Re: [Dots] AD review of draft-ietf-dots-data-channel-25
<mohamed.boucadair@orange.com> Wed, 27 February 2019 10:25 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A583130EB5; Wed, 27 Feb 2019 02:25:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hQtRiQRh_jOV; Wed, 27 Feb 2019 02:25:39 -0800 (PST)
Received: from orange.com (mta134.mail.business.static.orange.com [80.12.70.34]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32238130E27; Wed, 27 Feb 2019 02:25:39 -0800 (PST)
Received: from opfednr05.francetelecom.fr (unknown [xx.xx.xx.69]) by opfednr22.francetelecom.fr (ESMTP service) with ESMTP id 448WzP2qJNz10b7; Wed, 27 Feb 2019 11:25:37 +0100 (CET)
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.79]) by opfednr05.francetelecom.fr (ESMTP service) with ESMTP id 448WzP1n4yzyQ2; Wed, 27 Feb 2019 11:25:37 +0100 (CET)
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBM6E.corporate.adroot.infra.ftgroup ([fe80::d89a:9017:59c2:9724%21]) with mapi id 14.03.0435.000; Wed, 27 Feb 2019 11:25:37 +0100
From: mohamed.boucadair@orange.com
To: Benjamin Kaduk <kaduk@mit.edu>
CC: "draft-ietf-dots-data-channel@ietf.org" <draft-ietf-dots-data-channel@ietf.org>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: AD review of draft-ietf-dots-data-channel-25
Thread-Index: AQHUzlJcb7c2dDIvj0uWD4RT8wY9CqXzapPw
Date: Wed, 27 Feb 2019 10:25:36 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302EA25FC4@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <20190213164622.GX56447@kduck.mit.edu> <787AE7BB302AE849A7480A190F8B93302EA1F03D@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <20190214191707.GM56447@kduck.mit.edu> <787AE7BB302AE849A7480A190F8B93302EA1FCF6@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <20190227041011.GG53396@kduck.mit.edu>
In-Reply-To: <20190227041011.GG53396@kduck.mit.edu>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.247]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/naeV1o9EbdYklVz4ALRp6tPrqeI>
Subject: Re: [Dots] AD review of draft-ietf-dots-data-channel-25
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2019 10:25:43 -0000
Hi Ben, Please see inline. Cheers, Med > -----Message d'origine----- > De : Benjamin Kaduk [mailto:kaduk@mit.edu] > Envoyé : mercredi 27 février 2019 05:10 > À : BOUCADAIR Mohamed TGI/OLN > Cc : draft-ietf-dots-data-channel@ietf.org; dots@ietf.org > Objet : Re: AD review of draft-ietf-dots-data-channel-25 > > On Fri, Feb 15, 2019 at 09:36:26AM +0000, mohamed.boucadair@orange.com wrote: > > Hi Ben, > > > > Please see inline. > > > > Thanks. The -27 is in good enough shape that I've requested the IETF last > call; we can finish discussing the last few topics here in parallel. > [Med] Sure. > > > > > -----Message d'origine----- > > > De : Benjamin Kaduk [mailto:kaduk@mit.edu] > > > Envoyé : jeudi 14 février 2019 20:17 > > > À : BOUCADAIR Mohamed TGI/OLN > > > Cc : draft-ietf-dots-data-channel@ietf.org; dots@ietf.org > > > Objet : Re: AD review of draft-ietf-dots-data-channel-25 > > > > > > Hi Med, > > > > > > On Thu, Feb 14, 2019 at 02:31:26PM +0000, mohamed.boucadair@orange.com > wrote: > > > > Hi Ben, > > > > > > > > Thank you for the review. > > > > > > > > Please see inline. > > > > > > > > Cheers, > > > > Med > > > > > > > > > -----Message d'origine----- > > > > > De : Benjamin Kaduk [mailto:kaduk@mit.edu] > > > > > Envoyé : mercredi 13 février 2019 17:46 > > > > > À : draft-ietf-dots-data-channel@ietf.org > > > > > Cc : dots@ietf.org > > > > > Objet : AD review of draft-ietf-dots-data-channel-25 > > > > > > > > > > This is my AD review of the -25 > > > > > > > > > > I see that Med made a commit on github that preemptively addressed at > > > least > > > > > one of these comments, but will trust the authors to do to the right > > > thing > > > > > with anything in here that's stale. > > > > > > > > > > A handful of generic and/or high-level comments before the > > > > > section-by-section nitty-gritty stuff. > > > > > > > > > > The author count is large (7); RFC 7322 notes that the stream > approver > > > > > (i.e., the IESG) will ask questions if the count is more than five. > What > > > > > should I tell people when they ask? (The authors are listed also in > the > > > > > YANG module itself, if changes are made.) > > > > > > > > [Med] Actually, the set of co-authors of the YANG module is not exactly > the > > > same. > > > > > > Whoops, my bad for not checking. > > > > > > > Anyway, in order to comply with the rules and avoid spending extra > cycles > > > on this, we added a new section called "Contributing Authors". > Nevertheless, > > > the set of authors is not modified in the YANG module. > > > > > > Thanks. (To be clear, I'm happy to go to bat for everyone with the IESG > > > for this sort of thing, I just need an argument to present that's not me > > > making things up.) > > > > > > I don't know of a specific policy for YANG module authorship, so that > part > > > should be okay as far as I know. > > > > > > > > > > > > > Can someone (the shepherd?) confirm that an automated syntax checker > has > > > > > run over the JSON in examples? > > > > > > > > > > The concept of "DOTS client domain" is being used for actual protocol > > > > > purposes here (most notably as a bound on the prefix(es) that a > client > > > can > > > > > request mitigation for, but I don't remember seeing a formal > definition > > > for > > > > > how any DOTS actor would know the specific bounds of such a client > > > domain. > > > > > Is there text somewhere that I missed that we can point to, or will > we > > > need > > > > > to add some? > > > > > > > > [Med] Both "DOTS client domain" and "DOTS server domain" are used in > the > > > architecture draft. "DOTS client's domain" and "DOTS server's domain" are > > > also used in the architecture and requirements I-D. > > > > > > > > If a formal definition is needed, I prefer this to be done in the > > > architecture or the requirements I-D. > > > > > > I think it would be a somewhat