IETF Logo Mail Archive

Re: [Dots] some nits and comments about draft-dots-signal-channel-23:

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Tue, 28 August 2018 13:25 UTC

Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B850130EBA; Tue, 28 Aug 2018 06:25:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.309
X-Spam-Level:
X-Spam-Status: No, score=-4.309 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pRBh3-xiH3a6; Tue, 28 Aug 2018 06:25:12 -0700 (PDT)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D53D130E74; Tue, 28 Aug 2018 06:25:12 -0700 (PDT)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1535462722; h=From: To:CC:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-microsoft-exchange-diagnostics: x-ms-exchange-antispam-srfa-diagnostics:x-ms-office365-filtering-correlation-id: x-microsoft-antispam:x-ms-traffictypediagnostic: x-microsoft-antispam-prvs:x-exchange-antispam-report-test: x-ms-exchange-senderadcheck:x-exchange-antispam-report-cfa-test: x-forefront-prvs:x-forefront-antispam-report: received-spf:x-microsoft-antispam-message-info: spamdiagnosticoutput:spamdiagnosticmetadata: Content-Type:MIME-Version:X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Threshold: X-NAI-Spam-Score:X-NAI-Spam-Version; bh=W y08qkD2J38eJyervkHn2thv3HnIJALwKULmeBftCw o=; b=XCfMMcRPMOHEqPpl69LEo4UPm5IVP+ORcMHQ7nSZqkyZ hLv56K5H1T9YueUm1t42ajOKgWFOz2keal0wnwBGlhDSl4fKzS D1YYW9Qe0oTygOnx9NFzoDMFtt73ZoYygRW/CarficxLEQc5lk h49MqncmACTXEAaKPIhx4vMC/MI=
Received: from DNVEXAPP1N06.corpzone.internalzone.com (unknown [10.44.48.90]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 3126_6c3a_a4015606_8e03_4d5a_b823_97f93d437a25; Tue, 28 Aug 2018 08:25:21 -0500
Received: from DNVEXUSR1N08.corpzone.internalzone.com (10.44.48.81) by DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Tue, 28 Aug 2018 07:24:28 -0600
Received: from DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) by DNVEXUSR1N08.corpzone.internalzone.com (10.44.48.81) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Tue, 28 Aug 2018 07:24:26 -0600
Received: from DNVO365EDGE2.corpzone.internalzone.com (10.44.176.74) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1347.2 via Frontend Transport; Tue, 28 Aug 2018 07:24:26 -0600
Received: from NAM05-DM3-obe.outbound.protection.outlook.com (10.44.176.243) by edge.mcafee.com (10.44.176.74) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Tue, 28 Aug 2018 07:24:25 -0600
Received: from BN6PR16MB1425.namprd16.prod.outlook.com (10.172.207.19) by BN6PR16MB1377.namprd16.prod.outlook.com (10.172.207.7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1080.17; Tue, 28 Aug 2018 13:24:22 +0000
Received: from BN6PR16MB1425.namprd16.prod.outlook.com ([fe80::70b9:d1c3:ceda:596]) by BN6PR16MB1425.namprd16.prod.outlook.com ([fe80::70b9:d1c3:ceda:596%4]) with mapi id 15.20.1080.015; Tue, 28 Aug 2018 13:24:22 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "Xialiang (Frank, Network Integration Technology Research Dept)" <frank.xialiang@huawei.com>, "draft-ietf-dots-signal-channel.authors@ietf.org" <draft-ietf-dots-signal-channel.authors@ietf.org>
CC: "dots@ietf.org" <dots@ietf.org>
Thread-Topic: some nits and comments about draft-dots-signal-channel-23:
Thread-Index: AdQ7fkPcZXaZ/b/SQr2JzmmZxhn5iAADTsyAALlvKeAACZzwUA==
Date: Tue, 28 Aug 2018 13:24:22 +0000
Message-ID: <BN6PR16MB1425DDE9F8C3F75A8F798222EA0A0@BN6PR16MB1425.namprd16.prod.outlook.com>
References: <C02846B1344F344EB4FAA6FA7AF481F12C851E42@dggemm511-mbs.china.huawei.com> <BN6PR16MB14254170346ECA688FB485D0EA350@BN6PR16MB1425.namprd16.prod.outlook.com> <C02846B1344F344EB4FAA6FA7AF481F12C855E79@dggemm511-mbx.china.huawei.com>
In-Reply-To: <C02846B1344F344EB4FAA6FA7AF481F12C855E79@dggemm511-mbx.china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.0.500.52
