Re: [Dots] Alexey Melnikov's Discuss on draft-ietf-dots-signal-channel-31: (with DISCUSS and COMMENT)

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Thu, 02 May 2019 13:02 UTC

Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 057B01200FC; Thu, 2 May 2019 06:02:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yl9a3q2Yx-cb; Thu, 2 May 2019 06:02:54 -0700 (PDT)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7C151200E6; Thu, 2 May 2019 06:02:53 -0700 (PDT)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1556801781; h=From: To:CC:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-ms-office365-filtering-correlation-id: x-microsoft-antispam:x-ms-traffictypediagnostic: x-ms-exchange-purlcount:x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers:x-forefront-prvs: x-forefront-antispam-report:received-spf:x-ms-exchange-senderadcheck: x-microsoft-antispam-message-info:Content-Type: Content-Transfer-Encoding:MIME-Version:X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-CrossTenant-mailboxtype: X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Level: X-NAI-Spam-Threshold:X-NAI-Spam-Score:X-NAI-Spam-Version; bh=V7EFxbqBxd29WG/ATAENv9W/ZbBEDPqAAKmMQJ pP4yY=; b=RrG1TuvsfNBkegpCJMY/XTw8fFMAvvjh+UhEIPUa wDAt9sO5XkwaWyCsyyVF0evbODeiuQm4Kgkldt7x1FEBwKCqS5 ulxx3h71TmIwdHstYrfDQ/FeOiy2bXRiUQ7y/hZd3pXtXO4Rsz dboWoAG1nroP0uRexVlylpVImhm0SV8=
Received: from DNVEXAPP1N05.corpzone.internalzone.com (unknown [10.44.48.89]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 0d90_e61f_0737e3d1_d51c_4c61_9116_636a06d2f2aa; Thu, 02 May 2019 06:56:20 -0600
Received: from DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 2 May 2019 07:02:37 -0600
Received: from DNVO365EDGE2.corpzone.internalzone.com (10.44.176.74) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Thu, 2 May 2019 07:02:37 -0600
Received: from NAM05-CO1-obe.outbound.protection.outlook.com (10.44.176.241) by edge.mcafee.com (10.44.176.74) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 2 May 2019 07:02:36 -0600
Received: from BYAPR16MB2790.namprd16.prod.outlook.com (20.178.233.91) by BYAPR16MB2758.namprd16.prod.outlook.com (20.178.233.10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1856.11; Thu, 2 May 2019 13:02:34 +0000
Received: from BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::4873:7200:9e57:9e62]) by BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::4873:7200:9e57:9e62%5]) with mapi id 15.20.1835.018; Thu, 2 May 2019 13:02:34 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Alexey Melnikov <aamelnikov@fastmail.fm>, "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-dots-signal-channel@ietf.org" <draft-ietf-dots-signal-channel@ietf.org>, Xialiang <frank.xialiang@huawei.com>, "dots@ietf.org" <dots@ietf.org>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>
Thread-Topic: Alexey Melnikov's Discuss on draft-ietf-dots-signal-channel-31: (with DISCUSS and COMMENT)
Thread-Index: AQHVALPzk4IGAmdRUUORb7E5KmipGaZXyAYwgAADTYCAAABlEA==
Date: Thu, 2 May 2019 13:02:34 +0000
Message-ID: <BYAPR16MB2790CA1394E63D59AC12C34BEA340@BYAPR16MB2790.namprd16.prod.outlook.com>
References: <155672115649.991.301467308616633255.idtracker@ietfa.amsl.com> <787AE7BB302AE849A7480A190F8B93302EA68A2C@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB2790D805F0057AF598F2C0E6EA340@BYAPR16MB2790.namprd16.prod.outlook.com> <e289a531-d959-4e33-bac3-9c45f03bf75f@www.fastmail.com>
In-Reply-To: <e289a531-d959-4e33-bac3-9c45f03bf75f@www.fastmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.2.0.6
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [49.37.205.191]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a16ac8bd-cf4d-4506-ed08-08d6cefe71ef
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600141)(711020)(4605104)(2017052603328)(7193020); SRVR:BYAPR16MB2758;
x-ms-traffictypediagnostic: BYAPR16MB2758:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <BYAPR16MB2758145C66AB09C282503DF8EA340@BYAPR16MB2758.namprd16.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0025434D2D
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(136003)(376002)(396003)(39860400002)(346002)(366004)(189003)(199004)(32952001)(13464003)(80792005)(229853002)(74316002)(55016002)(26005)(966005)(72206003)(186003)(14454004)(3846002)(53936002)(9686003)(6116002)(6306002)(256004)(14444005)(5024004)(2501003)(7736002)(52536014)(305945005)(5660300002)(6436002)(6246003)(76116006)(54906003)(66066001)(76176011)(86362001)(81166006)(8676002)(316002)(66446008)(64756008)(66476007)(66556008)(81156014)(66946007)(33656002)(110136005)(53546011)(478600001)(6506007)(73956011)(4326008)(486006)(102836004)(11346002)(446003)(68736007)(476003)(25786009)(71200400001)(71190400001)(8936002)(99286004)(7696005)(2906002)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR16MB2758; H:BYAPR16MB2790.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: EAMFIDy8Jsfn14ib410Bb0D5J+JWiyLtxjO9rmgWCn6iK7gkEGp0dMtXb9a6FaH1h9vXXbTP3J1Q3pqVkPJhpzqU4mSm7pgqOe7Q2LOAQwQwjeQxeeMMjQxUmGWn2fJNAkPrS++jhr4GPybUUSMQEvFCCYftqp/RtT6rjNglc3tNJ9sA1hw1fQQyJZRayUgGkdpfkSoWA2d8yu4aZVUddU7S/fz8Tt8peHlZ47LBLb3XRTLx3J78Rq27bf/7tuUZq+ASYNzdnpuThGvC0HRyz+OzGrZygTbjY4h4pdm5782XInqaz4SveIjE1jhDPIxQbmcW9zug/gA3j6No46af5oNfpTm9zvQ75YkQquamsXV3TYPK9b4dVp9Trj7/yM+g9A/HeFjzHXjZVN2ILMykmg/A+uUq2g4VpGZJfvbavE8=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: a16ac8bd-cf4d-4506-ed08-08d6cefe71ef
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 May 2019 13:02:34.7307 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR16MB2758
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Level:
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0.1
X-NAI-Spam-Version: 2.3.0.9418 : core <6538> : inlines <7070> : streams <1820355> : uri <2839666>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/B8DhyMeZHA4XW83hOirfXDx9YM4>
Subject: Re: [Dots] Alexey Melnikov's Discuss on draft-ietf-dots-signal-channel-31: (with DISCUSS and COMMENT)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 May 2019 13:02:59 -0000

