IETF Logo Mail Archive

Re: [Dots] AD review of draft-ietf-dots-signal-channel-25 (5th Part)

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Thu, 17 January 2019 10:38 UTC

Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31B95130DD8; Thu, 17 Jan 2019 02:38:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.554
X-Spam-Level:
X-Spam-Status: No, score=-11.554 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xjF35HusXBfb; Thu, 17 Jan 2019 02:38:17 -0800 (PST)
Received: from MIVWSMAILOUT1.mcafee.com (mivwsmailout1.mcafee.com [161.69.47.167]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A624130E0A; Thu, 17 Jan 2019 02:38:16 -0800 (PST)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1547721338; h=From: To:CC:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-microsoft-exchange-diagnostics: x-ms-exchange-antispam-srfa-diagnostics:x-ms-office365-filtering-correlation-id: x-microsoft-antispam:x-ms-traffictypediagnostic: x-microsoft-antispam-prvs:x-forefront-prvs: x-forefront-antispam-report:received-spf:x-ms-exchange-senderadcheck: x-microsoft-antispam-message-info:spamdiagnosticoutput: spamdiagnosticmetadata:Content-Type:Content-Transfer-Encoding: MIME-Version:X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Threshold: X-NAI-Spam-Score:X-NAI-Spam-Version; bh=f b8WtX4wR5K8B4duOx9hYfkqIDQ4WvpR1VNLjWVqvD s=; b=XNuixe82M0r1E1iKc5aEcyzf4cEPKBPZH6Ryor2YFdlZ XJYjL+KnAEDeLjAct29ESLxJ52wZpERcUp5P2K8tBJfCutD+aK tsI2vHaYi2jKhS1INKRbbzX6bXx8+ea30qx3nl0KCp0yIhhkKt ST2wKiUuzYq2jiSW8B3OH3kOlb4=
Received: from DNVEXAPP1N05.corpzone.internalzone.com (DNVEXAPP1N05.corpzone.internalzone.com [10.44.48.89]) by MIVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 682f_c3dc_de9ae41f_44ea_44c3_acf9_64da2178fb09; Thu, 17 Jan 2019 04:35:37 -0600
Received: from DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Thu, 17 Jan 2019 03:33:40 -0700
Received: from DNVO365EDGE2.corpzone.internalzone.com (10.44.176.74) by DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) with Microsoft SMTP Server (TLS) id 15.0.1347.2 via Frontend Transport; Thu, 17 Jan 2019 03:33:40 -0700
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (10.44.176.240) by edge.mcafee.com (10.44.176.74) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Thu, 17 Jan 2019 03:33:40 -0700
Received: from BYAPR16MB2790.namprd16.prod.outlook.com (20.178.233.91) by BYAPR16MB2808.namprd16.prod.outlook.com (20.178.233.154) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1537.24; Thu, 17 Jan 2019 10:33:39 +0000
Received: from BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::202f:5967:73ad:130f]) by BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::202f:5967:73ad:130f%5]) with mapi id 15.20.1537.018; Thu, 17 Jan 2019 10:33:39 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, Benjamin Kaduk <kaduk@mit.edu>, "draft-ietf-dots-signal-channel@ietf.org" <draft-ietf-dots-signal-channel@ietf.org>
CC: "dots@ietf.org" <dots@ietf.org>
Thread-Topic: AD review of draft-ietf-dots-signal-channel-25 (5th Part)
Thread-Index: AdSuMPs4z5rRJt5UT++zbKjLtGqWuAABJymg
Date: Thu, 17 Jan 2019 10:33:38 +0000
Message-ID: <BYAPR16MB279051803A34079378C8327AEA830@BYAPR16MB2790.namprd16.prod.outlook.com>
References: <787AE7BB302AE849A7480A190F8B93302EA08D24@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302EA08D24@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.1.100.18
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [103.245.47.20]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BYAPR16MB2808; 6:53zRSn7pYEVqeGGZR5KIIH5P3Tt7xz9qk+qEg5s2OqHKvhWljJPaUw0qzOMkEOSH5oiMqQNf+HN8ocTq0IwDqHXClufIvtyymiG42JVv/EH9Y9JUfCDGfWf6GgomDa1BO2z8GWk2gRdF2TPVXIMGDoYm9YAH31SjMIquKzdB5Y+NzuEeDmP1pBGRh2Uge9mUiU695A4EFl2YdS05qYE2j0uB0X+LwFrzvV4CuQkPzVydZvyG+oyJfSTp7ZkrQWTY985bBjRu///mYbow0azMD1pPeP6f7f2NkRjIabBMWFnKvHeZJkq1ScJa30ktLVE4S8fZCrLG9jKcr9eFg3yVX6ZAap7YIuEFQqF7gWkKpAoBSLSrnEo24Uu+2rDfaoGhw20GB2rxNo+OsPFSXTvgb0WXpY86AmaUhoj7E8b6IS8Whx4scEcANCZAcoY2Y36nqrk0VcmpUlQyZ1pCw/vWEg==; 5:nJSUzWFnapgTseXoUAi8zh0iZh7tc36TP8ye4dkqn9x4QxU1NNoTuHQkmOwynYscU4MWFc1PiTpz5eUlljilLXx8HdzoXUBsG0gexPvwulSj5bfLhYywyeUh1ReWhwEXoqqPmRRJ31+z0xds8wgHgesSQaRj7CsWgixVzu29pk1z3IijCun9qOXYKelHb13nPw6MQTYtuQIrMlBrLLSoEQ==; 7:73N2cOQp2bfgBseejZOUKF2xt64EP/LAKCHQM5xeiGIJYDi/+GAnkPZSQ1+8ARUGmbgpjgXh6qpjQbLGUJ6Ugq3FThSgvHE8faB8v9HPRLtKCfIbqr0dUVytnolvJmD3bZMmM1jtotBmBrU43rHPuA==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: fb6a72da-af42-446b-6a49-08d67c673e80
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600109)(711020)(2017052603328)(7153060)(7193020); SRVR:BYAPR16MB2808;
x-ms-traffictypediagnostic: BYAPR16MB2808:
x-microsoft-antispam-prvs: <BYAPR16MB28086462C8B68B08F90052A5EA830@BYAPR16MB2808.namprd16.prod.outlook.com>
x-forefront-prvs: 0920602B08
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(396003)(39860400002)(366004)(136003)(376002)(189003)(199004)(55784004)(13464003)(32952001)(51444003)(6306002)(81166006)(8676002)(8936002)(81156014)(6246003)(229853002)(7736002)(26005)(110136005)(186003)(305945005)(66066001)(486006)(6116002)(68736007)(2906002)(9686003)(106356001)(2171002)(105586002)(476003)(446003)(11346002)(25786009)(80792005)(6506007)(53546011)(33656002)(99286004)(3846002)(71190400001)(478600001)(5660300001)(71200400001)(74316002)(76176011)(97736004)(4326008)(53936002)(7696005)(316002)(5024004)(966005)(256004)(14444005)(14454004)(86362001)(72206003)(55016002)(102836004)(6436002)(2501003)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR16MB2808; H:BYAPR16MB2790.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: TlQ+dqndd51vMpIpiuzv4cDVZx8hZBhzseLIcuac0uxOAVxHyzkLNNMLATE5d+2xlsrCwYrCz39p6IFJdbg69R9SAzIrRkPrQ83B1+GWOKv8yJLfF0kynM0ahP9xt7nfxme99JZFkmnTulrZ+qMjl+WyQN7VQluJoXhAMSMVF6a+HO+lS8KvXG4FI+CMbXWC/OGrR18NUSSHbw4ZxiPwVnH+rktfonqJG0dBOoFYt5wYErkVjkNwLP0Mq1lw+iYYfwi3LqcOaPYLtcDMg3b6+WY4Tgs84oSNqkshT3mAy8LaOW4CvUFnV1bGiWjJGSvyfjEjYUniy+N9gnToAce3HTWTfxmPoZDSU+LoFIy+Iov8CM1+sbhVuqTuFBJnDnjQesD9xqDsb6HFOm4ZngLHqEMzRWx1EQ9eGvW+8hv27YY=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: fb6a72da-af42-446b-6a49-08d67c673e80
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Jan 2019 10:33:38.9241 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR16MB2808
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0
X-NAI-Spam-Version: 2.3.0.9418 : core <6463> : inlines <6996> : streams <1810333> : uri <2781262>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/--cRG6YY-5cvVtrtdcbuZfoZ2X8>
Subject: Re: [Dots] AD review of draft-ietf-dots-signal-channel-25 (5th Part)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Jan 2019 10:38:20 -0000

