Telechat Review of draft-ietf-uuidrev-rfc4122bis-10
review-ietf-uuidrev-rfc4122bis-10-intdir-telechat-eastlake-2023-09-01-00

Request Review of draft-ietf-uuidrev-rfc4122bis
Requested revision No specific revision (document currently at 14)
Type Telechat Review
Team Internet Area Directorate (intdir)
Deadline 2023-09-01
Requested 2023-08-25
Requested by Éric Vyncke
Authors Kyzer R. Davis , Brad Peabody , P. Leach
I-D last updated 2023-09-01
Completed reviews Artart Last Call review of -09 by Marco Tiloca (diff)
Genart Last Call review of -08 by Roni Even (diff)
Dnsdir Last Call review of -08 by Florian Obser (diff)
Dnsdir Last Call review of -09 by Florian Obser (diff)
Intdir Telechat review of -10 by Donald E. Eastlake 3rd (diff)
Dnsdir Telechat review of -10 by Geoff Huston (diff)
Dnsdir Telechat review of -11 by Geoff Huston (diff)
Assignment Reviewer Donald E. Eastlake 3rd
State Completed
Request Telechat review on draft-ietf-uuidrev-rfc4122bis by Internet Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/int-dir/9SMDrb0Hplytd7i9ZLYT7_WKNAM
Reviewed revision 10 (document currently at 14)
Result On the Right Track
Completed 2023-09-01
review-ietf-uuidrev-rfc4122bis-10-intdir-telechat-eastlake-2023-09-01-00
I am an assigned INT directorate reviewer for <
draft-ietf-uuidrev-rfc4122bis-10.txt>. These comments were written
primarily for the benefit of the Internet Area Directors. Document editors
and shepherd(s) should treat these comments just like they would treat
comments from any other IETF contributors and resolve them along with any
other Last Call comments that have been received. For more details on the
INT Directorate, see https://datatracker.ietf.org/group/intdir/about/ <
https://datatracker.ietf.org/group/intdir/about/>.

*Based on my review, if I was on the IESG I would ballot this document as
DISCUSS.*

Overall, this is an excellent document and I think it will be easy to fix
the DISCUSS points below. I did not review the Appendices.


*I have the following DISCUSS level issues:*

Section 2.1, page 5: I think a MAC address identifies a network interface,
not a "machine". Also, for MAC addresses, this document should Reference
RFC 7042 or, even better, draft-ietf-intarea-rfc7042bis (which is through
WGLC and, in my opinion, ready for publication request). Those documents
point out the existence of 64-bit MAC addresses and where they have been
and are currently used so this document should say something about how
those are handled (perhaps by discarding the top 16 bits).
OLD
       address in the node field of UUID version 1.  Exposed MAC
       addresses can be used as an attack surface to locate machines and
       reveal various other information about such machines (minimally
NEW
       address in the node field of UUID version 1.  Exposed MAC
       addresses can be used as an attack surface to locate network
interfaces
       and reveal various other information about such interfaces (minimally

Section 6.1, Page 27, 1st paragraph: The last sentence of this paragraph is
"The count will range between zero and the number of 100-nanosecond
intervals per system time interval." This is confusing. Why couldn't the
count exceed that number?

Section 7: I think it is improper in the IANA Considerations to talk about
what "the authors and the working group have concluded". The RFC this
document will be is issued as the consensus of the IETF, not as the opinion
of its authors or even the working group. I suggest replacing this section
in its entirety with the following:
"This document requires no IANA actions. In particular, no update is
required to the IANA URN namespace registration [URNNamespaces] for UUID
filed in [RFC4122] and IANA is not required to track UUIDs used for
identifying items such as versions, variants, namespaces, or hashspaces."


*The following are other issues I found with this document that SHOULD be
corrected before publication:*

Section 5.5, page 20: "This SHA-1 value is then used to populate all 128
bits of the UUID layout.  Excess bits beyond 128 are discarded." Seems like
you can and should be more precise. Maybe "The high order 128 bits of the
SHA-1 value is then used to populate all 128 bits of the UUID layout and
the remaining 32 low order bits of SHA-1 output are discarded"

Section 6.2, page 29: "Using floating point math," appears to mandate the
use of floating point which might not be available on some small platforms.
Suggest "Using floating point or scaled integer arithmetic,"

Section 6.2, Page 30, paragraph headed "Fixed-Length Dedicated Counter
Seeding":
+    "However, when the timestamp has not incremented, the counter is
frozen and
      incremented via the desired increment logic." To my mind, frozen
means it is not changed and is inconsistent with incrementing it. Perhaps
"When the timestamp has not increased, the counter is instead incremented
by the desired increment logic."
+    "For example, a 24 bit counter could have
      the 23 bits in least-significant, right-most, position randomly
      initialized.  The remaining most significant, left-most counter
      bits are initialized as zero for the sole purpose of guarding
      against counter rollovers." This is inconsistent. Either it should
say "the 23 or fewer bits" in the first sentence or it should say "bit is
initialized to zero" in the second sentence.

Section 6.3, page 32, 3rd paragraph: Frequent generation of random numbers
also puts more stress on any entropy source and or entropy pool being used
as the basis for such random numbers. This should be mentioned.

Section 6.9: The discussion of the local/global bit here would be a good
place to reference RFC 7042 or, even better, draft-ietf-intarea-ref4042bis.

Section 6.10: This section uses "quite large" without any indication of how
large. A factor of ten? A factor of ten to the tenth power? Can some hint
of how large be given? Similarly Section 2.1, item 1.

Section 8, Page 39: I think "transposed" is the wrong word. That just means
to swap around various parts of something. While that is one type of
modification, I think you mean any type of slight modification. "slightly
transposed" -> "slightly modified"


*The following are minor issues (typos, misspelling, minor text
improvements) with the document:*

Section 1, paragraph 3, page 3:
OLD
to implement services using UUIDs, UUIDs in combination with URNs
[RFC8141], or otherwise.
NEW
to implement services using UUIDs either in combination with URNs [RFC8141]
or otherwise.

Section 3.2: The expansions of UUIDv1 through UUIDv8 are quite repetitive
and uninformative. Since you have already expanded UUID in the previous
line, I don't think it needs to be expanded here. I suggest:
   UUIDv1    Gregorian time-based UUID
   UUIDv2    DCE Security version UUID
   UUIDv3    Name-based UUID with MD5
   UUIDv4    Pseudo-random UUID
   UUIDv5    Name-based UUID with SHA-1
   UUIDv6    Re-ordered Gregorian time-based UUID
   UUIDv7    Unix Epoch time-based UUID
   UUIDv8    Custom UUID

I think Section 6.2 is too long and should have subsections (6.2.1, 6.2.2,
...).

Section 6.2, page 29: "which is sorts" -> "which sorts"

Section 6.2, page 30: "randomly initialize a portion counter" -> "randomly
initialize a portion of the counter"

Section 6.2., page 31: "the random being incremented." -> "the random value
being incremented."

Section 6.5, last paragraph, page 35: "needs not be the only" -> "need not
be the only"


Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 2386 Panoramic Circle, Apopka, FL 32703 USA
 d3e3e3@gmail.com