DRAFT — DRAFT — DRAFT — DRAFT — DRAFT
IESG Narrative Minutes
Narrative Minutes of the IESG Teleconference on 2011-12-15. These are not an official record of the meeting.
Narrative scribe: Barry Leiba and John Leslie (The scribe was sometimes uncertain who was speaking.)
Corrections from:
1 Administrivia
- Roll Call 1133 EST Amy:
- Jari Arkko--- y
- Amanda Baber--- y
- Ron Bonica--- y
- Stewart Bryant--- regrets
- Gonzalo Camarillo--- y
- Michelle Cotton--- regrets
- Ralph Droms--- y
- Wesley Eddy--- y
- Adrian Farrel--- regrets
- Stephen Farrell--- y
- Sandy Ginoza--- y
- Joel Halpern--- regrets
- Susan Hares--- regrets
- David Harrington--- y
- Russ Housley--- y
- Barry Leiba--- scribe
- John Leslie--- scribe
- Cindy Morgan--- y
- Ray Pelletier--- regrets
- Pete Resnick--- y
- Dan Romascanu--- y
- Peter Saint-Andre--- y
- Robert Sparks--- y
- Sean Turner--- y
- Amy Vezza--- y
- Bash the Agenda
- Approval of the Minutes of the past telechat
- December 1 minutes--- No objections, approved.
- December 1 narrative minutes--- No objections, approved.
- Review of Action Items from last Telechat
- Jari Arkko to add guidance on multi-Area work to the wiki.
Jari: I've done something!
Russ: I saw the email.
Jari: I'd like the IESG to discuss this with me. I think it would be useful to post things of this nature as an I-D and have the community discuss them.
Russ: I'm not sure we have consensus even in the IESG, so I think discussion is needed. We may not have time on today's agenda. Can we push the discussion to a future meeting?
Jari: Yes, and people haven't had a chance to look at it yet. I'm looking for the right forum for discussion.
Russ: We need to get a feel for where the IESG consensus sits, to answer that.
Dan: This looks like good stuff for the first informal telechat in the new year.
Jari: I'm looking at this from my perspective, and different people have different viewpoints and experiences. Please provide them.
Dan: I had time to look over it, so I'll send you comments on the IESG list.
Amy: We'll mark this as in progress.
Russ: We'll do it on an informal chat, and please mark it done.
- Pete Resnick to identify a designated expert for RFC 5797 [IANA #499641].
Pete R: Still in progress. We don't have an informal telechat next week?
Russ: I was not planning to call one.
Pete R: In progress, and I will email iesg-only if progress isn't made quickly with the problems I'm running into.
- Ron Bonica and Stewart Bryant to establish an IETF mailing list on data centers.
Amy: The mailing list is active, so I'm going to call it done.
2. Protocol Actions
2.1 WG Submissions
2.1.1 New Items
- OSPFv3 as a PE-CE routing protocol (Proposed Standard)
draft-ietf-l3vpn-ospfv3-pece-10
Token: Stewart Bryant
Note: Ben Niven-Jenkins (ben@niven-jenkins.co.uk) is the Document Shepherd
Discusses/comments (from ballot 3233):
- Jari Arkko: Comment [2011-12-14]:
+1 to comments from Fred Baker and Dan Romascanu
- Stephen Farrell: Comment [2011-12-13]:
- Who's the document shepherd? Tracker note says Ben, iesg writeup says Danny. Probably a typo somewhere or a change, but might be worth fixing.
- The abstract is confusing. It says "We had BGP/MPLS for IPv4; then we added IPv6; then we added OSPFv2 and now in this document, we add OSPFv3." Telling the reader about IPv4/IPv6 just seems distracting here.
- NLRI & NSSA not expanded on 1st use.
- Is it safe to use a NULL domain ID? If I do that then an incoming message can easily be confusing?
- Section 7 refers to rfc 4659 section 11 and 4577 section 6.
4659 section 11 refers to 2545 section 5 and 4364 section 13.
4577 refers to 4364 and 4365.
2545 says "nothing new here."
4364 is updated by 4577, 4684 and 5462.
4577 says "cryptographic authentication" SHOULD be used and MUST be implemented but doesn't say what "cryptographic authentication" really means.
I stopped following the breadcrumbs at that point;-)
Can't we do this better and simpler?
- Dan Romascanu: Comment [2011-12-14]:
Fred Baker made in his OPS-DIR review a couple of comments which are not show stoppers but deserve being answered and clarified if necessary in the text:
1. The introduction mentions the use of OSPFv2 for IPv4 and OSPFv3 for IPv6. With the advent of OSPFv3 address families, mentioned in section 6, it is possible to use OSPFv3 for IPv4, enabling one protocol and one configuration to be used for both network layer protocols. I would expect that this might be a useful thing to comment on in the introduction.
2. The one question I was left asking was why the document mentioned MPLS in 20 places but did nothing with MPLS other than mention that it was used in BGP/MPLS VPNs. The routing technology could just as easily be used on any other PE-CE link; the point is that it is between an OSPFv3 instance in the PE and a correspondent on the CE router, enabling a customer to communicate with an upstream in a manner that enabled the upstream to trust routing information without the customer needing to obtain an AS number and operate a BGP configuration. That's not an impediment; the document only chose to specify that configuration. But the narrowness of specification left me puzzled.
Telechat:
- Amy: Stewart is not here today, and he has the token on this. No discusses, no objections, approved. Stewart sent email saying he wanted "point raised", and will work with the authors to address comments.
- RPL Option for Carrying RPL Information in Data-Plane Datagrams (Proposed Standard)
draft-ietf-6man-rpl-option-06
Token: Jari Arkko
Note: Brian Haberman (brian@innovationslab.net) is the document shepherd.
Discusses/comments (from ballot 3770):
- Jari Arkko: Comment [2011-12-01]:
Sorry, posted the IANA issue in wrong tracker window...
- Ralph Droms: Discuss [2011-11-29]:
1. The first sentence of section 4: "Datagrams sent between RPL routers MUST include a RPL Option or RPL Source Route Header ([I-D.ietf-6man-rpl-routing-header]) and MAY include both."
Under what circumstances would a RPL router include an SRH but not a RPL Option?
2. This issue requires a little clarification before I can provide an actionable Discuss issue. Is it possible to deploy RPL in a network in which not all of the nodes in the network participate in RPL? E.g., can there be "leaf" nodes, the equivalent of hosts, that do not participate in RLL and that exchange datagrams with immediate neighbors that are RPL routers? There is a hint that such a deployment is anticipated in the phrase "attachment router" in section 4. If so, I think there needs to be additional text similar to that in section 5 describing how a RPL router must ensure that it doesn't forward a datagram containing a RPL Option to a non-RPL leaf node.
- Adrian Farrel: Comment [2011-11-30]:
I have no objection to the publication of this document, but I have a umber of questions/nits that I hope you will consider.
Section 1: "To that end, this document proposes a new IPv6 option,"
s/proposes/defines/
Setion 2: "Every RPL router along a packet's delivery path processes and updates the RPL Option. If the received packet does not already contain a RPL Option, the RPL router must insert a RPL Option before forwarding it to another RPL router."
Surely that means that the absence of the option indicates a defect in the upstream router. This issue is also present in section 4 where there is some flexibility about whether to include the RPL Option, but no guidance.
Section 3: Please consider using RFC2119 language (e.g. "shall")
Section 3: "Nodes that do not understand the RPL Option MUST discard the packet."
You cannot state this in this way. Nodes that do not understand the option will not implement this spec!
You probably simply need: "As defined in [foo] nodes that do not understand an option on a received packet MUST discard the packet."
Sections 3 and 7: Please check "sub-TLV" and "TLV". I think you have used them interchangeably.
- Stephen Farrell: Comment [2011-12-14]:
(blank)
- Russ Housley: Comment [2011-11-28]:
The Gen-ART Review by Joel Halpern on 22-Nov-2011 included a suggestion for improved clarity. Please consider it.
While calling a bit the O bit does not appear unreasonable, I note that when looking at the packet form, the difference between the O bit and the mbz bits marked as 0 is small, and a likely source of confusion for the reader.
- Robert Sparks: Comment [2011-11-29]:
Please double-check the first paragraph of section 4 to make sure that "ICMPv6 errors generated by inserting the RPL option" is really what you mean to say - are you talking about errors that resulted from inserting the option itself, or possibly other ICMP errors that might result from other data in the tunnel header?
- Sean Turner: Comment [2011-11-30]:
I support Stephen's discuss.
Telechat:
- Jari: Don't really need to discuss this. It's actually a returning item, and I've changed that. One remaining discuss, and Ralph is looking at that.
- Amy: AD follow-up, then.
- A Location Dereferencing Protocol Using HELD (Proposed Standard)
draft-ietf-geopriv-deref-protocol-04
Token: Robert Sparks
Note: Richard Barnes (rbarnes@bbn.com) is the document shepherd.
Discusses/comments (from ballot 3968):
- Jari Arkko: Comment [2011-12-15]:
Maybe I missed it or it is discussed in some other document, but I felt the document did not describe some basic properties of local references. For instance, if I ask for my location and then pass it on to someone else, is the resulting dereferenced location my location at the time of the request, or my current location? Devices can move...
- Stephen Farrell: Discuss [2011-12-12]:
#1 The draft is (a little) inconsistent about the requirement to *use* TLS. Section 1, end of 3rd para says this "requires use of TLS", but elsewhere (e.g. section 4, 2nd para) you say that this defines how to use "http:" URIs and the security considerations says only that TLS is "strongly RECOMMENDED." I'd prefer it all to say that you MUST use TLS always, but it at least needs to be consistent doesn't it? This should be an easy fix, I guess.
#2 What, if any, form(s) of TLS server auth are required to be used when TLS is used? Would it be right to say a client MUST NOT not offer anonymous ciphersuites in the client hello? i.e the TLS_*_anon_* ciphersuites. (Just checking in case that hadn't been considered. If it already was and there's a reason to allow anon ciphersuites that's ok but would be worth explaining.)
- Stephen Farrell: Comment [2011-12-12]:
- I expected to see some mention of single-use URIs here. Is there no use-case for those? It might help a bit given the possession-is-authorizaiton model? (But it'd also conflict with other use-cases maybe.)
- s3.1, maybe s/is constructed/MUST be constructed/ such that it is hard to guess?
- what are the "other measures" mentioned in the 2nd last para of 3.1?
- Pete Resnick: Discuss [2011-12-14]:
3.2/3.3: I cannot see how this protocol can be interoperable unless you commit to a particular policy mechanism and format, not just a "possible format" [3.2] or a mechanism "such as those described in [I-D.ietf-geopriv-policy]". It seems to me that ietf-geopriv-policy should be a normative reference in this document, not an informative one, and these two sections should be written to normatively reference it.
- Pete Resnick: Comment [2011-12-14]:
Section 1: Lots of redundant text. Could use an edit. A single paragraph is probably sufficient. I also find the diagram not terribly useful in the intro.
Section 3: I actually found this discussion rather confusing and unnecessary. "Authorization by Posession" is often equivalent to no authorization at all. For certain resources that require no particular protection, there needn't be any obscuration by "hard to guess" URIs, and there needn't be a Rule Maker in existence at all. On the flip side, Authorization via Access Control needn't involve a policy document at all: regular HTTP authenthication could be used with a username and password, and access control can be handled entirely by the HTTP server, again without a Rule Maker. (Of course, in each case there is theoretically a "Rule Maker", but that is so theoretical as to make the entity of little use conceptually.) No matter the authorization and authentication used, Posession is still required, so I don't see that as a useful concept.
I would be happy if this section simply eliminated the concept of "Authorization by Posession" and simply talked about different authorization and authentication methods. I think it would also be fine to leave this entire discussion to the policy document. But at the very least, I think you should mention that Authorization by Posession does not require a Rule Maker or a policy or making URIs hard to guess, though those are options to make access to location information more controlled.
- Peter Saint-Andre: Comment [2011-12-13]:
The AppsDir review by Ted Hardie raised several minor issues, which deserve a response.
A number of terms are re-used from RFC 3693 and RFC 5808; it would be helpful to cite those specifications in Section 2.
Although Section 3 says that "no authentication framework is provided", it's not true that authentication cannot be performed (e.g., if HTTP is used to communicate with the LIS/LS then HTTP authentication can be used). The text here is not entirely consistent with the later text in Section 3.3 ("A Location Server MAY support an authentication mechanism that enables identity-based authorization policies to be used") and similar text in Section 4.
It would be appropriate to say something about leakage of location URIs (which could happen outside the TLS-protected channel between the Target and the Location Recipient -- URIs have a tendency to leak). RFC 5808 has some text about this, and perhaps you could simply point there.
- Sean Turner: Discuss [2011-12-14]:
1) This is along the same lines as Stephen's #1.
s3.1: Just to make sure I understand Authorization by Possession could just as easily have been called Authorization by Obscure URI? These seems like security through obscurity.
Also, shouldn't there be some kind of statement like at a minimum: "The use of this model SHOULD involve the use of TLS?"
Actually based on s4 shouldn't that be a MUST?
s4 contains the following: "The Location Recipient establishes a connection to the LS, as described in [RFC2818]. The TLS ciphersuite TLS_NULL_WITH_NULL_NULL MUST NOT be used. The LS MUST be authenticated to ensure that the correct server is contacted."
I read that as HTTPS MUST be used. If that is how you intended it, can't you just say that instead?
s6 says s4 says it's strong RECOMMENDED, but I don't see that in s4.
- Sean Turner: Comment [2011-12-14]:
1) Figure 2: Shouldn't the two figures in the geo-priv drafts match?
2) s3.1: Isn't it c8 in RFC 5808: "(see C9 of [RFC5808])"
3) s3.1: Isn't this true only when you don't use S/MIME: "Use of authorization by possession location URIs in a hop-by-hop protocol such as SIP [RFC3261] adds the possibility of on-path adversaries."
4) s3.2: strike the a: "In contrast to authorization by possession, possession of a this form of location URI does not imply authorization."
5) s3.2: I think you need to work something about authorization by access control being based on an authentication mechanism. You mention in s3 and then again in s3.3, but it seems like it needs to be included in s3.2. I kept thinking .. because … after the first sentence. Maybe:
"Use of explicit access control provides a Rule Maker greater control over the behaviour of an LS because it determines access based on individual Location Recipients."
or something like that.
6) s3.3: In the first two paragraphs of s3.3, I think you're trying to say this:
"This document does not describe a specific authentication mechanism; therefore, the authorization by access control model is not an option. Instead, this document uses the authorization by possession model."
The existing two paragraphs seemed little wordy.
Telechat:
- Robert: Overall, the conversation is going to go best by email. Richard, as shepherd, is engaging on those. I'd like to have a group conversation on the basic notion of authorization by possession. It's been hotly debated for a number of years, both in location by reference and providing location. There was a conversation in Dublin about "on behalf of". The basic premise that's captured in this draft and others is that it's the assumed worst case, addressing the situation the requirements on the framework put in, to not assume a pre-existing relationship between the target and the location recipient and the location provider, to be able to walk in the network and get location, and influence who gets the location. It's not intended to be the end-all, but the place where deployments can start from. Having an understanding of how these URIs will get passed around, and when there's stricter authentication available.
- Robert: Richard has addressed most of Stephen's discuss. The notion that the things that are going to be servicing a de-reference would need to get to the policy... does not imply that it needs the policy URI. You won't need to hand the policy URI around to the things that will fo the dereferencing. You're going to want to be able to hand out the location reference. Having the policy URI lets you do that, but you don't have to hand that out. That's background, so it's easier to follow the email conversation. Does anyone want to dive into anything deeper on this call?
- Pete R: I want to bring up one thing. This doc is really simply defining using held to get location data, and all the other models that are not used is discussion for future work.
- Robert: The future work part is continuing in 3.3.3.4 in the doc, making sure that we rewrote things so we're not burying the lede.
- Sean: I read that there are two options, and we can't do the second, so we'll do the first, and here's how.
- Pete R: Is auth by possession auth at all?
- Sean: Leap of faith.
- Stephen: OAuth has the same thing with bearer tokens.
- Pete R: We did this with IMAP URLs too. They're generated and have security properties internal to them, more than "make one that's hard to guess."
- Robert: Hard to guess isn't a required property of one of these things.
- Pete R: I'm more concerned about the structure of the document. I'm hoping they can address that. The security stuff does surprise me.
- Sean: That's why there are a lot of discusses on it.
- Robert: You do need to go back and look at the geopriv req doc, the location by reference req doc. They will lead you to see what environment this is designed to address. For the baseline use of this, the auth by possession is sufficient. There are environments where you'll want to use more.
- Stephen: Say someone invents a usable but stronger authorization scheme. How would that new doc play with this one?
- Robert: At what place in the mechanics? We're talking about de-referencing. That will be about evaluating the de-ref itself. It will look at the policy associated with the URI. That policy may say "this has to come with the FOO technology to establish identity. If it doesn't say no."
- Stephen: Then they'd write another RFC parallel to de-ref? And another that updates policy?
- Robert: Might not have to update policy at all. The policy docs might get updated. The extension points exist, that's the important part of this conversation. Ask Richard some specifics. OK, this should be AD follow-up. And we can do the same with the policy URI draft.
- Location Configuration Extensions for Policy Management (Proposed Standard)
draft-ietf-geopriv-policy-uri-04
Token: Robert Sparks
Note: Alissa Cooper (acooper@cdt.org) is the document shepherd.
Discusses/comments (from ballot 3978):
- Jari Arkko: Discuss [2011-12-15]:
I will probably clear this after some discussion in the IESG tonight, and let Stephen hold his Discuss (item #5 in particular).
However, I am concerned that the document provides an authorization-by-possession model for clients to access their policies, delivers the policy URLs in the same DHCP and XML structures as other location URLs, and also acknowledges that there is a legitimate need for other entities to access policies:
"This document does not describe how policy might be provided to entities other than for location configuration, for example, in responses to dereferencing requests [I-D.ietf-geopriv-deref-protocol] or requests from third parties [RFC6155]."
I predict that policy URLs will be leaked, intentionally, to those who need them, and that this will lead to security issues down the road. Is there something that we could do about this?
- Stephen Farrell: Discuss [2011-12-12]:
#1 Intro para 2 says that the deref protocol provides a PEP, but just having read it, it doesn't, except for in that very very limited sense of supporting authorization-by-possession. So the claim seems wrong. I'd say just removing the claim is easiest.
(I guess I agree with Tobias' Apps area review points being a discuss, so... I've broken the overall points down into a number of specific things below, hopefully that'll help get 'em sorted quicker.)
#2 Why even allow HTTP URIs? Why not insist on HTTPS for this? geopriv-deref does (almost correctly) insist on use of TLS so it seems illogical for this to be more open. In any case, the same choices would be best for both of these specs I think wrt TLS usage.
#3 For the case where a policy URI is a "shared secret," what TLS server auth settings are required to be used? Would it be good to say the client MUST NOT offer TLS_*_anon_* ciphersuites in the client hello?
#4 Saying the policy server SHOULD allow all requests (3.1 2nd para) seems unwise. It may be reasonable to allow for the URI-is-secret model, but I don't get why you want to prevent anything more? (That's how I interpret the SHOULD.) Saying (at the end of section 3) that a new policy URI MUST be generated whenever a new location URI set if generated also seems to work against any other (better;-) kind of authorization.
#5 Assuming URIs remain secret seems problematic. Is there evidence that the confidentiality of these URIs can be maintained really?
#6 Describing the policy URI as a shared secret doesn't seem to be enough. I think you need to say that it MUST be a practically unguessable shared secret, even if I have seen many such URIs. The DHCP option in 4.2 means that anyone can I guess get the server to emit loads of policy URI values.
#7 Why is it reasonable to have a default of making location available (to possessor's of the URI)? Couldn't that be dangerous in conjunction with some other defaults (e.g. some other protocol might default to including a location URI in a message), or is there somewhere in geopriv where it says that the overall default is that location information has to be denied by default?
