Re: [Dots] AD Review of draft-ietf-dots-multihoming-10
Roman Danyliw <rdd@cert.org> Mon, 14 March 2022 22:15 UTC
Return-Path: <rdd@cert.org>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AC0D3A08A6 for <dots@ietfa.amsl.com>; Mon, 14 Mar 2022 15:15:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.91
X-Spam-Level:
X-Spam-Status: No, score=-6.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=seicmu.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kM_bG1TtPbG5 for <dots@ietfa.amsl.com>; Mon, 14 Mar 2022 15:15:46 -0700 (PDT)
Received: from USG02-BN3-obe.outbound.protection.office365.us (mail-bn3usg02on0095.outbound.protection.office365.us [23.103.208.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B94BC3A0898 for <dots@ietf.org>; Mon, 14 Mar 2022 15:15:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=JTmdLv9wwCrFcDGEPRlh6gq/lEt2pd/+BGFL4vwPUnQEH/MJBdENbZHrpb+OZ7zQAjqu4sVs4ok/UacG9RvWP44nVESlEKvoutqsziHi1p3y0buAQiT8okCvMtGDlTqM3LrCKbAX3luxBTkSqIaqeCnrcMCO8dtK8WlkikvxCAnzZIw16u+zxJ9UZ+Sqs1dLrH/RQDhCqtuwR5YHoOlwZFNVeQ1y1iVNVuXiVSMtoWaJefSXHsJ3Y/MqMwJM2LeCDv5frzwSmewbO1fQ2BNewrITUU7ddRKgxl4jzf+lhiFiiM5wlmtzoOq8YW4Y4NO5cmtA7nDqip4MePd/CcPcEw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=hI9MLxBJf2r7N4LirsPuWnsoSLFMgIu+rJdIRaGdf00=; b=hmS2hXtp+lf/njrFt0BfG7jGICxxt96vB3IatQlEroBggkYTo/LNCYMUhWl/kJ7x7mrN04IcNgLm7p+hCz+ySD1+tDsrhCly7aCQe0J3yJytAtKkk8yj1Oh1+bwOCRWrkdMvfEchhawiX+DiObaH1jrTUuLISnZEaP438JJSCduegllOhfKdyU69jV7svQmcFZPvKlcDhnX1WDHBZtbY7JkUYJt7cjG1NduzVSbMRbWF59LMa2eyaHvhvsCBGlRfPT3rCef21IhkSo8VsbzirqQPFp5B3cA0rX+GLGLSzFvXVQoSLtCMw2GPl0jfAjrBfGI23+q4BidYVJBqykKE0w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seicmu.onmicrosoft.com; s=selector1-seicmu-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=hI9MLxBJf2r7N4LirsPuWnsoSLFMgIu+rJdIRaGdf00=; b=VaRIFtX5QgZ8UJ96A31piIzm9998C8yM/icK0oPNRtd9RPu1oA/m5uVoqLZKpFDLtA11PP5VrQ6mUICgvkkRGcy3Twbci1nokkpZL8y/na+gtdAP4RMuiVzmHzLbImgJzOaEtqCAmvmaQEhqxHQfDCPRHevfFl26PLiq1pkloPM=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1288.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:17a::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5038.14; Mon, 14 Mar 2022 22:15:43 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::3525:e765:3ea4:f086]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::3525:e765:3ea4:f086%5]) with mapi id 15.20.5038.015; Mon, 14 Mar 2022 22:15:43 +0000
From: Roman Danyliw <rdd@cert.org>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: AD Review of draft-ietf-dots-multihoming-10
Thread-Index: AdgdQRczmylxqY99T/m+05a8i9tRpgASKHyABpnQnZA=
Date: Mon, 14 Mar 2022 22:15:42 +0000
Message-ID: <BN2P110MB110777CDACDCCD24EF09CD07DC0F9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <BN2P110MB1107E72FCCFCF1E866861710DC2D9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <5754_1644397847_62038517_5754_69_1_787AE7BB302AE849A7480A190F8B93303548E7BB@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <5754_1644397847_62038517_5754_69_1_787AE7BB302AE849A7480A190F8B93303548E7BB@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Enabled=true; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SetDate=2022-02-09T08:46:59Z; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Method=Privileged; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Name=unrestricted_parent.2; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SiteId=90c7a20a-f34b-40bf-bc48-b9253b6f5d20; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ActionId=1fb505bc-6d53-4dcd-a11b-699d31a037a6; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ContentBits=0
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2d11bdca-0dd0-4d24-b624-08da06082e31
x-ms-traffictypediagnostic: BN2P110MB1288:EE_
x-microsoft-antispam-prvs: <BN2P110MB1288A175C6828B975FD95D8FDC0F9@BN2P110MB1288.NAMP110.PROD.OUTLOOK.COM>
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: lW10J7lXYDZtB3vS+gkvnH1EmDNJVEnuKPRlCMQsrE3QJw02M2jv4nDrZKk95F5JHKNbgWCBrDa2urbY+AbQx2QM4FP5zjbyOj9dbHRX+C4k7hs8UY1Ic/uVFMVlrcTzdb9STpcXGFGU7YP/LkAU4bVJR117lJLfex5XiV8d5MntvQodBy2HleeIl3HEqEInBDMGYGbFDPEJ8kYjV4X/80Z19EGoeQ4TGvTJM3EcFUzgDznFJ4Y+V0HSzlromOdxgJrnFspc9uqj3QaZQUH4gungYvUixoQz7tDKCwpqj+2dpwPwZ+3nkRjx8EBWz2ES9DTHXdeVypj3R7fvjvvHKARZ3EkgAa/u+dJQNW4Mn54eDoPZ41MxSEVcs+r5RpNVfTIy/5AZinAgwpzPMJsymnXsAlKgwdCiv1IKMuBUE4fL6dw72AzGzGD3RhNK/S+oMds2r16IP5TUwHmHDMidozP5xUq9AEj8kUwZPDWt8fdrV4dKCHANZ6y10DO4LI52Oz57JZGA+3rVOZDbQmU4EN8s5qzF0f8ntrSJB/bE/LVqm41Afi3MNIYBO8DTbk6O+ODIM1ZRhNTKProuXJvlO1UuNEvfCkIFSMebuhDIMVtH9/TqMS5j4MSBD1XbZtuJA7NWCPvsuopafnvRTJU5d7l4vxXY7g/pQyZbJH3HplvK7CwCG+KFiZPSpsrQO6TXikNeVL0NtgCRuPgYwbT2zw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230001)(366004)(5660300002)(66574015)(64756008)(8936002)(55016003)(33656002)(76116006)(86362001)(66476007)(66556008)(8676002)(966005)(26005)(66446008)(9686003)(2906002)(82960400001)(186003)(66946007)(498600001)(38100700002)(52536014)(122000001)(7696005)(6506007)(53546011)(83380400001)(71200400001)(110136005)(38070700005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 2TRXpav0iQuiUS7x+EU7BAuWIOH5M8CSHPOOyBdf9se8pnZkDKnJaprxEHhKTl355jidYIvMGyHaP0CahYey1jcLkglodcekQUBigENdhg66zl0nReeSdO3YcXORxfrgKtORs2CUsJ/+Tmnh1DCg9Q==