> -----Original Message-----
> From: Dots <dots-bounces@ietf.org> On Behalf Of
> mohamed.boucadair@orange.com
> Sent: Thursday, January 17, 2019 12:21 PM
> To: Benjamin Kaduk <kaduk@mit.edu>; draft-ietf-dots-signal-
> channel@ietf.org
> Cc: dots@ietf.org
> Subject: Re: [Dots] AD review of draft-ietf-dots-signal-channel-25 (5th Part)
> 
> This email originated from outside of the organization. Do not click links or
> open attachments unless you recognize the sender and know the content is
> safe.
> 
> Hi Ben,
> 
> Please see inline.
> 
> Cheers,
> Med
> 
> > -----Message d'origine-----
> > De : Benjamin Kaduk [mailto:kaduk@mit.edu] Envoyé : mercredi 16
> > janvier 2019 01:14 À : draft-ietf-dots-signal-channel@ietf.org
> > Cc : dots@ietf.org
> > Objet : AD review of draft-ietf-dots-signal-channel-25
> >
> > Section 7.2
> >
> > The TLS 1.3 handshake with 0-RTT diagram needs to be
> > revisited/refreshed, as RFC 8446 does not look like that.
> > Additionally, the usage of PSK as well as a certificate is not defined
> > until draft-housley-tls-tls13-cert-with-extern-psk is published.
> > I also note that in the diagram as presented, the client is not yet
> > known to be authenticated when the server sends its initial (0.5-RTT)
> > DOTS signal message.
> >
> 
> [Med] Noted. Thanks.

