IETF Logo Mail Archive

Re: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-requirements-18: (with DISCUSS and COMMENT)

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Thu, 21 February 2019 14:59 UTC

Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE12A1286E7; Thu, 21 Feb 2019 06:59:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.801
X-Spam-Level:
X-Spam-Status: No, score=-2.801 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_SORBS_WEB=1.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oCl10qYLsVeS; Thu, 21 Feb 2019 06:59:30 -0800 (PST)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 77D75124408; Thu, 21 Feb 2019 06:59:28 -0800 (PST)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1550761032; h=From: To:CC:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-ms-office365-filtering-correlation-id: x-microsoft-antispam:x-ms-traffictypediagnostic: x-microsoft-exchange-diagnostics:x-microsoft-antispam-prvs: x-forefront-prvs:x-forefront-antispam-report: received-spf:x-ms-exchange-senderadcheck:x-microsoft-antispam-message-info: Content-Type:Content-Transfer-Encoding:MIME-Version: X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-CrossTenant-mailboxtype: X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Level: X-NAI-Spam-Threshold:X-NAI-Spam-Score:X-NAI-Spam-Version; bh=st+hqCQENeUJgsowiMi9uSO0OkI+XPrRfvlOob PxrfU=; b=RGAbvssMswf3N0n7bifb8mJ75Z6lYJTgyN1l9dMF 4d2PaowzveTrlswrC0e01Y0KSE+XbckG76mSfQxxeh2biuKfjt ++rff8XKDJo9cWkPKzWGm+hk9VAd9b4RaRlcmeuQAeM76U2oVO Qb5mjh4HSk2e8VAhto/VLKb1Vp4cBHY=
Received: from DNVEXAPP1N05.corpzone.internalzone.com (unknown [10.44.48.89]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 5b5e_65cb_6508e61e_8556_470f_abb7_b3097e354ee8; Thu, 21 Feb 2019 07:57:12 -0700
Received: from DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 21 Feb 2019 07:58:56 -0700
Received: from DNVO365EDGE2.corpzone.internalzone.com (10.44.176.74) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Thu, 21 Feb 2019 07:58:56 -0700
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (10.44.176.242) by edge.mcafee.com (10.44.176.74) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 21 Feb 2019 07:58:55 -0700
Received: from BYAPR16MB2790.namprd16.prod.outlook.com (20.178.233.91) by BYAPR16MB2422.namprd16.prod.outlook.com (20.177.225.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1622.19; Thu, 21 Feb 2019 14:58:55 +0000
Received: from BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::9c48:452b:e39c:ef39]) by BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::9c48:452b:e39c:ef39%2]) with mapi id 15.20.1622.020; Thu, 21 Feb 2019 14:58:55 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>
CC: "dots-chairs@ietf.org" <dots-chairs@ietf.org>, "frank.xialiang@huawei.com" <frank.xialiang@huawei.com>, "dots@ietf.org" <dots@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-dots-requirements@ietf.org" <draft-ietf-dots-requirements@ietf.org>
Thread-Topic: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-requirements-18: (with DISCUSS and COMMENT)
Thread-Index: AQHUyfNmchRbiQkDSUaSyjwDnUu6AqXqVlbA
Date: Thu, 21 Feb 2019 14:58:55 +0000
Message-ID: <BYAPR16MB2790CA5915717C58079425D6EA7E0@BYAPR16MB2790.namprd16.prod.outlook.com>
References: <155068522853.31498.10686203344983870104.idtracker@ietfa.amsl.com> <787AE7BB302AE849A7480A190F8B93302EA23122@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <66BB8E3D-DEB6-43AC-AAEB-B6EB1A248865@kuehlewind.net> <787AE7BB302AE849A7480A190F8B93302EA232A6@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <6EFF6377-02A4-4D0B-BCF2-313FDB3B18B8@kuehlewind.net> <787AE7BB302AE849A7480A190F8B93302EA2346F@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302EA2346F@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.2.0.6