> -----Original Message-----
> From: Alexey Melnikov <aamelnikov@fastmail.fm>
> Sent: Thursday, May 2, 2019 6:26 PM
> To: Konda, Tirumaleswar Reddy
> <TirumaleswarReddy_Konda@McAfee.com>om>;
> mohamed.boucadair@orange.com; The IESG <iesg@ietf.org>
> Cc: draft-ietf-dots-signal-channel@ietf.org; Xialiang
> <frank.xialiang@huawei.com>om>; dots@ietf.org; dots-chairs@ietf.org
> Subject: Re: Alexey Melnikov's Discuss on draft-ietf-dots-signal-channel-31:
> (with DISCUSS and COMMENT)
> 
> This email originated from outside of the organization. Do not click links or
> open attachments unless you recognize the sender and know the content is
> safe.
> 
> Hi,
> 
> On Thu, May 2, 2019, at 1:47 PM, Konda, Tirumaleswar Reddy wrote:
> 
> > > > 7) In 7.1:
> > > >
> > > >    When a DOTS client is configured with a domain name of the DOTS
> > > >    server, and connects to its configured DOTS server, the server may
> > > >    present it with a PKIX certificate.  In order to ensure proper
> > > >    authentication, a DOTS client MUST verify the entire certification
> > > >    path per [RFC5280].  The DOTS client additionally uses [RFC6125]
> > > >    validation techniques to compare the domain name with the
> certificate
> > > >    provided.
> > > >
> > > > I am glad that you are referencing RFC 6125 here, but the
> > > > description is not complete. Do you allow for wildcards in
> > > > certificate subjectAltNames? Do you support CN-ID, DNS-ID, SRV-ID,
> > > > URI-ID? I think you only want to support DNS-ID and possibly
> > > > SRV-ID and CN-ID. This needs to be explicitly stated in the
> > > > document.
> > > >
> > >
> > > [Med] Fair enough. Will consider updating the text.
> >
> > We will add the following text to address the above comment:
> >
> >       Certification authorities that issue DOTS server certificates
> >       SHOULD support the DNS-ID and SRV-ID identifier types.
> >       DOTS server SHOULD prefer the use of DNS-ID  and SRV-ID
> >       over CN-ID identifier types in certificate requests
> >       (as described in Section 2.3 from [RFC6125]) and the
> >       wildcard character '*' SHOULD NOT be included in the presented
> >       identifier.
> 
> This still doesn't say whether URI-ID is allowed. May I suggest that you add
> the following sentence at the beginning of this paragraph:
> 
>        DOTS protocol doesn't use URI-IDs for server identity verification.

Thanks, will update. 

> 
> Also, I would like to understand how SRV-IDs are to be used by DOTS. The
> document doesn't register any new service name for DOTS protcol, so it is
> not clear how SRV-IDs can be used.

SRV-ID is discussed in https://tools.ietf.org/html/draft-ietf-dots-server-discovery-01 

-Tiru

> 
> Thank you,
> Alexey