better fit in the architecture document, > > > just to note that the "domain" is something that can concretely be > > > demarcated by IP addresses/prefixes (as opposed to a more nebulous > concept > > > to aid conceptual understanding). > > > > > > > [Med] Let's add that text into the architecture I-D. > > Okay. Tiru had a follow-up about how servers can identify DOTS client's > domains, which is okay but not quite what I was aiming for. In the text > Tiru quoted, we note that > > The DOTS server enforces authorization of DOTS clients' signals for > mitigation. The mechanism of enforcement is not in scope for this > document, but is expected to restrict requested mitigation scope to > addresses, prefixes, and/or services owned by the DOTS client's > administrative domain, such that a DOTS client from one domain is not > able to influence the network path to another domain. > > I was hoping to see something like "For a given client (administrative) > domain, the DOTS server needs to be able to determine whether a given > resource is in that domain. This could take the form of associating a set > of IP Prefixes per domain, for example." But I'm open to being persuaded > that the existing text conveys the same meaning. > [Med] Your proposed wording can be added to the architecture I-D, IMHO. FWIW, we do have this text in the protocol spec: DOTS servers MUST verify that requesting DOTS clients are entitled to enforce filtering rules on a given IP prefix. That is, only filtering rules on IP resources that belong to the DOTS client's domain can be authorized by a DOTS server. The exact mechanism for the DOTS servers to validate that the target prefixes are within the scope of the DOTS client's domain is deployment-specific. > > > > > > > > > > We don't say much about what validation the server does on input > data, > > > and > > > > > we probably should. For example, does the server need to validate > 'cuid' > > > > > > > > [Med] We avoided to be redundant here. This is covered by this text: > > > > > > > > "This attribute has the same > > > > meaning, syntax, and processing rules as the 'cuid' attribute > > > > defined in [I-D.ietf-dots-signal-channel]." > > > > > > > > > and/or 'cdid' in dots-client-creation requests? > > > > > > > > [Med] This is covered by this text: > > > > > > > > "This attribute has the same meaning, syntax, and processing > > > > rules as the 'cdid' attribute defined in > > > > [I-D.ietf-dots-signal-channel]" > > > > > > I guess I'm mostly just concerned about if there's anything that doesn't > > > translate directly, since the CoAP and HTTP constructs would have to > > > describe the formal validation in somewhat different terms (i.e., for > > > consistency between URL paths and message bodies). But in general I'm > > > happy to avoid redundancy as you desire. > > > > > > > And other parts in the text such as: > > > > > > > > If the request is received via a server-domain DOTS gateway, but the > > > > DOTS server does not maintain a 'cdid' for this 'cuid' while a > 'cdid' > > > > is expected to be supplied, the DOTS server MUST reply with "403 > > > > Forbidden" status-line and the error-tag "access-denied". Upon > > > > receipt of this message, the DOTS client MUST register (Section 5). > > > > > > > > > > > > What about validating that > > > > > the (e.g.) ACL name in the PUT URL matching the name in the body of > the > > > > > request? > > > > > > > > [Med] Those are supposed to be covered following RESTCONF base spec. > > > > > > Is this supposed to be RFC 8040 Section 3.5.3? I am not sure that I'm > > > reading that as covering the property I want (and will double-check if > you > > > confirm that's what you have in mind). > > > > > > > [Med] In addition to 3.5.3, Section 4.5 specifies the rules for PUT. > > > > The main point is that the validation you mentioned is not specific to DOTS > but are governed by RESTCONF procedures. > > I only see 3.5.3 as talking about how to construct a request URI for a > given data node in the YANG tree. > > What I'm wondering about for the data-channel document is if there are > cases where a given path component of the YANG module appears both in the > request URI and in the data in the request body. If so, it seems that the > server will need to verify that the redundant data agree, and I still don't > see where this is mandated by RFC 8040. (Sorry if I am being dense.) > [Med] I hear you. As mentioned in my previous answer, this is covered in Section 4.5 of RFC8040: If the target resource represents a YANG leaf-list, then the PUT method MUST NOT change the value of the leaf-list instance. If the target resource represents a YANG list instance, then the key leaf values, in message-body representation, MUST be the same as the ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ key leaf values in the request URI. The PUT method MUST NOT be used ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ to change the key leaf values for a data resource instance. > > > > There are probably others as well. > > > > > > > > > > The examples all use "Host: {host}:{port}" which is not really an > example > > > > > but rather a template. Since they are supposed to be examples, we > should > > > > > pick a concrete hostname (and port) to use. > > > > > > > > [Med] I will change some figures to "example.com" but will leave it for > > > schema-like figures. > > > > > > Of course. > > > > > > > > > > > > > There is, shall we say, a "high degree of overlap" between Sections > 5/6/7 > > > > > and the YANG model field descriptions. I mostly assume that the WG > > > > > considered letting the YANG model (and the core RESTCONF spec) stand > > > alone > > > > > without the additional examples/specification of the use of RESTCONF > to > > > > > manage clients, aliases, and filter rules, so I won't suggest that we > > > > > revisit the question. But I do think that it would be good to have > some > > > > > explicit text acknowledging the overlap