IETF Logo Mail Archive

Re: [Dots] Adoption call for draft-reddy-dots-home-network-04

<mohamed.boucadair@orange.com> Wed, 24 April 2019 13:11 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BF6012009A; Wed, 24 Apr 2019 06:11:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qFt9zrQUknNI; Wed, 24 Apr 2019 06:11:46 -0700 (PDT)
Received: from orange.com (mta134.mail.business.static.orange.com [80.12.70.34]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18917120019; Wed, 24 Apr 2019 06:11:46 -0700 (PDT)
Received: from opfednr01.francetelecom.fr (unknown [xx.xx.xx.65]) by opfednr27.francetelecom.fr (ESMTP service) with ESMTP id 44q11D3Yzrz4wsQ; Wed, 24 Apr 2019 15:11:44 +0200 (CEST)
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.101]) by opfednr01.francetelecom.fr (ESMTP service) with ESMTP id 44q11D2mQszDq86; Wed, 24 Apr 2019 15:11:44 +0200 (CEST)
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBM6F.corporate.adroot.infra.ftgroup ([fe80::c489:b768:686a:545b%23]) with mapi id 14.03.0439.000; Wed, 24 Apr 2019 15:11:44 +0200
From: mohamed.boucadair@orange.com
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, Valery Smyslov <valery@smyslov.net>, "dots@ietf.org" <dots@ietf.org>
CC: "dots-chairs@ietf.org" <dots-chairs@ietf.org>, "kaduk@mit.edu" <kaduk@mit.edu>
Thread-Topic: [Dots] Adoption call for draft-reddy-dots-home-network-04
Thread-Index: AdTuHVZNyfDh6IMnTiyfhZP8vM2pOAMPXcMAAAHlewAAACVi8AABQijQAAj4x4AAAJCXsAADitfgAAByLdA=
Date: Wed, 24 Apr 2019 13:11:43 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302EA64E53@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <023d01d4ee1f$c2bcb190$483614b0$@smyslov.net> <019001d4fa5a$cf08fb60$6d1af220$@smyslov.net> <787AE7BB302AE849A7480A190F8B93302EA648E7@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB27907ABC5E91DD572EBE7807EA3C0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA649DB@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB2790ED963937C8C15B319F63EA3C0@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA64C46@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB27902B9175E96A2062D06E83EA3C0@BYAPR16MB2790.namprd16.prod.outlook.com>
In-Reply-To: <BYAPR16MB27902B9175E96A2062D06E83EA3C0@BYAPR16MB2790.namprd16.prod.outlook.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.245]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/OSZEwJXlPGOvPJXeOKHwYuQ786k>
Subject: Re: [Dots] Adoption call for draft-reddy-dots-home-network-04
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Apr 2019 13:11:48 -0000

Re-,

Please see inline. 

