[Dots] Benjamin Kaduk's Yes on draft-ietf-dots-server-discovery-13: (with COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Tue, 27 October 2020 02:06 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: dots@ietf.org
Delivered-To: dots@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 726883A11D1; Mon, 26 Oct 2020 19:06:38 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-dots-server-discovery@ietf.org, dots-chairs@ietf.org, dots@ietf.org, Valery Smyslov <valery@smyslov.net>, valery@smyslov.net
X-Test-IDTracker: no
X-IETF-IDTracker: 7.21.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <160376439800.28769.11555549483055573494@ietfa.amsl.com>
Date: Mon, 26 Oct 2020 19:06:38 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/W-RSgYU0Wiodq23i8zFz8kjgZbg>
Subject: [Dots] Benjamin Kaduk's Yes on draft-ietf-dots-server-discovery-13: (with COMMENT)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Oct 2020 02:06:39 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-dots-server-discovery-13: Yes When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-dots-server-discovery/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Pulling in some follow-up from the directorate review comments... Section 3 o Resolving a DOTS server domain name offered by an upstream transit provider provisioned to a DOTS client into IP address(es) requires the use of the appropriate DNS resolvers; otherwise, resolving those names will fail. The use of protocols such as DHCP does allow associating provisioned DOTS server domain names with a list of DNS servers to be used for name resolution. Furthermore, DHCP allows directly provisioning IP addresses therefore avoiding the need for extra lookup delays. I wonder if using "providing" rather than "provisioning" for at least the last instance would be more clear. o A resolution mechanism based on straightforward Naming Authority Pointer (S-NAPTR) resource records in the Domain Name System (DNS) (Section 6). "Straightforward" needs to be capitalized here. Section 4 will support a local configuration. More samples are discussed in Section 3: nit: s/:/./ Section 5 The list of the IP addresses returned by DHCP servers is typically used to feed the DOTS server selection procedure including when DOTS agents are provided with primary and backup IP addresses of their peer DOTS agents. An example of DOTS server selection procedure is specified in Section 4.3 of [RFC8782]. The referenced section in 8782 is about the "happy eyeballs", i.e., picking between TCP/UDP and IPv4/IPv6 -- it doesn't really seem intended to cover the case where you have to pick betwen different actual nodes. I'm also not sure how the "primary and backup" is intended to work, here. Is the "provided with" referring to "by DHCP" or some out-of-band configuration? Section 8.1 configured name. If the DOTS agent is instructed to trust subdomains of the names in that list as well, a DOTS agent will also accept a DHCP-discovered name if the left-most label of the discovered name is matching a name in the pre-configured list. If the agent is configured to trust subdomains of the configured list, then in the case where that configuration is relevant for the attack, the left-most label will be the (part of the) subdomain name, which is explicitly not matching the pre-configured list -- the remaining bits are what match.
- [Dots] Benjamin Kaduk's Yes on draft-ietf-dots-se… Benjamin Kaduk via Datatracker
- Re: [Dots] Benjamin Kaduk's Yes on draft-ietf-dot… mohamed.boucadair
- Re: [Dots] Benjamin Kaduk's Yes on draft-ietf-dot… Benjamin Kaduk