The DOTS signal channel draft is discussing PSK with (EC)DHE key establishment explained in RFC8446, and I don't see the need to refer to draft-housley-tls-tls13-cert-with-extern-psk-00. 
The 0-RTT diagram is a simplified version of 0-RTT just like the Figure 1 in https://tools.ietf.org/html/draft-ietf-quic-tls-17.

The only correction required to the diagram is end_of_early_data must be sent along with the client Finished message.

> 
> > Section 7.3
> >
> > This whole section seems to only be relevant for UDP usage, so
> > probably the "If UDP is used" clause can be dropped and an
> > introductory statement added earlier on.
> 
> [Med] Will consider that.
> 
> >
> >                               Path MTU MUST be greater than or equal to
> >    [CoAP message size + DTLS overhead of 13 octets + authentication
> >    overhead of the negotiated DTLS cipher suite + block padding]
> >    (Section 4.1.1.1 of [RFC6347]).  If the request size exceeds the path
> >    MTU then the DOTS client MUST split the DOTS signal into separate
> >    messages, for example the list of addresses in the 'target-prefix'
> >    parameter could be split into multiple lists and each list conveyed
> >    in a new PUT request.
> >
> > (DTLS 1.3 will have a short header for some packets, that is less than
> > 13 octets.)
> 
> [Med] The text is more about 1.2. We can add a 1.3 note if you think it is
> useful for the discussion.

We should say "DTLS 1.2 overhead of 13 octets"
In DTLS 1.3 DTLSCiphertext structure is variable length (full header is of size 6 octets). 

> 
> >
> > Section 8
> >
> > We've got some requirements in here about limiting behavior of
> > clients/servers when talking to gateways; is knowing about the
> > presence of a gateway something that's required to happen out of band
> > or is there an in-band way to identify that the peer is a gateway?
> 
> [Med] An agent does not necessary know that it peer is gateway. A gateway
> is seen as a server for the client, and a client for a server.
> 
> >
> >    messages from an authorized DOTS gateway, thereby creating a two-link
> >    chain of transitive authentication between the DOTS client and the
> >    DOTS server.
> >
> > This seems to ignore the possibility of setups that include both
> > client-domain and server-domain gateways.
> 
> [Med] I updated the text to mention this is only an example.
> 
> >
> >                  DOTS client certificate validation MUST be performed as
> >    per [RFC5280] and the DOTS client certificate MUST conform to the
> >    [RFC5280] certificate profile.  [...]
> >
> > This seems to duplicate a requirement already stated in Section 7.1;
> > it's probably best to only have normative language in one location,
> > even if we need to mention the topic in multiple locations.
> > Similarly for the mutual authentication requirement, which we
> > duplicate in the second and fourth paragraphs of this section.
> 
> [Med] Good point. Fixed.
> 
> >
> > If we don't want to use example.com vs. example.net as sample domains,
> > we can also use whateverwewant.example, per RFC 6761.
> 
> [Med] Will maintain the ones already in the draft. Thanks.
> 
> >
> > Section 9
> >
> > We should mention the media-type allocation in the top-level section.
> 
> [Med] Will fix that.
> 
> >
> > "mappings to CBOR" feels confusing to me, since it leaves empty what
> > we are mapping from.  Perhaps just talking about a registry of "CBOR
> > map keys" would be better, both here and in the Section 9.3 intro.
> >
> 
> [Med] Unless there is an objection, I can use "CBOR Map Keys".