#8 Why not acually define a good policy URI generation function rather than give all these partial hints? I don't even necessarily mean as a MTI but rather as a good example of how to do it.
#9 What is the argument that 2^32 unique policy URIs is a big enough number?
#10 (2^(N/2))/T is meant to restrict an unlimited attacker to one successful guess per T seconds? Is that correct and the intent? Be better to explain your logic there. If that is the intent, I don't see why its considered a good thing. (Be fun to sse if my arithmetic is screwed up there or not;-)
#11 What are the likely values of T that will be used? It seems odd to only introduce a lifetime value like this at this point. Maybe you mean that T is some value derived from system behaviour rather than a parameter? If the former, then is it reasonable to expect the rate limiting enforcement function to have that number available to it?
- Stephen Farrell: Comment [2011-12-12]:
- Just adding 32 random bits to the mix might not be enough if you have ~ 2^32 clients. Worth noting?
- 2^(N/2)/T is likely to be error-prone. One more set of parenthesis would be good.
- Pete Resnick: Comment [2011-12-13]:
Please consider the review of Tobias Gondrom <http://www.ietf.org/mail-archive/web/apps-discuss/current/msg03926.html*gt;. I will defer to the expertise of the Security ADs to consider whether the issues he points out are worthy of DISCUSSion, but I have not seen a public reply to his message.
[Updated to add:] I note from the writeup that there are no implementations of this. I also note that geopriv-policy is given as an example of what might be used as a policy document in addition to the others. Is my suspicion correct that, in fact, down the road geopriv-policy will be the *predominant* use of this URI? If so, is it not worth holding this document until that one is completed? I suspect it will end up a lot shorter if it could talk in terms of an actual GEOPRIV policy document and use the others only as examples. (I see no need to hold a DISCUSS position on this, as I think there is no harm in publishing this first, but I would like to hear from the authors/chair/WG as to what the reasoning was.)
- Peter Saint-Andre: Comment [2011-12-13]:
I concur with the DISCUSS position of Stephen Farrell.
Why does this specification use the term "Internet host" instead of the term "Target" from RFC 3693? Consistency across this suite of documents would be good.
It would be helpful to cite RFC 3693 and RFC 5808 in Section 2.
In Section 4.1, the schema references "urn:ietf:params:xml:ns:geopriv:held:policy" but that namespace is never used in the schema definition.
In the examples, it would be helpful to point to the specifications that define the various data structures (i.e., the "urn:ietf:params:xml:ns:geopriv:held", "urn:ietf:params:xml:ns:common-policy", and "urn:ietf:params:xml:ns:geolocation-policy" namespaces).
The second block of XML in Section 5.3 never defines the gp: prefix (i.e., you need to add xmlns:gp="urn:ietf:params:xml:ns:geolocation-policy" to the root <ruleset/> element).
- Sean Turner: Comment [2011-12-15]:
I'm with Stephen and Jari on this one and definitely support Stephen's discuss. This really feels like security through obscurity, but if I let you see mine then you can be me for while.
Telechat:
- Amy: This will go into AD follow-up as well.
- Connection Establishment for Media Anchoring (CEMA) for the Message Session Relay Protocol (MSRP) (Proposed Standard)
draft-ietf-simple-msrp-cema-03
Token: Gonzalo Camarillo
Note: Hisham Khartabil (hisham.khartabil@gmail.com) is the document shepherd.
Discusses/comments (from ballot 4005):
- Stephen Farrell: Discuss [2011-12-14]:
#1 Lawful intercept is not a feature in this context (see rfc 2804) I'd say just delete the phrase and you'll loose nothing.
As you'll see from the points below I have some issues with how you're using TLS. Could be that some of this is just a lack of context on my part but I'd like to check at least.
#2 What name is authenticated in "name based authentication"? Would any such name (in a cert issued by a locally trusted CA) do just fine?
#3 2nd para of 7.2: if an MSRP endpoint can get an "incorrect impression" about TLS in the presence of a middlebox then how does the MSRP endpoint ever benefit from authentication?
#4 How is the MIKEY reference not normative? 7.2 RECOMMENDS doing either 1) TLS certs with blah (RFC 6042) or 2) MIKEY stuff. The MIKEY RFC (RFC 6043) is informational so that's a downref.
#5 I don't understand how MIKEY for managing TLS-PSK values is well-defined. The string "TLS" does not occur in RFC 6043. (I'd just drop the MIKEY idea entirely - is anyone really gonna do that?)
#6 Can you re-assure me that there are in fact implementations of RFC 6072 and RFC 6043 (in the latter case usable for managing TLS-PSK symmetric keys). If so, great, I'd appreciate some pointers to those. If not, then are you really building on fiction? Wouldn't that be a bad plan?
#7 I don't get the trust model for "fingerprint" based authentication for TLS. Who's including the fingerprint where and using it to verify what self-signed cert?
#8 How do MSRP endpoints figure out what authentication methods they have in common in a way that's not attackable by an on-path active attacker? What is the list of "mechanisms" that you mean in 7.2 (para starting with "If possible, ...")
#9 I get the impression that the 2nd last paragraph of 7.2 is what you think people will actually do and that all the rest of that section is window dressing. Am I wrong? If I'm right, then why not just plainly say that and then we can discuss it more easily?
#10 If I'm wrong about #9: On what basis can an MSRP endpoint pick between the two choices at the end of 7.2? What code do I write?
- Stephen Farrell: Comment [2011-12-14]:
- Pete Resnick: Comment [2011-12-10]:
Section 3: "Support of the extension is optional."
Do you mean "OPTIONAL"?
"MSRP endpoints that support CEMA are required to use RFC 4975 behavior in cases where they detect that the CEMA extension cannot be enabled."
Do you mean "REQUIRED"?
Section 4.1: "In the following cases, where there is a Middlebox in the network, the CEMA extension cannot be used..."
Do you mean "MUST NOT be used"?
Section 4.2: "When the offerer receives an SDP answer, if the MSRP media description of the SDP answer does not contain an SDP 'msrp-cema' attribute, the offerer MUST check the criteria below. If either or all of the criteria is met, the offerer MUST fallback to RFC 4975 behavior, by sending a new SDP offer according to the procedures in RFC 4975 and RFC 4976."
This is mostly editorial, but since it involves 2119 language, I think it's worth fixing: The first MUST is redundant. If the offerer MUST do things based on the criteria, there is no need to say that you MUST check the criteria. (Also, "either" is the wrong word when there are more than two criteria. You meant "any".) Instead maybe:
"The offerer MUST fallback to RFC 4975 behavior, by sending a new SDP offer according to the procedures in RFC 4975 and RFC 4976, if it receives an SDP answer whose description does not contain an SDP 'msrp-cema' attribute, any of the following criteria are met: [1... 2... 3...] The new offer MUST NOT contain an SDP 'msrp-cema' attribute."
- Peter Saint-Andre: Comment [2011-12-07]:
It seems to me that the security considerations are somewhat underspecified, and I find the concept of a TLS B2BUA unsatisfying, but I will let folks from the security area comment on those aspects of the specification.
- Robert Sparks: Discuss [2011-12-13]:
There are two paragraphs in section 7.2 (the ones starting "When an MSRP endpoint" and "If possible, MSRP endpoints") that need to be scoped to this extension. It might be enough to say CEMA-enabled MSRP endpoint everywhere you currently say MSRP endpoint, but that would likely make the text hard to read.
There's something wrong with the second paragraph and the list that follows it. It currently says "Check every authentication mechanism at your disposal. If they all fail, then based on local policy, decide whether you want to believe the failure is because there is a benign network that's trying to help you instead of a malicious party trying to hurt you." Is that what the document was actually trying to say? If so, then if you're going to allow an endpoint to make that decision (and I don't think you should since there's no way to tell that all the network elements are actually part of that benign network), why waste the time authenticating in the first place? Unless the paragraph intended something completely different, option 2 in the list should be removed.
- Robert Sparks: Comment [2011-12-13]:
The short title that appears on every page but the first needs to be changed. It's currently MRSP. CEMA or MSRP-CEMA would be better.
In section 4.2, "either or all of the criteria" is unclear. I suggest "any of the following criteria" instead.
In 4.2 and 4.3, there are notes about resolving domain names before trying to match against addresses in c or m lines in SDP. They currently say "whether there address". I suggest "whether the address" instead.
In section 4.4 when you discuss handling multiple records from DNS, it's not clear whether all the resolved addresses must match or only one in the set must match.
- Sean Turner: Discuss [2011-12-15]:
s7.1: I believe the following requires a normative reference to TLS: "For backward compability, a CEMA-enabled MSRP endpoint MUST implement TLS."
s7.2: What is "a common authentication mechanism" in following:
"If possible, MSRP endpoints MUST use name-based authentication. If not possible, if the MSRP endpoints support a common authentication mechanism, they MUST use that mechanism. If the MSRP endpoints do not support such common authentication mechanism, they MUST try fingerprint-based authentication, which will succeed if there are no Middleboxes present. If that also fails, the MSRP endpoints MUST either:"
- Sean Turner: Comment [2011-12-15]:
s1: strike lawful intercept (I see Stephen made this a discuss otherwise I would have made it one too)
s2: Fingerprint Based TLS AUthentication:
r/self-signed TLS certificate/self-signed certificate
r/fingerprint/fingerprint (i.e., a hash of the self-signed certificate)
s2: Name Based TLS Authethication
r/certificate authority/certification authority
r/SubjectAltName parameter/SubjectAltName extension
s3: r/Support of the extension is optional./Support of the extension is OPTIONAL.
s7.2: certificates are by definition public so I'm a little confused by the following:
"1. TLS certificates together with support of interacting with a Certificate Management Service [RFC6072], to which it publishes the public version of its own self-signed certificate and from which it fetches on demand the public certificates of other endpoints."
Maybe:
"1. TLS certificates together with support of interacting with a Certificate Management Service [RFC6072], to which it publishes its self-signed certificate and from which it fetches on demand the self-signed certificates of other endpoints."
s7.2: (Stephen caught this too) MIKEY-TICKET is a normative reference.
s7.2: I share the same concerns Stephen has wrt the fingerprint authentication.
s7.3: Probably worth a pointer to the SIP issues based on the following:
"Even with seemingly end-to-end media integrity, at the time of the publication of this document there are other vulnerabilities in MSRP, due to vulnerabilities in the SIP signaling."
Telechat:
- Gonzalo: Three discusses. I talked with Robert, and the authors are in email with him. Same with Sean's and Stephen's, but the authors aren't ready to resolve those yet. Revised I-D needed, and the authors will follow up.
- Robert: To the Sec ADs: the section about the fingerprint, I think that's really broken, and I'd appreciate help with something that's honest about what it's saying.
- Gonzalo: The authors seem to be proposing something without data integrity. Please check that.
- Stephen: The second to last point, number 9... I got the impression that the security considerations is kind of window dressing. Is that fair?
- Gonzalo: Part is text they've added to address concerns in the WG. I'll check it with the authors whether we can remove or change things without breaking WG consensus. Revised I-D needed.
- The NewReno Modification to TCP's Fast Recovery Algorithm (Proposed Standard)
draft-ietf-tcpm-rfc3782-bis-04
Token: Wesley Eddy
Note: David Borman (david.borman@windriver.com) is the document shepherd.
Discusses/comments (from ballot 4013):
- David Harrington: Comment [2011-12-13]:
I read the document. I got a bit lost in the details. The document appears to be well-written.
in section 2, "This document assumes that the reader is familiar with the terms SENDER MAXIMUM SEGMENT SIZE (SMSS), CONGESTION WINDOW (cwnd), and FLIGHT SIZE (FlightSize) defined in [RFC5681]. FLIGHT SIZE is defined as in [RFC5681] as follows:"
If you assume the reader is familiar with the FLIGHT SIZE definition, why repeat it here? If you repeat the defintion of flight size here, why not SMSS and CWND as well?
It would have been good to have a tsvdir review of this document.
- Russ Housley: Discuss [2011-12-14]:
The Gen-ART Review by Ben Campbell on 21-Nov-2011 against -03 of this document raised several concerns. Draft -04 has been posted, but none of the concerns were addressed, nor was Ben told why his concerns were incorrect.
Please respond to these concerns from Ben's Gen-ART Review:
-- Appendix A refers the reader to RFC 3782 for additional information. But this draft purports to obsolete that RFC. If there is important information in it that document that is not covered by this draft, then it doesn't really obsolete it. Is there a reason that information was not brought forward into this draft?
-- There is very little RFC 2119 normative language. On a quick scan, I see one capitalized SHOULD NOT and one MAY. Yet it seems like there are other statements that are just as important for correct behavior as those. For the sake of consistency, it might be easiest to just drop the RFC 2119 language entirely.
- Russ Housley: Comment [2011-12-14]:
Please consider the comments raised in the Gen-ART Review by Ben Campbell on 21-Nov-2011.
Telechat:
- Wes: It looks like the discuss should be trivial to address, but I'd like the authors to propose changes to Russ rather than discuss it today. Probably minor changes, not needing a new I-D.
- Amy: We can put it into AD follow-up, and it can go either way.
2.1.2 Returning Items
- An IPv6 Routing Header for Source Routes with RPL (Proposed Standard)
draft-ietf-6man-rpl-routing-header-06
Token: Jari Arkko
Note: Brian Haberman (brian@innovationslab.net) is the document shepherd.
Discusses/comments (from ballot 3769):
- Ralph Droms: Discuss [2011-11-29]:
I have two Discuss issue that should be easy to resolve.
1. I think there is an inadvertent omission of some text. From section 4.2:
"When forwarding an IPv6 datagram that contains a SRH with a non-zero Segments Left value, if the IPv6 Destination Address is not on-link, a router SHOULD send an ICMP Destination Unreachable (ICMPv6 Type 1) message with ICMPv6 Code set to (TBD by IANA) to the packet's Source Address."
There should also be text explicitly requiring that the router drops the datagram.
2. This issue requires a little clarification before I can provide an actionable Discuss issue. Is it possible to deploy RPL in a network in which not all of the nodes in the network participate in RPL? E.g., can there be "leaf" nodes, the equivalent of hosts, that do not participate in RLL and that exchange datagrams with immediate neighbors that are RPL routers? If so, I think there needs to be additional text similar to that in section 5 describing how a RPL router must ensure that it doesn't forward a datagram containing an SRH to a non-RPL leaf node.
- Ralph Droms: Comment [2011-11-30]:
Comment added on 11/30.
The working group summary is pretty terse. I think it would be helpful to explain that the design and use of the option morphed several times during the working group discussion before it arrived at its current state. Also, the working group summary should refer to the roll (not RPL) working group.
- Adrian Farrel: Comment [2011-11-30]:
I have no objection to the publication of this document, but I have a number of small editorial questions/comments that I hope you will address along the way.
(8 items)
- Stephen Farrell: Comment [2011-12-14]:
(blank)
- Robert Sparks: Comment [2011-11-29]:
(blank)
Telechat:
- Jari: Same approach for both 6man docs. Don't need to discuss this now. Leave it as AD follow-up, and we'll get it done soon.
- ARP Mediation for IP Interworking of Layer 2 VPN (Proposed Standard)
draft-ietf-l2vpn-arp-mediation-18
Token: Stewart Bryant
Note: Document Shepherd: Nabil Bitar, nabil.n.bitar@verizon.com
Discusses/comments (from ballot 3912):
- Jari Arkko: Discuss [2011-09-22]:
I am reading the ND modifications and trying very hard to convince myself that they are correct and complete. I'm not 100% sure I've managed to do that.
I scanned the mailing list for 6man and found no discussion of this draft. Did I miss it? Shouldn't relatively complex surgery on ND require some review from the experts on ND?
I'm also wondering if the SEND proxy specification from CSI WG would be an applicable recommendation in addition to recommending turning SEND off.
To be more specific, can you:
1) perform a 2-week last call in 6MAN for additional review, and
2) either point to the use of the SEND proxy specification or provide reasons why it cannot be used
- Ralph Droms: Comment [2011-09-21]:
In section 4.3.3, is "the link-layer address of the local AC" really "the link-layer address of the PE interface attached to the local AC"?
- Adrian Farrel: Discuss [2011-09-22]:
I will move to a "Yes" ballot when my Discuss has been resolved.
Why does this document include a redefinition of the Address List TLV that is already defined in RFC 5036? Although the text says that it is using the RFC 5036 definition, the text also says that the I-D defines the Address List TLV.
Shouldn't you simply refer to 5036 and say how the fields are set for your specific use?
Similarly the redefinition of the Notification message.
To be clear, the main reason for objecting to the redefinition is that it opens the door to discrepencies, and makes it hard to handle future extensions. (Coders should be familiar with the practice of only defining data structures in one place :-)
Please add some text to clarify whether the Stack Capability field in the Stack capability Interface Parameter sub-TLV is an integer or a bit-field.
The IANA section makes it look like a bit field (which is what I would expect) but the text in the main body says... "Stack Capability = 0x0001 to indicate IPv6 stack capability" ...which makes it look like an integer
Additionally, the text goes on to imply that the interpretation of the field is context-specific...
"The value of Stack Capability is dependent on the PW type context. For IP Layer2 Transport type, a setting of 0x0001 indicates IPv6 stack capability."
...if this is the case, presumably, 0x0001 could mean something else in other circumstances. How is this tracked in the IANA registry?
- Adrian Farrel: Comment [2011-09-22]:
Should the figure on page 5 include the label "AC3"?
I agree with the other ADs who are concerned about the use or non-use of RFC 2119 language. Hopefully, this will be easy for you to clean up and will not be construed as changing the technical content of the document.
"The "IP Layer 2 interworking circuit" pseudowire is also commonly referred to as "IP pseudowire". "
Can you insert a reference for "IP pseudowire"?
- Stephen Farrell: Comment [2011-09-16]:
- 8.1 says that you "can" secure the PE-PE control plane "using MD5 authentication." Is that (still) the best that can be done? Doesn't it need a reference? Why can't something better be used, e.g. IPsec? Why no 2119 language? (This isn't a discuss because I hope that all that's in some other RFC.)
- 8.1 says that this protocol is incompatible with SEND. I guess that's inevitable, but do you need to say more about the trade-offs concerned, e.g. would it ever be likely that a CE that depends on SEND is deployed and later on a PE doing this protocol is installed breaking the CE or changing its security properties in a bad way? (Just wondering.)
- Frame Relay (FR) is expanded only on its 2nd use. 1st use is in 2nd para of section 1.
- David Harrington: Discuss [2011-12-14]:
1) in section 2, it says IPv4 L2 interworking MUST be supported, but it is only a SHOULD for IPv6. Why is IPv6 mediation not a MUST for PEs?
(please note that draft-ietf-intarea-ipv6-required-02 is in IESG Eval for Proposed Standard. It hans't been approved yet, but probably will soon.)
2) in 3, "In this case, all data link headers are removed to expose the IP packet at the ingress." should this be MUST remove?
3) in 2, "Intercept Neighbor Discovery and Inverse Neighbor Discovery packets received over the pseudowire from the remote PE, possibly modifying them (if required for the type of outgoing AC) before forwarding to the local CE,"
Can the RFC2119 language make "possibly if required" less ambiguous? Does possibly mean "MUST if REQUIRED" or "SHOULD if REQUIRED" or "MAY if REQUIRED"? and please make sure this section is consistent with section 3, "In the case of an IPv6 L2 Interworking Circuit, the egress PE MAY modify the contents of Neighbor Discovery or Inverse Neighbor Discovery packets ..."
- Russ Housley: Comment [2011-09-21]:
The Gen-ART Review by Peter McCann on 20-Sep-2011 raised a minor issue and two editorial suggestions:
Section 5.2 says: "Since this notification does not refer to any particular message the Message ID and Message Type fields are set to 0." There does not appear to be a Message Type field in the PDU.
Section 5: suggest replacing the idiom "chicken and egg situation" with "possible deadlock situation."
Section 5.2: "Section 6. below." should be "Section 6 below."