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [122.171.76.178]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 9d3e7f2f-e551-4dbd-b8a6-08d6980d19b5
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600110)(711020)(4605104)(2017052603328)(7153060)(7193020); SRVR:BYAPR16MB2422;
x-ms-traffictypediagnostic: BYAPR16MB2422:
x-microsoft-exchange-diagnostics: 1;BYAPR16MB2422;23:0AIkHEjn8ZqmyNwRVu/qcTxjVDkO7dIibP//30/MPf9C7zyRZfJXCSaz7O1YJPHoG3Dp2eaBZQ1j3IIjXdJkI8HJ1ijIlRRUhhYt7xoTXX3naIHseXvj2b53D/j2u36IQj+E63fI3du8+6gfc5u3KNMmxyJXJH6Mgm2+NP2kAs3dRoC580a60HZQpks/HkRx1dL5eo4azf5z1o2CzvkTQfPww9VxXPA9/QmyYtw3klR7yxiYhejcX4+1yoqgX7Emz30faP2DOmz9stwvim350oD+ggW6AUJPbm0n3oFiPcuz7DN3Zg8bg2jVgnKjz7i9W/Lwu8xCeWOs3tRfWu92swVHK5B87q5v0osFPTD0NUlYj9mR7L6/0/5Urb2Envs8u0pF1Ndoo/6VEaHfsriZqluXTXGaEmHVcLKzN5Xuz/C+NHO0va8PqxZs7pnPwou1fOKXG4z0P7VSzlFXUiJmeIkJ1DNAfrSUpqEGIPzcNbgSmVpx9myTnxE42JBheC1mq1h5qKYvvJsQJ/Oq+c4Sw7kJOiVNRZPQQlnXR721KqbdFqrr911SaWEC9+zptvhOeTmVAcUwP6c9F3H+umeGEAlY3zeoNl4+tffRLaKoOw6oHshm9apff88bsfFbbfLmxjYsexMQOYjpgvKilrR/Uyy0rdF9R9w6DpkI8KDe/DbzJIkyGKIDxBllaOYGwAjPf337FG1jWTcgjh0axgxLI2SeDLMKvxBBJ8+If/GqzbEl8VLHcuKa8TP7847GH2+gwlRGu1fkPgYB8VC3ghQmTVL8x/VGePXwmVq5Hzc9eXbTTjkcBxSo65bNL7SwYWPqAFCSwl7Y9yvKwaKUOzxO+2pJJ2ANC+xUmvLdAVt7yFYswq/s/v3zoawJVFbLKS0SgL6d0sRC5NDXO04sR0GgpcYK5WubLXw4XNkUL89CD4pnMbLjoXNnuy7ZXztDvkp3wq83jgywHbDCJE3KgZgWsXmvQYhmTYe1H4Ab6/xvLRg3/YsitEFkBNC+j2xZjW2cxG5YJ70kXVhorzwkbNqSGa1htmS/lYa7dKYTOPiMliAGP7WM/2OYjja6kQi1EbQ7/o5iez+JA9ZztgXXxyPgpAM/yfb/uIqh+MQUz2TZc/8RQYW9M47NWyuLwL5sbvwyfsXC994Kp+QhmjMN8VLSaymwEkSosdEKo0VAN0dxbISWkpO2nUnmYLV73ILv/wHTCr6bYmWS2i1SwEGEJ8+J9kdqk9gvirgPxSrI14k03CoKlSwoFxptj+jVmmzZOPoYUxjAI7AvOUwelsONXqDZHfhyu9CdEyQB3JWYSTkpbhfRkZk7BeKySLnupgdLeNWlubDUIrKxPjNX9sSSIshvxTbvVOdG+l3322oQD1JLZW8eeKmLG7NszD6pAyoSEhQ/kr+MKH7yMGObo3vzaLttqgRxnBWxRfO6RWF3RVTh3sb+8k9KSnX9V4NgGHw2woOP
x-microsoft-antispam-prvs: <BYAPR16MB24224F329E4837D65E348F8BEA7E0@BYAPR16MB2422.namprd16.prod.outlook.com>
x-forefront-prvs: 09555FB1AD
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(366004)(376002)(39860400002)(346002)(136003)(199004)(189003)(13464003)(55784004)(32952001)(78486014)(86362001)(105586002)(80792005)(66574012)(4326008)(5024004)(106356001)(224303003)(14444005)(256004)(2501003)(53936002)(3846002)(66066001)(25786009)(6116002)(74316002)(93886005)(6436002)(305945005)(55016002)(7736002)(97736004)(6506007)(68736007)(7696005)(76176011)(9686003)(81166006)(99286004)(81156014)(478600001)(186003)(316002)(33656002)(54906003)(5660300002)(8936002)(11346002)(446003)(2906002)(110136005)(486006)(14454004)(6246003)(53546011)(71200400001)(71190400001)(229853002)(102836004)(476003)(26005)(72206003)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR16MB2422; H:BYAPR16MB2790.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: MyvLkZ7srFRz5lHhW++DZCiN6oO4sTd4tGvgpigdPkGF0QKmXjipUg+tVFBb7kkhP70X/rw382ooWaig/+9wNwBY6+2NRwr6BJbsnms19DoVCakxbq8pP9F7/uI5hcSrIOZbr2gbBMZpqKZpvvS6ze8ny2L8Nu7oyIGp9t1raTUBVcjvEsyOxr9dytU2d8rw+yFSsLsS5M6ySkhfU1sYlUlD9k2p+LVfhnDB3LIYEsw+z5sqWYyVtqbHWKzlycWCekpr+LVqkq9OEzWm5zAhxw2rOpFDAHiOx2yT8Evw9n++9etVpoan1pkArXMaEnoMirRwxLtxablHEL+SmzIMo0Y3lwjIfaIdE2MJh7PiInRhykc59l5cZ+NVm9TnXp6XrEI/Tyz0LuNXDbFY0taxofnYTv6/FRnQHe8qMa+EXU8=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 9d3e7f2f-e551-4dbd-b8a6-08d6980d19b5
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Feb 2019 14:58:55.1759 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR16MB2422
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Level:
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0.4
X-NAI-Spam-Version: 2.3.0.9418 : core <6488> : inlines <7019> : streams <1813688> : uri <2799975>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/T2ovgDyhy9wN9ECfljTCaw4OtLg>
Subject: Re: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-requirements-18: (with DISCUSS and COMMENT)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2019 14:59:34 -0000