I don't see "CBOR Map Keys" defined or used anywhere in the draft. 

> 
> > Section 9.3
> >
> > I suggest being very explicit about whether new requests for
> > registration should be directed to the mailing list or to IANA, as
> > we've had some confusion about this elsewhere.
> >
> > The criteria used by the experts also just lists things they should
> > consider, but does not provide full clarity on which answer to the
> > question is more likely to be approved.  (And yes, I know that this
> > text is largely copied from already published RFCs, but we can still
> > do
> > better.)
> 
> [Med] Will check this.
> 
> >
> > Section 9.3.1
> >
> > If we want the value 0 to be reserved we need to say so.
> 
> [Med] 0 is not part of the allocation range.
> 
> > Do we want to say anything about the usage of negative integers as map
> > keys?
> >
> > I suggest not mentioning the postal address, given the recent (e.g.)
> > GDPR requirements.
> 
> [Med] Good point. Done.
> 
> >
> > Section 9.3.2
> >
> > It may be worth mentioning Table 4 here as well.
> 
> [Med] OK.
> 
> >
> > Section 9.5.1
> >
> > We need to specify which range of values we are asking for an
> > allocation from.
> 
> [Med] Added a mention to 0-255 range.

As per https://www.iana.org/assignments/cbor-tags/cbor-tags.xhtml the allowed range is 23-255.

> 
> >
> > Section 9.6.1
> >
> > As above, specify what range we're asking about.
> 
> [Med] OK.

The range is already defined in section 9.6.1.1 

Cheers
-Tiru

> 
> >
> > I expect the current text to get some IESG (or directorate) feedback
> > that the Data Item and Semantics descriptions are repetitive and banal.
> >
> > Section 9.7
> >
> > IIUC, IANA is going to ask if we want this module to be "maintained by
> > IANA", so it would be good to have an answer ready even if we don't
> > put it in the document text.
> 
> [Med] This is discussed in -26.
> 
> >
> >    Rate-limiting DOTS requests, including those with new 'cuid' values,
> >    from the same DOTS client defends against DoS attacks that would
> >
> > With respect to "new" 'cuid' values, is the server required to
> > remember which ones it has seen in perpetuity, or can it time them out
> > eventually?
> 
> [Med] The attack vector is a DOTS client which changes frequently its cuid.
> The DOTS server can set an interval in which the same client cannot present
> a new cuid.
> 
> >
> > Section 10
> >
> > The security considerations seem to be taking a narrow focus on the
> > requirements for and consequences of specific bits on the wire in the
> > signal channel protocol.  I think it's appropriate to also include
> > some high-level thoughts about the functional behavior of the
> > protocol, allowing to signal that an attack is underway and trigger
> > mitigation, increasing the availability of services, etc., and the
> > risks that are posed by the protocol failing to work properly, whether
> > that means letting attack traffic through or improperly blocking
> > legitimate traffic.
> 
> [Med] Would a pointer to the architecture/requirements I-Ds be sufficient to
> cover to high-level aspects?
> 
> >
> > Section 13.1
> >
> > I think the IANA registries should be listed as Informational and not
> > Normative references.
> >
> 
> [Med] Done.
> 
> > Section 13.2
> >
> > Pending resolution of the question about using
> > draft-ietf-core-yang-cbor rules or RFC7951+RFC7049, the
> > draft-ietf-core-yang-cbor reference may need to be Normative.
> 
> [Med] Please refer to my answer to that question. draft-ietf-core-yang-cbor is
> informative.
> 
> >
> > Given that "URI" is a well-known abbreviation, we may be able to get
> > away with not citing RFC 3986.  On the other hand, it's not causing
> > any harm to leave it in...
> 
> [Med] Will leave it.
> 
> >
> > RFC 4632 needs to be Normative, since we need to know CIDR to
> > encode/decode target-prefixes.
> 
> [Med] Works for me.
> 
> >
> > Similarly, I think that RFCs 6234
> 
> [Med] This one is not listed as normative because other hash algos may be
> used.
> 
> , 7413
> [Med] The support if TFO is not mandatory.
> 
> , 7589
> [Med] This is a MAY in the spec. It is just fine to leave it as informative..
> 
> , 7918
> [Med] Idem as TFO.
> 
> , 7924
> [Med] Idem as TFO.
> 
> , and 7951
> [Med] this one was not listed as normative because the document lists two
> ways to do the mapping.
> 
> > should also be Normative.
> >
> >
> > -Ben
> 
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots

v2.40.4 | Report a Bug | By Email | System Status