Re: [Dots] some nits and comments about draft-dots-signal-channel-23:

<mohamed.boucadair@orange.com> Mon, 10 September 2018 08:09 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B8D3130DD7; Mon, 10 Sep 2018 01:09:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R9n9PW47fi5V; Mon, 10 Sep 2018 01:09:20 -0700 (PDT)
Received: from orange.com (mta135.mail.business.static.orange.com [80.12.70.35]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED831130E2E; Mon, 10 Sep 2018 01:09:19 -0700 (PDT)
Received: from opfednr06.francetelecom.fr (unknown [xx.xx.xx.70]) by opfednr23.francetelecom.fr (ESMTP service) with ESMTP id 42810Z1qgDz5wJT; Mon, 10 Sep 2018 10:09:18 +0200 (CEST)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.42]) by opfednr06.francetelecom.fr (ESMTP service) with ESMTP id 42810Z0dvWzDq7C; Mon, 10 Sep 2018 10:09:18 +0200 (CEST)
Received: from OPEXCLILMA3.corporate.adroot.infra.ftgroup ([fe80::60a9:abc3:86e6:2541]) by OPEXCLILM41.corporate.adroot.infra.ftgroup ([fe80::c845:f762:8997:ec86%19]) with mapi id 14.03.0415.000; Mon, 10 Sep 2018 10:09:17 +0200
From: <mohamed.boucadair@orange.com>
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, "Jon Shallow" <supjps-ietf@jpshallow.com>, "Xialiang (Frank)" <frank.xialiang@huawei.com>, "draft-ietf-dots-signal-channel@ietf.org" <draft-ietf-dots-signal-channel@ietf.org>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] some nits and comments about draft-dots-signal-channel-23:
Thread-Index: AdQ7fkPcZXaZ/b/SQr2JzmmZxhn5iAADTsyAALlvKeAACZzwUAAoKpjAAAfra5AAARw6gAAPVpsAAlC16nA=
Date: Mon, 10 Sep 2018 08:09:16 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302DFDB4BB@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
References: <C02846B1344F344EB4FAA6FA7AF481F12C851E42@dggemm511-mbs.china.huawei.com> <BN6PR16MB14254170346ECA688FB485D0EA350@BN6PR16MB1425.namprd16.prod.outlook.com> <C02846B1344F344EB4FAA6FA7AF481F12C855E79@dggemm511-mbx.china.huawei.com> <BN6PR16MB1425DDE9F8C3F75A8F798222EA0A0@BN6PR16MB1425.namprd16.prod.outlook.com> <C02846B1344F344EB4FAA6FA7AF481F12C8567D9@dggemm511-mbx.china.huawei.com> <BN6PR16MB1425362E99AE92CB4271B55FEA090@BN6PR16MB1425.namprd16.prod.outlook.com> <168401d43f6d$3c42e870$b4c8b950$@jpshallow.com> <BN6PR16MB1425152EB8010FD5332C5216EA090@BN6PR16MB1425.namprd16.prod.outlook.com>
In-Reply-To: <BN6PR16MB1425152EB8010FD5332C5216EA090@BN6PR16MB1425.namprd16.prod.outlook.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.168.234.4]
Content-Type: multipart/alternative; boundary="_000_787AE7BB302AE849A7480A190F8B93302DFDB4BBOPEXCLILMA3corp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/YyNUQYJVGd53BDcwg69Ohxgv-6Y>
Subject: Re: [Dots] some nits and comments about draft-dots-signal-channel-23:
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Sep 2018 08:09:23 -0000

Hi all,

I agree with almost all replies from Tiru. I have one minor comment about this one:

==
5.       P18: / cdid:  Stands for Client Domain IDentifier./ cdid:  Stands for Client Domain Identifier./
==

The initial wording was correct.

Anyway, I’m not planning to change this back in the draft.

Cheers,
Med

De : Dots [mailto:dots-bounces@ietf.org] De la part de Konda, Tirumaleswar Reddy
Envoyé : mercredi 29 août 2018 17:12
À : Jon Shallow; Xialiang (Frank); draft-ietf-dots-signal-channel@ietf.org; dots@ietf.org
Objet : Re: [Dots] some nits and comments about draft-dots-signal-channel-23:

From: Jon Shallow <supjps-ietf@jpshallow.com>
Sent: Wednesday, August 29, 2018 1:22 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; Xialiang (Frank) <frank.xialiang@huawei.com>; draft-ietf-dots-signal-channel@ietf.org; dots@ietf.org
Subject: RE: [Dots] some nits and comments about draft-dots-signal-channel-23:


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.


