IETF Logo Mail Archive

[Anima] Re: Mohamed Boucadair's Discuss on draft-ietf-anima-brski-prm-18: (with DISCUSS and COMMENT)

Michael Richardson <mcr+ietf@sandelman.ca> Sun, 06 April 2025 21:35 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@mail2.ietf.org
Delivered-To: anima@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 906C7182A530; Sun, 6 Apr 2025 14:35:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.398
X-Spam-Level:
X-Spam-Status: No, score=-4.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PH4F8qhh87uS; Sun, 6 Apr 2025 14:35:49 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256)) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 282E9182A528; Sun, 6 Apr 2025 14:35:49 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id AE9421800E; Sun, 6 Apr 2025 17:35:48 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavis, port 10024) with LMTP id Q17Iyg1OdEap; Sun, 6 Apr 2025 17:35:47 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1743975347; bh=I8/K2wC4Ck+QlM1YaXPM9krVP1xAL3zHoBLnik8bA+0=; h=From:To:cc:Subject:In-Reply-To:References:Date:From; b=kdQBp+gKxBHwLXb1bAQKG7zU9qyPoCgS5vG0Ec2oEg7bwAhxBO27AjC4u0CAkidKs JoMyS+zfS/VNy5Ag8l/h2Y6fyNAfRiC9nqN/GGg4469OvlSMr4I2tPqpFN2dbn5nTD 4vTphORbqI1YQqA/w7KXkEqM5VkgAKWrPb3NvN3Eh4DuqByRvzSTK3eUxoU/VCQqpd 3BWZQKiWXdKzyZzeUGZ8Fav+d/5647YPFd2NMMEqJ1OeVjfVJAlI0BF9S6r5JuVaLt eszU6RGlqyUnU51uRUykKYmn+0krPoZxEUSDMV3MA3PUCQ+nsmFu2z/AHDtpqDPdDq CI4njXrksm36Q==
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 38CDC1800C; Sun, 6 Apr 2025 17:35:47 -0400 (EDT)
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 30C835E2; Sun, 6 Apr 2025 17:35:47 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Mohamed Boucadair <mohamed.boucadair@orange.com>
In-Reply-To: <174395186493.249581.5702510245186761176@dt-datatracker-64c5c9b5f9-hz6qg>
References: <174395186493.249581.5702510245186761176@dt-datatracker-64c5c9b5f9-hz6qg>
X-Mailer: MH-E 8.6+git; nmh 1.8+dev; GNU Emacs 28.2
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0;<'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sun, 06 Apr 2025 17:35:47 -0400
Message-ID: <20895.1743975347@obiwan.sandelman.ca>
Message-ID-Hash: DP2TQURXHKDGV3J57I2QOQSC7M5SOYNB
X-Message-ID-Hash: DP2TQURXHKDGV3J57I2QOQSC7M5SOYNB
X-MailFrom: mcr+ietf@sandelman.ca
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-anima.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: The IESG <iesg@ietf.org>, draft-ietf-anima-brski-prm@ietf.org, anima-chairs@ietf.org, anima@ietf.org, ietf@kovatsch.net, tte@cs.fau.de
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Anima] Re: Mohamed Boucadair's Discuss on draft-ietf-anima-brski-prm-18: (with DISCUSS and COMMENT)
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/59basYj4FVKtj0C03DLL9pgHQq8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Owner: <mailto:anima-owner@ietf.org>
List-Post: <mailto:anima@ietf.org>
List-Subscribe: <mailto:anima-join@ietf.org>
List-Unsubscribe: <mailto:anima-leave@ietf.org>


Mohamed Boucadair via Datatracker <noreply@ietf.org> wrote:
    > # Unconditional MUST

    > CURRENT:
    > The pledge MUST respond to all requests regardless of the
    > Host header field provided by the client (i.e., ignore it).

    > I don’t think that is safe.

Why?

The Registrar Agent really has *only* the IP address of the pledge.
No virtual hosting is possible.  So, **anything** it puts into the Host: header
will be wrong.  mDNS may well return IPv6-LL addresses.

    > I’m afraid this needs some scoping; as there are other legitimate conditions
    > where the pledge does not have to reply.

Like... what?

    > # Compliance with HTTP BCP (RFC9205)

    > CURRENT:
    > If the pledge is unable to create the PVR, it SHOULD respond with an
    > HTTP error status code to the Registrar-Agent.  The following client
    > error status codes SHOULD be used:

    > The use of normative language is IMO not compliant with the guidance in
    > RFC9205, about error handling.

okay, we'll review.

    > # Cluster with 8366bis

    > CURRENT:

    > The JSON PVR Data MUST contain the following fields of the “ietf-
    > voucher-request” YANG module as defined in
    > [I-D.ietf-anima-rfc8366bis];

    > I think this spec should be clustered with 8366bis. There are several structure
    > that used in this document and which depends on what is defined in 8366bis.
    > Changes to the bis will have implications on this one.

Yes, it's all gonna be in a cluster.
Is there something you think we need to put into the I-D to make that so,
other than a normative reference, which it already has?

    > With that in mind, I tend to suggest holding approval of this specification
    > till we finalize the bis spec.

No, because that creates a loop of getting document X done before document Y
can proceed.  We already, as a WG, said that rfc8366bis would wait until all
others are done.  RFC8366bis could otherwise progress without the others, and
when we discover problems that require updates to two places, would wind up
making us yank it back from the RFC-editor.  We went through this with
RFC8995 already, and the WG learnt it's lesson.

    > # Requires TLS1.3

    > CURRENT:
    > As already stated in [RFC8995], the use of TLS 1.3 (or newer) is
    > encouraged.  TLS 1.2 or newer is REQUIRED on the Registrar-Agent
    > side.  TLS 1.3 (or newer) SHOULD be available on the registrar, but
    > TLS 1.2 MAY be used.  TLS 1.3 (or newer) SHOULD be available on the
    > MASA, but TLS 1.2 MAY be used.

    > Please update to take into to reflect draft-ietf-uta-require-tls13.

The reality that many platforms do not have FIPS-140 appproved TLS 1.3
stacks remains true.   It's getting better, but it's just not there yet.


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.31.3 | Report a Bug | By Email | System Status