IETF Logo Mail Archive

Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-transport-07

Paul Wouters <paul.wouters@aiven.io> Thu, 30 March 2023 04:33 UTC

Return-Path: <paul.wouters@aiven.io>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A29AC1524DD for <ace@ietfa.amsl.com>; Wed, 29 Mar 2023 21:33:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TajPRd4R7GCL for <ace@ietfa.amsl.com>; Wed, 29 Mar 2023 21:33:37 -0700 (PDT)
Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A023C1522CB for <ace@ietf.org>; Wed, 29 Mar 2023 21:33:37 -0700 (PDT)
Received: by mail-wr1-x42d.google.com with SMTP id i9so17741824wrp.3 for <ace@ietf.org>; Wed, 29 Mar 2023 21:33:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; t=1680150815; x=1682742815; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=cw3sgpZQ1tLu/oD5zAINXeNwkhoyrNyeEOcgfzxV3Lk=; b=XMx385NR23iqEx5J0OZmiObfmJLrO0w1WX5nyVEcCty68VS8U8t/tnd0ymbGEJNxSu xvhUZhIlxO/C6kK8BVsSaPHgyfMmHeHpkUuRlQZ3BlMZPZTrI8YJHb8Eo5IDbFWH7VTk 6S+Eb08lb8xipwv3mJIa5Qj1hSKKMAeBClIWs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680150815; x=1682742815; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=cw3sgpZQ1tLu/oD5zAINXeNwkhoyrNyeEOcgfzxV3Lk=; b=GswLpVs2YVgre7z4Rxkx5P+VVyIf3PRe8tDEdQsURuHNqyUf7CLKlMfc27bckCLCra yNcCgDkkzBEJg07toni2NR8LzC3xnVEoO5WS7uEC3hVdp3NoIlMXIyJQhnKaPk+DjRS4 Fy1djSN2l18fslGSKvJOHJThSFXdVsrkYvSHMPp5pAwa2Ayjo8O1mSD5w+otndOI8cea A4HCqg2nWFRAGgfWAkJGpQjzqDn6aNJwI14erVTOlgP3MZdFnSK5vLrK62Vt+Mty7EIV 0DEc4Bnf9yrcDqRch1Wqx9RKzhUdfc3Obuh6Dpmlsgmeis8QNWLXfSZgl+EyXKYPjeT5 bzJQ==
X-Gm-Message-State: AAQBX9diEr+sQSjRGnoxP5oi5ZAyHFM8YJjYf06lyQ6hT5noUEONqgYx 7mYDC7vfD9lHWaCeSAP+OtVWsuN3i7aGkUG8lazEwQ==
X-Google-Smtp-Source: AKy350YtAmPeejf7uEdKwU0T/PZpTaS35SYHNjg8KviTOxcURlfqfD2ccpLoHOm5OYD1DJX7z8wS2RcBmjimEcDcfs8=
X-Received: by 2002:a5d:5002:0:b0:2c5:4f32:b49f with SMTP id e2-20020a5d5002000000b002c54f32b49fmr1078448wrt.0.1680150815542; Wed, 29 Mar 2023 21:33:35 -0700 (PDT)
MIME-Version: 1.0
References: <CAGL5yWZEWE5LfRQ+bNn2mRLo8XPyyaVzvEWAGQLMa6QXvKwabA@mail.gmail.com> <CAMRcsGR44FDPL-KuJ68yoP=6xHEnZnrx=af2888Ow5A=XV-TFw@mail.gmail.com> <CAMRcsGTron7s6O9GB=F3KSzkyouXoAZuw-hXPo-34ud6ePYNtg@mail.gmail.com>
In-Reply-To: <CAMRcsGTron7s6O9GB=F3KSzkyouXoAZuw-hXPo-34ud6ePYNtg@mail.gmail.com>
From: Paul Wouters <paul.wouters@aiven.io>
Date: Thu, 30 Mar 2023 13:33:24 +0900
Message-ID: <CAGL5yWZQc+dNbHjb58P0Gi2NU_A5wd52bPaxfDH9NKoGyNW2iA@mail.gmail.com>
To: Mohit Sahni <msahni@paloaltonetworks.com>
Cc: draft-ietf-ace-cmpv2-coap-transport@ietf.org, ace@ietf.org
Content-Type: multipart/alternative; boundary="00000000000087aa9505f81698c3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/X1PBYd6yupWuAGpbfo-k-f45Hto>
Subject: Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-transport-07
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2023 04:33:41 -0000

On Fri, Mar 10, 2023 at 4:12 AM Mohit Sahni <msahni@paloaltonetworks.com>
wrote:

[ proposed changes / confirmations in the xml file ]

I have read the xml diff and I agree with all changes made.



> Just noticed an incomplete response for this comment, responding again to
> it.
>
> >The next bullet I just do not understand:
> >
> >        In order to to reduce the risks imposed by DoS attacks, the
> >        implementations SHOULD optimally use the available datagram size
> >        i.e. avoid small datagrams containing partial CMP PKIMessage data.
> >
> >Please explain what is meant here and/or rephrase it.
>
> <M.S.>The intent here is to instruct clients to send CMP messages in as
> few packets as possible. Fragmentation of CMP messages may cause the server
> to buffer packets which will consume resources on the server. With clients
> instructed to send CMP messages in as few packets as possible, servers can
> choose to ignore fragmented CMP messages to mitigate such DOS attacks.
>
>
So maybe:

Implementations SHOULD use the available datagram size and avoid small
datagrams containing partial CMP PKIMessage data in order to reduce memory
usage for packet buffering.

Please submit a new version to the datatracker with these changes, so we
can start the IETF Last Call.

Paul

v2.23.0 | Report a Bug | By Email