________________________________
Hi there,

One comment inline Jon>

Regards

Jon

From: Dots [mailto: dots-bounces@ietf.org<mailto:dots-bounces@ietf.org>] On Behalf Of Konda, Tirumaleswar Reddy
Sent: 29 August 2018 08:42
To: Xialiang (Frank, Network Integration Technology Research Dept); draft-ietf-dots-signal-channel.authors@ietf.org<mailto:draft-ietf-dots-signal-channel.authors@ietf.org>
Cc: dots@ietf.org<mailto:dots@ietf.org>
Subject: Re: [Dots] some nits and comments about draft-dots-signal-channel-23:

Hi Frank,

Please see inline [TR3]

From: Xialiang (Frank, Network Integration Technology Research Dept) <frank.xialiang@huawei.com<mailto:frank.xialiang@huawei.com>>
Sent: Wednesday, August 29, 2018 7:17 AM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com<mailto:TirumaleswarReddy_Konda@McAfee.com>>; draft-ietf-dots-signal-channel.authors@ietf.org<mailto:draft-ietf-dots-signal-channel.authors@ietf.org>
Cc: dots@ietf.org<mailto:dots@ietf.org>
Subject: 答复: some nits and comments about draft-dots-signal-channel-23:


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.


________________________________
Hi Tiru,
Please see inline:

发件人: Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
发送时间: 2018年8月28日 21:24
收件人: Xialiang (Frank, Network Integration Technology Research Dept) <frank.xialiang@huawei.com<mailto:frank.xialiang@huawei.com>>; draft-ietf-dots-signal-channel.authors@ietf.org<mailto:draft-ietf-dots-signal-channel.authors@ietf.org>
抄送: dots@ietf.org<mailto:dots@ietf.org>
主题: RE: some nits and comments about draft-dots-signal-channel-23:

Hi Frank,

Please see inline [TR2]

From: Dots <dots-bounces@ietf.org<mailto:dots-bounces@ietf.org>> On Behalf Of Xialiang (Frank, Network Integration Technology Research Dept)
Sent: Tuesday, August 28, 2018 7:29 AM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com<mailto:TirumaleswarReddy_Konda@McAfee.com>>; draft-ietf-dots-signal-channel.authors@ietf.org<mailto:draft-ietf-dots-signal-channel.authors@ietf.org>
Cc: dots@ietf.org<mailto:dots@ietf.org>
Subject: [Dots] 答复: some nits and comments about draft-dots-signal-channel-23:


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.


________________________________
Hi Tiru,
Please see further comments inline:

发件人: Dots [mailto:dots-bounces@ietf.org] 代表 Konda, Tirumaleswar Reddy
发送时间: 2018年8月25日 22:32
收件人: Xialiang (Frank, Network Integration Technology Research Dept) <frank.xialiang@huawei.com<mailto:frank.xialiang@huawei.com>>; draft-ietf-dots-signal-channel.authors@ietf.org<mailto:draft-ietf-dots-signal-channel.authors@ietf.org>
抄送: dots@ietf.org<mailto:dots@ietf.org>
主题: Re: [Dots] some nits and comments about draft-dots-signal-channel-23:

Hi Frank,

Please see inline [TR]

From: Dots <dots-bounces@ietf.org<mailto:dots-bounces@ietf.org>> On Behalf Of Xialiang (Frank, Network Integration Technology Research Dept)
Sent: Friday, August 24, 2018 1:59 PM
To: draft-ietf-dots-signal-channel.authors@ietf.org<mailto:draft-ietf-dots-signal-channel.authors@ietf.org>
Cc: dots@ietf.org<mailto:dots@ietf.org>
Subject: [Dots] some nits and comments about draft-dots-signal-channel-23:


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.


________________________________

Hi authors,
After once more careful review of this draft, I have the following nits and comments:

Nits:

1.       Last paragraph of section 1: /This is a companion document…/There is a companion document…/


[TR] The line looks correct, DOTS signal channel is a companion document of the DOTS data channel document.


2.       P13, the definition of cuid: /This is a mandatory Uri-Path./ This is a mandatory Uri-Path parameter./

[TR] Yes, will update.


3.       First paragraph in P16: / with indefinite lifetimes./ with indefinite lifetime./


[TR] The line looks correct, “lifetimes” is plural to refer to “mitigations”.



4.       P12: / Uri-Path: "version"/ Uri-Path: "v1"/


5.       P18: / cdid:  Stands for Client Domain IDentifier./ cdid:  Stands for Client Domain Identifier./

[TR] Yes, will fix 4 and 5.




6.       Last paragraph in P21: /The DOTS server couples the DOTS signal channel sessions using the DOTS client identity and optionally the ’cdid’ parameter value, and the DOTS server uses ’mid’ and ’cuid’ Uri-Path parameter values to detect duplicate mitigation requests./ The DOTS server differentiates the DOTS signal channel sessions using the DOTS client identity and optionally the ’cdid’ parameter value. for every DOTS signal channel session, the DOTS server uses ’mid’ Uri-Path parameter values to detect duplicate mitigation requests./

[TR] The above line is added to explain how the DOTS server couples DOTS signal channel sessions from the same DOTS client.
[Frank]: How many signal channel sessions can have between one DOTS client and DOTS server? I assume there only one.