and stating which one is > > > > > authoritative. > > > > > > > > [Med] Fixed. > > > > > > > > > > > > > > There seems to be some mismatch between whether the IPv6 ACL subtree > uses > > > > > "ttl" or "hoplimit" -- Figure 7 has "ttl" but the rest of the > document > > > > > seems to (properly) use "hoplimit". Someone else should double-check > the > > > > > relevant places, though, as I'm not sure I was looking at all of them > > > with > > > > > this issue in mind. > > > > > > > > [Med] Both are correct. > > > > > > > > Figure 7 reuses draft-ietf-netmod-acl-model which defines TTL as : > > > > > > > > leaf ttl { > > > > type uint8; > > > > description > > > > "This field indicates the maximum time the datagram is allowed > > > > to remain in the internet system. If this field contains the > > > > value zero, then the datagram must be dropped. > > > > > > > > In IPv6, this field is known as the Hop Limit."; > > > > reference > > > > "RFC 791: Internet Protocol, > > > > RFC 8200: Internet Protocol, Version 6 (IPv6) Specification."; > > > > } > > > > > > > > For the other figures, the fields are defined in the data-channel > draft. > > > > > > Ah, thanks for the pointer. > > > > > > > > > > > > > I'm also a bit curious about the use of an explicit "capabilities" > tree > > > for > > > > > fine-grained feature detection, as opposed to native YANG "feature"s. > > > > > > > > [Med] These are not serving the same purpose. Features are about parts > of a > > > module which are conditional, if you will. Our "capabilities" branch is > meant > > > to retrieve the filtering match capabilities are supported/enabled by a > DOTS > > > server. That information is used by a client to tweak its requests. > > > > > > > > The > > > > > latter would allow the relevant nodes to just not exist when > unsupported, > > > > > > > > [Med] A filtering capability may be supported but not enabled. The > server > > > is free to include an explicit field with the appropriate status or not. > This > > > is implementation-specific. > > > > > > Thanks for the explanation. > > > > > > > > as opposed to the explicit-capabilities formulation where they exist > but > > > > > are (presumably) ignored. (I don't remember us explictily saying > that > > > > > they're ignored in this case, either; might be worth adding some > text.) > > > > > > > > > > In a similar vein, we include 'capabilities' nodes for a few matching > > > > > features that are listed as "mandatory fields" for ACL matching in > Table > > > 1, > > > > > and thus whose value would always be "true". Why do we need the > > > capability > > > > > leaves in such a case? > > > > > > > > [Med] I guess you are referring to Figure 23 which says the following: > > > > > > > > Figure 23 shows an example of a response received from a DOTS server > > > > which only supports the mandatory filtering criteria listed in > > > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > > > Section 4.1. > > > > > > Correct. > > > > > > > The module allows to return other capabilities than those listed in > table > > > 1. > > > > > > Yes. But the figure should not claim to be an example that *only* > supports > > > the mandatory parts, when it shows an example that supports additional > > > capabilities than the mandatory ones. > > > > > > > [Med] Which "additional capabilities" are you referring to? > > (The text in the -27 addresses my complaint here, even if I was confused > about filtering criteria vs. actions.) > > > > > > > > > > > > > idnits notes a few references that can be updated along with the > other > > > > > changes; it also flags a "reference in abstract" for the RFC Editor > note > > > > > which we could probably ignore (but could probably also just remove > the > > > > > brackets around the text in question). > > > > > > > > [Med] idnits confuses the note to the RFC editor with the abstract. > Fixed, > > > anyway. > > > > > > > > > > > > > > I also looked at the references (especially the normative/informative > > > > > split) and have a few suggestions: > > > > > > > > > > - the IEEE.754.1985 reference is not needed; > > > > > > > > [Med] Agree, but it is not harmful to cite it either :-) > > > > > > My personal opinion is that it *is* harmful, since we are not using a > > > floating-point wire encoding; we're using a string encoding. > > > > [Med] I removed the ref, but added a sentence to justify the unit we are > using: mainly to align with traffic-rate in 5575. > > OK > > > > > > > > The reference is quoted to justify why we went with decimal64, not > uint64 > > > for example + why that unit is chosen. This allows to ease grafting DOTS > with > > > BGP Flowspec for instance, which cites IEEE.754.1985 too. > > > > > > (RFC 5575 seems to claim to be using the actual binary floating-point > > > encoding.) > > > > > > > we don't use the binary > > > > > floating-point encoding but rather a string one for YANG decimal64 > > > > > - I think that RFC 8499 (dnsop-terminology-bis) can wholly supersede > our > > > > > usage of RFC 1983, so the 1983 cite can be dropped as well > > > > > > > > [Med] Done. > > > > > > > > > - draft-ietf-dots-requirements (for terminology), > > > > > > > > [Med] For this one, we are following the same approach as for other > > > terminology documents (e.g., RFC8340) that are listed as informative. I > > > prefer to leave it as informative for now. > > > > > > Okay, we can see if anyone else complains. > > > > > > > RFC 7950, and RFC 8259 > > > > > > > > [Med] OK for these two. > > > > > > > > > should probably all move to the normative section > > > > > > > > > > Section 1 > > > > > > > > > > The sub-bullet point about "If a network resource ... informs its > > > servicing > > > > > DOTS gateway of all suspect IP addresses that need to be drop- or > > > > > accept-listed ..." made me wonder if that was more of a signal- > channel > > > > > activity or a data-channel one. Perhaps this is just a matter of the > > > text > > > > > not being