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [185.221.69.47]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN6PR16MB1377; 6:7NrMRd3k61sP2hV45ReiUm2nDJFIKoCn35C65FZykzHWh8UTSxi2SmUoNDLXd9JFO44qhPEXPI34i0YgZTKhKTk4SRYJHUfW2ULzTFk6PKH4KGIjIKjArz0ZwUw6DAx8mwXphMDzlDuNm9QzJ/u6Fm0MGsq696RBPwiZef0BYunSPr7ti5FBlIwHSw3YY8desYlBjAiXDZ7yf8X9/ywbPL0FFEOWUstlZr8UF+8+ZmVygu6UvESVztbzpOceBVsCAaOhjBEAPA91gMXFNArpu9FDD/vJdk/XavBDX6YY6VW/lUnsIgi+bDDQYFLhNBDmh9NhqdK8XyzjSxwgytxceTYIuGRIWDgnz1oNYIrAmDDJ5mOud91oaG9AkX/ZLXRhrOgRH0tqRICW6PojCStojvU02AEQ/FydGcXRJGXhzrHlf6F33KiKUgNfIVrsi64uA4O92+p+oiTFKDTVbQQlgQ==; 5:jvB1YRSDOp2Jjq0QPumtja4ErEGyx9+YaGaGtVG1+jdr/hSjWvqV6S5vHgDPJEHmHflqrglsiCj1uDP/lx9WyDDbTM0rKKRNMD3QRCHy9jhHwGfc4ih9J7oAZJ1bMYiPobsl4xDLqOTxIS499IG2c8MIV1sHgL31W7rD0r0FitY=; 7:kcQKSTYq7TwajutATpgOHuS/6MyUZJ2g/TJXwePkD6YLDdthhshyzR6KhcRZVKCkEHN9UBu0Q9dAd9M0AT3FxZvSuwMoF+VVkK96gM5B+krFAMkFVTLArVCgSbc/ozXhsYAofn5sPmBNMkKAdlcnmGRpzBZPUD1OqFIvQuYYfPGUcipKuKe1Xsin7DdVM6PvcdBBg6rtS32dtPNzjr6yUdSgxOrmMH/X7/EhAEAqtQ4U9/COGkc+m0OWXCB6skeA
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 49036e40-4b77-46a3-8aac-08d60ce991a5
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989137)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600074)(711020)(2017052603328)(7153060)(7193020); SRVR:BN6PR16MB1377;
x-ms-traffictypediagnostic: BN6PR16MB1377:
x-microsoft-antispam-prvs: <BN6PR16MB1377A8185F96F24196F07E3DEA0A0@BN6PR16MB1377.namprd16.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(158342451672863)(192374486261705)(50582790962513)(788757137089)(21748063052155)(123452027830198);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(3231311)(944501410)(52105095)(10201501046)(3002001)(93006095)(93001095)(149027)(150027)(6041310)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(20161123564045)(20161123562045)(201708071742011)(7699016); SRVR:BN6PR16MB1377; BCL:0; PCL:0; RULEID:; SRVR:BN6PR16MB1377;
x-forefront-prvs: 077884B8B5
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(396003)(346002)(136003)(366004)(39860400002)(199004)(189003)(32952001)(53936002)(14444005)(5024004)(99286004)(236005)(5660300001)(476003)(102836004)(229853002)(6306002)(54896002)(9686003)(110136005)(316002)(6436002)(486006)(446003)(11346002)(478600001)(966005)(55016002)(72206003)(53546011)(53946003)(256004)(186003)(7696005)(106356001)(6506007)(33656002)(14454004)(26005)(105586002)(606006)(76176011)(86362001)(68736007)(8936002)(9326002)(66066001)(5250100002)(80792005)(6246003)(2501003)(81156014)(2906002)(97736004)(4326008)(25786009)(81166006)(8676002)(7736002)(74316002)(6116002)(790700001)(3846002)(2900100001)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:BN6PR16MB1377; H:BN6PR16MB1425.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: zj1GJAgiq87ia7qL9svoF4Si8tJzv3yod4WqO1sMdaiyTXyG9DzO1R9/ptAkWuS7QSoDucCZXCLrAwlAuDtAIbzrkgUfIh2B1Ebj2iMuQzQOeM6WjGvRdsWsDuf5BspMjg1NRkmnCkQF17chtP7R7WTU2K9Gnnf7A1VqLTEHp4YrtdS/JOKZbc9jctcAIf7ZnGpp0qUdahY8+KlH0MijjyOQ/yc2aiHaZ7OE9m9iqwUu3gSQ1DywfcRb67NUTeW3zM0JAuDL9oDwkHOutb40h+jycIOy/HU9l0Kx8BwZg0o+vxeVPGapdNjFiRSVox/03tGjSrbHHzsytrlxSYgNSsp+oHPkZGJTScggIEu0eU0=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BN6PR16MB1425DDE9F8C3F75A8F798222EA0A0BN6PR16MB1425namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 49036e40-4b77-46a3-8aac-08d60ce991a5
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Aug 2018 13:24:22.9181 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR16MB1377
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0
X-NAI-Spam-Version: 2.3.0.9418 : core <6361> : inlines <6831> : streams <1796806> : uri <2697898>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/rorYocrrDlK397tDIDBUSfxivpw>
Subject: Re: [Dots] some nits and comments about draft-dots-signal-channel-23:
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Aug 2018 13:25:15 -0000