[TR2] The DOTS client can create more than one DOTS signal channel session with the DOTS server, but the draft recommends the client to use a single channel. Please see the following snippet from the Security Considerations Section
<snip>
   A single DOTS signal channel between DOTS agents can be used to
   exchange multiple DOTS signal messages.  To reduce DOTS client and
   DOTS server workload, DOTS clients SHOULD re-use the (D)TLS session.
</snip>
[Frank]: since this is a key point for the whole protocol, I think it’s not enough you only mention it in the Security Consideration Section. Can you add some text to clarify this point in the suitable section more clearly.

[TR3] we can move the above text to section 3 (Design overview), let us know if any other details need to be added.

Jon> During Happy Eyeballs, there can be up to 4 signal channel sessions, which should settle down to one.

[TR4] Happy Eyeballs specification discusses to abandon non-winning connections, don’t see a need to repeat.

-Tiru

~Jon



7.       P22: /This version of the specification forbids ’cuid’ and ’cdid’ (if used) to be returned in a response./This version of the specification forbids ’cuid’ and ’cdid’ (if used) to be returned in a response message body./

[TR] Yes, will update.

Comments:

1.       Last paragraph of P6: only "coaps+tcp" URI scheme is used, no “coaps+udp”?

[TR] No, by default the “coaps” URI scheme defined in RFC7252 is for UDP.
[Frank]: So, do we still need “coaps” URL for the UDP transport?

[TR2] Yes, “coaps” means DTLS-secured CoAP messages exchanged over UDP, please see RFC7252.
[Frank]: why I cannot see the “coaps” URI in the whole document?

[TR3] The doc does not discuss complete URI, hence you don’t see “coaps”.



2.       Please consider including these terminology in section 2: JSON, YANG, CBOR, DER, ASN, SPKI, PSK, SHA, CIDR, TCP, UDP, SCTP, DCCP, IANA, FQDN, URI, ...

[TR] I have not seen any recent RFC adding them to the Terminology. However, we will expand the all the abbreviations (currently only missing for JSON, DER, ASN and PSK).
[Frank]: ok.


3.       Last paragraph of P7: 3..xx Response Codes seems to be not used in this document, delete it?

[TR] Good catch, will delete.



4.       P50: "...time to live values in the CBOR body (Figure 22)", TTL values should not be in the CBOR message body.

[TR] Yes, will remove.



5.       P72: [I-D.ietf-tls-dtls13] should be replaced by [RFC8446]

[TR] No, DTLS 1.3 has not yet become a RFC (see https://tools.ietf.org/html/draft-ietf-tls-dtls13-28)



6.       cuid vs cdid:

1)       Will server-domain DOTS gateways replace the cuid with its own cuid as the new DOTS client?

[TR] No, gateways will not modify or replace cuid.
[Frank]: then, the source ‘cuid’ will reach the final DOTS server, why do we still need the define the ‘cdid’?

[TR2] ‘cdid’ identifies the DOTS client domain whereas ‘cuid’ the DOTS client identity.
[Frank]: so, the main reason for introducing the ‘cdid’ is for differentiating the different DOTS client with the same ‘cuid’ but from the different domain (with different ‘cdid’), not for representing the source DOTS client ?

[TR3] The other reason is ‘cid’ can only be conveyed by the server-domain DOTS gateway and can be trusted by the DOTS server to enforce policies.

If there are multiple DOTS clients in one domain, there should be multiple ‘cuid’ with the only one ‘cdid’?

[TR3] Yes.

Cheers,
-Tiru



2)       Will Server-domain DOTS gateways insert the new cdid to represent the source DOTS client ?

[TR] Yes, but to convey the source DOTS client domain identity.


3)       If the above points are right, I think the third paragraph in P18 is not very clear to clarify them and have space for tuning. And I also think there is a conflict between the 5th and 6th paragraph, since source DOTS clients cannot generate cdid, the DOTS server is impossible to ignore ‘cdid’ attributes that are directly supplied by source DOTS clients.

[TR] I did not get the above comment.



4)       P21: Is “the DOTS client identity” here the same as the ‘cuid’? or another id?

[TR] “DOTS client identity” is explained in page 26
<snip>
As a reminder, a DOTS client
   is identified by its identity (e.g., client certificate, 'cuid') and
   optionally the 'cdid'.
</snip>
[Frank]: so, you mean a “DOTS client identity” can be the client certificate, ‘cuid’ or ‘cdid’ depending on context? If you use this term in other place, how can I know which one it is?

[TR2] No, “DOTS client identity” is ‘cuid’ + ‘cdid’ (‘cdid’ may or may not be present in the mitigation request). The algorithm for generating ‘cuid’ and ‘cdid’ is discussed in the draft and
‘cuid’  can be generated from the DOTS client certificate.

Cheers,
-Tiru

Thanks!

B.R.
Frank