Cheers,
Med
> -----Message d'origine-----
> De : Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> Envoyé : mercredi 24 avril 2019 14:56
> À : BOUCADAIR Mohamed TGI/OLN; Valery Smyslov; dots@ietf.org
> Cc : dots-chairs@ietf.org; kaduk@mit.edu
> Objet : RE: [Dots] Adoption call for draft-reddy-dots-home-network-04
> 
> > -----Original Message-----
> > From: mohamed.boucadair@orange.com
> > <mohamed.boucadair@orange.com>
> > Sent: Wednesday, April 24, 2019 4:48 PM
> > To: Konda, Tirumaleswar Reddy
> > <TirumaleswarReddy_Konda@McAfee.com>; Valery Smyslov
> > <valery@smyslov.net>; dots@ietf.org
> > Cc: dots-chairs@ietf.org; kaduk@mit.edu
> > Subject: RE: [Dots] Adoption call for draft-reddy-dots-home-network-04
> >
> > This email originated from outside of the organization. Do not click links
> or
> > open attachments unless you recognize the sender and know the content is
> > safe.
> >
> > Re-,
> >
> > Please see inline.
> >
> > Cheers,
> > Med
> >
> > > -----Message d'origine-----
> > > De : Konda, Tirumaleswar Reddy
> > > [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > Envoyé : mercredi 24 avril 2019 13:01
> > > À : BOUCADAIR Mohamed TGI/OLN; Valery Smyslov; dots@ietf.org Cc :
> > > dots-chairs@ietf.org; kaduk@mit.edu Objet : RE: [Dots] Adoption call
> > > for draft-reddy-dots-home-network-04
> > >
> > > > -----Original Message-----
> > > > From: mohamed.boucadair@orange.com
> > > > <mohamed.boucadair@orange.com>
> > > > Sent: Wednesday, April 24, 2019 12:18 PM
> > > > To: Konda, Tirumaleswar Reddy
> > > > <TirumaleswarReddy_Konda@McAfee.com>; Valery Smyslov
> > > > <valery@smyslov.net>; dots@ietf.org
> > > > Cc: dots-chairs@ietf.org; kaduk@mit.edu
> > > > Subject: RE: [Dots] Adoption call for
> > > > draft-reddy-dots-home-network-04
> > > >
> > > >
> > > >
> > > > Re-,
> > > >
> > > > Please see inline.
> > > >
> > > > Cheers,
> > > > Med
> > > >
> > > > > -----Message d'origine-----
> > > > > De : Konda, Tirumaleswar Reddy
> > > > > [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > > > Envoyé : mercredi 24 avril 2019 08:13 À : BOUCADAIR Mohamed
> > > > > TGI/OLN; Valery Smyslov; dots@ietf.org Cc :
> > > > > dots-chairs@ietf.org; kaduk@mit.edu Objet : RE: [Dots] Adoption
> > > > > call for draft-reddy-dots-home-network-04
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Dots <dots-bounces@ietf.org> On Behalf Of
> > > > > > mohamed.boucadair@orange.com
> > > > > > Sent: Wednesday, April 24, 2019 11:26 AM
> > > > > > To: Valery Smyslov <valery@smyslov.net>; dots@ietf.org
> > > > > > Cc: dots-chairs@ietf.org; kaduk@mit.edu
> > > > > > Subject: Re: [Dots] Adoption call for
> > > > > > draft-reddy-dots-home-network-04
> > > > > >
> > > > > > This email originated from outside of the organization. Do not
> > > > > > click links
> > > > > or
> > > > > > open attachments unless you recognize the sender and know the
> > > > > > content is safe.
> > > > > >
> > > > > > Re-,
> > > > > >
> > > > > > Please see inline.
> > > > > >
> > > > > > Cheers,
> > > > > > Med
> > > > > >
> > > > > > > -----Message d'origine-----
> > > > > > > De : Dots [mailto:dots-bounces@ietf.org] De la part de Valery
> > > > > > > Smyslov Envoyé : mercredi 24 avril 2019 07:02 À : dots@ietf.org
> Cc :
> > > > > > > dots-chairs@ietf.org; kaduk@mit.edu Objet : Re: [Dots]
> > > > > > > Adoption call for draft-reddy-dots-home-network-04
> > > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > we received a lot of replies supporting adoption of the document.
> > > > > > > So, the document is adopted. Authors, please re-submit it as
> > > > > > > WG
> > > draft.
> > > > > > >
> > > > > > > A couple of comments.
> > > > > > > 1. The draft uses few times a keyword "MAY NOT". This
> > > > > > > combination is
> > > > not
> > > > > > >      among the list of RFC requirement keywords (it is not
> > > > > > > listed
> > > neither
> > > > > > >      in RFC2119, nor in RFC8174). If the intent was to use RFC
> > > > > requirement
> > > > > > >      language, then I'd suggest replacing it with one of MUST
> > > > > > > NOT, SHALL NOT,
> > > > > > >      SHOULD NOT. Otherwise please make it lowcase.
> > > > > > >
> > > > > >
> > > > > > [Med] Good catch. Fixed.
> > > > > >
> > > > > > > 2. When describing transport, the draft allows both TLS and DTLS.
> > > What
> > > > > > >      makes me confusing is that the draft describes it several
> > > > > > > times as "TCP/TLS or DTLS".
> > > > > > >      Why TCP is ever mentioned here? We all know that TLS