- Pete Resnick: Comment [2011-09-21]:
1. This entire document needs a good "MUST/SHOULD/MAY vs. must/should/may" scrubbing. Just to cite two examples:
4.2.2: "When the PE learns the IP address of the remote CE, it should generate an Inverse ARP request."
It "should"? Or it "SHOULD"? Or it "will"?
4.3.2: "If a Router Discovery message contains a link layer address, then the PE MAY also use this message to discover the link layer address and IPv6 interface address."
That MAY doesn't sound like a protocol option.
2. Section 2: "PEs MUST support ARP mediation for IPv4 L2 Interworking circuits. PEs SHOULD support ARP mediation for IPv6 L2 interworking circuits."
I assume this means "PEs that support ARP mediation MUST support it for IPv4 and SHOULD for IPv6". The way it is now, it sounds like ALL PEs must support this, which can't be right. That said, I see no reason for this paragraph. Mediation should be supported on both v4 and v6 circuits. I say drop the paragraph.
3. For the record, and not something the authors need to address: I understand that the IETF doing sub-IP protocols is a ship that has sailed long before I got on the IESG. However, the mind boggles that we are deploying this particular protocol: Why can't we simply *route*?!?!? This protocol is standing on its head to allow layer 2 bridging of IP across disparate links instead of just having a routed VPN. This is goofy, it is a complete layer violation, and I don't think we should be standardizing this nonsense.
There, I feel marginally better. :-/
- Peter Saint-Andre: Comment [2011-09-21]:
This document appears to be predicated on "know[ing] that only IP traffic will be carried". How is this determined?
- Robert Sparks: Comment [2011-09-21]:
Section 7.2 invokes an IANA well known policy of "IETF Consensus", referencing RFC5226, but that RFC has renamed that particular policy to "IETF Review".
- Sean Turner: Comment [2011-09-22]:
I have the same question Stephen did about MD5.
Telechat:
- Amy: Token is for Stewart, and there are some discusses. Stewart sent email, and Adrian said the latest changes don't address his points. This will stay in AD follow-up.
2.2 Individual Submissions
2.2.1 New Items
- Reserved IPv6 Interface Identifier for Proxy Mobile IPv6 (Proposed Standard)
draft-gundavelli-v6ops-pmipv6-address-reservations-05
Token: Jari Arkko
Discusses/comments (from ballot 3904):
- Jari Arkko: Comment [2011-10-20]:
(blank)
- Ralph Droms: Comment [2011-09-07]:
There seem to be a couple of syntax issues in this text:
OLD: "The base Proxy Mobile IPv6 [RFC5213] all though required the use of a fixed link-local and a fixed layer-layer address,"
NEW: "Although the base Proxy Mobile IPv6 [RFC5213] requires the use of a fixed link-local and a fixed link-layer address,"
- Wesley Eddy: Comment [2011-08-30]:
I think this is a useful document. It seems like it should have "Updates: RFC 5213" though?
- Adrian Farrel: Comment [2011-09-06]:
Section 1: "To address this problem, this specification makes the following two reservations. The mobility elements in the Proxy Mobile IPv6 domain MAY choose to use these fixed addresses."
Stumbled over this because it looks like the second sentence is a reservation (i.e. a modification to the base spec), but there is only one reservation listed.
- Pete Resnick: Comment [2011-09-05]:
Strike section 2.1. 2119 is not used in this document.
Telechat:
- Amy: No discusses, no objections, approved.
- Jari: This was brought up to the IESG as a returning item in case they want to check something. We've made the requested changes from the WG. Let's leave it for AD follow-up for now.
- Amy: If there are no discusses, we can't do that, but can do point raised, writeup needed.
2.2.2 Returning Items
- IANA Reserved IPv4 Prefix for Shared CGN Space (BCP)
draft-weil-shared-transition-space-request-10
Token: Ron Bonica
Discusses/comments (from ballot 3933):
- Jari Arkko: Comment [2011-12-01]:
FWIW, the issue that I had with the previous incarnation of this document has been resolved. Thanks for working through the measurements and evidence about risks, and documenting them.
However, my fellow AD colleagues have raised other issues (including status of IETF consensus for this document). I defer to them on those issues.
- Ron Bonica: Discuss [2011-11-29]:
I will change this ballot to "YES" when a /10 has been allocated for this space.
- Stewart Bryant: Discuss [2011-11-29]:
I understand the commercial imperatives that the ISPs face, and appreciate this is a dilemma.
However, the authors have not so far generated an adequate degree of consensus (as evidenced by discussions on the IETF list) that the deployment of this technology "makes the Internet work better". Indeed section 5 indicates that the deployment of this technology makes the Internet worse by reducing it to a network that only supports a limited range of services (Web, Mail and IM) sanctioned by the ISP. This seems contra to the mission of the IETF.
If this were a clearly defined limited application network, a case could be developed for accepting restrictions, but the application described here is connectivity to the Internet and hence access to new innovative services.
The authors need to gain consensus in the IETF, that there is no other solution to the problem in hand, and hence that the significant restriction on the type of user application supported is justified.
- Ralph Droms: Discuss [2011-11-30]:
I am posting a Discuss position for this document because the IESG should discuss some fundamental issues of how we should make a decision about publication of this document.
I also have concerns about whether the IESG is the appropriate body to approve this request. I intend to post an Abstain position after my questions are answered and I clear my Discuss.
The conversation about this document and any attempt to determine consensus is difficult because the issues are technical, economic, political and psychological. We (the IESG) are well-equipped and
responsible for decisions about technical issues, but less so for the other issues.
I've been reading most of the e-mail in the consensus call on ietf@ietf.org. Here are some of the questions I think I've seen discussed:
- Does the assignment of the requested /10 enable or hinder the deployment of IPv6?
- Is CGN a viable service model for IPv4?
- Is the reserved /10 required for the deployment of CGN?
- Can the deployment of CGN be prevented by not assigning Shared CGN address space?
- What is the effect of burning 4 million IPv4 addresses on the exhaustion of IPv4?
- Can alternative /10s be used such as 10.64.0.0/10 or 240.0.0.0/10?
- How many ISPs really want this assignment and how many don't care because they don't need it?
Most of these questions are, in fact, not technical questions and I don't think the IESG can answer them. The document itself addresses only a few issues, giving one reason not to use each of the alternatives:
o legitimately assigned globally unique address space
o usurped globally unique address space (i.e., squat space)
o [RFC1918] space
In particular, the reason for not using RFC 1918 space is simply asserted with no support facts.
If the IESG is to make a decision, I would like to walk through the following questions:
- Is the IESG the appropriate body to make the decision? If no, where should the decision be made, perhaps with technical advice from the IETF?
- Should the IESG identify any specific /10 for use as Shared CGN Space? If no, do not approve the document.
- Does this document describe the usage scenarios, constraints and caveats sufficiently well to allow the use of a /10 as Shared CGN Space? If no, ask for a revision.
- Should the IESG approve a request to IANA for a /10 as described in the document? If yes, publish the document.
- Should the IESG request that IANA identify some other /10 (or similar address block), such as 172.16.0.0/12, 10.64.0.0/10 or 240.0.0.0/10 for use as Shared CGN Space?
- Wesley Eddy: Comment [2011-11-30]:
I agree with the comments and discuss positions from others that say there is not IETF consensus on this document.
- Adrian Farrel: Comment [2011-11-30]:
I concur with Stewart that there does not appear to be IETF consensus around this I-D.
I am concerned that the alternative to this has been presented as "if you don't allocate the address space, the ISPs will just squat on another space." However, this also seems to be less worser than any other proposal on the table.
- Stephen Farrell: Comment [2011-12-08]:
Based on more and more and more and more discussion I'm reluctantly ok with this.
I think additionally allocating part of 240/4 would be a fine thing to do at the same time within the same document. I would not be that keen on punting on the 240/4 part allocation until later since that would engender most of the same discussion.
- David Harrington: Discuss [2011-12-13]:
I believe there is not IETF Consensus for approving a /10 for this purpose, and, as a result, there is not IETF consensus to approve this document.
This document describes a number of problems that occur with CGN, even with this shared /10, so CGN does not make the Internet run better. I think there is IETF consensus that widespread deployment of CGN could be damaging to the Internet. I believe approving Shared CGN space to make CGN deployment easier is counter to the IETF mission of making the Internet run better, and approving allocation of this /10 does not represent IETF consensus.
- Pete Resnick: Discuss [2011-12-01]:
Calling out one piece of Ralph's DISCUSS directly: I agree with Ralph and Stephen that the question of whether there is another existing block of addresses that will cause less potential application damage and is still usable by CGNs (e.g., 10.64/16, 172.16/12, 240/10) has not yet been sufficiently answered. The proponents have claimed that there is full *use* of the 1918 space, but not whether there is full use *by* devices that can't deal with 1918 address space on their "external" interfaces. Until that question is answered, we can't tell if the risk of application damage really is outweighed by the risk to deployment.
- Pete Resnick: Comment [2011-12-01]:
I agree with Ralph's DISCUSS: We need to first come up with a list of criteria by which consensus can be judged. While I agree with most folks that there is *disagreement* on the list as to whether this allocation should be made, I think some of the issues on which there is disagreement are not legitimate criteria for the consensus call. (For example, "Is CGN a viable service model for IPv4?" is *not* something that we should be using as a criteria for consensus.) Before we come to a conclusion on consensus, we need to lay out the legitimate issues being discussed and whether there is consensus on each of them.
- Dan Romascanu: Discuss [2011-12-01]:
Ralph sumarized well and in details the reasons for which the IESG cannot approve this document under its current form and at this point in time. I will probably change my DISCUSS into an Abstain after the telechat, unless we come with a different plan of action.
- Peter Saint-Andre: Comment [2011-12-08]:
Based on list discussion, I have come to the conclusion that this is the least worst workaround (not "solution") available to us at this time.
- Robert Sparks: Discuss [2011-12-01]:
While I personally agree with the position that approving this allocation is the least bad of the available choices, I don't believe IETF consensus for approving this document as it is currently written exists.
- Robert Sparks: Comment [2011-12-01]:
I encourage pursuing Ralph's questions and carefully separating the question of allocating the address space and what effect CGNs may have on the Internet.
- Sean Turner: Comment [2011-12-01]:
I agree with Ralph.
Telechat:
- Amy: This was deferred from the last telechat.
- Ron: Ralph, I'm looking at your discuss. The second paragraph is concerned about whether the IESG is the appropriate body to approve this. While that's a legitimate concern, we have to make a decision one way or another. The IAB won't, and ARIN won't. Would you be willing to back away from that part?
- Ralph: Thinking.
- Russ: I think we're talking about a BCP assigning address space, and that's an IETF action. Where else could it land?
- Ralph: I'll interpret it as an equivalent to a 1918 assignment as a change to the protocol, as opposed to global address space that's in someone else's authority. So, yes, I'll back away.
- Ron: You talk about technical, political, and psychological impact. Can we deal with the last two with an IESG note. We can say that we know there are issues, and this will break some applications, but v4 needs to be maintained for a while, CGNs will happen, and this avoids making things worse.
- Ralph: We are clearly in a bad situation. A note one way or the other would help capture what our thinking was, and add transparency to the process. I'm backing up the level of the conversation... you're asking for approving this as BCP, and asking if these will let me clear my discuss on that point. It feels like we're jumping ahead a bit in the conversation. You went back to the IETF list, an there was discussion there. Can you summarize those?
- Ron: A couple of things have changed in the discussion. Noel said give them the /10, and also give them a /8 from 240/4, which no one is using. That will give us other stuff for allocation. I don't see a down-side of that. Some people proposed giving them that *instead* of what they're asking for, but equipment won't route that, so it won't work.
- Jari: Giving them 240/4 will actually be harmful and requires technical changes.
- Russ: The document before us doesn't include that allocation.
- Ron: That was in the discussion on the list.
- Russ: Are you asking us to approve this doc, or are you going to change it?
- Ron: OK, take that off the table. Other arguments... the major one is a claim that you don't need this allocation, because you can use 1918 space, because you can find a chunk that is not widely used by people who have CPE that can't handle the same address space inside/outside. That claim isn't substantiated. You have no idea how many people will have a problem if you number CGN space from 1918 space.
- Ralph: I did follow that part of the discussion.
- Ron: I'd say that was a majority of the discussion. I think the answer is that we have no idea how many people would have a problem.
- Ralph: Whether or not we could perform a study to get some data about whether this would be acceptable, the input from the folks who would be using it is that they won't use it.
- Ron: Now, what happens if this allocation isn't made. In the best world, someone would use their own /10. In the worst world, people will use squat space. The same thing will happen whether we make this allocation or not. Do we want to be in front of it, or pretend it didn't happen?
- Ralph: I think we've walked through my discuss positions, mostly. Except for my middle point... is this document complete and understandable? All these issues aside, is it technically correct?
- Ron: I think it is. I haven't seen anyone arguing about that, only the allocation.
- Pete R: I have one. This seems to me that the move to do all the "this spall only be used for CGN" is silly. We're allocating more 1918 space, and saying this has a special caveat about inside/outside. But anyone can use that for any kind of NAT, not just CGN.
- Ron: Would you be happy if it said "you could use this as additional 1918, but be careful"?
- Pete R: On the list, people have been arguing that this will be used as private address space. Yes, it can be, but with the understanding that it will be on two sides of your CPE, and you have to deal with that.
- Ron: We could put in an RFC note that says it's OK to use it as 1918, but be careful because you might get burned.
- Pete R: It should be a MUST.
- Ron: Would you clear with an appropriate RFC Ed note?
- Pete R: If no one's going to do a study of which part of 1918 space can be used safely, the IESG cannot ask them to use part-of-1918.
- Ron: Ralph, would you clear?
- Ralph: I have one more technical issue. One of the arguments for using a separate space instead of 1918 space is that some devices, in addition to not behaving well with the same address on both sides, they also make assumptions about WAN interfaces with respect to 1918 addresses.
- Ron: A large CPE vendor... if it sees a 1918 address on the wrong side, the router goes into bridge more, and things stop working. That means a call to the ISP. ISPs could get millions of support calls from that.
- Ralph: I understand that, and don't question it. I wanted to make sure I had the conversation right. I wonder if a caveat along the lines of what Pete suggested... if you use this space internally as well as in the intended way, you'll have these bad properties. Vendors will make assumptions. Do we need to put that caveat in there someplace?
- Ron: That should be in the RFC Ed note.
- Pete R: That's sounding like it's getting large enough that I'm worried about the IESG rewriting too much of the document, and it's not going to the community.
- Ron: You would be OK with a new version of the draft, and having it go back to the community.
- Robert: I've been wanting to stress exactly that point. The community needs to express consensus on that.
- Ron: If such text were put in, and the community got to discuss it, how many would clear?
- Pete R: I would go to "no objection" if we got community review of the idea we've just been talking about.
- Ralph: Tentative agreement, depending upon the details.
- Russ: I propose we not take the whole doc back. I'd rather have a thread with OLD/NEW.
- Ralph: I had the same concern about reopening the whole doc.
- Russ: Otherwise, you're going to hear all the objections about the allocation again.
- Dan: I think a limited last call and not hearing strong objections would be enough for me.
- Ron: That's everyone on the call. Let's do that. Revised I-D needed.
- Robert: I have one question. The PROTO writeup has a question about appeal threats. Do we have any new ones?
- Ron: No, I don't think so.
- Pete R: An appeal based on not having consensus is something we have to deal with either way. The change we're proposing might address that. But no appeals on technical grounds?
- Ron: No. Only on consensus.
3. Document Actions
3.1 WG Submissions
3.1.1 New Items
- A Framework for the Control of Wavelength Switched Optical Networks (WSON) with Impairments (Informational)
draft-ietf-ccamp-wson-impairments-08
Token: Adrian Farrel
Note: Deborah Brungard (dbrungard@att.com) is the Document Shepherd.
Discusses/comments (from ballot 3961):
- Ron Bonica: Comment [2011-12-13]:
== Missing Reference: 'Eppstein' is mentioned on line 1020, but not defined
== Missing Reference: 'RFC5920' is mentioned on line 1138, but not defined
- Stephen Farrell: Comment [2011-11-26]:
(blank)
- Russ Housley: Comment [2011-12-14]:
The Gen-ART Review by Wassim Haddad on 13-Dec-2011 raised one editorial comment. Please consider it:
- In Security considerations section: s/maybe/may be/
- Pete Resnick: Comment [2011-12-13]:
I am left wondering why this document is being published in the IETF instead of elsewhere and then later referred to by a GMPLS document that will use this terminology and framework, but I can say that I do not have a clue about the technology and am therefore deferring to others to review the content of this document.
- Dan Romascanu: Comment [2011-11-01]:
Bert Wijnen made the following comment (that I support) in his OPS-DIR review:
As the document writeup states: "This document is an informational framework with nothing to implement. There are a number of drafts being progressed that address various aspects of the framework."
So it would be those documents being progressed that would have to include any discussion about operational or manageability aspects of the various solutions.
At the other hand, it might have been useful if this document would have touched upon some operational/manageability aspects for each of the possible solutions. It seems clear that there are different characteristics depending on which solution is chosen. Specifically the talk about "black links" makes me worried that solutions can become complex and less interoperable.
- Sean Turner: Comment [2011-12-13]:
s6/s8: Need add a reference to [RFC5920].
Telechat:
- Amy: Token is for Adrian. No discusses, and Adrian wants it in point raised.
- Problem Statement of Peer-to-Peer Streaming Protocol (PPSP) (Informational)
draft-ietf-ppsp-problem-statement-07
Token: Wesley Eddy
Note: Martin Stiemerling (martin.stiemerling@neclab.eu) is the document shepherd.
Discusses/comments (from ballot 3979):
- Jari Arkko: Discuss [2011-12-15]:
I do, of course, support the development of a P2P streaming protocol, and I think it will be good for the industry. It is good to write a document that provides some justification and background for this.
However, I do agree with others who have commented that the document overdoes this a little bit. A shorter and more matter-of-fact style would have worked better on me.
But that is not my Discuss comment, I also have a more specific technical concern. Section 3.1 makes it sound like to deploy P2P caches an ISP needs to implement DPI-based detection of P2P content. I think that is first of all wrong, as adding the ISP as a participant in the particular trackers and P2P networks offers a much cleaner way to do this. Secondly, I do not think the IETF should condone or recommend DPI-based hidden caching.
This does not change the fact that I agree with the general point of Section 3.1 that a standardized method will be easier to implement, even when you do the implementation in the correct way.
I suggest deleting some of the text from Section 3.1. that deals with the specifics of how the ISP deals with participation in a P2P network; those details are unnecessary for the general point to be made.
- Stewart Bryant: Discuss [2011-12-12]:
There is a fine line between providing evidence for a case to design something and delivering a commercial message. Unfortunately, even though the author does not appear to work for the companies mentioned the introduction sounds like a commercial. Additionally later in the document there is reference to at least one other company.
Please will the author look at each mention of a company name and re-write the text to provide the evidence in a more objective, vendor neutral, style.
- Adrian Farrel: Discuss [2011-12-13]:
As it stands, I'm affraid I don't see much value in this document. Although it is probably harmless and the usecases may provide valuable background, a lot of the document is a discussion around the topic and does not give the WG any guidance or instructions.
I think most of the "justification" in the Introduction is not really needed. Since the WG has been chartered, it is not necessary to go into great detail on your motivation. You could lift a few lines from the WG charter, and then use the paragraphs that say what this document does.
Similarly, section 3 provides motivation for a standard PPSP, but the existence of the WG is plenty good enough orivation for the work. What seems to be missng, however, is the problem statement that says what the PPSP actually has to do. In other words, I find the document strangely without guidance to the developers of a standard PPSP.
Fixing this might be particularly hard because there is no bug fix and no easy textual addition. Maybe I should phrase the question as "why does the WG see this document as a valuable addition to the canon?"
