[dhcwg] Gen-ART and OPS-Dir review of draft-wkumari-dhc-capport-15
"Black, David" <david.black@emc.com> Fri, 28 August 2015 22:06 UTC
Return-Path: <david.black@emc.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7454B1B3490; Fri, 28 Aug 2015 15:06:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id exXwZe5-ycHk; Fri, 28 Aug 2015 15:06:42 -0700 (PDT)
Received: from mailuogwhop.emc.com (mailuogwhop.emc.com [168.159.213.141]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3ECCD1B3480; Fri, 28 Aug 2015 15:06:41 -0700 (PDT)
Received: from maildlpprd01.lss.emc.com (maildlpprd01.lss.emc.com [10.253.24.33]) by mailuogwprd01.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id t7SM6AaW017312 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 28 Aug 2015 18:06:14 -0400
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd01.lss.emc.com t7SM6AaW017312
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=emc.com; s=jan2013; t=1440799574; bh=+zlNPW3YQKPC6yPT73bUUiF6YZo=; h=From:To:CC:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=VNx1Nzru5VK3mqQtTfgVr4auTFG5M60eCTJw998fgF/B9onsOhb3FIHxTzD87DDBR CQMdAQamdAj4eZChYrnFwgByMHF+ynGyZQR6U/u7TBb/ecV/XXFV71fnfkVqf9lAH0 cOmtXRl33r+ePrzgXj37qkT69N/buHxo+ht/23yo=
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd01.lss.emc.com t7SM6AaW017312
Received: from mailusrhubprd04.lss.emc.com (mailusrhubprd04.lss.emc.com [10.253.24.22]) by maildlpprd01.lss.emc.com (RSA Interceptor); Fri, 28 Aug 2015 18:05:20 -0400
Received: from mxhub18.corp.emc.com (mxhub18.corp.emc.com [10.254.93.47]) by mailusrhubprd04.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id t7SM5S73001512 (version=TLSv1 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 28 Aug 2015 18:05:28 -0400
Received: from MXHUB105.corp.emc.com (10.253.50.22) by mxhub18.corp.emc.com (10.254.93.47) with Microsoft SMTP Server (TLS) id 8.3.327.1; Fri, 28 Aug 2015 18:05:28 -0400
Received: from MX104CL02.corp.emc.com ([169.254.8.86]) by MXHUB105.corp.emc.com ([10.253.50.22]) with mapi id 14.03.0224.002; Fri, 28 Aug 2015 18:05:27 -0400
From: "Black, David" <david.black@emc.com>
To: Warren Kumari <warren@kumari.net>, "olafur@cloudflare.com" <olafur@cloudflare.com>, "ebersman-ietf@dragon.net" <ebersman-ietf@dragon.net>, "steve.sheng@icann.org" <steve.sheng@icann.org>, "General Area Review Team (gen-art@ietf.org)" <gen-art@ietf.org>, "ops-dir@ietf.org" <ops-dir@ietf.org>
Thread-Topic: Gen-ART and OPS-Dir review of draft-wkumari-dhc-capport-15
Thread-Index: AdDh3aUMKZyuQxPoTs6OQPcV693y0Q==
Date: Fri, 28 Aug 2015 22:05:27 +0000
Message-ID: <CE03DB3D7B45C245BCA0D243277949361407B7BB@MX104CL02.corp.emc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.238.45.85]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Sentrion-Hostname: mailusrhubprd04.lss.emc.com
X-RSA-Classifications: public, Resumes
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/IDciuITxcMsTCjZJi1oiCxHLP7k>
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>, "Black, David" <david.black@emc.com>, "ietf@ietf.org" <ietf@ietf.org>
Subject: [dhcwg] Gen-ART and OPS-Dir review of draft-wkumari-dhc-capport-15
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2015 22:06:44 -0000
The Gen-ART and OPS-Dir review of the -13 version of this draft does not appear to have been directly addressed in the -15 version. Of the 5 minor issues, other changes have addressed issue [4] and the first part of issue [5] (first chunk of quoted text). In addition, it's ok to treat issue [1] as editorial. That leaves minor issues [2], [3] and the second part of [5] (second chunk of quoted text) as topics that still merit attention, and I would like the authors to consider adding the suggested additional security consideration. Thanks, --David > -----Original Message----- > From: Black, David > Sent: Sunday, July 05, 2015 10:37 AM > To: Warren Kumari; olafur@cloudflare.com; ebersman-ietf@dragon.net; > steve.sheng@icann.org; General Area Review Team (gen-art@ietf.org); ops- > dir@ietf.org > Cc: ietf@ietf.org; dhcwg@ietf.org; Black, David > Subject: Gen-ART and OPS-Dir review of draft-wkumari-dhc-capport-13 > > This is a combined Gen-ART and OPS-Dir review. Boilerplate for both follows > ... > > I am the assigned Gen-ART reviewer for this draft. For background on > Gen-ART, please see the FAQ at: > > <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. > > Please resolve these comments along with any other Last Call comments > you may receive. > > I have reviewed this document as part of the Operational directorate's ongoing > effort to review all IETF documents being processed