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 2d11bdca-0dd0-4d24-b624-08da06082e31
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Mar 2022 22:15:42.9611 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1288
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/B_O2qoBoyrkibbURT53ss6KQv0Y>
Subject: Re: [Dots] AD Review of draft-ietf-dots-multihoming-10
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Mar 2022 22:15:52 -0000
Hi Med! Thanks for these changes. They address my AD review. I've advanced the document to IETF LC. Roman > -----Original Message----- > From: Dots <dots-bounces@ietf.org> On Behalf Of > mohamed.boucadair@orange.com > Sent: Wednesday, February 9, 2022 4:11 AM > To: Roman Danyliw <rdd@cert.org>; dots@ietf.org > Subject: Re: [Dots] AD Review of draft-ietf-dots-multihoming-10 > > Hi Roman, > > Many thanks for the review. Much appreciated! > > The changes can be tracked at: https://tinyurl.com/dots-multihoming-latest. > > Please see inline for more context. > > Cheers, > Med > > > -----Message d'origine----- > > De : Dots <dots-bounces@ietf.org> De la part de Roman Danyliw Envoyé : > > mercredi 9 février 2022 00:16 À : dots@ietf.org Objet : [Dots] AD > > Review of draft-ietf-dots-multihoming-10 > > > > Hi! > > > > I performed an AD review of draft-ietf-dots-multihoming-10. Ben and I > > swapped on this document so I'll be the responsible AD from now on. > > Thanks for writing these operational considerations. > > > > The document is in good shape. I primarily have a few suggested > > editorial clarifications and a few places where a bit more clarity > > might be helpful. > > > > ** Section 5.*. Should the diagrams or the associated text be clearer > > on the relationship between the CPE and the DOTS clients. > > > > -- For Section 5.1, C = the CPE? > > -- For Section 5.2, G = the CPE? > > -- For Section 5.3, G1 and G2 = the CPEs? > > [Med] I agree. Updated the text and the figures as appropriate. > > > etc... > > > > ** Section 5.1. > > For each provisioning domain, the DOTS client MUST resolve the DOTS > > server's name provided by a provisioning domain [RFC8973] using the > > DNS servers learned from the respective provisioning domain (or the > > DNS servers associated with the interface(s) for which a DOTS server > > was explicitly configured). > > > > -- Editorially, given the repetition of "provisioning domain", I had > > trouble parting this sentence. > > > > -- I'm also wondering if the first step of this scenario is that the > > interface should provision itself per [RFC8973]? > > [Med] RFC8973 covers also explicit configuration. The first sentence says that: > assuming that a name is available from the upstream domain following the > means discussed in 8973, here is what to do for resolving that name. > > > > > -- Per the guidance on resolving the DOTS server. The options seem to > > be to use the DNS server the CPE learned from the network or the one > > configured for the interface. The direction is clear, but I'm trying > > to understand the intent. Is this trying to provide explicit guidance > > to not use some system wide resolver configuration? > > [Med] The text covers the specific case when the DOTS server is provided by > the upstream domain. Blindly using any DNS server may lead to failure to > resolve the name. > > If you don't get the > > DNS configuration from local policy and not from the network, I'm not > > sure where else if could come from. > > > > To be concrete, does the following mean the same thing: > > > > NEW > > For each provisioning domain, the DOTS client MUST use the procedures > > of [RFC8973] to discover the associated DOTS server(s). Furthermore, > > the DOTS client MUST resolve the DOTS server's name using either the > > DNS server learned from the provisioning domain or from a DNS server > > explicitly configured with the interface . > > [Med] What about the following: > > The DOTS client MUST resolve the DOTS server's name provided by each > provisioning domain using either the DNS servers learned from the > respective provisioning domain or from the DNS servers associated > with the interface(s) for which a DOTS server was explicitly > configured (Section 4). > > > Note that the