as clear as it could be. > > > > > > > > [Med] The point is that a client is not sure that an attack is active > and > > > targeting the client domain but it wants to enforce some preventive > actions > > > during an investigation period. For example, this can be triggered by an > > > administrator who is informed that an attack is currently targeting other > > > networks, but its network is likely to be subject to that attack too. > Other > > > preventive actions which require further investigation may be considered. > > > > > > > > I changed the text as follows: > > > > > > > > OLD: > > > > detects a potential DDoS attack from > > > > > > > > NEW > > > > is informed about a potential DDoS attack from > > > > > > > > (I also wonder if we should say > > > > > "further investigation" since we don't really have an automated way > to > > > > > indicate that yet.) > > > > > > On further reflection, would "further manual investigation" be > appropriate? > > > > [Med] No assumption is made how that investigation is made. I prefer to > leave the text as it. > > OK > > > > > > > > > Section 2 > > > > > > > > > > When we talk about tree diagrams, should we also say something like > "Note > > > > > that the full module's tree has been split across several figures to > aid > > > > > the exposition of the various sub-trees"? > > > > > > > > [Med] Done. Thanks. > > > > > > > > > > > > > > Section 3.1 > > > > > > > > > > When we talk about using GET to retrieve running configuration, do we > > > want > > > > > to note that since the data channel can fail during attack time, it's > > > > > expected to be common to perform such a GET before attempting to make > > > > > modifications to configuration? > > > > > > > > [Med] The data channel is supposed to be invoked when no attack is > ongoing. > > > Normal RESTCONF operations are therefore followed. I don't see the need > to > > > add a note. > > > > > > I always have to consider edge cases in my IESG reviews -- what happens > if > > > an attack starts after the request is sent but before the response is > > > received? > > > > [Med] The dots client will know if its request is successfully delivered. > When an attack is ongoing, the dots client should not use it data channel > because it is likely to be perturbed. > > (There was some further discussion with Med and Tiru but I seem to have > lost track of the resolution.) [Med] The conclusion is that how the client syncs with the server is implementation-specific. An implementation note may be added. > > > > > > > > > > > > > > A DOTS client registers itself to its DOTS server(s) in order to > set > > > > > up DOTS data channel-related configuration data and receive state > > > > > data (i.e., non-configuration data) from the DOTS server(s) > > > > > (Section 5). Mutual authentication and coupling of signal and > data > > > > > channels are specified in [I-D.ietf-dots-signal-channel]. > > > > > > > > > > I think we should split the "mutual authentication" and "coupling of > > > signal > > > > > and data channels" into their own sentence, and flesh them out > slightly > > > > > more. So, section references to Sections 8 and 4.4.1, respectively, > the > > > > > usage of TLS client certificates, the coupling of channels via the > > > client's > > > > > identity ('cuid' and 'cdid'), etc. > > > > > > > > [Med] Done. > > > > > > > > > > > > > > A TLS heartbeat [RFC6520] verifies > > > > > that the DOTS server still has TLS state by returning a TLS > message. > > > > > > > > > > I expect this will get some pointed comments during IETF LC, given > the > > > > > recent-ish IETF-wide discussions about heartbeats/keepalives in > general. > > > > > Is there perhaps a RESTCONF-level probe message that could be used to > > > check > > > > > liveliness; a capabilities query perhaps? > > > > > > > > [Med] There is no such mechanism. The approach in the data channel > draft is > > > aligned with RFC8071 for keepalives. > > > > > > I guess we'll just have to wait to see what kind of comments we get, > then. > > > (Thanks for the pointer to 8071.) > > > > > > > > > > > > > A DOTS server may detect conflicting filtering requests from > distinct > > > > > DOTS clients which belong to the same domain. For example, a DOTS > > > > > client could request to drop-list a prefix by specifying the > source > > > > > prefix, while another DOTS client could request to accept-list > that > > > > > same source prefix, but both having the same destination prefix. > It > > > > > is out of scope of this specification to recommend the behavior to > > > > > follow for handling conflicting requests (e.g., reject all, reject > > > > > the new request, notify an administrator for validation). DOTS > > > > > servers SHOULD support a configuration parameter to indicate the > > > > > behavior to follow when a conflict is detected. Section 7.2 > > > > > specifies the behavior when no instruction is supplied to a DOTS > > > > > server. > > > > > > > > > > I'm a bit confused by the "out of scope of this specification to > > > recommend > > > > > the behavior to follow for handling conflicting requests", since not > only > > > > > does the last sentence of the paragraph give a pointer to a specified > > > > > behavior in case of conflicts, but we also mention it in a couple > other > > > > > places (e.g., the bottom of page 43). > > > > > > > > [Med] The specified behavior is a default behavior, not a recommended > one. > > > > > > In effect a default is a recommendation, though -- a recommendation for > > > what to do if you don't know any better. Perhaps "it is out of scope of > > > this specification to provide guidance on how conflicting requests may be > > > safely handled, with the default behavior being to reject such requests"? > > > > [Med] I went for this updated text: > > > > DOTS servers SHOULD support a configuration parameter to indicate the > > behavior to follow when a conflict is detected (e.g., reject all, > > reject the new