Re: [alto] Roman Danyliw's No Objection on draft-ietf-alto-cdni-request-routing-alto-18: (with COMMENT)

Qin Wu <bill.wu@huawei.com> Thu, 06 January 2022 11:57 UTC

From: Qin Wu <bill.wu@huawei.com>
To: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>
CC: "draft-ietf-alto-cdni-request-routing-alto@ietf.org" <draft-ietf-alto-cdni-request-routing-alto@ietf.org>, "alto-chairs@ietf.org" <alto-chairs@ietf.org>, "alto@ietf.org" <alto@ietf.org>, Vijay Gurbani <vijay.gurbani@gmail.com>
Date: Thu, 06 Jan 2022 11:57:25 +0000
Message-ID: <60a200a4a50e42cf932b7529f59af2f6@huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/alto/g6LXVQIE7o3jFN-UiHCyskUwCIA>

Thanks Roman for clearing the DISCUSS. @authors, please engage with Roman and address his additional comments.

-Qin
-----Original Message-----
From: Roman Danyliw via Datatracker [mailto:noreply@ietf.org]
Sent: January 6, 2022 5:31
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-alto-cdni-request-routing-alto@ietf.org; alto-chairs@ietf.org; alto@ietf.org; Vijay Gurbani <vijay.gurbani@gmail.com>; vijay.gurbani@gmail.com
Subject: Roman Danyliw's No Objection on draft-ietf-alto-cdni-request-routing-alto-18: (with COMMENT)

Roman Danyliw has entered the following ballot position for
draft-ietf-alto-cdni-request-routing-alto-18: No Objection

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)


Please refer to https://www.ietf.org/blog/handling-iesg-ballot-positions/
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-alto-cdni-request-routing-alto/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thanks to Klaas Wierenga for the SECDIR review.

Thanks for addressing my DISCUSS point.

** Section 8.
     For authenticity and integrity of ALTO information, an attacker
      may disguise itself as an ALTO server for a dCDN, and provide
      false capabilities and footprints to a uCDN using the CDNI
      Advertisement service.

-- I don’t follow the intent of the first clause.  Why is an _attacker_ concerned with the authenticity and integrity of the ALTO information?

-- What role can TLS, an associated server certificate (for the dCDN) and configured knowledge of this certificate at the uCDN mitigate some of this risk?  Shouldn’t the uCDNs only be communicating with a collection of known dCDNs with which it has some out-of-band negotiated arrangement?

** Section 8.
      For availability of ALTO services, an attacker may conduct service
      degradation attacks using services defined in this document to
      disable ALTO services of a network.

Again, operating under the assumption that the dCDN (ALTO Server) would only be working with a known (prearranged) set of uCDNs and they would have authenticated somehow (per the DISCUSS), couldn’t repeated requests be rate limited and after attribution, filtered to minimize impact?
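The two mitigations the comments above ask about, sketched as an added example that is not part of Roman's comment, of the draft, or of this thread: on the uCDN side, a TLS client that accepts only a dCDN whose certificate is already known out of band (a pinned SHA-256 fingerprint on top of ordinary PKI validation, so an impostor ALTO server is refused even if it holds some valid certificate); on the dCDN side, a per-client token bucket plus a block list so that repeated CDNI Advertisement requests from one attributed client are throttled or filtered rather than degrading the service. All names (`ALLOWED_DCDNS`, `TokenBucket`, `handle_advertisement_request`), the sample certificate bytes and the fake clock are constructed for illustration.

```python
"""Added example: uCDN-side certificate pinning and dCDN-side rate limiting
for ALTO/CDNI exchanges.  Nothing here is taken from the draft; names and
sample data are constructed for illustration."""
import hashlib
import hmac
import socket
import ssl
import time
from typing import Callable, Dict, Optional, Set, Tuple

# ---- 1. uCDN side: only talk to dCDN ALTO servers known out of band ------

# Constructed allowlist: dCDN hostname -> hex SHA-256 of its DER certificate,
# learned through the prearranged CDNI relationship rather than discovered.
ALLOWED_DCDNS: Dict[str, str] = {}


def cert_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 over the DER bytes that getpeercert(binary_form=True) returns."""
    return hashlib.sha256(der_cert).hexdigest()


def is_trusted_dcdn(hostname: str, der_cert: bytes, allowlist: Dict[str, str]) -> bool:
    """True only if the host is a configured dCDN and its cert matches the pin."""
    expected = allowlist.get(hostname)
    if expected is None:
        return False  # unknown dCDN: refuse even though TLS validation might pass
    return hmac.compare_digest(expected, cert_fingerprint(der_cert))


def connect_to_dcdn(hostname: str, port: int, allowlist: Dict[str, str],
                    cafile: Optional[str] = None, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection that passes both PKI validation and the pin check.
    Network access is required; the offline test exercises is_trusted_dcdn only."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED, check_hostname=True
    raw = socket.create_connection((hostname, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=hostname)
    der = tls.getpeercert(binary_form=True)
    if der is None or not is_trusted_dcdn(hostname, der, allowlist):
        tls.close()
        raise ssl.SSLError(f"{hostname} is not a configured dCDN or its certificate changed")
    return tls


# ---- 2. dCDN side: throttle and filter repeated requests per uCDN --------

class TokenBucket:
    """Per-client token bucket: `rate` requests/second sustained, bursts up to `capacity`.
    `clock` is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, rate: float, capacity: int, clock: Callable[[], float] = time.monotonic):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self._buckets: Dict[str, Tuple[float, float]] = {}  # client -> (tokens, last refill)

    def allow(self, client_id: str) -> bool:
        now = self.clock()
        tokens, last = self._buckets.get(client_id, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[client_id] = (tokens - 1.0, now)
            return True
        self._buckets[client_id] = (tokens, now)  # refill progress is kept, request dropped
        return False


def handle_advertisement_request(client_id: str, limiter: TokenBucket, blocked: Set[str]) -> int:
    """HTTP-style outcome for one authenticated uCDN request:
    403 once the client has been attributed and filtered, 429 while throttled, 200 otherwise."""
    if client_id in blocked:
        return 403
    if not limiter.allow(client_id):
        return 429
    return 200


class FakeClock:
    """Constructed clock for deterministic demonstration of the bucket refill."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    # Constructed, not a real certificate: just bytes with a stable fingerprint.
    der = b"constructed-der-bytes-of-the-dcdn-certificate"
    pins = {"alto.dcdn.example": cert_fingerprint(der)}
    print("pinned dCDN accepted:", is_trusted_dcdn("alto.dcdn.example", der, pins))
    print("unknown host rejected:", not is_trusted_dcdn("other.example", der, pins))

    clock = FakeClock()
    limiter = TokenBucket(rate=1.0, capacity=3, clock=clock)
    print([handle_advertisement_request("ucdn-a", limiter, set()) for _ in range(4)])
```

The pin check deliberately sits on top of, not instead of, normal certificate validation: the allowlist answers "is this one of the dCDNs we have an arrangement with", while the CA check still catches expired or revoked certificates. The bucket keeps its refill state when a request is dropped, so a client that keeps hammering the endpoint does not earn extra tokens for doing so.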