pointer to Section 4 targets specifically this part: > > If a DOTS server is explicitly configured, it is assumed that an > interface is also provided to bind the DOTS service to an > interconnection link. If no interface is provided, this means that > the DOTS server can be reached via any active interface. > > > > > ** Section 5.1. > > The DOTS client SHOULD use the certificate > > provisioned by a provisioning domain to authenticate itself to the > > DOTS server(s) provided by the same provisioning domain. > > > > Is there an automated mechanism to get this certificate being hinted > > at, or is this certificate provisioned by some out-of-band (and > > out-of- > > scope) mechanism? > > [Med] This is out of scope. Added a note to record this. > > > > > ** Section 5.1 > > The DOTS client MUST be able to associate a DOTS server with each > > provisioning domain. > > > > The subsequent example text clarifies the intent. On first read it > > seems like the normative guidance is that there must be a DOTS server > > with each PD. Would the following be clearer? > > > > NEW: > > The DOTS client MUST be able to associate a DOTS server with the > > provisioning domain it serves. > > [Med] Works for me. Thanks. > > > > > ** Section 5.2. > > Figure 6 illustrates a first set of DOTS sessions that can be > > established with a client-domain DOTS gateway > > > > What are the "first set of DOTS sessions"? > > [Med] s/first set of DOTS sessions/DOTS sessions > > > > > ** Section 5.2. Typo. s/addreses/addresses/ > > [Med] Fixed. > > > > > ** Section 5.2 > > > > The CPE MUST select the appropriate source IP address when forwarding > > DOTS messages received from an internal DOTS client. > > > > Is this guidance specific only to Figure 6 where the gateway is present? > > [Med] This applies when the CPE does not host a dots gateway. Made this > change for better clarity (merge): > > OLD: > > For both deployments depicted in Figures 7 and 8, each DOTS client > SHOULD be provided with policies (e.g., a prefix filter that will be > against DDoS detection alarms) that will trigger DOTS communications > with the DOTS servers. Such policies will help the DOTS client to > select the appropriate destination DOTS server. > > The CPE MUST select the appropriate source IP address when forwarding > DOTS messages received from an internal DOTS client. > > NEW: > > For both deployments depicted in Figures 7 and 8, each DOTS client > SHOULD be provided with policies (e.g., a prefix filter that will be > against DDoS detection alarms) that will trigger DOTS communications > with the DOTS servers. Such policies will help the DOTS client to > select the appropriate destination DOTS server. The CPE MUST select > the appropriate source IP address when forwarding DOTS messages > received from an internal DOTS client. > > > > > ** Section 5.3. Editorial. > > OLD > > A client-domain DOTS gateway is enabled in each CPE (rtr1, rtr2). > > > > NEW > > A client-domain DOTS gateway is enabled in each CPE (rtr1 and rtr2 per > > Table 1; and G1 and G2 per Figure 9). > > > > [Med] Changed to: > > o A client-domain DOTS gateway is enabled in each CPE (rtr1 and rtr2 > per Table 1). > > The link between rtrs/Gs was clarified in the updated Figure 9. > > > Regards, > > Roman > > > > _______________________________________________ > > Dots mailing list > > Dots@ietf.org > > https://www.ietf.org/mailman/listinfo/dots > > ___________________________________________________________________ > ______________________________________________________ > > Ce message et ses pieces jointes peuvent contenir des informations > confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou > copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le > signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages > electroniques etant susceptibles d'alteration, Orange decline toute > responsabilite si ce message a ete altere, deforme ou falsifie. Merci. > > This message and its attachments may contain confidential or privileged > information that may be protected by law; they should not be distributed, used > or copied without authorisation. > If you have received this email in error, please notify the sender and delete this > message and its attachments. > As emails may be altered, Orange is not liable for messages that have been > modified, changed or falsified. > Thank you. > > _______________________________________________ > Dots mailing list > Dots@ietf.org > https://www.ietf.org/mailman/listinfo/dots
- [Dots] AD Review of draft-ietf-dots-multihoming-10 Roman Danyliw
- Re: [Dots] AD Review of draft-ietf-dots-multihomi… mohamed.boucadair
- Re: [Dots] AD Review of draft-ietf-dots-multihomi… Roman Danyliw