Re: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-requirements-18: (with DISCUSS and COMMENT)
"Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net> Tue, 05 March 2019 11:38 UTC
From: "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>
In-Reply-To: <BYAPR16MB2790CC0ED0E41B3551F7C93BEA7E0@BYAPR16MB2790.namprd16.prod.outlook.com>
Date: Tue, 05 Mar 2019 12:38:35 +0100
Cc: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>, "frank.xialiang@huawei.com" <frank.xialiang@huawei.com>, "dots@ietf.org" <dots@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-dots-requirements@ietf.org" <draft-ietf-dots-requirements@ietf.org>
Message-Id: <C44BC70E-6F50-4665-B3C0-ACDC93FAA344@kuehlewind.net>
References: <155068522853.31498.10686203344983870104.idtracker@ietfa.amsl.com> <787AE7BB302AE849A7480A190F8B93302EA23122@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <66BB8E3D-DEB6-43AC-AAEB-B6EB1A248865@kuehlewind.net> <BYAPR16MB2790CC0ED0E41B3551F7C93BEA7E0@BYAPR16MB2790.namprd16.prod.outlook.com>
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/dN5Gfg9HsIRQOFJ5mBly3mmQDVA>
Hi Tiru, hi Med,

to catch up on this comment.

> On 21.02.2019 at 15:23, Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com> wrote:
>
>>>> One editorial comment on SEC-002:
>>>>
>>>> "A security mechanism at the network layer (e.g.,
>>>> TLS) is thus adequate to provide hop-by-hop security. In other
>>>> words, end-to-end security is not required for DOTS protocols."
>>>>
>>>> TLS is transport layer security (not network layer) and therefore
>>>> known as providing end-to-end security while the term hop-by-hop is used
>>>> for e.g. IPSec.
>>>>
>>>> I would recommend to change the wording here in order to avoid
>>>> confusion, e.g.
>>>>
>>>> "A security mechanism at the transport layer (e.g.,
>>>> TLS) is thus adequate to provide security between different DOTS
>>>> agents.
>>>> In other words, a direct security association between the server and
>>>> client, excluding any proxy, is not required for DOTS protocols."
>>>>
>>>
>>> [Med] I disagree with the last part of the proposed wording. The DOTS
>>> architecture involves gateways, hence the hop-by-hop security model.
>>
>> This is not a technical comment. The technical content is correct. However, as I
>> said above, the term hop-by-hop is associated by many people in the
>> community with something like IPSec, while application layer gateways are
>> rather considered as endpoints. All I'm requesting is to avoid the terms
>> end-to-end and hop-by-hop in this context as it might be confusing to others.
>
>
> SEC-002 is modified in version 18 to add more details to address the following comment from Robert Sparks (Genart review):
> from Paragraph 3 of SEC-002: This paragraph doesn't read as sensibly when you have the pictures of aggregating gateways from the architecture document in mind.
> Does it constrain the types of connections that can be aggregated to those that share equivalent security properties? If so, it should be explicit.
So, there are two points here:

1) With the current text there is at least one mistake. It says "A security mechanism at the network layer (e.g. TLS)...". However, TLS is actually at the application layer. So this needs rewording.

2) The other part of my comment was simply that the use of the terms "end-to-end" and "hop-by-hop" could be confusing as currently used (without much explanation). I suggest initially to simply not use these terms; however, you could also say something like "hop-by-hop between a DOTS gateway and a DOTS client or server" and "end-to-end directly between the DOTS client and server", just to be very clear about this.

Mirja