics:

In s3: Totally confused about why this paragraph is needed at all.  It doesn't fit under the heading of "Why DNS is not acceptable in some environments".

10) app a, s5: How are less servers being implemented?

11) app a, s6: If this remains as is, there's a whole 'lotta references in Appendix A that need to be added in s8.2.

[Ballot comment]
Please reply to these comments, as they are substantial for the document:

Section 3., paragraph 7:

>    With the exception of the Kerberos KDC Option, none of these options
>    may appear more than once in a DHCPv6 message.

  Shouldn't this read 'MUST NOT appear'?


Section 3.4., paragraph 8:

>    o  Transport Type (8-bit): The Transport Type specifies the transport
>      protocol used for Kerberos.  Kerberos [RFC4120] defines UDP and
>      TCP transports.  Exchanges over TCP are further described in
>      [RFC5021] while the transport of Kerberos over TLS is described in
>      [RFC6251].

I wonder, if the 'Transport Type' field should be also managed by IANA. E.g., how are the code points managed if a new transport protocol is added in the future to Kerberos?


Appendix B., paragraph 1:

>    When no criteria have been specified and the client could get the
>    Kerberos information from either the DNS server or the DHCPv6 server,
>    then the information from DNS should be preferred.  The following is
>    the guideline for the client in such an environment.

  This appendix is not meant to be the standard, but rather
  informational, isn't it? If it is this way, please state it
  explicitly!

[Ballot comment]
Substantive comments; these are non-blocking, but please consider them
seriously, and feel free to chat with me about them:

-- Section 4 --
I find the use of 2119 language a bit odd in the second and third paragraphs.  You use MUST for what the client sends to the server, and you don't use 2119 language for how the server responds.  In fact, I think it would be fine to strike the MUSTs from the client side too.  For example, this works fine for the third paragraph:

  If a client requires configuration parameters for a KDC, the client
  sends a DHCPv6 ORO specifying the Kerberos KDC Option.  The
  client MAY include a Kerberos Principal Name Option.  The client
  MAY include a Kerberos Realm Name Option.

That makes it parallel to the protocol instructions for the server.

I also find the MUST in the fifth paragraph to be odd, but it matches the 2119 language in RFC 2782, so I can't really pick any bones with it.

The MUST in Section 4.1 is stranger still:
  The
  administrator of the realm MUST define the method as part of the
  configuration of the client before the client is installed.

I don't know how that qualifies as a MUST, how it has anything to do with interoperability, nor how it could be detected or enforced.  Wouldn't it be suitable to just say that "the administrator of the realm usually defines the method [...]" ?

-- IANA Considerations --
  The assignment of future entries is by "IETF Consensus" policy as
  described in BCP 26 [RFC5226].

In RFC 5226 this is called "IETF Review", not "IETF Consensus"; please change that.

IANA has reviewed draft-sakane-dhc-dhcpv6-kdc-option-14.txt and has the
following comments:

Upon approval, IANA will perform the following actions:

ACTION 1:

IANA will register the following DHCPv6 Option Codes at
http://www.iana.org/assignments/dhcpv6-parameters
with this document as a reference:

OPTION_KRB_PRINCIPAL_NAME
OPTION_KRB_REALM_NAME
OPTION_KRB_DEFAULT_REALM_NAME
OPTION_KRB_KDC


ACTION 2:

IANA will create the following registry at
http://www.iana.org/assignments/kerberos-parameters

Registry Name: Kerberos Message Transport Type
Reference: [this document]
Registration Procedures: IETF Review

Value Transport Type Reference
---- -------------- ---------
0 Reserved [this document]
1 UDP [this document]
2 TCP [this document]
3 TLS [this document]
4-254 Unassigned
255 Reserved [this document]

State changed to In Last Call from Last Call Requested

The following Last Call Announcement was sent out:

From: The IESG

To: IETF-Announce

CC:

Reply-To: ietf@ietf.org

Subject: Last Call:  (Kerberos Options for DHCPv6) to Proposed Standard





The IESG has received a request from the Kerberos WG (krb-wg) to consider

the following document:

- 'Kerberos Options for DHCPv6'

  as a Proposed Standard



The IESG plans to make a decision in the next few weeks, and solicits

final comments on this action. Please send substantive comments to the

ietf@ietf.org mailing lists by 2012-03-23. Exceptionally, comments may be

sent to iesg@ietf.org instead. In either case, please retain the

beginning of the Subject line to allow automated sorting.



Abstract





  This document defines new four options for the Dynamic Host

  Configuration Protocol for IPv6 (DHCPv6) to carry configuration

  information related to the Kerberos protocol [RFC4120].





The file can be obtained via

http://datatracker.ietf.org/doc/draft-sakane-dhc-dhcpv6-kdc-option/



IESG discussion can be tracked via

http://datatracker.ietf.org/doc/draft-sakane-dhc-dhcpv6-kdc-option/ballot/





No IPR declarations have been submitted directly on this I-D.



This document has a normative reference to RFC 6251 which is an

informational RFC.

Restore state to Submitted to IESG as it was before the new version was submitted.
Drop Revised I-D Needed; -14 addresses issues raised in AD review.
Drop Author/Editor Needed; many thanks to Stephen Farrell for helping clean up the text.