- Adrian Farrel: Comment [2011-12-13]:
I like that "chunk" is a unit of "block" with sub-unit "piece". What is "block"? :-)
The definition of CDN in section 2 actually only provides a definition of "CDN node".
"key signaling protocol" may be unfortunate term because it is used in other context to indicate a protocol that is used to signal "keys"
- Stephen Farrell: Discuss [2011-12-14]:
(Discuss discuss, for the IESG really I guess)
How does this all fit with decade and cdni? Are we heading towards a good or bad outcome with all those? An example of a bad outcome would be 3 ways to do one thing that are incompatible but the same except for gratuitous differences. Maybe I'm just missing some context but something seems wrong somewhere...
(And one for the authors/chairs...)
- I don't see what PPSP WG document will include "considerations on threats and mitigations when combining both protocols in an application." That's the kind of thing that gets forgotten and where protocol specification authors will say "that's not my problem."
What's the plan for addressing that in the WG?
- Stephen Farrell: Comment [2011-12-14]:
- Section 4 says that you can have pull, push or a hybrid but does say if the PPSP wg is going to work on all of those or some of those. (Its sort of implied that all will be done via different "modes" but that's not clearly stated.) Since it'd be better to only have one "mode," I think the document should justify choosing to do all "modes." (If that's really what the PPSP WG are planning. If not then the document should say what the WG is actually planning.)
- Section 5 really needs to say what sections 5.x are. They could be use-cases the WG is going to tackle, or maybe the WG will decide later, or whatever is the case. Without that, its hard to know why sections 5.x are present.
- 5.1: "easily expand the broadcasting scale" just seems wrong. Is that sales-pitch (in which case delete it) or do you mean something else?
- Section 6 should mention that a malicious (or careless) peer/tracker can leak private information about other peers or trackers.
- David Harrington: Discuss [2011-12-14]:
1) in section 4, there is a discussion of pull-based versus push-based. The discussion talks about the benefits of pull-based (but not the drawbacks) and the fact that most systems use this approach. Then the push-based approach, which few deployed systems use, is discussed including the drawbacks but not much about the benefits. Then the conclusion is that a hybrid system woudl be best, with little justification for why hybrid is more practical, and no discussion of whether anybody actually does this now.
2) This document is supposed to be a problem statement, but throughout it the design of the proposed PPSP protocol is thrown in. This document should focus on identifying what the problems are that need to be solved. Basically, this should discuss what problems the tracker and peer protocols each must address. This document seems to lump the tracker and peer protocols together as the PPSP protocol, and doesn't differentiate or clearly describe the problems that need to be solved by each protocol.
I recommend dropping the notion of a PPSP protocol suite, which seems to encourage marketing of PPSP, and blurring of the distinction between the two protocols. This document should focus on describing the problems to be addressed by each of the two protocols:
"The tracker protocol handles the initial and periodic exchange of meta information between trackers and peers, such as peer lists and content information."
- what are the problems that a tracker protocol addresses, and what problems must be overcome in its design?
"The peer protocol controls the advertising and exchange of media data availability between the peers."
- what are the problems that the peer protocol addresses, and what problems must be overcome in tis design?
in 5.3, there is an incomplete sentence.
in 5.3, "a mobile peer within a high-load base station is unlikely to be selected, which may lead to higher load on the base station."
is unclear. Does this mean "a mobile peer within a high-load base station is unlikely to be selected, because selecting the mobile peer might lead to higher load on the base station."?
Discussion of the PPSP working group should be removed form the document. The goals and deliverables of the WG are documented in the charter, which will have a similar lifetime as the WG. This document published as an RFC will exist long after the WG has been closed.
- Russ Housley: Comment [2011-12-12]:
Please consider the comments provided in the Gen-ART Review by Francis Dupont on 24-Nov-2011.
- Dan Romascanu: Comment [2011-12-15]:
I find the document useful in intent but problematic in the way it is written, and I beleive that some of the sections need serious editing before publication. As the critical issues are covered in DISCUSSes of other ADs I will enter them as COMMENT:
1. Section 1 needs to be shortened and all 'commercial' content needs to be dropped. The main functions should be described avoiding the mentioning of the vendors names.
2. The requirements from the tracker and peer protocols need to be sumarized and listed in one place. I found the figures in section 5 quite useful to understand the functions, but it took time and effort to go through them as they are disparated in the descriptions of the use cases
3. Avoid text (like in the Abstract) that may be interpreted as the protocol proposal is included in this document
- Peter Saint-Andre: Comment [2011-12-05]:
The first three paragraphs of the Introduction are mostly marketing and deserve to be deleted.
"In this document we propose an open P2P Streaming Protocol..." I think you mean "propose the development of" because this document does not define such a protocol.
Section 3.3, paragraph 1: these numbers will become stale quickly. I suggest removing this paragraph.
- Robert Sparks: Comment [2011-12-13]:
It's not obvious how this document is going to help the working group with it's protocol work, or help document the work once it's complete. Is the set of use cases intended to be a set of motivating examples, or does it exhaustively cover every scenario the protocol is expected to handle? Please consider clarifying those points.
Telechat:
- Wes: I agree with the points about toning down the "marketing" approach to the doc. There's a question about whether this is really needed at all. You have to look at the WG's other docs to see it. This is the common thread that stitches them together. Tracker protocol, peer protocol... those are ships in the night, and this describes how those work together to solve the WG's problem. It might not be written that well, but the doc has use for the WG and the IETF in that sense.
- Dan: I didn't enter a discuss, because other ADs said it better. I think the doc can be useful, but there's an important piece that's missing, specifying clearly the requirements on those two protocols.
- Wes: They're doing a separate requirements doc, but it's not near ready.
- Robert: You think this will help new people understand the work, and I don't think it does. It's just an echo of people who want to motivate work in the first place.
- Wes: It is in some sense an echo of the BoF, and the discussion of scope. The authors have proposed major changes, but I haven't seen a new draft yet. I wonder, based on what you and Dan said, whether to push this into the requirements doc. Would that make sense?
- Dan: This makes me regret that I didn't enter a discuss.
- Wes: The requirements will be for two different protocols, and this talks about why we have two protocols. If you just had the raw requirements without some of the figures and text in this doc, two protocols wouldn't make sense.
- Dan: I found the diagrams the most useful part, but they could be folded into the requirements doc.
- Wes: I'm not sure how the authors will feel, but that makes sense to me. Once we strip out the stuff that's not very useful, what's left is a small amount that can go into the requirements pretty easily. I'll talk to the authors about that.
- Jari: My discuss is a minor technical detail, which we could get rid of without a major change.
- Stephen: My discuss is also a bit different.
- Wes: Yours is architectural about decade and cdni.
- Stephen: This document says that someone says the two protocols should be considered together for security considerations. Where will that happen? If you're giving a new plan to the WG, make sure they consider that point.
- Wes: Security considerations about the composition of the two protocols would also belong in that doc.
- Stephen: I'd like your take on my other point.
- Wes: That's more important, affects docs we have yet to see. David, how does this stand with your discuss?
- Dave: I suppose we can combine this with the requirements doc. The second point I have is where they talk about what the ppsp protocol is designed to do, and this isn't supposed to be about the protocol, but about the problem. They tend to talk about the ppsp suite, and I think that's a bad thing to do. There might be other protocols that can do this job with some new attributes. If you consider this a suite, you lose the ability to consider existing protocols, and there might be some out there that can be used. They want to write a new protocol.
- Wes: I don't think anyone has proposed a protocol that meets the requirements. I'm highly skeptical about that. When they say "suite" they mean a pair, tracker and peer protocols. Going to Stephen's point, relation (or lack) to decade and cdni...
- Dave: Wes and I need to sit down with the chairs of the three WGs about that.
- Wes: Some of the same participants are in all three groups, but there's a lack of architectural vision of how they work together.
- Stephen: At the decade meeting in Taipei, someone came along and presented what looked like cdni.
- Wes: That's a good comment. The ppsp doc is nowhere near coming to the IESG. If we fold this content into that, it gives us time to work on this cross-cutting issue. I think we have enough discussion on this doc. This will be AD follow-up. Or should it be revised I-D?
- Dave: The issue with putting the problem statement into the requirements... this is a different problem than decade and cdni want to address. We might want to take the problem statements from the three groups and put them into requirements.
- Wes: Let's do AD follow-up.
- Happy Eyeballs: Success with Dual-Stack Hosts (Informational)
draft-ietf-v6ops-happy-eyeballs-06
Token: Ron Bonica
Note: Fred Baker (fred.baker@cisco.com) is the document shepherd.
Discusses/comments (from ballot 3985):
- Stewart Bryant: Comment [2011-11-28]:
Wes raises an interesting point, the draft needs to discuss connectionless transport protocols.
- Wesley Eddy: Comment [2011-12-14]:
(blank)
- Adrian Farrel: Comment [2011-12-11]:
I understand why improving IPv6 experience in dual stack deployments is valuable to the IETF in promoting migration to IPv6. For that reason, publication of this document may be beneficial and encourage implementations to include more flexible selection algorithms such as that described in this document. However, I don't see anything in this document that impacts interworking, so I don't see why it is Standards Track.
- Stephen Farrell: Comment [2011-12-09]:
(blank)
- Stephen Farrell: Comment [2011-12-09]:
I've cleared
- Pete Resnick: Comment [2011-12-11]:
I really think this document should have had a co-author in the apps area. It is written exceedingly "thinly" and doesn't really understand some of the application implementation issues. That said, I still think it is valuable and worth publishing (and hopefully updating in the future). Though it is a bit this for the standards track as it is now, I see the potential to fill this in over time with more proscriptive information, and therefore I don't object to go it going on the standards track now in anticipation of that. Some issues to consider for this go-round:
3.1 - This has nothing to do with URIs. It is about hostnames. Hostnames used that don't appear in URIs have exactly the same issues.
4. - Though using SYN and ACK in the diagram is fine, I recommend using words like "connection attempt" in the descriptive text. SYN and ACK are probably not as familiar to application layer folks, and since this is aimed at them, it is likely better to use the application layer terminology. Furthermore, there is a performance/resource impact to making a "connection attempt" that an apps person will understand that they might not if it is understood as only an additional packet.
I agree with Stephen's concerns regarding "MUST cache". There are valid reasons to try v6 later even if v4 succeeds first, but those reasons must be carefully considered and understood. That sounds like a SHOULD.
4.1 - The first few paragraphs strike me as introductory material, not part of the alogirthm requirements.
4.2. - "SHOULD do so every 10 minutes" I think instead you mean "SHOULD do so no more frequently than every 10 minutes". It's perfectly fine to do so every 20 minutes, or once a day.
4.3. - DNA does not describe how applications (which are the ones who are going to implement Happy Eyeballs) are to be notified of these changes. Though I agree that a Happy Eyeballs app should be able to ask its host to do a DNA for it (or more to the point, get notifications from the host), that's an additional requirement on these apps and should be noted.
- Peter Saint-Andre: Discuss [2011-12-08]:
The Apps Directorate review by Murray Kucherawy on 2011-11-26 raised two major technical issues and eight minor technical issues. These issues merit a response.
- Peter Saint-Andre: Comment [2011-12-08]:
Much as I love XMPP, I would change "xmpp clients" to "IM clients".
- Sean Turner: Comment [2011-12-14]:
Please consider the editorial comments suggested by Sandy in here secdir review
Telechat:
- Ron: Peter, there was a conversation between the people who posted that email and Dan Wing.
- Peter StA: I just replied to that thread. I'm waiting to hear back from Murray, who did the AppsDir review.
- Pete R: I think this is inappropriate for informational. It has normative guidance and is standards track.
- Ron: You and Dave Harrington should duke it out.
- Pete R: Dave's issue is that there are problems if it's standards track.
- Ron: Dave thinks it only talks about requirements.
- Dave: At one point in the discussion they took out the normative stuff and just made it requirements.
- Ron: Pete is right; there is stuff saying you MUST cache, and you MUST flush the cache.
- Dave: It affects on the wire?
- Pete R: Absolutely. And there are SHOULDs and RECOMMENDEDs that affect what's on the wire.
- Robert: I agree with Pete.
- Dave: I'll take it either way.
- Ron: We'll put it back to PS, and we'll put the 2119 language back in. Just waiting for confirmation from Peter that his issues are worked out.
- Pete R: I hadn't actually done to look at the diffs for -06 to see what 2119 stuff was removed.
- Ron: That was done in an RFC Ed note last night.
- Russ: Ron, you're just saying remove the RFC Ed note, and it's back where it was.
- Pete R: I'm fine with that.
- Ron: The only thing we're waiting for then is Peter.
- Pete R: Neither Stephen nor Wes moved off of discuss because of the RFC Ed note?
- Stephen: There are some items in the note for me, separate from the doc status, so those should stay.
- Dave: I note that the abstract says that this provides *requirements* and an example algorithm.
- Ron: I think that's still OK for PS.
- Dave: It says "example" algorithm.
- Ron: I can remove the word "example".
- Dave: I'm willing to go with standards, if everyone thinks that's the way to go.
- Pete R: I'll clear my discuss.
- Amy: We're going back to PS, and we're still waiting for Peter's issue, so it's AD follow-up until that happens.
- Dave: Ron, if you take out the word "example" you may need to go back to the WG and make sure they don't object to this change. They put it in deliberately.
- Ron: OK, I'll ask them.
3.1.2 Returning Items
- (none)
3.2 Individual Submissions Via AD
3.2.1 New Items
- Transmission of Syslog Messages over TCP (Informational)
draft-gerhards-syslog-plain-tcp-12
Token: Dan Romascanu
Discusses/comments (from ballot 3840):
- Adrian Farrel: Comment [2011-12-11]:
It would be good if the Introduction included a brief paragraph on the purpose/content of this document. The first paragraph of Section 4 contains roughly the necessary material.
I am uncomfortable (but not quite to the point of a Discuss) by the way that this I-D flies in the face of IETF consensus to recommend the use of TLS. I believe this could be resolved by a slightly stronger statement on the intent of the document to facilitate interoperability with legacy deployments whild continuing to recommend the use of TLS. I.e. "this document does not recommend that new implementations or deployments use syslog over TCP except for the explicit purpose of interoperating with existing deployments."
I am surprised that section 5 does not mention TCP/AO.
- Stephen Farrell: Comment [2011-12-14]:
- I agree with Dave's discuss points 1,2 and 4 and sympathise with his point 3.
- Be nice to add the hex values that go with %d32 and %d126 just to be super-clear
- 3.1 mentions "relays" but those weren't mentioned in the intro - be nice to say what those are in section 1.
- What does "not available" mean at the end of section 5? I think it would be better to say "This protocol SHOULD NOT be used unless syslog/tls [RFC5425] has been tried and failed, e.g. because there
is no listener on port 6514."
- I think you could note that falling back to this if syslog/tls fails could in principle indicate that an attack is happening. If there's a sensible action to take there (e.g. some local logging of the failure of the TLS handshake or whatever in addition to remote logging using this) that'd maybe be worth saying.
- David Harrington: Discuss [2011-12-13]:
As co-chair of syslog WG, I have worked witrh Rainer and Chris closely, and understand that they feel this is valuiable documentation for the community. I disagree for a number of reasons.
1. I think the applicability statement is not consistent with IETF consensus: "It is hoped that this description, along with the assignment of a standardized port for this protocol, will promote future interoperability."
IETF consensus is to use strong security [RFC3365 - BCP61] to provide secure interoperability. RFC5424 and RFC5425 have IETF consensus as the right way to achieve syslog interoperability, and to do so securely. Based on BCP61, RFC5424 and RFC5425 provide mandatory-to-implement security features, which may be configured by operators to provide no security if operators so choose (RFC5425, section 5). I
do not believe this document will result in future interoperability for syslog, and sends the wrong message to the community about how to achieve interoperability. I do not believe it is in the IETF interest to assign a standard port number for syslog/tcp.
2. I believe this document, if published, should be published as Historic (or Obsoleted by RFCs 5424 and 5425).
I believe this designation is important based on experience with RFC3164, which allegedly documented BSD Syslog, but actually ended up being a survey of existing syslog/UDP implementations that showed how on-the-wire formats of the many existing implementations had little in common. Most only had the first byte in common. Many vendors claimed "compliance" to RFC3164. I believe this document needs to have it very clearly spelled out that this is only a document of past practices, is NOT an IETF standard, and should NOT be implemented in new implementations.
RFC3164 (legacy syslog/udp) was obsoleted by RFC5424. This legacy syslog/tcp document should be handled the same way.
3. Personally, I don't see a lot of value to this document. Similar to existing implementations of syslog that run over udp, existing implementations of syslog that run over tcp are not very consistent.
This document does not contain enough detail for syslog receivers/applications to process incoming legacy messages; application implementers would need to do additional research into the formats used by specific implementations. Therefore, this document does not serve to significantly improve interoperability between senders and receivers. Cross-vendor interoperability could be improved by standardizing a port#, and recommending consistent implementation choices, such as message layout, support for octet-counting versus framing in the message format, internationalized character sets, and transport session initiation and closure.
The IETF has already standardized support for a message layout, and internationalized character sets in RFC5424. The IETF has already standardized a transport for syslog messages in RFC5425, including session initiation and closure, a standard port#, as well as strong security as called for by BCP61. I have concerns that publishing this as an RFC sends the wrong message to the community, and am especially concerned that vendors wil use this to claim "compliance" to an IETF RFC, just as they did with RFC3164. This could slow vendors moving to support interoperability by using the IETF standards defined in RFC5424 and RFC 5425.
4. Despite my belief that publishing this document will not make the Internet run better, I could accept publication of this document with a Historic or Obsolete label and a big IESG Note that says
"The IESG does NOT RECOMMEND implementing or deploying syslog over plain tcp, which is documented in this document, because it lacks the ability to enable strong security [BCP61]. syslog/tls [RFC5425] is RECOMMENDED for implementation so that security features are available to operators who want to deploy secure syslog, and those security features can be turned off for those who do not want them."
- Pete Resnick: Comment [2011-12-13]:
I must agree with Robert's comment that the port allocation seems inappropriate. However, it concerns me that the port that is chosen some of the time is the rsh port. If there is an unregistered port that is widely used for this, it should be registered.
I agree with Adrian's comment that some of the contents of section 4 would be terribly helpful in the intro.
I think Peter's comment regarding character terminology is important, and I'm happy to see you're addressing it.
I am ambivalent as to whether the document should be Informational or Historic. I lean slightly toward Informational since it is describing widespread current practice.
[Updated to add:]
Please re-use ABNF constructs defined in RFC 5234 instead of redefining them here:
3.4.1 - DIGIT and SP are already defined in 5234.
3.4.2 - LF is already in 5234.
- Peter Saint-Andre: Comment [2011-12-08]:
According to BCP 166 (RFC 6365): "The terms "charset", or "character encoding scheme" and "coded character set", are strongly preferred over the term "character set" because "character set" has other definitions in other contexts, particularly outside the IETF."
Please consider changing the term used in Section 3.1 of this I-D to match BCP 166.
- Robert Sparks: Discuss [2011-12-13]:
Capturing a description of what's observable in the wild is a very good thing - thank you for putting this document together. If that's all this document is trying to do, why isn't it Historic, and why doesn't it register the port(s) that existing implementations are actually using?
A new port for something that's not a standard (and is not already the de facto port) doesn't seem like the right thing to do.
- Robert Sparks: Comment [2011-12-13]:
Most of the document is written with a tone of "here's what we see deployed already", which is good. In a few places it drifts into a tone that would be more appropriate for "and we want people to make more things that do this". Section 3.2, in particular, reads more like a protocol definition than a description of already existing behavior. Section 3.4 uses the phrase "usually preferred". Something like "has caused fewer problems" would be more descriptive (if it's accurate).
- Sean Turner: Comment [2011-12-14]:
I tend to agree with Dave here.
