IETF Logo Mail Archive

Re: [Curdle] Genart last call review of draft-ietf-curdle-ssh-ext-info-10

denis bider <denisbider.ietf@gmail.com> Thu, 27 July 2017 03:09 UTC

Return-Path: <denisbider.ietf@gmail.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 286F3124BE8; Wed, 26 Jul 2017 20:09:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LHPVzlwvB3KU; Wed, 26 Jul 2017 20:09:21 -0700 (PDT)
Received: from mail-yw0-x236.google.com (mail-yw0-x236.google.com [IPv6:2607:f8b0:4002:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D88B112711E; Wed, 26 Jul 2017 20:09:20 -0700 (PDT)
Received: by mail-yw0-x236.google.com with SMTP id l82so40769043ywc.2; Wed, 26 Jul 2017 20:09:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=i4nqD/Hf0VXTis24YtlGqh9ZwQrKatGgfP76M7+ubo8=; b=OFc8Gr3QMEh1O7S1U9YvTFLrGNmDS7Cn1npOEEd+cULR+oljssLULCsrHibb7+G4Bv YxSyTlf1PICfwDdGvQwOJ9SlYCaq6/caVbnCPVsstVEq0q+Ks923D/a9UO89hDl1vHp8 7CN0F/bGfJvYZPBSoF3LkEZTklotGbkiqxOK90u2XFoZegIWWJi2BMdkfoNHa2YlT2Tp Ifp39PMxweT9zeIomP6zLGk9g5yp+joW/QChQno67MJxBaJvjHqkEObesMKGltWBzc30 6dtonJ6ibOx5CwPzx7lUcdVxFKVi74gPe76OlwvIVilY4PKr1s1Wf9aKv30RVlWcAffl jX4g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=i4nqD/Hf0VXTis24YtlGqh9ZwQrKatGgfP76M7+ubo8=; b=Fmyv8HQsZtFxKsstghdhIuYjKGeDaqbhhM3YFz0N7EH4N3Y//Nm+fMXya7Zn0Bovw/ aVPSLZdnEWpzxtJkO0kypIdyrC1j/cUVnKqWs/+qk7FRY0nlHhxoLR1OiFCeyJUGYF1m MbR7WUvmHpP1btznAZ1zkrufuwggmgW3W3gl+K1prKg9xXWinp+AFi9rE/H5Czr6Rvv6 DGjiUGK4vZgYkTfjvpijPouBnTdB4KmbXRy3Xq08wL4X2wOPSjrn1wLAWWrGd0GYsJID mFi6L7weQseHPvG9NTMSCeDlOxFDX9obl3qmyzbTAdxYA3UuqMwAG0mnJnOraGiFUCBw Dq8Q==
X-Gm-Message-State: AIVw1121EUqVwGIjnTJ56dr+Em1RSlT/vXklngzLZFCT9PiepaMeawXf Ps4KGKoDKYjI5MG9dT8ye7p5erYpQA==
X-Received: by 10.37.0.195 with SMTP id 186mr2578406yba.46.1501124960090; Wed, 26 Jul 2017 20:09:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.37.42.200 with HTTP; Wed, 26 Jul 2017 20:09:19 -0700 (PDT)
In-Reply-To: <1eef6165-9b5b-c354-dffe-5df1e98098fa@outer-planes.net>
References: <150093015937.32021.12465797358778837950@ietfa.amsl.com> <CADPMZDCE+m+_QA7s6vdFOw-7uF4cfV4g8_U07fb-Ydur30OR5g@mail.gmail.com> <1eef6165-9b5b-c354-dffe-5df1e98098fa@outer-planes.net>
From: denis bider <denisbider.ietf@gmail.com>
Date: Wed, 26 Jul 2017 21:09:19 -0600
Message-ID: <CADPMZDDjQoHc9yoYb7sSTa2r7e71DSMdqQ7OEH7neWU0ygKzNw@mail.gmail.com>
To: "Matthew A. Miller" <linuxwolf+ietf@outer-planes.net>
Cc: gen-art@ietf.org, curdle <curdle@ietf.org>, ietf@ietf.org, draft-ietf-curdle-ssh-ext-info.all@ietf.org
Content-Type: multipart/alternative; boundary="001a113cf650028e01055543e495"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/d9w3O1yhwX63Bf3HiYxQ9x_r7Jc>
Subject: Re: [Curdle] Genart last call review of draft-ietf-curdle-ssh-ext-info-10
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jul 2017 03:09:23 -0000

Hello Matthew,

I'm not sure if I know how to address this better than with the language so
far proposed.

Perhaps one choice would be to simply remove this paragraph. However, the
reason it was added was because an earlier reviewer (I'm not sure of the
details at this time) raised the question about whether extension
negotiation works like it does for algorithm lists, such as in e.g.
SSH_MSG_KEXINIT. In that case, multiple algorithms are enumerated by both
sides, and only one is chosen that (1) is enumerated by both sides, and (2)
is the first of those to be enumerated by the client. The main purpose of
this paragraph has been to clarify that extension negotiation does not work
that way in EXT_INFO.

What language would you propose? Is there some simple language that would
do? How about this?

"An extension may dictate, where it is specified, that in order to take
effect, both parties must include it in its EXT_INFO; or it may be
sufficient that only one party does; or more complex rules may be
specified."


