[Dime] Alissa Cooper's Discuss on draft-ietf-dime-drmp-05: (with DISCUSS and COMMENT)

["Alissa Cooper" <alissa@cooperw.in>]

Alissa Cooper has entered the following ballot position for
draft-ietf-dime-drmp-05: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dime-drmp/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

(1) Given the two key security threats identified in Section 11 -- that
authorized nodes can issue requests with artificially high priority in
order to get better treatment, and that unauthorized intermediaries can
modify the priorities that senders set -- I don't see how it is
legitimate to claim that either 5.1 or 5.2 are appropriate use cases for
DRMP. The spec seems to assume that this mechanism will only be used in
scenarios where nodes and agents have some out-of-band trust relationship
established with each other (the shepherd write-up talks about a "trusted
environment"), but that is certainly not the case in many disaster and
emergency scenarios. If that really is a limitation on the scope of
applicability of this mechanism, that should be stated in the document,
and those use cases should either be removed or modified to explain the
limitations on their applicability.  

(2) Section 6 says:

	   "The mechanism for how the agent determines which requests are
       throttled is implementation dependent and is outside the scope of
       this document."

How is a node supposed to determine how to set its priorities if each
agent makes implementation-specific decisions about what those priorities
mean? I understood the document to be saying that Diameter applications
would have to define what he priority levels mean within their own
contexts, but then I would have expected the interpretation of priorities
amongst all nodes and agents implementing the same application to be the
same. 

(3) Section 8 says: 

	"Diameter nodes SHOULD use the PRIORITY_10 priority as this default
value."
   
If the determination of the priority schemes are all
application-specific, how is it appropriate for this spec to define what
the default priority should be for all applications? Shouldn't
applications specify their own defaults?


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Section 11 says: "DRMP gives Diameter nodes the ability to influence
which requests are throttled during overload scenarios." But the
information is not limited to use during overload scenarios, and the spec
specifically allows its use for prioritized routing in absence of
overload. This should be stated here too.