Telechat:
- Dan: The editors would like discussion from the IESG. This was set up as a taxonomy. It's observing that there's a usage of syslog over tcp on a number of ports. The most popular choice is 514, which seems to be a problem because it's originally for shell. It's trying to make a recommendation to pick another port, 10514. I got a discuss from David, which shows a number of problems with the way the authors approached this. He suggests that the document do nothing, or move to historical, take out IANA allocations, and put a strong note inside the document that it's historical and not recommended behaviour. I want to hear from the rest of the IESG.
- Robert: I see a lot of value in publishing this, observations about what's in the wild. If we're seeing enough use of this port, we should register that port with IANA. I don't think we're doing the right thing with making a new port, and trying to get people to change to it. That's writing a new standard. There are ways to deal with the shell situation.
- Pete R: I agree with Robert: this documents what's in the field. We shouldn't go historic, we should say this is information. The question of allocating a new port should be separate. If this doc can justify allocating 514, that's a good idea too.
- Dan: What would the comment near the IANA registration for this port say? Allocated for syslog over TCP, formerly for RSH, but probably no living implementations? Or what? I don't know if there's an RFC that talks about the shell allocation.
- Dave: Does anyone have a copy of all of the RFCs, and run a grep on it.
- Pete R: Is it 1282?
- Dan: I don't see any RFC. So deprecating it here is probably enough.
- Dave: We should put a note on the IETF mailing list, asking if anyone knows about it being used.
- Dan: We can ask the editors to rewrite this part... probably the whole IANA section... and then run another IETF last call. We can put text into the last call giving the gist of the change. Would that be the right way to proceed?
- Dave: It makes perfect sense to give them 514 over TCP. We need to figure out how to get the other one out of the way. 6335 talks about how to recover.
- Robert: I looked back through the email thread. Lars and the authors seem to be converging on its not being a predominant port. Lots of nodes in the usage.
- Dan: We can leave the description, but not make any new allocation. The only change in the registry would be the text that defines how 514 is defined. If someone looks at 514 now, they will find only shell. We should add that it's probably used predominately by syslog over TCP.
- Robert: That works for me.
- Dan: I will instruct the editors and the shepherd. Revised I-D needed, and another IETF last call.
- Dave: BCP 61 was widely discussed in the IETF, and a decision was made that all protocols should support strong security. This is weak security, and flies in the face of the standard. It should be mandatory to implement TLS, so it's there for operators who wish to use it.
- Robert: Only if you interpret this doc as "go make more of this." But the document is stressing not to do that. It even says that you should stop using TCP if it's possible to use TLS.
- Dave: Why shouldn't it be declared historic?
- Pete R: It's not saying it's going away. It's saying this is what's out there, and will continue to be out there.
- Dan: If the document is informational, we need to put stronger text that there is a standard transport that is MTI. If you're doing the doc historic, we don't need to put that strong text there.
- Dave: I think you might want it there in both cases. Historic or obsolete says this isn't something we recommend. Syslog over UDP was obsoleted by the syslog standard. Why should this be?
- Dan: Retroactive obsolete?
- Dave: If 5424 can't say that it obsoletes this, what happens? I'm concerned about this because syslog documented syslog over UDP, and found that there was no common usage, yet 3164 was used to claim compliance by vendors. Makes me have second thoughts about whether this should be published. If it is, it needs to be very clear that it's what's in the wild and shouldn't be used.
- Dan: And that can be made clear whether it's informational or historic.
- Dave: I'm willing to accept IESG consensus. If I'm in the rough, it's OK.
- Dan: Does anyone feel strongly that this should be informational?
- Stephen: I don't care about the status, but I agree that it has to be very clear.
- Sean: I agree too.
- Pete R: I have some feeling that informational is appropriate, but I have no objection to adding text to make it clear what the intent is?
- Dan: Would you object to historic?
- Ron: I agree with Pete, but don't want to go to war over it.
- Dave: How about obsolete?
- Robert: We don't have a way to do that without another document.
- Stephen: Sean, what did we do with SSL?
- Sean: Straight to historic.
- Dan: I will propose this as historic, and everyone will have his say, and I'll reset the ballot for the second IETF last call.
- Dave: And what are we doing with the port number?
- Dan: All the current IANA Considerations section will be removed, and it will just change the description on port 514 to say that it's being used by syslog over TCP, formerly used by shell.
- Dave: Seems to me we were marking some port usages as being squatted upon in the wild, in the directories. Do we want to put it in here in the directory, that it's been used incorrectly?
- Robert: Why don't you bring that up in last call?
- Dave: OK.
- Dan: Revised I-D needed.
- Amy: Dan, you wanted to reset the ballot. Now, or after last call?
- Dan: I'll do that after last call.
- Recommendations for the Remediation of Bots in ISP Networks (Informational)
draft-oreirdan-mody-bot-remediation-18
Token: Stephen Farrell
Discusses/comments (from ballot 3939):
- Jari Arkko: Comment [2011-12-15]:
Thanks for writing this.
- Ron Bonica: Comment [2011-12-14]:
Minor comments:
Section 1.3 - Do we really need to define the word host
Section 1.5 - When IPv6 takes off, you will see fast-flux using AAAA records
- Stewart Bryant: Comment [2011-11-28]:
There is the outstanding issue of verifying that the IPR issues noted by the Shepherd have been fully resolved. I am sure that Stephen will verify the resolution before issuing a publication request, and thus am highlighting this issue as a comment.
"An ISP may use Netflow [RFC3954]"
I would think that the the standards based solution IPFIX [RFC5101] would be a better reference.
- Wesley Eddy: Comment [2011-11-29]:
This is a good document. I am not at all an expert in this area, but my only comment is that it seems like there may be some liability to the ISP in attempting to detect bot infections because they may then need to bear the burden to report criminal activity that they witness. I'm sure commercial ISPs have considered this in their policies, but I didn't notice it clearly mentioned in the document.
- Adrian Farrel: Comment [2011-12-12]:
Thanks for a very readable document with a lot of valuable information. I have a few small conversation topics that I would appreciate you thinking about and addressing if you can see a way forward.
I am surprised by the statement in the Abtract that a user with an infected computer is exposed to the risk of phishing. The second statement that their computer might be used as an inadvertent participant in a phishing network sounds more reasonable.
I wonder whether Section 5 needs to consider the risks of notifications after false positives, and the problems caused by false notifications as a form of attack.
Section 7 upset me a little. Recognising the need of ISPs to protect their businesses, I also see the need to continue to provide service to vulnerable people who cannot be expected to protect their computers.
In view of this, you might discuss the service providers' duty to ensure that hosts connected to their network cannot become infected with bots through data transfered across the service providers' networks. Or you might just drop the text about account termination.
- Pete Resnick: Comment [2011-12-13]:
1.1 - I have never heard of "benign bots" before. Is this an invention of the authors or is it used in some circles? I would prefer if the document referred to only the malicious applications as "bots" and referred to the benign applications as "background applications" or "daemons" or "background processes". I think it is still important to point out that such applications should not be monitored for or prevented from functioning.
1.2 - "Bot Networks or Botnets" is better defined as "a group of bots that are remotely controlled by a single party". The first sentence of 1.2 is circular.
I know what all of those malicious activities are, but it might be useful to define some of them.
"Infection vectors" is undefined. So are a bunch of the terms in that paragraph.
Much of this section assumes a familiarity by the reader. If the reader was this familiar with the material, this section wouldn't be necessary. Similarly with 1.4.
1.5 - The information in the two paragraphs is reversed, burying the important point: Compromised hosts are used as proxies to web servers in order to hide the IP address of the server itself. This is *accomplished* by DNS Fast Fluxing.
10. - Some of the activities outlined in section 3 should be called out specifically with regard to privacy considerations.
A reference to RFC 4948 seems pretty essential. I'm surprised not to see some of the information that appears in that document in this one.
- Dan Romascanu: Comment [2011-12-15]:
Good document. All my comments are related to Section 5:
1. "It should be possible for the end user to indicate the preferred means of notification on an opt-in basis for that notification method. It is recommended that the end user should not be allowed to totally opt out of notification entirely.
It looks like either 'totally' or 'entirely' is redundant
2. I would expect notifications by management protocols like SNMP and NETCONF be also described in this section
3. The danger of DoS attacks by flasely reporting of bots via notifications shoulsd also be mentioned as a major security concern
- Peter Saint-Andre: Comment [2011-11-29]:
Overall this is a helpful document. I have a few comments and suggestions.
In Section 1.2:
OLD: "The detection and destruction of bots is an ongoing issue and also a constant battle between the Internet security community, network security engineers and bot developers."
NEW: "The detection and destruction of bots is an ongoing issue and also a constant battle between the Internet security community and network security engineers on the one hand and bot developers on the other."
P2P is not a communication protocol, it is an architectural approach.
It is a bit odd to speak of the "introduction" of HTTP, given that HTTP was invented over 20 years ago.
The document sometimes conflates bots and botnets. For example:
"As a consequence, botnets that are initially detected and classified by the ISP as one particular type of bot need to be continuously monitored and tracked in order to identify correctly the threat the botnet poses at any particular point in time."
Although a botnet consists of bots, not all bots are part of a botnet (and we certainly can't say that a botnet can be classified as a type of bot, as in the quoted paragraph).
Telechat:
- Amy: No discusses, no objections, approved.
- Stephen: Possibly need notes. Make it point raised, and I'll go through the comments and see if changes are needed.
3.2.2 Returning Items
- (none)
3.3 IRTF and Independent Submission Stream Documents
3.3.1 New Items
- Host/Host Protocol for the ARPA Network (Historic)
draft-mckenzie-arpanet-host-host-protocol-01
Token: Russ Housley
Note: ISE document
Discusses/comments (from ballot 4044):
- (none)
Telechat:
- Amy: No discusses on this. If no objections, I'll send a "no problem" message to the ISE. Russ, notes in the writeup box are correct?
- Russ: Yes, we just have a simple suggestion to the ISE.
3.3.2 Returning Items
- (none)
4 Working Group Actions
4.1 WG Creation
4.1.1 Proposed for IETF Review
- SPF Update (spfbis)
Token: Pete
Telechat:
- Amy: Any objections to sending this to external review? None, so external review is approved. It will come back here on 5 Jan.
4.1.2 Proposed for Approval
- (none)
4.2 WG Rechartering
4.2.1 Under evaluation for IETF Review
- (none)
4.2.2 Proposed for Approval
- (none)
5. IAB News We can use
- Sean: The only thing is that the ITU meetings are going on in Geneva, and things are looking to be interesting.
- Dan: Adrian mentioned reports from Scott, and I didn't see any. Maybe those were directed not to the IESG list.
- Russ: To the ITU liaison list. You don't want to follow every blow-by-blow. A two-week meeting ends tomorrow, and we still don't know what the document to be balloted on looks like. Balloting will take place tomorrow, on the closing day of the meeting.
6. Management Issues
- Use and maintenance of datatracker.ietf.org/iesg/ann/ind , /new, and /prev (Robert Sparks)
Telechat:
- Robert: I discovered that these pages exist, and what they produce is incorrect. Do we know anyone who uses them? If not, I propose we remove them.
- Russ: We should ask the community, because I don't know.
- Robert: I'll take an action to send out a question.
- Executive Session for IAOC Member Selection (Russ Housley)
Telechat:
- Should RFC 3934 become part of BCP 25? (Russ Housley)
Telechat:
- Pete R: Given what the RFC Editor has said, and given the nature of 3934, it should be BCP 25.
- Russ: If there's agreement, we just ask the RFC Editor to change the metadata. Does anyone object to that? None, OK.
- Dave: Do we need to change our tools, so we notice this in the future?
- Russ: I believe that was an AUTH48 oversight. The tools are available, but it doesn't appear they were used.
- Sandy: If a doc updates another BCP, we tend to ask.
- Russ: This was in the title, not the header.
- Pete R: This is just old, and it got missed.
7. Agenda Working Group News
- Jari Arkko (Internet)--- none
- Ron Bonica (O & M)--- The announcement and doodle poll for data center interim has gone out.
- Stewart Bryant (Routing)---
- Gonzalo Camarillo (RAI)--- none
- Ralph Droms (Internet)--- none
- Wesley Eddy (Transport)--- none
- Adrian Farrel (Routing)---
- Stephen Farrell (Security)--- none
- David Harrington (Transport)---
- Russ Housley (General)--- none
- Pete Resnick (Apps)--- We just got two IPR disclosures on two Sieve docs, where the author failed to disclose that he'd filed IPR on the docs. He has since stopped participating in the IETF. Does anyone object to informing the WG informally, or does this have to be last called again?
Russ: You have to ask them as the AD on their mailing list.
Pete R: Yes, that was my plan.
Russ: If anyone raises concerns, you might have to pull it back into an additional last call.
- Dan Romascanu (O & M)--- none
- Peter Saint-Andre (Apps)--- none
- Robert Sparks (RAI)--- none
- Sean Turner (Security)--- MILE WG has two drafts to be done soon. I will last call them for an extra week because of Christmas. Shooting for 19 Jan telechat.
1330 EST Executive Session for management issue 6.2
Appendix: Snapshot of discusses/comments
(at 2011-12-15 07:30:05 PST)
draft-ietf-l3vpn-ospfv3-pece
- Jari Arkko: Comment [2011-12-14]:
+1 to comments from Fred Baker and Dan Romascanu
- Stephen Farrell: Comment [2011-12-13]:
- Who's the document shepherd? Tracker note says Ben, iesg writeup
says Danny. Probably a typo somewhere or a change, but might be worth
fixing.
- The abstract is confusing. It says "We had BGP/MPLS for IPv4; then
we added IPv6; then we added OSPFv2 and now in this document, we add
OSPFv3." Telling the reader about IPv4/IPv6 just seems distracting
here.
- NLRI & NSSA not expanded on 1st use.
- Is it safe to use a NULL domain ID? If I do that then
an incoming message can easily be confusing?
- Section 7 refers to rfc 4659 section 11 and 4577 section 6.
4659 section 11 refers to 2545 section 5 and 4364 section 13.
4577 refers to 4364 and 4365.
2545 says "nothing new here."
4364 is updated by 4577, 4684 and 5462.
4577 says "cryptographic authentication" SHOULD be used and
MUST be implemented but doesn't say what "cryptographic
authentication" really means.
I stopped following the breadcrumbs at that point;-)
Can't we do this better and simpler?
- Dan Romascanu: Comment [2011-12-14]:
Fred Baker made in his OPS-DIR review a couple of comments which are not show
stoppers but deserve being answered and clarified if necessary in the text:
1. The introduction mentions the use of OSPFv2 for IPv4 and OSPFv3 for IPv6.
With the advent of OSPFv3 address families, mentioned in section 6, it is
possible to use OSPFv3 for IPv4, enabling one protocol and one configuration to
be used for both network layer protocols. I would expect that this might be a
useful thing to comment on in the introduction.
2. The one question I was left asking was why the document mentioned MPLS in 20
places but did nothing with MPLS other than mention that it was used in BGP/MPLS
VPNs. The routing technology could just as easily be used on any other PE-CE
link; the point is that it is between an OSPFv3 instance in the PE and a
correspondent on the CE router, enabling a customer to communicate with an
upstream in a manner that enabled the upstream to trust routing information
without the customer needing to obtain an AS number and operate a BGP
configuration. That's not an impediment; the document only chose to specify that
configuration. But the narrowness of specification left me puzzled.
draft-ietf-6man-rpl-option
- Jari Arkko: Comment [2011-12-01]:
Sorry, posted the IANA issue in wrong tracker window...
- Ralph Droms: Discuss [2011-11-29]:
1. The first sentence of section 4:
Datagrams sent between RPL routers MUST include a RPL Option or RPL
Source Route Header ([I-D.ietf-6man-rpl-routing-header]) and MAY
include both.
Under what circumstances would a RPL router include an SRH but not a
RPL Option?
2. This issue requires a little clarification before I can provide an
actionable Discuss issue. Is it possible to deploy RPL in a network
in which not all of the nodes in the network participate in RPL?
E.g., can there be "leaf" nodes, the equivalent of hosts, that do not
participate in RLL and that exchange datagrams with immediate
neighbors that are RPL routers? There is a hint that such a
deployment is anticipated in the phrase "attachment router" in section
4. If so, I think there needs to be additional text similar to that
in section 5 describing how a RPL router must ensure that it doesn't
forward a datagram containing a RPL Option to a non-RPL leaf node.
- Adrian Farrel: Comment [2011-11-30]:
I have no objection to the publication of this document, but I have a umber of
questions/nits that I hope you will consider.
Section 1
To that end, this document proposes a new IPv6 option,
s/proposes/defines/
---
Setion 2
Every RPL router along a packet's delivery path processes and updates
the RPL Option. If the received packet does not already contain a
RPL Option, the RPL router must insert a RPL Option before forwarding
it to another RPL router.
Surely that means that the absence of the option indicates a defect in
the upstream router. This issue is also present in section 4 where there
is some flexibility about whether to include the RPL Option, but no
guidance.
---
Section 3
Please consider using RFC2119 language (e.g. "shall")
---
Section 3
Nodes
that do not understand the RPL Option MUST discard the packet.
You cannot state this in this way. Nodes that do not understand the
option will not implement this spec!
You probably simply need:
As defined in [foo] nodes that do not understand an option on a
received packet MUST discard the packet.
---
Sections 3 and 7
Please check "sub-TLV" and "TLV". I think you have used them
interchangeably.
- Stephen Farrell: Comment [2011-12-14]:
- Russ Housley: Comment [2011-11-28]:
The Gen-ART Review by Joel Halpern on 22-Nov-2011 included a
suggestion for improved clarity. Please consider it.
While calling a bit the O bit does not appear unreasonable, I
note that when looking at the packet form, the difference between
the O bit and the mbz bits marked as 0 is small, and a likely
source of confusion for the reader.
- Robert Sparks: Comment [2011-11-29]:
Please double-check the first paragraph of section 4 to make sure that "ICMPv6
errors generated by inserting the RPL option" is really what you mean to say -
are you talking about errors that resulted from inserting the option itself, or
possibly other ICMP errors that might result from other data in the tunnel
header?
- Sean Turner: Comment [2011-11-30]:
I support Stephen's discuss.
draft-ietf-geopriv-deref-protocol
- Jari Arkko: Comment [2011-12-15]:
Maybe I missed it or it is discussed in some other document, but I felt the
document did not describe some basic properties of local references. For
instance, if I ask for my location and then pass it on to someone else, is the
resulting dereferenced location my location at the time of the request, or my
current location? Devices can move...
- Stephen Farrell: Discuss [2011-12-12]:
#1 The draft is (a little) inconsistent about the requirement to *use* TLS.
Section 1, end of 3rd para says this "requires use of TLS", but
elsewhere (e.g. section 4, 2nd para) you say that this defines how to
use "http:" URIs and the security considerations says only that TLS is
"strongly RECOMMENDED." I'd prefer it all to say that you MUST
use TLS always, but it at least needs to be consistent doesn't it?
This should be an easy fix, I guess.
#2 What, if any, form(s) of TLS server auth are required to be used
when TLS is used? Would it be right to say a client MUST NOT not offer
anonymous ciphersuites in the client hello? i.e the TLS_*_anon_*
ciphersuites. (Just checking in case that hadn't been considered.
If it already was and there's a reason to allow anon ciphersuites
that's ok but would be worth explaining.)
- Stephen Farrell: Comment [2011-12-12]:
- I expected to see some mention of single-use URIs here. Is there
no use-case for those? It might help a bit given the
possession-is-authorizaiton model? (But it'd also conflict with other
use-cases maybe.)
- s3.1, maybe s/is constructed/MUST be constructed/ such
that it is hard to guess?
- what are the "other measures" mentioned in the 2nd last
para of 3.1?
- Pete Resnick: Discuss [2011-12-14]:
3.2/3.3: I cannot see how this protocol can be interoperable unless you commit
to a particular policy mechanism and format, not just a "possible format" [3.2]
or a mechanism "such as those described in [I-D.ietf-geopriv-policy]". It seems
to me that ietf-geopriv-policy should be a normative reference in this document,
not an informative one, and these two sections should be written to normatively
reference it.
