Re: [Dots] Erik Kline's No Objection on draft-ietf-dots-rfc8782-bis-07: (with COMMENT)
mohamed.boucadair@orange.com Thu, 03 June 2021 08:16 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 294A63A2F36; Thu, 3 Jun 2021 01:16:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.796
X-Spam-Level:
X-Spam-Status: No, score=-2.796 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QpIihdTzl-xW; Thu, 3 Jun 2021 01:16:54 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.66.39]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A46833A2F5C; Thu, 3 Jun 2021 01:16:53 -0700 (PDT)
Received: from opfedar02.francetelecom.fr (unknown [xx.xx.xx.4]) by opfedar26.francetelecom.fr (ESMTP service) with ESMTP id 4Fwdz75ntJzFq1g; Thu, 3 Jun 2021 10:16:51 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1622708211; bh=R82Kmqwj7OoDiD2EsLcC7cw2blL9pf2LP6eNslUJ52M=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=ml2PpnseW4XVqMVFOjoCaurn8Jok0XOQuMHkgc/DsQrzQlHzP8+317tC3+NDJ00vT 4UroHN0pIMt9d3YnQysv6viwcoe5+M+xo0trv7lR6lZyPvGvTN3A8bzf5nJd3R1BBX E8hnOKeoSXtIfGxBSHvWHo5BtfIuKxs5tK2vYiG+RSXHdTYc9TKyDWJl1vd+h63hzQ Nb1h5nJRpWV/YwxmQTzBiSs00BeUisijucoeylUE0BRTq9n7HPPFuklYa3pcFzK5Cx wGiRpWgMH4zWH1uU5UmTcSpgYfFkV8kKP9ABsstuhbVw8we2QbQl2s1l2FjsBcJcGC lTwy1SEfrlNhg==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.38]) by opfedar02.francetelecom.fr (ESMTP service) with ESMTP id 4Fwdz74JCmzCqkd; Thu, 3 Jun 2021 10:16:51 +0200 (CEST)
From: mohamed.boucadair@orange.com
To: Erik Kline <ek.ietf@gmail.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-dots-rfc8782-bis@ietf.org" <draft-ietf-dots-rfc8782-bis@ietf.org>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>, "dots@ietf.org" <dots@ietf.org>, "valery@smyslov.net" <valery@smyslov.net>
Thread-Topic: Erik Kline's No Objection on draft-ietf-dots-rfc8782-bis-07: (with COMMENT)
Thread-Index: AQHXWD77ZxlT8QPpBk2F+G0JieRroKsB4hng
Date: Thu, 03 Jun 2021 08:16:51 +0000
Message-ID: <28147_1622708211_60B88FF3_28147_159_1_787AE7BB302AE849A7480A190F8B933035396DD3@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <162270054186.18148.14870101120799116947@ietfa.amsl.com>
In-Reply-To: <162270054186.18148.14870101120799116947@ietfa.amsl.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.245]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/-wdIB4KGe88wkrqdMrzdo7cZ_LA>
Subject: Re: [Dots] Erik Kline's No Objection on draft-ietf-dots-rfc8782-bis-07: (with COMMENT)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Jun 2021 08:17:00 -0000
Hi Erik, Thanks for the review. Please see inline. Cheers, Med > -----Message d'origine----- > De : Erik Kline via Datatracker [mailto:noreply@ietf.org] > Envoyé : jeudi 3 juin 2021 08:09 > À : The IESG <iesg@ietf.org> > Cc : draft-ietf-dots-rfc8782-bis@ietf.org; dots-chairs@ietf.org; > dots@ietf.org; valery@smyslov.net; valery@smyslov.net > Objet : Erik Kline's No Objection on draft-ietf-dots-rfc8782-bis-07: > (with COMMENT) > > Erik Kline has entered the following ballot position for > draft-ietf-dots-rfc8782-bis-07: No Objection > > When responding, please keep the subject line intact and reply to > all email addresses included in the To and CC lines. (Feel free to > cut this introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss- > criteria.html > for more information about DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-dots-rfc8782-bis/ > > > > -------------------------------------------------------------------- > -- > COMMENT: > -------------------------------------------------------------------- > -- > > [S3] [comment] > > * I don't know if it's really necessary to dredge up RFC 6296, but I > understand the desire for completeness. > [Med] You got the intent about the completeness. The key point is that we are not recommending it, but just cite as one example where things may be broken. > [S4.4.1.1] [question] > > * For "lifetime" in the case where a "target-fqdn" was given, should > the > resolution library's knowledge of the DNS RR TTL value(s) be > factored in? > > For example, what does lifetime=3600s mean for a hostname whose > A/AAAA > RRs have only 5 minute lifetimes? Is the DOTS server/enforcer > expected > to continuously re-resolve every ${DNS_RR_TTL} and apply the > policy for > up to the full 3600 seconds [Med] Yeah. When possible, the client makes sure that the resolved addresses are valid during the mitigation lifetime. If a resolved address flushed out (e.g., DNS TTL expiry) while the mitigation is still active (pending lifetime!=0), the resolution library should be solicited. As we don't impose any requirement on the name resolution library (and especially whether it exposes a validity timeout), I suggest the following change: OLD: How a name is passed to an underlying name resolution library is implementation and deployment specific. Nevertheless, once the name is resolved into one or multiple IP addresses, DOTS servers MUST apply the same validation checks as those for 'target- prefix'. NEW: How a name is passed to an underlying name resolution library is implementation and deployment specific. Nevertheless, once the name is resolved into one or multiple IP addresses, DOTS servers MUST apply the same validation checks as those for 'target- prefix'. These validation checks are reiterated by the DOTS client each time a name is passed to the underlying name resolution library (e.g., upon expiry of DNS TTL). , or is the DNS RR TTL ignored once the > resolution has been confirmed to have succeeded or failed? > _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
- [Dots] Erik Kline's No Objection on draft-ietf-do… Erik Kline via Datatracker
- Re: [Dots] Erik Kline's No Objection on draft-iet… mohamed.boucadair
- Re: [Dots] Erik Kline's No Objection on draft-iet… Erik Kline
- Re: [Dots] Erik Kline's No Objection on draft-iet… mohamed.boucadair