On Wed, Jul 26, 2017 at 1:28 PM, Matthew A. Miller <
linuxwolf+ietf@outer-planes.net> wrote:

> Thanks very much for the response, Denis.
>
> I think I understand the intent here, but I'm not sure this new text is
> enough to mitigate some future conflict.  I'm also concerned that it
> completely ignores the one-party extensions (e.g., an extension included
> in the EXT_INFO by only the client or the server, but not both), and
> what the impact is holistically.  Looking at the one-party extensions
> defined herein, I can't see how their order matters; but does that mean
> the order will never matter?
>
> In writing this reply, I wondered if it's better for the order to always
> be irrelevant; an implementation might be allowed to hint its preferred
> order in the EXT_INFO, but implementations are still free to do whatever
> makes sense to them within the bounds of the relevant extension
> definitions.  If an extension ought to take precedence over another,
> make it clear in its specification that it SHOULD (or MUST) be dealt
> with before (or after) others.
>
> Does that make sense?
>
>
> - m&m
>
> Matthew A. Miller
>
> On 17/07/25 16:24, denis bider wrote:
> > Good catch. I believe this refers to the following paragraph:
> >
> > "If an extension requires both the client and the server to include it
> > in order for the extension to take effect, the relative position of the
> > extension-name in each EXT_INFO message is irrelevant."
> >
> > I have drafted the following new wording:
> >
> > "Unless a particular extension's specification indicates differently;
> > then, if an extension requires both the client and the server to include
> > it in order for the extension to take effect; implementers MUST use a
> > default assumption that the relative position of the extension-name in
> > each EXT_INFO message is irrelevant with respect to whether the
> > extension takes effect."
> >
> > The purpose of this wording is to:
> >
> > - Provide a sensible default, which is that in the absence of specific
> > knowledge, order of extension names does not matter.
> >
> > - Allow for deviations in special cases where there is specific
> knowledge.
> >
> > For example, extension "foo-linux" could be specified, but after some
> > years of use, it's observed that it works well for its main purpose, but
> > is not ideal for a server on Windows. Therefore, extension "foo-windows"
> > is specified, which works well when the server is Windows, but not as
> > well when it's Linux.
> >
> > In this case, an implementation that supports "foo-linux" only would be
> > ignorant of anything else, and would use the default rule (order of
> > extension names does not matter). However, an implementation that
> > supports "foo-windows" could implement only that, or both "foo-linux"
> > and "foo-windows". The specification for "foo-windows" could indicate
> > that when both are supported, the first one listed by the server (or in
> > other cases, by the client) is used.
> >
> > Allowing for such an extension-defined special case would allow a Linux
> > server to advertise extensions [... "foo-linux", ..., "foo-windows",
> > ...], preferring "foo-linux", but supporting the less appropriate
> > "foo-windows" mechanism as well. Whereas, a Windows server could
> > advertise [... "foo-windows", ..., "foo-linux", ...], preferring
> > "foo-windows", but supporting the less appropriate "foo-linux" mechanism
> > as well.
> >
> > Does this work?
> >
> > If there are no objections, I'll upload a -11 draft version with this
> > new wording.
> >
> >
> >
> > On Mon, Jul 24, 2017 at 3:02 PM, Matthew Miller
> > <linuxwolf+ietf@outer-planes.net
> > <mailto:linuxwolf+ietf@outer-planes.net>> wrote:
> >
> >     Reviewer: Matthew Miller
> >     Review result: Ready with Issues
> >
> >     I am the assigned Gen-ART reviewer for this draft. The General Area
> >     Review Team (Gen-ART) reviews all IETF documents being processed
> >     by the IESG for the IETF Chair.  Please treat these comments just
> >     like any other last call comments.
> >
> >     For more information, please see the FAQ at
> >
> >     <https://trac.ietf.org/trac/gen/wiki/GenArtfaq
> >     <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>>.
> >
> >     Document: draft-ietf-curdle-ssh-ext-info-10
> >     Reviewer: Matthew Miller
> >     Review Date: 2017-07-24
> >     IETF LC End Date: 2017-07-30
> >     IESG Telechat date: N/A
> >
> >     Summary:
> >
> >     This document is ready with an issue.
> >
> >     I found this document very coherent and easy to follow.
> >
> >     Major issues:
> >
> >     Minor issues:
> >
> >     My only issue borders on nit, but sided with nit as I can see it
> >     potentially causing confusion for an implementer in the future.
> >
> >     Section 2.5. "Interpretation of Extension Names and Values"
> explicitly
> >     states in the second paragraph a condition where the relative order
> of
> >     extension-names in an EXT_INFO message is irrelevant.  However, the
> rest
> >     of the section seems to imply to me that relative order is not
> >     important;
> >     so to explicitly call out a scenario seems to imply that relative
> order
> >     *is* relevant/important, sometimes.  If relative order is expected
> to be
> >     important most of the time, I think it helpful to explicitly state
> that
> >     and give a rationale for it.
> >
> >     Nits/editorial comments:
> >
> >     * RFC 5226 is referenced by this document, but is obsoleted by RFC
> 8126.
> >
> >
> >     _______________________________________________
> >     Curdle mailing list
> >     Curdle@ietf.org <mailto:Curdle@ietf.org>
> >     https://www.ietf.org/mailman/listinfo/curdle
> >     <https://www.ietf.org/mailman/listinfo/curdle>
> >
> >
>
>

v2.23.0 | Report a Bug | By Email