- Pete Resnick: Comment [2011-12-14]:
Section 1: Lots of redundant text. Could use an edit. A single paragraph is
probably sufficient. I also find the diagram not terribly useful in the intro.
Section 3: I actually found this discussion rather confusing and unnecessary.
"Authorization by Posession" is often equivalent to no authorization at all. For
certain resources that require no particular protection, there needn't be any
obscuration by "hard to guess" URIs, and there needn't be a Rule Maker in
existence at all. On the flip side, Authorization via Access Control needn't
involve a policy document at all: regular HTTP authenthication could be used
with a username and password, and access control can be handled entirely by the
HTTP server, again without a Rule Maker. (Of course, in each case there is
theoretically a "Rule Maker", but that is so theoretical as to make the entity
of little use conceptually.) No matter the authorization and authentication
used, Posession is still required, so I don't see that as a useful concept.
I would be happy if this section simply eliminated the concept of "Authorization
by Posession" and simply talked about different authorization and authentication
methods. I think it would also be fine to leave this entire discussion to the
policy document. But at the very least, I think you should mention that
Authorization by Posession does not require a Rule Maker or a policy or making
URIs hard to guess, though those are options to make access to location
information more controlled.
- Peter Saint-Andre: Comment [2011-12-13]:
The AppsDir review by Ted Hardie raised several minor issues, which deserve a
response. The review can be found at http://www.ietf.org/mail-archive/web/apps-
discuss/current/msg03941.html
A number of terms are re-used from RFC 3693 and RFC 5808; it would be helpful to
cite those specifications in Section 2.
Although Section 3 says that "no authentication framework is provided", it's not
true that authentication cannot be performed (e.g., if HTTP is used to
communicate with the LIS/LS then HTTP authentication can be used). The text here
is not entirely consistent with the later text in Section 3.3 ("A Location
Server MAY support an authentication mechanism that enables identity-based
authorization policies to be used") and similar text in Section 4.
It would be appropriate to say something about leakage of location URIs (which
could happen outside the TLS-protected channel between the Target and the
Location Recipient -- URIs have a tendency to leak). RFC 5808 has some text
about this, and perhaps you could simply point there.
- Sean Turner: Discuss [2011-12-14]:
1) This is along the same lines as Stephen's #1.
s3.1: Just to make sure I understand Authorization by Possession could just as
easily have been called Authorization by Obscure URI? These seems like security
through obscurity.
Also, shouldn't there be some kind of statement like at a minimum:
The use of this model SHOULD involve the use of TLS?
Actually based on s4 shouldn't that be a MUST?
s4 contains the following:
The Location Recipient establishes a connection to the LS, as
described in [RFC2818]. The TLS ciphersuite TLS_NULL_WITH_NULL_NULL
MUST NOT be used. The LS MUST be authenticated to ensure that the
correct server is contacted.
I read that as HTTPS MUST be used. If that is how you intended it, can't you
just say that instead?
s6 says s4 says it's strong RECOMMENDED, but I don't see that in s4.
- Sean Turner: Comment [2011-12-14]:
1) Figure 2: Shouldn't the two figures in the geo-priv drafts match?
2) s3.1: Isn't it c8 in RFC 5808:
(see C9 of [RFC5808])
3) s3.1: Isn't this true only when you don't use S/MIME:
Use of authorization by possession location URIs in a hop-by-hop
protocol such as SIP [RFC3261] adds the possibility of on-path
adversaries.
4) s3.2: strike the a:
In contrast to authorization by possession, possession of a this
form of location URI does not imply authorization.
5) s3.2: I think you need to work something about authorization by access
control being based on an authentication mechanism. You mention in s3 and then
again in s3.3, but it seems like it needs to be included in s3.2. I kept
thinking .. because … after the first sentence. Maybe:
Use of explicit access control provides a Rule Maker greater
control over the behaviour of an LS because it determines access
based on individual Location Recipients.
or something like that.
6) s3.3: In the first two paragraphs of s3.3, I think you're trying to say this:
This document does not describe a specific authentication
mechanism; therefore, the authorization by access control
model is not an option. Instead, this document uses the
authorization by possession model.
The existing two paragraphs seemed little wordy.
draft-ietf-geopriv-policy-uri
- Jari Arkko: Discuss [2011-12-15]:
I will probably clear this after some discussion in the IESG tonight, and let
Stephen hold his Discuss (item #5 in particular).
However, I am concerned that the document provides an authorization-by-
possession model for clients to access their policies, delivers the policy URLs
in the same DHCP and XML structures as other location URLs, and also
acknowledges that there is a legitimate need for other entities to access
policies:
This document does not describe
how policy might be provided to entities other than for location
configuration, for example, in responses to dereferencing requests
[I-D.ietf-geopriv-deref-protocol] or requests from third parties
[RFC6155].
I predict that policy URLs will be leaked, intentionally, to those who need
them, and that this will lead to security issues down the road. Is there
something that we could do about this?
- Stephen Farrell: Discuss [2011-12-12]:
#1 Intro para 2 says that the deref protocol provides a PEP, but just
having read it, it doesn't, except for in that very very limited sense
of supporting authorization-by-possession. So the claim seems wrong.
I'd say just removing the claim is easiest.
(I guess I agree with Tobias' Apps area review points being a discuss,
so... I've broken the overall points down into a number of specific
things below, hopefully that'll help get 'em sorted quicker.)
#2 Why even allow HTTP URIs? Why not insist on HTTPS for this?
geopriv-deref does (almost correctly) insist on use of TLS so it seems
illogical for this to be more open. In any case, the same choices would
be best for both of these specs I think wrt TLS usage.
#3 For the case where a policy URI is a "shared secret," what TLS
server auth settings are required to be used? Would it be good to say
the client MUST NOT offer TLS_*_anon_* ciphersuites in the client
hello?
#4 Saying the policy server SHOULD allow all requests (3.1 2nd para)
seems unwise. It may be reasonable to allow for the URI-is-secret
model, but I don't get why you want to prevent anything more? (That's
how I interpret the SHOULD.) Saying (at the end of section 3) that a
new policy URI MUST be generated whenever a new location URI set if
generated also seems to work against any other (better;-) kind of
authorization.
#5 Assuming URIs remain secret seems problematic. Is there evidence
that the confidentiality of these URIs can be maintained really?
#6 Describing the policy URI as a shared secret doesn't seem to be
enough. I think you need to say that it MUST be a practically
unguessable shared secret, even if I have seen many such URIs. The DHCP
option in 4.2 means that anyone can I guess get the server to emit
loads of policy URI values.
#7 Why is it reasonable to have a default of making location available
(to possessor's of the URI)? Couldn't that be dangerous in conjunction
with some other defaults (e.g. some other protocol might default to
including a location URI in a message), or is there somewhere in
geopriv where it says that the overall default is that location
information has to be denied by default?
#8 Why not acually define a good policy URI generation function rather
than give all these partial hints? I don't even necessarily mean as a
MTI but rather as a good example of how to do it.
#9 What is the argument that 2^32 unique policy URIs is a big enough
number?
#10 (2^(N/2))/T is meant to restrict an unlimited attacker to one
successful guess per T seconds? Is that correct and the intent? Be
better to explain your logic there. If that is the intent, I don't see
why its considered a good thing. (Be fun to sse if my arithmetic is
screwed up there or not;-)
#11 What are the likely values of T that will be used? It seems odd to
only introduce a lifetime value like this at this point. Maybe you
mean that T is some value derived from system behaviour rather than a
parameter? If the former, then is it reasonable to expect the rate
limiting enforcement function to have that number available to it?
- Stephen Farrell: Comment [2011-12-12]:
- Just adding 32 random bits to the mix might not be enough if you have
~ 2^32 clients. Worth noting?
- 2^(N/2)/T is likely to be error-prone. One more set of parenthesis
would be good.
- Pete Resnick: Comment [2011-12-13]:
Please consider the review of Tobias Gondrom <http://www.ietf.org/mail-
archive/web/apps-discuss/current/msg03926.html>. I will defer to the expertise
of the Security ADs to consider whether the issues he points out are worthy of
DISCUSSion, but I have not seen a public reply to his message.
[Updated to add:]
I note from the writeup that there are no implementations of
this. I also note that geopriv-policy is given as an example of what might be
used as a policy document in addition to the others. Is my suspicion correct
that, in fact, down the road geopriv-policy will be the *predominant* use of
this URI? If so, is it not worth holding this document until that one is
completed? I suspect it will end up a lot shorter if it could talk in terms of
an actual GEOPRIV policy document and use the others only as examples. (I see no
need to hold a DISCUSS position on this, as I think there is no harm in
publishing this first, but I would like to hear from the authors/chair/WG as to
what the reasoning was.)
- Peter Saint-Andre: Comment [2011-12-13]:
I concur with the DISCUSS position of Stephen Farrell.
Why does this specification use the term "Internet host" instead of the term
"Target" from RFC 3693? Consistency across this suite of documents would be
good.
It would be helpful to cite RFC 3693 and RFC 5808 in Section 2.
In Section 4.1, the schema references
"urn:ietf:params:xml:ns:geopriv:held:policy" but that namespace is never used in
the schema definition.
In the examples, it would be helpful to point to the specifications that define
the various data structures (i.e., the "urn:ietf:params:xml:ns:geopriv:held",
"urn:ietf:params:xml:ns:common-policy", and "urn:ietf:params:xml:ns:geolocation-
policy" namespaces).
The second block of XML in Section 5.3 never defines the gp: prefix (i.e., you
need to add xmlns:gp="urn:ietf:params:xml:ns:geolocation-policy" to the root
<ruleset/> element).
- Sean Turner: Comment [2011-12-15]:
I'm with Stephen and Jari on this one and definitely support Stephen's discuss.
This really feels like security through obscurity, but if I let you see mine
then you can be me for while.
draft-ietf-simple-msrp-cema
- Stephen Farrell: Discuss [2011-12-14]:
#1 Lawful intercept is not a feature in this context (see rfc 2804)
I'd say just delete the phrase and you'll loose nothing.
As you'll see from the points below I have some issues with how
you're using TLS. Could be that some of this is just a lack
of context on my part but I'd like to check at least.
#2 What name is authenticated in "name based authentication"? Would
any such name (in a cert issued by a locally trusted CA) do just
fine?
#3 2nd para of 7.2: if an MSRP endpoint can get an "incorrect
impression" about TLS in the presence of a middlebox then how does
the MSRP endpoint ever benefit from authentication?
#4 How is the MIKEY reference not normative? 7.2 RECOMMENDS doing
either 1) TLS certs with blah (RFC 6042) or 2) MIKEY stuff. The
MIKEY RFC (RFC 6043) is informational so that's a downref.
#5 I don't understand how MIKEY for managing TLS-PSK values is
well-defined. The string "TLS" does not occur in RFC 6043. (I'd
just drop the MIKEY idea entirely - is anyone really gonna do that?)
#6 Can you re-assure me that there are in fact implementations of
RFC 6072 and RFC 6043 (in the latter case usable for managing
TLS-PSK symmetric keys). If so, great, I'd appreciate some pointers
to those. If not, then are you really building on fiction? Wouldn't
that be a bad plan?
#7 I don't get the trust model for "fingerprint" based
authentication for TLS. Who's including the fingerprint where and
using it to verify what self-signed cert?
#8 How do MSRP endpoints figure out what authentication methods
they have in common in a way that's not attackable by an on-path
active attacker? What is the list of "mechanisms" that you
mean in 7.2 (para starting with "If possible, ...")
#9 I get the impression that the 2nd last paragraph of 7.2 is
what you think people will actually do and that all the rest
of that section is window dressing. Am I wrong? If I'm right,
then why not just plainly say that and then we can discuss
it more easily?
#10 If I'm wrong about #9: On what basis can an MSRP endpoint
pick between the two choices at the end of 7.2? What code do
I write?
- Stephen Farrell: Comment [2011-12-14]:
- the term "anchor" is never really explained and it'd be good to do
that.
- hard to parse this from the top of p4: "In such cases,
middleboxes, that want to anchor the MSRP connection simply modify
the SDP c/m-line address information, similar to what it does for
non-MSRP media types" who's the last "it"?
- "The CEMA extension is fully backward compatible." Seems a bit of
sales-talk. And (fully;-) backwards compatible with what?
- "Middleboxes cannot be deployed in environments that require
end-to-end SDP integrity protection or SDP encryption." I bet I
could deploy a middlebox in such an environment, perhaps not very
effectively, but I could. "Cannot" cannot be correct.
- In general, I'd ask you to think about describing TLS usage in section
7 from the point of view of the TLS endpoints and not based on the
various options for what a middlebox might do. I suspect that might lead to
a clearer description but hard to know unless you try.
- Pete Resnick: Comment [2011-12-10]:
Section 3:
"Support of the extension is optional."
Do you mean "OPTIONAL"?
"MSRP endpoints that
support CEMA are required to use RFC 4975 behavior in cases where
they detect that the CEMA extension cannot be enabled."
Do you mean "REQUIRED"?
Section 4.1:
In the following cases, where there is a Middlebox in the network,
the CEMA extension cannot be used...
Do you mean "MUST NOT be used"?
Section 4.2:
When the offerer receives an SDP answer, if the MSRP media
description of the SDP answer does not contain an SDP 'msrp-cema'
attribute, the offerer MUST check the criteria below. If either or
all of the criteria is met, the offerer MUST fallback to RFC 4975
behavior, by sending a new SDP offer according to the procedures in
RFC 4975 and RFC 4976.
This is mostly editorial, but since it involves 2119 language, I think it's
worth fixing: The first MUST is redundant. If the offerer MUST do things based
on the criteria, there is no need to say that you MUST check the criteria.
(Also, "either" is the wrong word when there are more than two criteria. You
meant "any".) Instead maybe:
The offerer MUST fallback to RFC 4975 behavior, by sending a new
SDP offer according to the procedures in RFC 4975 and RFC 4976, if
it receives an SDP answer whose description does not contain an SDP
'msrp-cema' attribute, any of the following criteria are met:
[1...
2...
3...]
The new offer MUST NOT contain an SDP 'msrp-cema' attribute.
- Peter Saint-Andre: Comment [2011-12-07]:
It seems to me that the security considerations are somewhat underspecified, and
I find the concept of a TLS B2BUA unsatisfying, but I will let folks from the
security area comment on those aspects of the specification.
- Robert Sparks: Discuss [2011-12-13]:
There are two paragraphs in section 7.2 (the ones starting "When an MSRP
endpoint" and "If possible, MSRP endpoints") that need to be scoped to this
extension. It might be enough to say CEMA-enabled MSRP endpoint everywhere you
currently say MSRP endpoint, but that would likely make the text hard to read.
There's something wrong with the second paragraph and the list that follows it.
It currently says "Check every authentication mechanism at your disposal. If
they all fail, then based on local policy, decide whether you want to believe
the failure is because there is a benign network that's trying to help you
instead of a malicious party trying to hurt you." Is that what the document was
actually trying to say? If so, then if you're going to allow an endpoint to make
that decision (and I don't think you should since there's no way to tell that
all the network elements are actually part of that benign network), why waste
the time authenticating in the first place? Unless the paragraph intended
something completely different, option 2 in the list should be removed.
- Robert Sparks: Comment [2011-12-13]:
The short title that appears on every page but the first needs to be changed.
It's currently MRSP. CEMA or MSRP-CEMA would be better.
In section 4.2, "either or all of the criteria" is unclear. I suggest "any of
the following criteria" instead.
In 4.2 and 4.3, there are notes about resolving domain names before trying to
match against addresses in c or m lines in SDP. They currently say "whether
there address". I suggest "whether the address" instead.
In section 4.4 when you discuss handling multiple records from DNS, it's not
clear whether all the resolved addresses must match or only one in the set must
match.
- Sean Turner: Discuss [2011-12-15]:
s7.1: I believe the following requires a normative reference to TLS:
For backward compability, a CEMA-enabled MSRP
endpoint MUST implement TLS.
s7.2: What is "a common authentication mechanism" in following:
If possible, MSRP endpoints MUST use name-based authentication. If
not possible, if the MSRP endpoints support a common authentication
mechanism, they MUST use that mechanism. If the MSRP endpoints do
not support such common authentication mechanism, they MUST try
fingerprint-based authentication, which will succeed if there are no
Middleboxes present. If that also fails, the MSRP endpoints MUST
either:
- Sean Turner: Comment [2011-12-15]:
s1: strike lawful intercept (I see Stephen made this a discuss otherwise I would
have made it one too)
s2: Fingerprint Based TLS AUthentication:
r/self-signed TLS certificate/self-signed certificate
r/fingerprint/fingerprint (i.e., a hash of the self-signed certificate)
s2: Name Based TLS Authethication
r/certificate authority/certification authority
r/SubjectAltName parameter/SubjectAltName extension
s3: r/Support of the extension is optional./
Support of the extension is OPTIONAL.
s7.2: certificates are by definition public so I'm a little confused by the
following:
1. TLS certificates together with support of interacting with a
Certificate Management Service [RFC6072], to which it publishes the
public version of its own self-signed certificate and from which it
fetches on demand the public certificates of other endpoints.
Maybe:
1. TLS certificates together with support of interacting with a
Certificate Management Service [RFC6072], to which it publishes
its self-signed certificate and from which it
fetches on demand the self-signed certificates of other endpoints.
s7.2: (Stephen caught this too) MIKEY-TICKET is a normative reference.
s7.2: I share the same concerns Stephen has wrt the fingerprint authentication.
s7.3: Probably worth a pointer to the SIP issues based on the following:
Even with seemingly end-to-end media integrity, at the time of the
publication of this document there are other vulnerabilities in MSRP,
due to vulnerabilities in the SIP signaling.
draft-ietf-tcpm-rfc3782-bis
- David Harrington: Comment [2011-12-13]:
I read the document. I got a bit lost in the details.
The document appears to be well-written.
in section 2,
This document assumes that the reader is familiar with the terms
SENDER MAXIMUM SEGMENT SIZE (SMSS), CONGESTION WINDOW (cwnd), and
FLIGHT SIZE
(FlightSize) defined in [RFC5681]. FLIGHT SIZE is
defined as in [RFC5681] as
follows:
If you assume the reader is familiar with the FLIGHT SIZE definition,
why repeat it here?
If you repeat the defintion of flight size here, why not
SMSS and CWND as well?
It would have been good to have a tsvdir review of this document.
- Russ Housley: Discuss [2011-12-14]:
The Gen-ART Review by Ben Campbell on 21-Nov-2011 against -03 of
this document raised several concerns. Draft -04 has been posted,
but none of the concerns were addressed, nor was Ben told why his
concerns were incorrect.
Please respond to these concerns from Ben's Gen-ART Review:
-- Appendix A refers the reader to RFC 3782 for additional
information. But this draft purports to obsolete that RFC. If
there is important information in it that document that is not
covered by this draft, then it doesn't really obsolete it. Is
there a reason that information was not brought forward into
this draft?
-- There is very little RFC 2119 normative language. On a quick scan,
I see one capitalized SHOULD NOT and one MAY. Yet it seems like
there are other statements that are just as important for correct
behavior as those. For the sake of consistency, it might be
easiest to just drop the RFC 2119 language entirely.
- Russ Housley: Comment [2011-12-14]:
Please consider the comments raised in the Gen-ART Review by
Ben Campbell on 21-Nov-2011. The review can be found here:
http://www.ietf.org/mail-archive/web/gen-art/current/msg06919.html
draft-ietf-6man-rpl-routing-header
- Ralph Droms: Discuss [2011-11-29]:
I have two Discuss issue that should be easy to resolve.
1. I think there is an inadvertent omission of some text. From
section 4.2:
When forwarding an IPv6 datagram that contains a SRH
with a non-zero Segments Left value, if the IPv6 Destination Address
is not on-link, a router SHOULD send an ICMP Destination Unreachable
(ICMPv6 Type 1) message with ICMPv6 Code set to (TBD by IANA) to the
packet's Source Address.