> -----Original Message-----
> From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>
> Sent: Thursday, February 21, 2019 8:10 PM
> To: Mirja Kuehlewind (IETF) <ietf@kuehlewind.net>
> Cc: dots-chairs@ietf.org; frank.xialiang@huawei.com; dots@ietf.org; The IESG
> <iesg@ietf.org>; draft-ietf-dots-requirements@ietf.org
> Subject: RE: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-requirements-
> 18: (with DISCUSS and COMMENT)
> 
> This email originated from outside of the organization. Do not click links or
> open attachments unless you recognize the sender and know the content is safe.
> 
> Re-,
> 
> My point is that combining RFC8085 and deployments where timers can be
> controlled/discovered is sufficient to fulfill the requirement.
> 
> Of course, this does not guarantee that bindings are kept active if a NAT/FW
> assigns timers of less than 15 seconds...which is fair. The requirement does not
> ask for such guarantee.

Agreed, I propose the following update to capture the discussion and addresses the comment:

Channel Health Monitoring: DOTS agents MUST support exchange of heartbeat messages over the signal channel to monitor channel health. These keepalives serve the purpose to maintain any on-path NAT or Firewall bindings to avoid cryptographic handshake for new mitigation requests. The heartbeat interval during active mitigation could be negotiable based on NAT/Firewall characteristics. Absent information about the NAT/Firewall characteristics, DOTS agent needs to ensure its on-path NAT or Firewall bindings do not expire, by using the keep-alive frequency discussed in Section 3.5 of [RFC8085].