request, notify an administrator for validation). > > Section 7.2 specifies a default behavior when no instruction is > > supplied to a DOTS server. > > Works for me. > > > > > > > > I update this text: > > > > > > > > If the request is conflicting with an existing filtering installed > by > > > > another DOTS client of the domain, and absent any local policy, the > > > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > > > > > That helps (maybe the "and" is not even needed?). Do you want to do a > > > sweep for other places where the text talks about 409 responses? > > > > [Med] OK. > > > > > > > > > DOTS server returns "409 Conflict" status-line to the requesting > DOTS > > > > client. The error-tag "resource-denied" is used in this case. > > > > > > > > > > > > > > Also in that paragraph, it's unclear that a 2119 SHOULD is > appropriate > > > for > > > > > "support a configuration parameter"; there's no interoperability > > > > > considerations for having or not having such a configuration knob. > > > > > > > > [Med] This is important for interoperability (or at least for ensuring > a > > > deterministic behavior). E.g., during service subscription a technical > clause > > > may be negotiated out of band how to deal with conflicts from clients of > the > > > same domain. > > > > > > It seems that the default behavior of disallowing conflicts would always > be > > > interoperable, but I'm happy to leave this as-is for now. > > > > > > > > > > > > > Section 3.3 NAT Considerations have "high overlap" with the > > > > > text at the end of the signal-channel's "Design Overview". At a > minimum > > > we > > > > > should diff them and enforce convergence, but do we want to consider > just > > > > > having one refer to the other? > > > > > > > > [Med] Makes sense. Section 3.3 is now deleted and replaced with this > NEW > > > text: > > > > > > > > NAT considerations for the DOTS data channel are similar to those > > > > discussed in Section 3 of [I-D.ietf-dots-signal-channel]. > > > > > > Cool, thanks. > > > > > > > > > > > > > Section 3.5 > > > > > > > > > > I had to read up on RESTCONF and NETCONF while reviewing this, but > from > > > > > what I've seen so far, the "error-severity" field is only present in > > > > > NETCONF and not RESTCONF. If so, then we shouldn't need to talk > about it > > > > > here, since we use RESTCONF exclusively. I also couldn't find > whether > > > > > there's a registry that we should add the "loop-detected" error-tag > to. > > > > > Can anyone here help me out? > > > > > > > > > > > > > [Med] We used the template in > https://tools.ietf.org/html/rfc6241#appendix- > > > A because the errors in 8040 are the ones imported from there. > > > > > > Thanks for the pointer. It sounds like I'll need to ask around about > this > > > one. > > > > [Med] I checked this with Martin Bjorklund. He confirmed that the error > list in 6241 is fixed in the protocol version. He recommended to go with app- > tags. Our error will look like the following: > > > > OLD: > > error-tag: loop-detected > > error-type: transport, application > > error-severity: error > > error-info: <via-header> : A copy of the Via header when > > the loop was detected. > > Description: An infinite loop has been detected when forwarding > > a requests via a proxy. > > > > NEW: > > > > error-app-tag: loop-detected > > error-tag: operation-failed > > error-type: transport, application > > error-severity: error > > error-info: <via-header> : A copy of the Via header when > > the loop was detected. > > Description: An infinite loop has been detected when forwarding > > a requests via a proxy. > > Thanks! I will try to remember to solicit a YANG doctors review during > IETF LC if it does not get scheduled automagically. > > > > > > > > There is no registry for the errors; only a YANG module which is not > > > maintained by IANA. This is why no action is included in the IANA > section. > > > > > > > > > Section 4.2 > > > > > > > > > > Is there any plan/expectation for filtering/match rules for QUIC? It > is > > > > > probably premature to put anything in this document specifically, but > > > still > > > > > worth thinking about. > > > > > > > > [Med] Some of the existing fields can be already reused for QUIC (UDP, > port > > > number). There are few fields in the QUIC public header that are > available > > > (public flags, CID, version). A match on the first N bytes of the UDP > payload > > > can be considered but I do think this is not mature enough. > > > > > > > > The key point is that our module is extensible. > > > > > > Indeed. > > > > > > > > > > > > > The order in which the leaves appear in the "capabilities/ipv6" and > > > > > "capabilities/tcp" subtrees do not match the order they appear in the > ACL > > > > > subtree itself; it would be good to keep the order consistent. > > > > > > > > [Med] Fixed. > > > > > > > > FWIW, the order in capabilities/* follows the order of the fields as > they > > > appear in the header. We don't have a control on the ACL order because we > are > > > reusing an external module. > > > > > > Ah, good to know. > > > > > > > > > > > > > We don't really say much about what the semantis of the "port-range" > > > > > capabilities are; is that supposed to indicate any port-matching > ability > > > at > > > > > all, or specifically the low-to-high range matching, or also the > > > "operator" > > > > > options? > > > > > > > > [Med] Updated as follows: > > > > > > > > OLD: > > > > "Support of filtering based on a port range."; > > > > > > > > NEW: > > > > > > > > "Support of filtering based on a port range. > > > > > > > > This includes filtering based on a source port range, > > > > destination port range, or both. All operators > > > > (i.e, less than or equal, greater than or equal, equal > to, > > > > and not equal to) are supported."; > > > > > > Thanks! > > > > > > > > > > > > > Section 4.3 > > > > > > > > > > We define an "operator" typedef that is rather different from that > from > > > > > netmod-acl-model. Do we want to use a different name to aid > > > > > disambiguation? ("bitmask-operator" comes to mind as an option.) > > > > > > > > [Med] It is not recommended in yang to use prefixes to disambiguate > nodes. > > > The disambiguation is ensured by the context/position in the tree. For > > > example, this is why we are using name and not acl-name or ace-name, etc. > I > > > will leave the text as it is. > > > > > > For names this makes natural sense to me, but this question is about a > > > typedef. I have less clear of a picture for how typedefs are or are not > > > namespaced (is it just per-module?). > > > > > > > [Med] They are namespaced. For example: > > > > type operator; > > > > is about the operator defined in the module itself. But, if we use: > > > > type packet-fields:operator; > > > > this means the operator is the one imported from ietf-packet-fields. > > Ah, thanks for the YANG lesson. > > > > > > > > > > > > > typedef fragment-type { > > > > > type bits { > > > > > bit df { > > > > > position 0; > > > > > description > > > > > "Don't fragment bit for IPv4. > > > > > This bit must be set to 0 for IPv6."; > > > > > > > > > > Set to zero by whom? What should the receiver do if it is set > otherwise? > > > > > > > > > > > > > [Med] In IPv6, fragmentation is only done by the source. Hence, this > value > > > for IPv6. A fragment-type with the first bit set will be discarded by the > > > server. > > > > > > I was looking for a few more words in the text, like "must be set to 0 > when > > > it appears in an IPv6 filter". > > > > [Med] OK. > > > > > > > > > > What are the semantics if (either or both of target-fqdn and target- > uri) > > > > > and target-prefix are specified? (I suppose maybe this could be > covered > > > in > > > > > Section 6.1 when we say that at least one is required in ACL-creation > > > > > requests.) > > > > > > > > [Med] The resulting IP prefixes/addresses will be bound to the alias. > Added > > > the following in Section 6.1: > > > > > > > > If more target-* clauses (e.g., 'target-prefix' and 'target-fqdn') > > > > are included in a POST or PUT request, the DOTS server binds all > > > > resulting IP addresses/prefixes to the same resource. > > > > > > > > > > > > > > The units for the "rate-limit" node should be specified in the YANG > > > module > > > > > and not in the description of how to install filtering rules. > > > > > > > > [Med] Added "units" to the YANG module. > > > > > > > > > > > > > > list dots-client { > > > > > key "cuid"; > > > > > description > > > > > "List of DOTS clients."; > > > > > leaf cuid { > > > > > type string; > > > > > description > > > > > "A unique identifier that is randomly generated by > > > > > a DOTS client to prevent request collisions."; > > > > > > > > > > I don't think "randomly generated" is really correct here. > > > > > > > > [Med] Changed to: > > > > > > > > "A unique identifier that is generated by a DOTS client > > > > to prevent request collisions."; > > > > > > > > > > > > > > The "capabilities/icmp/rest-of-header" description should be more > clear > > > > > that (per draft-ietf-netmod-acl-model) it is supposed to match both > the > > > > > ICMP four-byte field and the ICMPv6 message body. > > > > > > > > [Med] OK. > > > > > > > > > > > > > > Section 5.1 > > > > > > > > > > It may be worth reiterating that (per the signal-channel doc) > gateways > > > may > > > > > rewrite the 'cuid'. > > > > > > > > [Med] OK: > > > > > > > > As a reminder, DOTS gateways may rewrite the 'cuid' used by peer > DOTS > > > > clients (Section 4.4.1 of [I-D.ietf-dots-signal-channel]). > > > > > > > > > > > > > > When POST is used to create a dots-client resource, how does the > client > > > > > know the path of the created resource (to be used for subsequent > RESTCONF > > > > > requests)? (I assume it is supposed to just use the submitted > 'cuid', > > > but > > > > > we need to explicitly say this. This also seems to render much of > the > > > > > distinction between POST and PUT moot, for our usage, though I do not > > > > > propose any change to the text.) > > > > > > > > [Med] The procedure to determine the root path is recalled in Section > 3.1, > > > then normal RESTCONF operation is followed. > > > > > > > > > > > > > > The DOTS gateway, that inserted a 'cdid' in a PUT request, MUST > strip > > > > > the 'cdid' parameter in the corresponding response before > forwarding > > > > > the response to the DOTS client. > > > > > > > > > > Why does this apply only to PUT and not POST? > > > > > > > > [Med] Because RFC8040 says the following: > > > > > > > > If the POST method succeeds, a "201 Created" status-line is returned > > > > and there is no response message-body. > > > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > > > > > Whoops, I clearly missed that part. Thanks for calling it out. > > > > > > > > > > > > > Section 6.1 > > > > > > > > > > DOTS clients within the same domain can create different aliases > for > > > > > the same resource. > > > > > > > > > > My reading of this text is that client A can create alias "foo" for > IP > > > > > prefix 128.0.1.5/31 and clinet B can create alias "bar" for the same > IP > > > > > prefix, and that DOTS supports that process. (Just to confirm that > the > > > > > text is saying what it's intended to.) > > > > > > > > [Med] Yes. > > > > > > > > I do wonder if we want to say > > > > > something about whether alias names need only be unique per 'cuid' or > in > > > > > some more global fashion. (Having a global uniqueness property is > > > perhaps > > > > > convenient in order to interface with non-DOTS mechanisms for > querying > > > > > aliases, or for the DOTS server to interact with network filtering > > > > > appliances.) > > > > > > > > [Med] The specification does require uniqueness per cuid: > > > > > > > > | +--rw aliases > > > > | | +--rw alias* [name] > > > > | | +--rw name string > > > > > > > > We don't have a requirement