There should also be text explicitly requiring that the router drops
the datagram.
2. This issue requires a little clarification before I can provide an
actionable Discuss issue. Is it possible to deploy RPL in a network
in which not all of the nodes in the network participate in RPL?
E.g., can there be "leaf" nodes, the equivalent of hosts, that do not
participate in RLL and that exchange datagrams with immediate
neighbors that are RPL routers? If so, I think there needs to be
additional text similar to that in section 5 describing how a RPL
router must ensure that it doesn't forward a datagram containing an
SRH to a non-RPL leaf node.
- Ralph Droms: Comment [2011-11-30]:
Comment added on 11/30.
The working group summary is pretty terse. I think it would be
helpful to explain that the design and use of the option morphed
several times during the working group discussion before
it arrived at its current state. Also, the working group summary
should refer to the roll (not RPL) working group.
- Adrian Farrel: Comment [2011-11-30]:
I have no objection to the publication of this document, but I have a number of
small editorial questions/comments that I hope you will address along the way.
Section 2
First, RPL routers implement a strict source route policy where each
and every IPv6 hop is specified within the SRH.
appears to be in conflict with
2. If the SRH only specifies a subset of the path from source to
destination, the router uses IPv6-in-IPv6 tunneling [RFC2473]
This probably just needs clarifying text in the paragraph. There is
explanation of when the situation occurs (after the numbered list).
---
Section 3 Next Header
Shouldn't your base reference be RFC 2460? If IPv6 was to choose to
diverge from IPv4, which one would you follow?
---
Section 3 Routing Type
You do not mention the use to which this field is put anywhere in your
document. It should probably go here.
---
Section 3 Reserved
You have not said how the Reserved field is handled.
---
It would have been useful to state (section 4.1?) how "segments left"
is set on the initial SRH and whether the first entry in the address
list includes the source node.
---
Section 4.2
else if 2 or more entries in Address[1..n] are assigned to
local interface and are separated by at least one
address not assigned to local interface {
This check is more specific than the text previously indicated. This
is the first mention of non-adjacent repeat addressing.
---
Section 4.2
swap the IPv6 Destination Address and Address[i]
Do you really mean swap? Or do you just want to set DstA = Address[i] ?
---
Section 4.2
I'm surprised that you check and decrement the hop limit so late in the
cycle.
- Stephen Farrell: Comment [2011-12-14]:
- Robert Sparks: Comment [2011-11-29]:
draft-ietf-l2vpn-arp-mediation
- Jari Arkko: Discuss [2011-09-22]:
I am reading the ND modifications and trying very hard to convince myself that
they are correct and complete. I'm not 100% sure I've managed to do that.
I scanned the mailing list for 6man and found no discussion of this draft. Did I
miss it? Shouldn't relatively complex surgery on ND require some review from the
experts on ND?
I'm also wondering if the SEND proxy specification from CSI WG would be an
applicable recommendation in addition to recommending turning SEND off.
To be more specific, can you:
1) perform a 2-week last call in 6MAN for additional review, and
2) either point
to the use of the SEND proxy specification or provide reasons why it cannot be
used
- Ralph Droms: Comment [2011-09-21]:
In section 4.3.3, is "the link-layer address of the
local AC" really "the link-layer address of the PE
interface attached to the local AC"?
- Adrian Farrel: Discuss [2011-09-22]:
I will move to a "Yes" ballot when my Discuss has been resolved.
Why does this document include a redefinition of the Address List TLV
that is already defined in RFC 5036? Although the text says that it is
using the RFC 5036 definition, the text also says that the I-D defines
the Address List TLV.
Shouldn't you simply refer to 5036 and say how the fields are set for
your specific use?
Similarly the redefinition of the Notification message.
To be clear, the main reason for objecting to the redefinition is that
it opens the door to discrepencies, and makes it hard to handle
future extensions. (Coders should be familiar with the practice of
only defining data structures in one place :-)
---
Please add some text to clarify whether the Stack Capability field
in the Stack capability Interface Parameter sub-TLV is an integer or
a bit-field.
The IANA section makes it look like a bit field (which is what I
would expect) but the text in the main body says...
Stack Capability = 0x0001 to indicate IPv6 stack capability
- ...which makes it look like an integer
Additionally, the text goes on to imply that the interpretation of
the field is context-specific...
The value of Stack Capability is dependent on the PW type
context. For IP Layer2 Transport type, a setting of 0x0001
indicates IPv6 stack capability.
- ...if this is the case, presumably, 0x0001 could mean something else
in other circumstances. How is this tracked in the IANA registry?
- Adrian Farrel: Comment [2011-09-22]:
Should the figure on page 5 include the label "AC3"?
---
I agree with the other ADs who are concerned about the use or non-use
of RFC 2119 language. Hopefully, this will be easy for you to clean up
and will not be construed as changing the technical content of the
document.
---
The "IP Layer 2 interworking circuit"
pseudowire is also commonly referred to as "IP pseudowire".
Can you insert a reference for "IP pseudowire"?
- Stephen Farrell: Comment [2011-09-16]:
- 8.1 says that you "can" secure the PE-PE control plane "using MD5
authentication." Is that (still) the best that can be done? Doesn't
it need a reference? Why can't something better be used, e.g. IPsec?
Why no 2119 language? (This isn't a discuss because I hope that
all that's in some other RFC.)
- 8.1 says that this protocol is incompatible with SEND. I
guess that's inevitable, but do you need to say more about
the trade-offs concerned, e.g. would it ever be likely that
a CE that depends on SEND is deployed and later on a PE doing
this protocol is installed breaking the CE or changing its
security properties in a bad way? (Just wondering.)
- Frame Relay (FR) is expanded only on its 2nd use. 1st
use is in 2nd para of section 1.
- David Harrington: Discuss [2011-12-14]:
1) in section 2, it says IPv4 L2 interworking MUST be supported, but it is only
a SHOULD for IPv6.
Why is IPv6 mediation not a MUST for PEs?
(please note that draft-ietf-intarea-ipv6-required-02 is in IESG Eval for
Proposed Standard. It hans't been approved yet, but probably will soon.)
2) in 3, "In this case, all data link headers are removed to expose the IP
packet at the ingress." should this be MUST remove?
3) in 2, "Intercept Neighbor
Discovery and Inverse Neighbor Discovery packets received over the pseudowire
from the remote PE, possibly modifying them (if required for the type of
outgoing AC) before forwarding to the local CE,"
Can the RFC2119 language make
"possibly if required" less ambiguous? Does possibly mean "MUST if REQUIRED" or
"SHOULD if REQUIRED" or "MAY if REQUIRED"?
and please make sure this section is
consistent with section 3, "In the case of an IPv6 L2 Interworking Circuit, the
egress PE MAY modify the contents of Neighbor Discovery or Inverse Neighbor
Discovery packets ..."
- Russ Housley: Comment [2011-09-21]:
The Gen-ART Review by Peter McCann on 20-Sep-2011 raised a minor
issue and two editorial suggestions:
Section 5.2 says: "Since this notification does not refer to any
particular message the Message ID and Message Type fields are set
to 0." There does not appear to be a Message Type field in the PDU.
Section 5: suggest replacing the idiom "chicken and egg situation"
with "possible deadlock situation."
Section 5.2: "Section 6. below." should be "Section 6 below."
- Pete Resnick: Comment [2011-09-21]:
1. This entire document needs a good "MUST/SHOULD/MAY vs. must/should/may"
scrubbing. Just to cite two examples:
4.2.2:
When the PE learns the IP address of the remote CE, it should
generate an Inverse ARP request.
It "should"? Or it "SHOULD"? Or it "will"?
4.3.2:
If a Router Discovery message contains a link layer
address, then the PE MAY also use this message to discover the
link layer address and IPv6 interface address.
That MAY doesn't sound like a protocol option.
2. Section 2:
PEs MUST support ARP mediation for IPv4 L2 Interworking
circuits. PEs SHOULD support ARP mediation for IPv6 L2
interworking circuits.
I assume this means "PEs that support ARP mediation MUST support it for IPv4 and
SHOULD for IPv6". The way it is now, it sounds like ALL PEs must support this,
which can't be right. That said, I see no reason for this paragraph. Mediation
should be supported on both v4 and v6 circuits. I say drop the paragraph.
3. For the record, and not something the authors need to address:
I understand that the IETF doing sub-IP protocols is a ship that has sailed long
before I got on the IESG. However, the mind boggles that we are deploying this
particular protocol: Why can't we simply *route*?!?!? This protocol is standing
on its head to allow layer 2 bridging of IP across disparate links instead of
just having a routed VPN. This is goofy, it is a complete layer violation, and I
don't think we should be standardizing this nonsense.
There, I feel marginally better. :-/
- Peter Saint-Andre: Comment [2011-09-21]:
This document appears to be predicated on "know[ing] that only IP traffic will
be carried". How is this determined?
- Robert Sparks: Comment [2011-09-21]:
Section 7.2 invokes an IANA well known policy of "IETF Consensus", referencing
RFC5226, but that RFC has renamed that particular policy to "IETF Review".
- Sean Turner: Comment [2011-09-22]:
I have the same question Stephen did about MD5.
draft-gundavelli-v6ops-pmipv6-address-reservations
- Jari Arkko: Comment [2011-10-20]:
- Ralph Droms: Comment [2011-09-07]:
There seem to be a couple of syntax issues in this text:
OLD:
The base Proxy Mobile IPv6 [RFC5213] all though required the use of a
fixed link-local and a fixed layer-layer address,
NEW:
Although the base Proxy Mobile IPv6 [RFC5213] requires the use of a
fixed link-local and a fixed link-layer address,
- Wesley Eddy: Comment [2011-08-30]:
I think this is a useful document. It seems like it should have "Updates: RFC
5213" though?
- Adrian Farrel: Comment [2011-09-06]:
Section 1
To address this problem, this specification makes the
following two reservations. The mobility elements in the Proxy
Mobile IPv6 domain MAY choose to use these fixed addresses.
Stumbled over this because it looks like the second sentnece is a reservation
(i.e. a modification to the base spec), but there is only one reservation
listed.
- Pete Resnick: Comment [2011-09-05]:
Strike section 2.1. 2119 is not used in this document.
draft-weil-shared-transition-space-request
- Jari Arkko: Comment [2011-12-01]:
FWIW, the issue that I had with the previous incarnation of this document has
been resolved. Thanks for working through the measurements and evidence about
risks, and documenting them.
However, my fellow AD colleagues have raised other issues (including status of
IETF consensus for this document). I defer to them on those issues.
- Ron Bonica: Discuss [2011-11-29]:
I will change this ballot to "YES" when a /10 has been allocated for this space.
- Stewart Bryant: Discuss [2011-11-29]:
I understand the commercial imperatives that the ISPs face, and appreciate this
is a dilemma.
However, the authors have not so far generated an adequate degree of consensus
(as evidenced by discussions on the IETF list) that the deployment of this
technology "makes the Internet work better". Indeed section 5 indicates that the
deployment of this technology makes the Internet worse by reducing it to a
network that only supports a limited range of services (Web, Mail and IM)
sanctioned by the ISP. This seems contra to the mission of the IETF.
If this were a clearly defined limited application network, a case could be
developed for accepting restrictions, but the application described here is
connectivity to the Internet and hence access to new innovative services.
The authors need to gain consensus in the IETF, that there is no other solution
to the problem in hand, and hence that the significant restriction on the type
of user application supported is justified.
- Ralph Droms: Discuss [2011-11-30]:
I am posting a Discuss position for this document because the IESG
should discuss some fundamental issues of how we should make a
decision about publication of this document.
I also have concerns about whether the IESG is the appropriate body to
approve this request. I intend to post an Abstain position after
my questions are answered and I clear my Discuss.
The conversation about this document and any attempt to determine
consensus is difficult because the issues are technical, economic,
political and psychological. We (the IESG) are well-equipped and
responsible for decisions about technical issues, but less so for the
other issues.
I've been reading most of the e-mail in the consensus call on
ietf@ietf.org. Here are some of the questions I think I've seen
discussed:
Does the assignment of the requested /10 enable or hinder the
deployment of IPv6?
Is CGN a viable service model for IPv4?
Is the reserved /10 required for the deployment of CGN?
Can the deployment of CGN be prevented by not assigning Shared CGN
address space?
What is the effect of burning 4 million IPv4 addresses on the
exhaustion of IPv4?
Can alternative /10s be used such as 10.64.0.0/10 or 240.0.0.0/10?
How many ISPs really want this assignment and how many don't care
because they don't need it?
Most of these questions are, in fact, not technical questions and I
don't think the IESG can answer them. The document itself addresses
only a few issues, giving one reason not to use each of the
alternatives:
o legitimately assigned globally unique address space
o usurped globally unique address space (i.e., squat space)
o [RFC1918] space
In particular, the reason for not using RFC 1918 space is simply
asserted with no support facts.
If the IESG is to make a decision, I would like to walk through the
following questions:
Is the IESG the appropriate body to make the decision? If no, where
should the decision be made, perhaps with technical advice from the
IETF?
Should the IESG identify any specific /10 for use as Shared CGN
Space? If no, do not approve the document.
Does this document describe the usage scenarios, constraints and
caveats sufficiently well to allow the use of a /10 as Shared CGN
Space? If no, ask for a revision.
Should the IESG approve a request to IANA for a /10 as described
in the document? If yes, publish the document.
Should the IESG request that IANA identify some other /10 (or
similar address block), such as 172.16.0.0/12, 10.64.0.0/10 or
240.0.0.0/10 for use as Shared CGN Space?
- Wesley Eddy: Comment [2011-11-30]:
I agree with the comments and discuss positions from others that say there is
not IETF consensus on this document.
- Adrian Farrel: Comment [2011-11-30]:
I concur with Stewart that there does not appear to be IETF consensus around
this I-D.
I am concerned that the alternative to this has been presented as "if you don't
allocate the address space, the ISPs will just squat on another space." However,
this also seems to be less worser than any other proposal on the table.
- Stephen Farrell: Comment [2011-12-08]:
Based on more and more and more and more discussion I'm reluctantly
ok with this.
I think additionally allocating part of 240/4 would be a fine thing to do at
the same time within the same document. I would not be that keen on
punting on the 240/4 part allocation until later since that would engender
most of the same discussion.
- David Harrington: Discuss [2011-12-13]:
I believe there is not IETF Consensus for approving a /10 for this purpose, and,
as a result, there is not IETF consensus to approve this document.
This document describes a number of problems that occur with CGN, even with this
shared /10, so CGN does not make the Internet run better. I think there is IETF
consensus that widespread deployment of CGN could be damaging to the Internet. I
believe approving Shared CGN space to make CGN deployment easier is counter to
the IETF mission of making the Internet run better, and approving allocation of
this /10 does not represent IETF consensus.
- Pete Resnick: Discuss [2011-12-01]:
Calling out one piece of Ralph's DISCUSS directly: I agree with Ralph and
Stephen that the question of whether there is another existing block of
addresses that will cause less potential application damage and is still usable
by CGNs (e.g., 10.64/16, 172.16/12, 240/10) has not yet been sufficiently
answered. The proponents have claimed that there is full *use* of the 1918
space, but not whether there is full use *by* devices that can't deal with 1918
address space on their "external" interfaces. Until that question is answered,
we can't tell if the risk of application damage really is outweighed by the risk
to deployment.
- Pete Resnick: Comment [2011-12-01]:
I agree with Ralph's DISCUSS: We need to first come up with a list of criteria
by which consensus can be judged. While I agree with most folks that there is
*disagreement* on the list as to whether this allocation should be made, I think
some of the issues on which there is disagreement are not legitimate criteria
for the consensus call. (For example, "Is CGN a viable service model for IPv4?"
is *not* something that we should be using as a criteria for consensus.) Before
we come to a conclusion on consensus, we need to lay out the legitimate issues
being discussed and whether there is consensus on each of them.
- Dan Romascanu: Discuss [2011-12-01]:
Ralph sumarized well and in details the reasons for which the IESG cannot
approve this document under its current form and at this point in time. I will
probably change my DISCUSS into an Abstain after the telechat, unless we come
with a different plan of action.
- Peter Saint-Andre: Comment [2011-12-08]:
Based on list discussion, I have come to the conclusion that this is the least
worst workaround (not "solution") available to us at this time.
- Robert Sparks: Discuss [2011-12-01]:
While I personally agree with the position that approving this allocation is the
least bad of the available choices, I don't believe IETF consensus for approving
this document as it is currently written exists.
- Robert Sparks: Comment [2011-12-01]:
I encourage pursuing Ralph's questions and carefully separating the question of
allocating the address space and what effect CGNs may have on the Internet.
- Sean Turner: Comment [2011-12-01]:
I agree with Ralph.
draft-ietf-ccamp-wson-impairments
- Ron Bonica: Comment [2011-12-13]:
== Missing Reference: 'Eppstein' is mentioned on line 1020, but not defined
== Missing Reference: 'RFC5920' is mentioned on line 1138, but not defined
- Stephen Farrell: Comment [2011-11-26]:
- Russ Housley: Comment [2011-12-14]:
The Gen-ART Review by Wassim Haddad on 13-Dec-2011 raised one
editorial comment. Please consider it:
- In Security considerations section: s/maybe/may be/
- Pete Resnick: Comment [2011-12-13]:
I am left wondering why this document is being published in the IETF instead of
elsewhere and then later referred to by a GMPLS document that will use this
terminology and framework, but I can say that I do not have a clue about the
technology and am therefore deferring to others to review the content of this
document.
- Dan Romascanu: Comment [2011-11-01]:
Bert Wijnen made the following comment (that I support) in his OPS-DIR review:
As the document writeup states:
This document is an informational framework with nothing to implement.
There are a number of drafts being progressed that address various
aspects of the framework.
So it would be those documents being progressed that would have to include any
discussion about operational or manageability aspects of the various solutions.
At the other hand, it might have been useful if this document would have touched
upon some operational/manageability aspects for each of the possible solutions.
It seems clear that there are different characteristics depending on which
solution is chosen. Specifically the talk about "black links" makes me worried
that solutions can become complex and less interoperable.
- Sean Turner: Comment [2011-12-13]:
s6/s8: Need add a reference to [RFC5920].
draft-ietf-ppsp-problem-statement
- Jari Arkko: Discuss [2011-12-15]:
I do, of course, support the development of a P2P streaming protocol, and I
think it will be good for the industry. It is good to write a document that
provides some justification and background for this.
However, I do agree with others who have commented that the document overdoes
this a little bit. A shorter and more matter-of-fact style would have worked
better on me.
But that is not my Discuss comment, I also have a more specific technical
concern. Section 3.1 makes it sound like to deploy P2P caches an ISP needs to
implement DPI-based detection of P2P content. I think that is first of all
wrong, as adding the ISP as a participant in the particular trackers and P2P
networks offers a much cleaner way to do this. Secondly, I do not think the IETF
should condone or recommend DPI-based hidden caching.
This does not change the fact that I agree with the general point of Section 3.1
that a standardized method will be easier to implement, even when you do the
implementation in the correct way.
I suggest deleting some of the text from Section 3.1. that deals with the
specifics of how the ISP deals with participation in a P2P network; those
details are unnecessary for the general point to be made.
- Stewart Bryant: Discuss [2011-12-12]:
There is a fine line between providing evidence for a case to design something
and delivering a commercial message. Unfortunately, even though the author does
not appear to work for the companies mentioned the introduction sounds like a
commercial. Additionally later in the document there is reference to at least
one other company.
Please will the author look at each mention of a company name and re-write the
text to provide the evidence in a more objective, vendor neutral, style.
- Adrian Farrel: Discuss [2011-12-13]:
As it stands, I'm affraid I don't see much value in this document.
Although it is probably harmless and the usecases may provide
valuable background, a lot of the document is a discussion around
the topic and does not give the WG any guidance or instructions.
I think most of the "justification" in the Introduction is not really
needed. Since the WG has been chartered, it is not necessary to go into
great detail on your motivation. You could lift a few lines from the
WG charter, and then use the paragraphs that say what this document
does.