by the IESG. These > comments > were written primarily for the benefit of the operational area directors. > Document editors and WG chairs should treat these comments just like any other > last call comments. > > Document: draft-wkumari-dhc-capport-13 > Reviewer: David Black > Review Date: July 5, 2015 > IETF LC End Date: July 7, 2015 > > Summary: This draft is on the right track, but has open issues > described in the review. > > This draft specifies DHCP (v4 and v6) and IPv6 RA options to provide the > contact URI of a captive portal (e.g., for a WiFi hotspot). It's a > short draft that gets the job done - I found a few minor issues, and > have an additional security consideration to suggest. > > Major issues: None > > Minor issues: > > [1] Section 2: > > captive portals will still need to implement the > interception techniques to serve legacy clients, and clients will > need to perform probing to detect captive portals. > > Please explain what "the interception techniques" and "probing" are. > I think this material was in -12 and removed for -13 - it does not need > to be restored in its entirety, but those two terms deserve some > explanation. This should also explain "DNS interception" in the last > paragraph in the section. > > [2] Section 2.1 - DHCPv4 has the shortest URI length limit, 255 bytes. > That should be noted either here or in Section 2 in discussion of serving > multiple classes of clients. This should not be a problem in practice. > > [3] Sections 2.1, 2.2, 3: The term "URI of the authentication page" should > be changed to something like "contact URI for the captive portal" because > authentication is not always required by a captive portal. > > [4] Section 4: The IANA Considerations section is incomplete - see IANA's > review. > > [5] Section 5: > > Fake > DHCP servers / fake RAs are currently a security concern - this > doesn't make them any better or worse. > > Please cite a reference for this, preferably with operational recommendations > on limiting these problems (e.g., ensure that DHCP and RA traffic cannot be > injected from outside/beyond the network that is relevant to the portal). > > Redirection to a portal where TLS can be used > without hijacking can ameliorate some of the implications of > connecting to a potentially malicious captive portal. > > Please explain who or what does the redirection and what is redirected > (browser, VPN client?). Is this a suggestion to use http:// URLs? (if > so, that should be said explicitly). > > Nits/editorial comments: > > p.3, first sentence: > > This document describe a DHCP ([RFC2131]) option (Captive Portal) and > > s/describe/describes > > I would add a sentence to section 2 to say that URI strings are not > null-terminated. > > Section 3 - this should be renumbered to 2.3, as the overview text in > Section 2 applies to the RA option. > > Possible additional security consideration: > > Captive portals are increasingly hijacking TLS connections to force > browsers to talk to the portal. Providing the portal's URI via a DHCP > or RA option is a cleaner technique, and reduces user expectations of > being hijacked - this may improve security by making users more reluctant > to accept TLS hijacking, which can be performed from beyond the network > associated with the captive portal. > > --- Selected RFC 5706 Appendix A Q&A for OPS-Dir review --- > > Most of these questions reduce to the corresponding questions for DHCP > or IPv6 RAs. Once the portal is contacted, there are significant > operational considerations that are well outside the scope of this > draft. > > A.1.3 Has the migration path been discussed? > > Yes, briefly. Minor issue [1] requests more information on > existing techniques, with which coexistence is anticipated. > > A.3. Documentation > > An operational considerations or manageability section isn't > called for. I do not expect the options in this draft to > have significant operational impact. > > Thanks, > --David > ---------------------------------------------------- > David L. Black, Distinguished Engineer > EMC Corporation, 176 South St., Hopkinton, MA 01748 > +1 (508) 293-7953 FAX: +1 (508) 293-7786 > david.black@emc.com Mobile: +1 (978) 394-7754 > ----------------------------------------------------
- [dhcwg] Gen-ART and OPS-Dir review of draft-wkuma… Black, David
- Re: [dhcwg] Gen-ART and OPS-Dir review of draft-w… Warren Kumari
- Re: [dhcwg] Gen-ART and OPS-Dir review of draft-w… Black, David
- Re: [dhcwg] Gen-ART and OPS-Dir review of draft-w… Warren Kumari
- Re: [dhcwg] Gen-ART and OPS-Dir review of draft-w… Jari Arkko