for uniqueness per domain or globally. > > > > > > > > If such requirement arise, the semantic/logic for creating those > aliases > > > can be handled out of band. > > > > > > Ok. > > > > > > > > > > > > > Figure 16 puts double-quotes around "string" in the pseudo-schema, > which > > > > > feels weird to me. > > > > > > > > [Med] This is also what we have done for other figures , e.g., 11. The > > > intent is to use a scheme-like message body while trying to preserve JSON > > > compliance. > > > > > > > > > > > > > > target-fqdn: A list of Fully Qualified Domain Names (FQDNs). An > > > > > FQDN is the full name of a resource, rather than just its > > > > > hostname. For example, "venera" is a hostname, and > > > > > "venera.isi.edu" is an FQDN [RFC1983]. Refer to > > > > > [I-D.ietf-dnsop-terminology-bis] for more details. > > > > > > > > > > I don't think this text is particularly well-aligned with RFC 8499 > and > > > > > would suggest trimming it substantially and just pointing to that > RFC. > > > > > > > > [Med] Done. > > > > > > > > > > > > > > If the request is missing a mandatory attribute or its contains an > > > > > invalid or unknown parameter, "400 Bad Request" status-line MUST > be > > > > > returned by the DOTS server. The error-tag is set to "missing- > > > > > attribute", "invalid-value", or "unknown-element" as a function of > > > > > the encountered error. > > > > > > > > > > This text seems to preclude any future extension that adds new error > > > tags; > > > > > is this intended? > > > > > > > > [Med] Those errors are only about the tree failure cases called in the > > > first sentence. > > > > > > > > > > > > > > Section 7.1 > > > > > > > > > > A DOTS client which issued a GET request to retrieve the filtering > > > > > capabilities supported by its DOTS server, SHOULD NOT request for > > > > > filtering actions that are not supported by that DOTS server. > > > > > > > > > > What is the server behavior if the client ignores this SHOULD NOT? > > > > > > > > [Med] This is covered by this text: > > > > > > > > If the request is missing a mandatory attribute or > > > > contains an invalid or unknown parameter (e.g., a match field not > > > > supported by the DOTS server), "400 Bad Request" status-line MUST be > > > > returned by the DOTS server in the response. > > > > > > sounds good. > > > > > > > > > > > > > Figure 23 shows an example of a response received from a DOTS > server > > > > > which only supports the mandatory filtering criteria listed in > > > > > Section 4.1. > > > > > > > > > > This seems inaccurate, as the mandatory filtering criteria exlude the > > > > > rate-limit among others. > > > > > > > > [Med] rate-limit is an action, not a filtering criteria. > > > > > > > > > > > > > > Section 7.2 > > > > > > > > > > activation-type: Indicates whether an ACL has to be activated > > > > > (immediately or during mitigation time) or instantiated without > > > > > being activated (deactivated). Deactivated ACLs can be > activated > > > > > using a variety of means such as manual configuration on a DOTS > > > > > server or using the DOTS data channel. > > > > > > > > > > Is this done by the data channel or the signal channel? > > > > > > > > [Med] Yes, but this is not supported in the base signal-channel spec. > This > > > is the done using the filtering control feature (draft-nishizuka-dots- > signal- > > > control-filtering). This is why signal channel is not listed after "such > as". > > > > > > Okay. (I was literally just wondering if this was a typo.) > > > > > > > > > > > > > If this attribute is not provided, the DOTS server MUST use > > > > > 'activate-when-mitigating' as default value. > > > > > > > > > > Why do we specify default values here instead of in the YANG module? > > > > > > > > [Med] There is no default statement for enumeration. To solve this, a > new > > > type is defined in the module (activation-type). This type is then used > for > > > the activation-type leaf with a default value set to activate-when- > > > mitigating. > > > > > > That's a clever workaround! > > > > > > > The change in tree diagram is (no need to insert the code here): > > > > > > > > OLD: > > > > | +--rw activation-type? Enumeration > > > > > > > > NEW: > > > > | +--rw activation-type? activation-type > > > > > > > > > > > > > > > > > > Filters that are activated only when a mitigation is in > progress > > > > > MUST be bound to the DOTS client which created the filtering > rule. > > > > > > > > > > Other filters do not need to be bound to the DOTS client that created > > > them? > > > > > > > > [Med] They are...but those filters are already enforced because they > are > > > immediate. > > > > > > The wording here is still weird, though -- by calling out the > > > delayed-activation filters it implies that immediate-activation filters > are > > > excluded from the statement, but we know that immediate-activation > filters > > > also have the same property. So I'm not entirely sure exactly what > > > information this sentence is intended to call out. > > > > [Med] When a mitigation is in progress, only the filters bound to the > client which triggered the mitigation have to be activated. 