Similarly, section 3 provides motivation for a standard PPSP, but the
existence of the WG is plenty good enough orivation for the work. What
seems to be missng, however, is the problem statement that says what
the PPSP actually has to do. In other words, I find the document
strangely without guidance to the developers of a standard PPSP.
Fixing this might be particularly hard because there is no bug fix
and no easy textual addition. Maybe I should phrase the question as
"why does the WG see this document as a valuable addition to the canon?"
- Adrian Farrel: Comment [2011-12-13]:
I like that "chunk" is a unit of "block" with sub-unit "piece". What
is "block"? :-)
---
The definition of CDN in section 2 actually only provides a definition
of "CDN node".
---
"key signaling protocol" may be unfortunate term because it is used
in other context to indicate a protocol that is used to signal "keys"
- Stephen Farrell: Discuss [2011-12-14]:
(Discuss discuss, for the IESG really I guess)
How does this all fit with decade and cdni? Are we heading towards a good
or bad outcome with all those? An example of a bad outcome would
be 3 ways to do one thing that are incompatible but the same except for
gratuitous differences. Maybe I'm just missing some context but something
seems wrong somewhere...
(And one for the authors/chairs...)
- I don't see what PPSP WG document will include "considerations on
threats and mitigations when combining both protocols in an
application." That's the kind of thing that gets forgotten and where
protocol specification authors will say "that's not my problem."
What's the plan for addressing that in the WG?
- Stephen Farrell: Comment [2011-12-14]:
- Section 4 says that you can have pull, push or a hybrid but does
say if the PPSP wg is going to work on all of those or some of
those. (Its sort of implied that all will be done via different
"modes" but that's not clearly stated.) Since it'd be better to only
have one "mode," I think the document should justify choosing to do
all "modes." (If that's really what the PPSP WG are planning. If not
then the document should say what the WG is actually planning.)
- Section 5 really needs to say what sections 5.x are. They could
be use-cases the WG is going to tackle, or maybe the WG will decide
later, or whatever is the case. Without that, its hard to know why
sections 5.x are present.
- 5.1: "easily expand the broadcasting scale" just seems wrong. Is
that sales-pitch (in which case delete it) or do you mean something
else?
- Section 6 should mention that a malicious (or careless)
peer/tracker can leak private information about other peers or
trackers.
- David Harrington: Discuss [2011-12-14]:
1) in section 4, there is a discussion of pull-based versus push-based. The
discussion talks about the benefits of pull-based (but not the drawbacks) and
the fact that most systems use this approach. Then the push-based approach,
which few deployed systems use, is discussed including the drawbacks but not
much about the benefits. Then the conclusion is that a hybrid system woudl be
best, with little justification for why hybrid i smore practical, and no
discussion of whether anybody actually does this now.
2) This document is supposed to be a problem statement, but throughout it the
design of the proposed PPSP protocol is thron in. This document should focus on
identifying what the problems are that need to be solved. Basically, this should
discuss what problems the tracker and peer protocols each must address. This
document seems to lump the tracker and peer protocols together as the PPSP
protocol, and doesn't differentiate or clearly describe the problems that need
to be solved by each protocol.
I recommend dropping the notion of a PPSP protocol suite, which seems to
encourage marketing of PPSP, and blurring of the distinction between the two
protocols. This document should focus on describing the problems to be addressed
by each of the two protocols:
"The tracker protocol handles the initial and
periodic exchange of meta
information between trackers and peers, such as peer
lists and content
information." - what are the problems that a tracker protocol
addresses, and what problems must be overcome in its design?
"The peer protocol
controls the advertising and exchange of media data availability between the
peers." - what are the problems that the peer protocol addresses, and what
problems must be overcome in tis design?
in 5.3, there is an incomplete sentence.
in 5.3, "a mobile peer within a high-
load base station is unlikely to be selected, which may lead to higher load on
the base station." is unclear. Does this mean "a mobile peer within a high-load
base station is unlikely to be selected, because selecting the mobile peer might
lead to higher load on the base station."?
Discussion of the PPSP working group should be removed form the document. The
goals and deliverables of the WG are documented in the charter, which will have
a similar lifetime as the WG. This document published as an RFC will exist long
after the WG has been closed.
- Russ Housley: Comment [2011-12-12]:
Please consider the comments provided in the Gen-ART Review by
Francis Dupont on 24-Nov-2011. The review can be found here:
http://www.ietf.org/mail-archive/web/gen-art/current/msg06935.html
- Dan Romascanu: Comment [2011-12-15]:
I find the document useful in intent but problematic in the way it is written,
and I beleive that some of the sections need serious editing before publication.
As the critical issues are covered in DISCUSSes of other ADs I will enter them
as COMMENT:
1. Section 1 needs to be shortened and all 'commercial' content needs to be
dropped. The main functions should be described avoiding the mentioning of the
vendors names.
2. The requirements from the tracker and peer protocols need to be sumarized and
listed in one place. I found the figures in section 5 quite useful to understand
the functions, but it took time and effort to go through them as they are
disparated in the descriptions of the use cases
3. Avoid text (like in the Abstract) that may be interpreted as the protocol
proposal is included in this document
- Peter Saint-Andre: Comment [2011-12-05]:
The first three paragraphs of the Introduction are mostly marketing and deserve
to be deleted.
"In this document we propose an open P2P Streaming Protocol..." I think you mean
"propose the development of" because this document does not define such a
protocol.
Section 3.3, paragraph 1: these numbers will become stale quickly. I suggest
removing this paragraph.
- Robert Sparks: Comment [2011-12-13]:
It's not obvious how this document is going to help the working group with it's
protocol work, or help document the work once it's complete. Is the set of use
cases intended to be a set of motivating examples, or does it exhaustively cover
every scenario the protocol is expected to handle? Please consider clarifying
those points.
draft-ietf-v6ops-happy-eyeballs
- Stewart Bryant: Comment [2011-11-28]:
Wes raises an interesting point, the draft needs to discuss connectionless
transport protocols.
- Wesley Eddy: Comment [2011-12-14]:
- Adrian Farrel: Comment [2011-12-11]:
I understand why improving IPv6 experience in dual stack deployments is
valuable to the IETF in promoting migration to IPv6. For that reason,
publication of this document may be beneficial and encourage
implementations to include more flexible selection algorithms such as
that described in this document. However, I don't see anything in this
document that impacts interworking, so I don't see why it is Standards
Track.
- Stephen Farrell: Comment [2011-12-09]:
- David Harrington: Comment [2011-12-14]:
I've cleared
- Pete Resnick: Comment [2011-12-11]:
I really think this document should have had a co-author in the apps area. It is
written exceedingly "thinly" and doesn't really understand some of the
application implementation issues. That said, I still think it is valuable and
worth publishing (and hopefully updating in the future). Though it is a bit this
for the standards track as it is now, I see the potential to fill this in over
time with more proscriptive information, and therefore I don't object to go it
going on the standards track now in anticipation of that. Some issues to
consider for this go-round:
3.1 - This has nothing to do with URIs. It is about hostnames. Hostnames used
that don't appear in URIs have exactly the same issues.
4. - Though using SYN and ACK in the diagram is fine, I recommend using words
like "connection attempt" in the descriptive text. SYN and ACK are probably not
as familiar to application layer folks, and since this is aimed at them, it is
likely better to use the application layer terminology. Furthermore, there is a
performance/resource impact to making a "connection attempt" that an apps person
will understand that they might not if it is understood as only an additional
packet.
I agree with Stephen's concerns regarding "MUST cache". There are valid reasons
to try v6 later even if v4 succeeds first, but those reasons must be carefully
considered and understood. That sounds like a SHOULD.
4.1 - The first few paragraphs strike me as introductory material, not part of
the alogirthm requirements.
4.2. - "SHOULD do so every 10 minutes" I think instead you mean "SHOULD do so no
more frequently than every 10 minutes". It's perfectly fine to do so every 20
minutes, or once a day.
4.3. - DNA does not describe how applications (which are the ones who are going
to implement Happy Eyeballs) are to be notified of these changes. Though I agree
that a Happy Eyeballs app should be able to ask its host to do a DNA for it (or
more to the point, get notifications from the host), that's an additional
requirement on these apps and should be noted.
- Peter Saint-Andre: Discuss [2011-12-08]:
The Apps Directorate review by Murray Kucherawy on 2011-11-26 raised two major
technical issues and eight minor technical issues. These issues merit a
response. The review can be found here:
http://www.ietf.org/mail-archive/web/apps-discuss/current/msg03819.html
- Peter Saint-Andre: Comment [2011-12-08]:
Much as I love XMPP, I would change "xmpp clients" to "IM clients".
- Sean Turner: Comment [2011-12-14]:
Please consider the editorial comments suggested by Sandy in here secdir review:
http://www.ietf.org/mail-archive/web/secdir/current/msg03016.html
draft-gerhards-syslog-plain-tcp
- Adrian Farrel: Comment [2011-12-11]:
It would be good if the Introduction included a brief paragraph on the
purpose/content of this document. The first paragraph of Section 4
contains roughly the necessary material.
---
I am uncomfortable (but not quite to the point of a Discuss) by the way
that this I-D flies in the face of IETF consensus to recommend the use
of TLS. I believe this could be resolved by a slightly stronger
statement on the intent of the document to facilitate interoperability
with legacy deployments whild continuing to recommend the use of TLS.
I.e. "this document does not recommend that new implementations or
deployments use syslog over TCP except for the explicit purpose of
interoperating with existing deployments."
---
I am surprised that section 5 does not mention TCP/AO.
- Stephen Farrell: Comment [2011-12-14]:
- I agree with Dave's discuss points 1,2 and 4 and sympathise with
his point 3.
- Be nice to add the hex values that go with %d32 and %d126 just to
be super-clear
- 3.1 mentions "relays" but those weren't mentioned in the intro -
be nice to say what those are in section 1.
- What does "not available" mean at the end of section 5? I think
it would be better to say "This protocol SHOULD NOT be used unless
syslog/tls [RFC5425] has been tried and failed, e.g. because there
is no listener on port 6514."
- I think you could note that falling back to this if syslog/tls
fails could in principle indicate that an attack is happening. If
there's a sensible action to take there (e.g. some local logging of
the failure of the TLS handshake or whatever in addition to remote
logging using this) that'd maybe be worth saying.
- David Harrington: Discuss [2011-12-13]:
As co-chair of syslog WG, I have worked witrh Rainer and Chris closely, and
understand that they feel this is valuiable documentation for the community. I
disagree for a number of reasons.
1. I think the applicability statement is not consistent with IETF consensus:
"It is hoped that this description, along with the assignment of a standardized
port for this protocol, will promote future interoperability."
IETF consensus is
to use strong security [RFC3365 - BCP61] to provide secure interoperability.
RFC5424 and RFC5425 have IETF consensus as the right way to achieve syslog
interoperability, and to do so securely. Based on BCP61, RFC5424 and RFC5425
provide mandatory-to-implement security features, which may be configured by
operators to provide no security if operators so choose (RFC5425, section 5).
I
do not believe this document will result in future interoperability for syslog,
and sends the wrong message to the community about how to achieve
interoperability. I do not believe it is in the IETF interest to assign a
standard port number for syslog/tcp.
2. I believe this document, if published, should be published as Historic (or
Obsoleted by RFCs 5424 and 5425).
I believe this designation is important based
on experience with RFC3164, which allegedly documented BSD Syslog, but actually
ended up being a survey of existing syslog/UDP implementations that showed how
on-the-wire formats of the many existing implementations had little in common.
Most only had the first byte in common. Many vendors claimed "compliance" to
RFC3164.
I believe this document needs to have it very clearly spelled out that
this is only a document of past practices, is NOT an IETF standard, and should
NOT be implemented in new implementations.
RFC3164 (legacy syslog/udp) was obsoleted by RFC5424. This legacy syslog/tcp
document should be handled the same way.
3. Personally, I don't see a lot of value to this document. Similar to existing
implementations of syslog that run over udp, existing implementations of syslog
that run over tcp are not very consistent.
This document does not contain
enough detail for syslog receivers/applications to process incoming legacy
messages; application implementers would need to do additional research into the
formats used by specific implementations. Therefore, this document does not
serve to significantly improve interoperability between senders and receivers.
Cross-vendor interoperability could be improved by standardizing a port#, and
recommending consistent implementation choices, such as message layout, support
for octet-counting versus framing in the message format, internationalized
character sets, and transport session initiation and closure.
The IETF has
already standardized support for a message layout, and internationalized
character sets in RFC5424.
The IETF has already standardized a transport for
syslog messages in RFC5425, including session initiation and closure, a standard
port#, as well as strong security as called for by BCP61.
I have concerns that
publishing this as an RFC sends the wrong message to the community, and am
especially concerned that vendors wil use this to claim "compliance" to an IETF
RFC, just as they did with RFC3164.
This could slow vendors moving to support
interoperability by using the IETF standards defined in RFC5424 and RFC 5425.
4. Despite my belief that publishing this document will not make the Internet
run better, I could accept publication of this document with a Historic or
Obsolete label and a big IESG Note that says
"The IESG does NOT RECOMMEND implementing or deploying syslog over plain tcp,
which is documented in this document, because it lacks the ability to enable
strong security [BCP61].
syslog/tls [RFC5425] is RECOMMENDED for implementation so that security features
are available to operators who want to deploy secure syslog, and those security
features can be turned off for those who do not want them."
- Pete Resnick: Comment [2011-12-13]:
I must agree with Robert's comment that the port allocation seems inappropriate.
However, it concerns me that the port that is chosen some of the time is the rsh
port. If there is an unregistered port that is widely used for this, it should
be registered.
I agree with Adrian's comment that some of the contents of section 4 would be
terribly helpful in the intro.
I think Peter's comment regarding character terminology is important, and I'm
happy to see you're addressing it.
I am ambivalent as to whether the document should be Informational or Historic.
I lean slightly toward Informational since it is describing widespread current
practice.
[Updated to add:]
Please re-use ABNF constructs defined in RFC 5234 instead of redefining them
here:
3.4.1 - DIGIT and SP are already defined in 5234.
3.4.2 - LF is already in 5234.
- Peter Saint-Andre: Comment [2011-12-08]:
According to BCP 166 (RFC 6365):
The terms "charset", or "character encoding scheme"
and "coded character set", are strongly preferred over the term
"character set" because "character set" has other definitions in
other contexts, particularly outside the IETF.
Please consider changing the term used in Section 3.1 of this I-D to match BCP
166.
- Robert Sparks: Discuss [2011-12-13]:
Capturing a description of what's observable in the wild is a very good thing -
thank you for putting this document together. If that's all this document is
trying to do, why isn't it Historic, and why doesn't it register the port(s)
that
existing implementations are actually using?
A new port for something that's not a standard (and is not already the de facto
port)
doesn't seem like the right thing to do.
- Robert Sparks: Comment [2011-12-13]:
Most of the document is written with a tone of "here's what we see deployed
already",
which is good. In a few places it drifts into a tone that would be
more appropriate
for "and we want people to make more things that do this".
Section 3.2, in particular,
reads more like a protocol definition than a
description of already existing behavior.
Section 3.4 uses the phrase "usually
preferred". Something like "has caused fewer
problems" would be more descriptive
(if it's accurate).
- Sean Turner: Comment [2011-12-14]:
I tend to agree with Dave here.
draft-oreirdan-mody-bot-remediation
- Jari Arkko: Comment [2011-12-15]:
Thanks for writing this.
- Ron Bonica: Comment [2011-12-14]:
Minor comments:
Section 1.3 - Do we really need to define the word host
Section 1.5 - When IPv6 takes off, you will see fast-flux using AAAA records
- Stewart Bryant: Comment [2011-11-28]:
There is the outstanding issue of verifying that the IPR issues noted by the
Shepherd have been fully resolved. I am sure that Stephen will verify the
resolution before issuing a publication request, and thus am highlighting this
issue as a comment.
=====
"An ISP may use Netflow [RFC3954]"
I would think that the the standards based solution IPFIX [RFC5101] would be a
better reference.
=====
- Wesley Eddy: Comment [2011-11-29]:
This is a good document. I am not at all an expert in this area, but my only
comment is that it seems like there may be some liability to the ISP in
attempting to detect bot infections because they may then need to bear the
burden to report criminal activity that they witness. I'm sure commercial ISPs
have considered this in their policies, but I didn't notice it clearly mentioned
in the document.
- Adrian Farrel: Comment [2011-12-12]:
Thanks for a very readable document with a lot of valuable information.
I have a few small conversation topics that I would appreciate you
thinking about and addressing if you can see a way forward.
---
I am surprised by the statement in the Abtract that a user with an
infected computer is exposed to the risk of phishing. Te seond statement
that their computer might be used as an inadvertent participant in a
phishing network sounds more reasonable.
---
I wonder whether Section 5 needs to consider the risks of notifications
after false positives, and the problems caused by false notifications
as a form of attack.
---
Section 7 upset me a little. Recognising the need of ISPs to protect
their businesses, I also see the need to continue to provide servie to
vulnerable people who cannot be expected to protect their computers.
In view of this, you might discuss the service providers' duty to ensure
that hosts connected to their network cannot become infected with bots
through data transfered across the service providers' networks. Or you
might just drop the text about account termination.
- Pete Resnick: Comment [2011-12-13]:
1.1 - I have never heard of "benign bots" before. Is this an invention of the
authors or is it used in some circles? I would prefer if the document referred
to only the malicious applications as "bots" and referred to the benign
applications as "background applications" or "daemons" or "background
processes". I think it is still important to point out that such applications
should not be monitored for or prevented from functioning.
1.2 - "Bot Networks or Botnets" is better defined as "a group of bots that are
remotely controlled by a single party". The first sentence of 1.2 is circular.
I know what all of those malicious activities are, but it might be useful to
define some of them.
"Infection vectors" is undefined. So are a bunch of the terms in that paragraph.
Much of this section assumes a familiarity by the reader. If the reader was this
familiar with the material, this section wouldn't be necessary. Similarly with
1.4.
1.5 - The information in the two paragraphs is reversed, burying the important
point: Compromised hosts are used as proxies to web servers in order to hide the
IP address of the server itself. This is *accomplished* by DNS Fast Fluxing.
10. - Some of the activities outlined in section 3 should be called out
specifically with regard to privacy considerations.
A reference to RFC 4948 seems pretty essential. I'm surprised not to see some of
the information that appears in that document in this one.
- Dan Romascanu: Comment [2011-12-15]:
Good document. All my comments are related to Section 5:
1.
> It should be possible for the end user to indicate the preferred
means of notification on an opt-in basis for that notification
method. It is recommended that the end user should not be allowed to
totally opt out of notification entirely.
It looks like either 'totally' or 'entirely' is redundant
2. I would expect notifications by management protocols like SNMP and NETCONF be
also described in this section
3. The danger of DoS attacks by flasely reporting of bots via notifications
shoulsd also be mentioned as a major security concern
- Peter Saint-Andre: Comment [2011-11-29]:
Overall this is a helpful document. I have a few comments and suggestions.
In Section 1.2:
OLD
The detection and
destruction of bots is an ongoing issue and also a constant battle
between the Internet security community, network security engineers
and bot developers.
NEW
The detection and
destruction of bots is an ongoing issue and also a constant battle
between the Internet security community and network security
engineers on the one hand and bot developers on the other.
P2P is not a communication protocol, it is an architectural approach.
It is a bit odd to speak of the "introduction" of HTTP, given that HTTP was
invented over 20 years ago.
The document sometimes conflates bots and botnets. For example:
As a consequence, botnets that are initially detected
and classified by the ISP as one particular type of bot need to be
continuously monitored and tracked in order to identify correctly the
threat the botnet poses at any particular point in time.
Although a botnet consists of bots, not all bots are part of a botnet (and we
certainly can't say that a botnet can be classified as a type of bot, as in the
quoted paragraph).
draft-mckenzie-arpanet-host-host-protocol
- (none)