Skip to main content

Last Call Review of draft-ietf-6man-uri-zoneid-05
review-ietf-6man-uri-zoneid-05-secdir-lc-perlman-2012-11-29-00

Request Review of draft-ietf-6man-uri-zoneid
Requested revision No specific revision (document currently at 06)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2012-11-26
Requested 2012-11-18
Authors Brian E. Carpenter , Stuart Cheshire , Bob Hinden
Draft last updated 2012-11-29
Completed reviews Genart Last Call review of -05 by Martin Thomson (diff)
Genart Telechat review of -?? by Martin Thomson
Secdir Last Call review of -05 by Radia Perlman (diff)
Assignment Reviewer Radia Perlman
State Completed
Review review-ietf-6man-uri-zoneid-05-secdir-lc-perlman-2012-11-29
Reviewed revision 05 (document currently at 06)
Result Has Nits
Completed 2012-11-29
review-ietf-6man-uri-zoneid-05-secdir-lc-perlman-2012-11-29-00
I have reviewed this document as part of the security directorate's

ongoing effort to review all IETF documents being processed by the

IESG.  These comments were written primarily for the benefit of the

security area directors.  Document editors and WG chairs should treat

these comments just like any other last call comments.



This document provides syntax for specifying a port within a URI for an IPv6
link-local address.

I find no security-specific issues with this draft, but I do think the clarity
of the draft

could be improved a lot, and also, I think that the draft allows options of
what is or is not allowed,

which could cause confusion for a human using this, since some strings will
work sometimes.  I think it would

be better to lock down what is and is not allowed.



I'm not fond of the term "zone identifier" (I had to do some Internet searching
to figure out what it was). It would

only take a sentence to explain it in this draft.  Admittedly, not many people
will be reading this draft out of

context (like me).



An example of where the wording is needlessly hard to read, and where I think
the rule should be a MUST:



" A <zone_id> SHOULD contain only ASCII characters classified

   in

RFC 3986

 as "unreserved", which conveniently excludes "]" in order

   to simplify parsing."



That wording could mean that ] is reserved or it could mean that it is not
reserved.

Turns out (by referring to RFC 3986) "]" is actually reserved.

And also, with my preference for specifying mandatory behavior rather than
recommendation...

perhaps saying something like



" A <zone_id> MUST NOT contain ASCII characters classified

   in

RFC 3986

 as "reserved".  The character  "]" is reserved, so MUST NOT

  be used in the zone ID.





---------

Again,

    "The rules in [

RFC5952

] SHOULD be applied in producing URIs."

Why not MUST be applied?



----------

"we recommend that URI parsers accept bare "%" signs...make it easy for a user
to copy and

paste a string..."



again, I'd think it would be better to specify what parsers MUST do, rather
than saying some parsers

can be more lenient, so that the same string will create the same behavior
regardless of the implementation

parsing it.



---------

similarly



"To limit this risk, implementations SHOULD NOT allow use of this

   format except for well-defined usages such as sending to link local

   addresses under prefix fe80::/10."



I'd think it would be better to say MUST NOT, and also, to specify what it
should

do if it receives such a thing.



Radia