'activate-when- > mitigating' filters of other clients of the same domain should not be > activated: > > > > I changed the text as follows: > > > > OLD: > > Filters that are activated only when a mitigation is in progress > > MUST be bound to the DOTS client which created the filtering rule. > > > > NEW: > > When a mitigation is in progress, the DOTS server MUST only > > activate 'activate-when-mitigating' filters that are bound to the > > DOTS client which triggered the mitigation. > > That looks great; thanks. > > -Ben > > > > > > > > > Wouldn't we still want to remove them when the dots-client resource > in > > > > > question is deleted? > > > > > > > > [Med] This is supposed to be done by the client itself. For amnesiac > > > clients, we do have the following: > > > > > > Oh. I think I was remembering Section 5.2's "resources bound to this > DOTS > > > client will be deleted by the DOTS server" and assuming it applies to the > > > filters associated with that client. > > > > > > > In order to avoid stale entries, a lifetime is associated with alias > > > > and filtering entries created by DOTS clients. Also, DOTS servers > > > > may track the inactivity timeout of DOTS clients to detect stale > > > > entries. > > > > > > This is probably enough to ensure safe operation without the above, > though, > > > hmm... > > > > > > > > > > > > > destination-ipv4-network: The destination IPv4 prefix. DOTS > servers > > > > > [...] > > > > > This is a mandatory attribute in requests with an 'activation- > > > > > type' set to 'immediate'. > > > > > > > > > > I somehow thought there were YANG attributes that could indicate this > > > > > conditional requirement in the module itself, though I am hardly a > YANG > > > > > expert. > > > > > > > > [Med] We are reusing fields from ietf-netmod-acl, it is not easy to > > > manipulate the fields as we would want. > > > > > > Okay. > > > > > > > > > > > > > The error-tag is set > to > > > > > "missing-attribute", "invalid-value", or "unknown-element" as a > > > > > function of the encountered error. > > > > > > > > > > Same comment as above about (non-)extensibility. > > > > > > > > [Med] Idem as above. > > > > > > > > > > > > > > Section 7.3 > > > > > > > > > > I see that the "test-acl-*" and "test-ace-*" acl and ace objects in > these > > > > > examples do in fact use different names for the semantically > different > > > > > objects, but perhaps we could help the reader's eye and use strings > with > > > a > > > > > larger Hamming distance? (I thought they were all the same on my > first > > > > > read.) > > > > > > > > [Med] Fixed. > > > > > > > > > > > > > > (I also am a little confused at why the "ace" "name" field is > considered > > > a > > > > > non-config field, in Figure 31, but this seems more likely to be my > > > > > confusion than an error in the document.) > > > > > > > > [Med] This is because the name is the key of the ace list. > > > > > > > > RFC8040 says the following: > > > > > > > > To retrieve only the non-configuration child resources, the > "content" > > > > parameter is set to "nonconfig". Note that configuration ancestors > > > > (if any) and list key leafs (if any) are also returned. > > > > > > Thanks for the pointer. > > > > > > > > > > > > > Section 8 > > > > > > > > > > o DOTS server MUST NOT enable both DOTS data channel and direct > > > > > configuration to avoid race conditions and inconsistent > > > > > configurations arising from simultaneous updates from multiple > > > > > sources. > > > > > > > > > > o DOTS agents SHOULD enable DOTS data channel to configure > aliases > > > > > and ACLs, and only use direct configuration as a stop-gap > > > > > mechanism to test DOTS signal channel with aliases and ACLs. > > > > > Further, direct configuration SHOULD only be used when the on- > path > > > > > DOTS agents are within the same domain. > > > > > > > > > > Doesn't all this discussion of "direct configuration" conflict with > the > > > > > "MUST NOT" in the first bullet point? > > > > > > > > [Med] The second bullet is about controlled testing of the *signal > channel* > > > with aliases/acls communicated by the data channel. > > > > > > Whoops, my misread. > > > > > > > > > > > > > Section 10 > > > > > > > > > > Generally with the security considerations template for YANG modules, > we > > > > > need to list out all the nodes considered sensitive and the > consequences > > > of > > > > > writing(/reading) each one in turn. > > > > > > > > > > > > > [Med] The text does already call out those that are specific to this > > > document. For other nodes, we do have this text: > > > > > > > > "YANG ACL-specific security > > > > considerations are discussed in [I-D.ietf-netmod-acl-model]." > > > > > > > > I think we are OK. > > > > > > I would suggest adding a new sentence in the "All data nodes defined" > > > paragraph about "This module reuses YANG structures from > > > [I-D.ietf-netmod-acl-model], and the security considerations for those > > > nodes continue to apply for this usage.", since that text is at the other > > > end of the section and it's otherwise hard to make a linkage between > them. > > > > > > > [Med] OK. > > > > > Thanks, > > > > > > Ben
- [Dots] AD review of draft-ietf-dots-data-channel-… Benjamin Kaduk
- Re: [Dots] AD review of draft-ietf-dots-data-chan… Roman Danyliw
- Re: [Dots] AD review of draft-ietf-dots-data-chan… Benjamin Kaduk
- Re: [Dots] AD review of draft-ietf-dots-data-chan… mohamed.boucadair
- Re: [Dots] AD review of draft-ietf-dots-data-chan… mohamed.boucadair
- Re: [Dots] AD review of draft-ietf-dots-data-chan… Benjamin Kaduk
- Re: [Dots] AD review of draft-ietf-dots-data-chan… mohamed.boucadair
- Re: [Dots] AD review of draft-ietf-dots-data-chan… Konda, Tirumaleswar Reddy
- Re: [Dots] AD review of draft-ietf-dots-data-chan… Konda, Tirumaleswar Reddy
- Re: [Dots] AD review of draft-ietf-dots-data-chan… mohamed.boucadair
- Re: [Dots] AD review of draft-ietf-dots-data-chan… Benjamin Kaduk
- Re: [Dots] AD review of draft-ietf-dots-data-chan… mohamed.boucadair
- Re: [Dots] AD review of draft-ietf-dots-data-chan… mohamed.boucadair
- Re: [Dots] AD review of draft-ietf-dots-data-chan… Benjamin Kaduk
- Re: [Dots] AD review of draft-ietf-dots-data-chan… Konda, Tirumaleswar Reddy
- Re: [Dots] AD review of draft-ietf-dots-data-chan… mohamed.boucadair
- Re: [Dots] AD review of draft-ietf-dots-data-chan… Benjamin Kaduk
- Re: [Dots] AD review of draft-ietf-dots-data-chan… mohamed.boucadair
- Re: [Dots] AD review of draft-ietf-dots-data-chan… mohamed.boucadair
- Re: [Dots] AD review of draft-ietf-dots-data-chan… Konda, Tirumaleswar Reddy
- Re: [Dots] AD review of draft-ietf-dots-data-chan… mohamed.boucadair
- Re: [Dots] AD review of draft-ietf-dots-data-chan… Konda, Tirumaleswar Reddy