Cheers
-Tiru

> 
> Cheers,
> Med
> 
> > -----Message d'origine-----
> > De : Mirja Kuehlewind (IETF) [mailto:ietf@kuehlewind.net] Envoyé :
> > jeudi 21 février 2019 14:46 À : BOUCADAIR Mohamed TGI/OLN Cc :
> > dots-chairs@ietf.org; frank.xialiang@huawei.com; dots@ietf.org; The
> > IESG; draft-ietf-dots-requirements@ietf.org
> > Objet : Re: [Dots] Mirja Kühlewind's Discuss on
> > draft-ietf-dots-requirements-
> > 18: (with DISCUSS and COMMENT)
> >
> > Hi Med,
> >
> > please see below.
> >
> > > Am 21.02.2019 um 13:17 schrieb mohamed.boucadair@orange.com:
> > >
> > >>>> 2) Also on this text in SIG-004:
> > >>>> "The heartbeat interval during active mitigation could be
> > >>>>     negotiable, but MUST be frequent enough to maintain any on-path
> > >>>>     NAT or Firewall bindings during mitigation.  When TCP is used as
> > >>>>     transport, the DOTS signal channel heartbeat messages need to be
> > >>>>     frequent enough to maintain the TCP connection state."
> > >>>>
> > >>>> As Joe commented already, different heartbeats at different
> > >>>> layers can
> > be
> > >>>> used
> > >>>> at the same time for different purposes. You can use heartbeats
> > >>>> at the application layer to check service availability while e.g.
> > >>>> using a
> > higher
> > >>>> frequent heartbeat at the transport layer to maintain firewall
> > >>>> and NAT
> > >> state.
> > >>>
> > >>> [Med] Please note that the text you quoted is about "during active
> > >> mitigation". When no attack is ongoing, we do have the following
> > >> behavior which covers your comment:
> > >>>
> > >>>     When DOTS agents are exchanging heartbeats and no
> > >>>     mitigation request is active, either agent MAY request changes to
> > >>>     the heartbeat rate.  For example, a DOTS server might want to
> > >>>                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > >>>     reduce heartbeat frequency or cease heartbeat exchanges when an
> > >>>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > >>>     active DOTS client has not requested mitigation, in order to
> > >>>     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > >>>     control load.
> > >>>
> > >>>> The advantage to such an approach is that there is less
> > >>>> application
> > layer
> > >>>> overhead/load e.g. in scenarios where it might be expensive to
> > >>>> wake up
> > the
> > >>>> application or a server is already highly loaded. Also note that
> > >>>> the
> > >> time-
> > >>>> outs
> > >>>> values of NATs and firewalls on the path are usually unknown,
> > >>>> therefore
> > an
> > >>>> application can never rely on heartbeats (no matter at which
> > >>>> level) and
> > >> must
> > >>>> be
> > >>>> prepared to try to reconnect on the application layer if the
> > >>>> connection fails.
> > >>>> Usually, the main reason for using heartbeats to maintain NAT or
> > firewall
> > >>>> state
> > >>>> (vs. reconnect every time) in TCP is if the application is time-
> > sensitive
> > >> and
> > >>>> a
> > >>>> full TCP handshake takes too long for the desired service. I'm
> > >>>> not sure
> > >> that
> > >>>> the case for DOTS, however, I understand it may be beneficial to
> > >>>> have established state if an attack is on-going.
> > >>>
> > >>> [Med] This is important to avoid new handshakes when the client
> > >>> has to
> > >> request a mitigation.
> > >>
> > >> This is okay but could be spelled out more explicitly as a
> > >> requirement, rather than taking about the details of sending heartbeats.
> > >>>
> > >>>>
> > >>>> For UDP I guess it's more complicated in your case. Time-outs are
> > usually
> > >>>> very
> > >>>> short, however, state is created with the first packet of a flow
> > >>>> (as
> > there
> > >> is
> > >>>> no handshake in UDP). As you don't see blocking if state is
> > >>>> expired as
> > new
> > >>>> state is created immediately, it's kind of impossible to measure
> > >>>> the configured time-out values. Only if the firewall is under
> > >>>> attack it would start
> > >> blocking
> > >>>> UDP traffic that is has no state for yet. So I understand why it
> > >>>> is
> > >> desirable
> > >>>> to maintain UDP state for you, however, I don't understand how
> > >>>> you can
> > >> know
> > >>>> that your frequency is high enough to actually keep the state
> > >>>> open. Note
> > >> that
> > >>>> TCP time-outs are usually in the order of hours, while UDP
> > >>>> time-outs are usually in range of tens of seconds, and might
> > >>>> expire even quicker if a system is under attack. If that is a
> > >>>> scenario that is important for you, and assuming that not all
> > >>>> time-outs values on the path can be known, I guess it would
> > >> be
> > >>>> recommendable to use TCP instead.
> > >>>>
> > >>>> In any case this can not be a MUST requirement (as timers are
> > >>>> usually
> > not
> > >>>> known). I would recommend to state something like:
> > >>>>
> > >>>> "MAY be frequent enough to maintain NAT or firewall state, if
> > >>>> timer
> > values
> > >>>> are
> > >>>> known, or if TCP is used, SHOULD use in addition TCP heartbeats
> > >>>> to
> > >> maintain
> > >>>> the TCP connection state and reconnect immediately if a failure
> > >>>> is
> > >> detected."
> > >>>>
> > >>>
> > >>> [Med] The original wording is accurate and reflects the
> > >>> requirement of
> > the
> > >> WG. How this will be enforced is part of the solution/specification space.
> > >>
> > >> My hold point here is that
> > >>
> > >> "MUST be frequent enough to maintain any on-path NAT or Firewall
> > >> bindings during mitigation.“
> > >>
> > >> cannot be a MUST requirement as the network time-out values are not
> > >> known
> > by
> > >> the endpoints. Therefore it is impossible to fulfill this requirement.
> > >
> > > [Med] Two comments here:
> > > * The requirement can be fulfilled by relying RFC8085
> > > recommendations. This
> > is discussed in the spec documents.
> >
> > RFC8085 provide recommended value and limits, however, this does not
> > guarantee that the proposed values actually match the time-out values
> > as deployed on the path.
> >
> > > * there are deployments in which timers can be discovered (e.g., PCP
> > (RFC6887)).
> >
> > This does not work in all cases and the draft does not seem to require
> > the usage of anything like this. If a requirement is that the timeout
> > values MUST be known in the deployed scenario, then that should be
> > spelled out, however, I assume that is not your intention because that
> > would limit deployment heavily.
> >
> > Mirja
> >

v2.23.0 | Report a Bug | By Email