> > > > > > > usually runs
> > > > > over
> > > > > > >      TCP (however we now have QUICK) and DTLS runs over UDP.
> > > > > > >      The way it is presented in the draft makes me think that
> > > probably
> > > > > > >      plain TCP is also allowed as a transport, but is seems to
> > > contradict
> > > > > > >      everything I read about DOTS. Am I missing something here?
> > > > > > >
> > > > > >
> > > > > > [Med] Plain TCP is not allowed. The intent was to be explicit
> > > > > > that there is
> > > > > a
> > > > > > reversal in both TCP and TLS layers, but as you rightfully
> > > > > > raised this may
> > > > > be
> > > > > > confusing since, for the DOTS case, it is trivial that the
> > > > > > reversal of TLS
> > > > > roles
> > > > > > implies the reversal of TCP ones.
> > > > >
> > > > > RESTCONF call home only reverses the TCP role but not the TLS
> > > > > role. In DOTS case, the server has to initiate DTLS handshake for
> > > > > UDP. To keep the roles same for TCP,  TLS handshake is also initiated
> by
> > the server.
> > > >
> > > > [Med] You missed "for the DOTS case" in my previous reply :-)
> > > >
> > > > We do have the following in the draft:
> > > >
> > > >                    DOTS                                DOTS
> > > >                   Server                              Client
> > > >                     |                                    |
> > > >                     |         1. (D)TLS connection       |
> > > >                     |----------------------------------->|
> > > >                     |         2. Mitigation request      |
> > > >                     |<-----------------------------------|
> > > >                     |                                    |
> > > >
> > > > That can be trivially expanded as follows for the TLS case:
> > > >
> > > >                    DOTS                                DOTS
> > > >                   Server                              Client
> > > >                     |                                    |
> > > >                     |         1.1. TCP                   |
> > > >                     |----------------------------------->|
> > > >                     |         1.2. TLS                   |
> > > >                     |----------------------------------->|
> > > >                     |         2. Mitigation request      |
> > > >                     |<-----------------------------------|
> > > >                     |                                    |
> > >
> > > Okay.
> > >
> > > >
> > > >
> > > > As mentioned earlier, the use of TCP/TLS is OK but it may be
> > > > confusing as initially raised by Valery.
> > >
> > > The updated text is not accurate if TCP is not covered, role reversal
> > > at TLS does not mean role reversal at TCP.
> >
> > [Med] The updated text is still fine (ref to Figure 1). We don't have any
> > ambiguity in the procedure part with regards to TCP. We explicitly say the
> > following:
> >
> >        If TCP is used, the DOTS server begins by initiating a TCP
> >        connection to the DOTS client.  The DOTS client MUST support
> >        accepting TCP connections on the IANA-assigned port number
> >        defined in Section 4.1, but MAY be configured to listen to a
> >        different port number.  Using this TCP connection, the DOTS
> >        server initiates a TLS connection to the DOTS client.
> >
> > > Similar to (D)TLS, I prefer explicit text to say role reversal at TCP.
> >
> > [Med] We already have such text (see the above excerpt).
> 
> [TR] Yes, but the updated sentences are incomplete/incorrect at various
> places. I have listed one of the inconsistencies below
> 
>    The one and only role reversal that
>    occurs are at the TLS or DTLS layers; that is, the DOTS server acts
>    as a DTLS client and the DOTS client acts as a DTLS server or the
>    DOTS server acts as a TLS client and the DOTS client acts as a TLS
>    server.  The DOTS server initiates TLS handshake or DTLS handshake to
>    the DOTS client.
> 
> The above update means no role reversal at the TCP layer !

[Med] This text assumes that the TCP is implicitly covered by "TLS layer" (refer again to Figure 1). There is no ambiguity that the reversal at the TLS layer for the DOTS case implies a reversal of the TCP roles, because otherwise the connection cannot be established at the first place (due to the presence of NATs/FWs) !

We can removed "one and only" if this really hurts, though.

v2.23.0 | Report a Bug | By Email