Needs a volunteer to clean up English-language issues and make the document more readable.  If a volunteer is found, we should be ready to move forward sometime in January 2012.  Otherwise, we'll have to move forward without doing any more editing at this time, and hope reviewers don't have too hard a time at it.

This is a request to the IESG to approve publication of "Kerberos Option
for DHCPv6", draft-sakane-dhc-dhcpv6-kdc-option-12.txt, as a Standards
Track RFC. This document is a product of the Kerberos Working Group.
Please note that although the header on the current version lists the
intended status as "Informational", we are in fact requesting that it
be published on the standards track.

(1.a) Who is the Document Shepherd for this document? Has the
Document Shepherd personally reviewed this version of the
document and, in particular, does he or she believe this
version is ready for forwarding to the IESG for publication?

>> The Document Shepherd for this document is Jeffrey Hutzelman,
>> . I have reviewed this document, and I believe
>> it is ready for IETF-wide review and publication as a
>> Proposed Standard.

(1.b) Has the document had adequate review both from key WG members
and from key non-WG members? Does the Document Shepherd have
any concerns about the depth or breadth of the reviews that
have been performed?

>> This document has received significant review within the
>> Kerberos working group, and also received review from members
>> of the Dynamic Host Configuration (DHC) working group. The
>> WGLC announcement was sent to both lists. Any issues raised
>> have been resolved.

(1.c) Does the Document Shepherd have concerns that the document
needs more review from a particular or broader perspective,
e.g., security, operational complexity, someone familiar with
AAA, internationalization or XML?

>> I don't believe any particular outside review is required,
>> beyond that already received from the DHC WG.
>> Of course, more review is always welcome.

(1.d) Does the Document Shepherd have any specific concerns or
issues with this document that the Responsible Area Director
and/or the IESG should be aware of? For example, perhaps he
or she is uncomfortable with certain parts of the document, or
has concerns whether there really is a need for it. In any
event, if the WG has discussed those issues and has indicated
that it still wishes to advance the document, detail those
concerns here. Has an IPR disclosure related to this document
been filed? If so, please include a reference to the
disclosure and summarize the WG discussion and conclusion on
this issue.

>> I have no concerns.
>> No IPR disclosures related to this document have been filed.

(1.e) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with
others being silent, or does the WG as a whole understand and
agree with it?

>> There is concensus within the working group to publish this
>> document.

(1.f) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in
separate email messages to the Responsible Area Director. (It
should be in a separate email because this questionnaire is
entered into the ID Tracker.)

>> There have been no expressions of discontent.

(1.g) Has the Document Shepherd personally verified that the
document satisfies all ID nits? (See
http://www.ietf.org/ID-Checklist.html and
http://tools.ietf.org/tools/idnits/). Boilerplate checks are
not enough; this check needs to be thorough. Has the document
met all formal review criteria it needs to, such as the MIB
Doctor, media type and URI type reviews?

>> This document has been run through the idnits tool, and was
>> reviewed manually for compliance with requirements not checked
>> by the automatic tool. No additional formal review criteria
>> apply to this document.

(1.h) Has the document split its references into normative and
informative? Are there normative references to documents that
are not ready for advancement or are otherwise in an unclear
state? If such normative references exist, what is the
strategy for their completion? Are there normative references
that are downward references, as described in [RFC3967]? If
so, list these downward references to support the Area
Director in the Last Call procedure for them [RFC3967].

>> References have been split appropriately. There are no
>> normative downward references or normative references to
>> documents that are not ready for advancement.

(1.i) Has the Document Shepherd verified that the document IANA
consideration section exists and is consistent with the body
of the document? If the document specifies protocol
extensions, are reservations requested in appropriate IANA
registries? Are the IANA registries clearly identified? If
the document creates a new registry, does it define the
proposed initial contents of the registry and an allocation
procedure for future registrations? Does it suggest a
reasonable name for the new registry? See [RFC2434]. If the
document describes an Expert Review process has Shepherd
conferred with the Responsible Area Director so that the IESG
can appoint the needed Expert during the IESG Evaluation?

>> This document allocates four DHCPv6 option codes and creates
>> a registry for KDC transport protocols.

(1.j) Has the Document Shepherd verified that sections of the
document that are written in a formal language, such as XML
code, BNF rules, MIB definitions, etc., validate correctly in
an automated checker?

>> No part of this document is written in a formal language
>> requiring such verification.

(1.k) The IESG approval announcement includes a Document
Announcement Write-Up. Please provide such a Document
Announcement Write-Up? Recent examples can be found in the
"Action" announcements for approved documents. The approval
announcement contains the following sections:


Technical Summary

This document defines a new DHCPv6 option to carry a set of
configuration information related to the Kerberos protocol [RFC4120].
This document also defines three sub-options to be used within this
new option, which specify a realm name of the Kerberos, a list of IP
addresses of the Key Distribution Center of that realm, and a client
principal name to distinguish a Kerberos client by the DHCPv6 server.

Working Group Summary

This document represents the consensus of the Kerberos Working Group.
It was also reviewed in the Dynamic Host Configuration Working Group,
in keeping with that working group's responsibility for reviewing
DHCP options and extensions.

Document Quality

I know of no implementations at this time.

Personnel

The Document Shepherd for this document is Jeffrey Hutzelman.
The responsible Area Director is Stephen Farrell.