Hi Frank,

Please see inline [TR2]

From: Dots <dots-bounces@ietf.org> On Behalf Of Xialiang (Frank, Network Integration Technology Research Dept)
Sent: Tuesday, August 28, 2018 7:29 AM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; draft-ietf-dots-signal-channel.authors@ietf.org
Cc: dots@ietf.org
Subject: [Dots] 答复: some nits and comments about draft-dots-signal-channel-23:


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.


________________________________
Hi Tiru,
Please see further comments inline:

发件人: Dots [mailto:dots-bounces@ietf.org] 代表 Konda, Tirumaleswar Reddy
发送时间: 2018年8月25日 22:32
收件人: Xialiang (Frank, Network Integration Technology Research Dept) <frank.xialiang@huawei.com<mailto:frank.xialiang@huawei.com>>; draft-ietf-dots-signal-channel.authors@ietf.org<mailto:draft-ietf-dots-signal-channel.authors@ietf.org>
抄送: dots@ietf.org<mailto:dots@ietf.org>
主题: Re: [Dots] some nits and comments about draft-dots-signal-channel-23:

Hi Frank,

Please see inline [TR]

From: Dots <dots-bounces@ietf.org<mailto:dots-bounces@ietf.org>> On Behalf Of Xialiang (Frank, Network Integration Technology Research Dept)
Sent: Friday, August 24, 2018 1:59 PM
To: draft-ietf-dots-signal-channel.authors@ietf.org<mailto:draft-ietf-dots-signal-channel.authors@ietf.org>
Cc: dots@ietf.org<mailto:dots@ietf.org>
Subject: [Dots] some nits and comments about draft-dots-signal-channel-23:


CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.


________________________________

Hi authors,
After once more careful review of this draft, I have the following nits and comments:

Nits:

1.       Last paragraph of section 1: /This is a companion document…/There is a companion document…/


[TR] The line looks correct, DOTS signal channel is a companion document of the DOTS data channel document.


2.       P13, the definition of cuid: /This is a mandatory Uri-Path./ This is a mandatory Uri-Path parameter./

[TR] Yes, will update.


3.       First paragraph in P16: / with indefinite lifetimes./ with indefinite lifetime./


[TR] The line looks correct, “lifetimes” is plural to refer to “mitigations”.



4.       P12: / Uri-Path: "version"/ Uri-Path: "v1"/


5.       P18: / cdid:  Stands for Client Domain IDentifier./ cdid:  Stands for Client Domain Identifier./

[TR] Yes, will fix 4 and 5.




6.       Last paragraph in P21: /The DOTS server couples the DOTS signal channel sessions using the DOTS client identity and optionally the ’cdid’ parameter value, and the DOTS server uses ’mid’ and ’cuid’ Uri-Path parameter values to detect duplicate mitigation requests./ The DOTS server differentiates the DOTS signal channel sessions using the DOTS client identity and optionally the ’cdid’ parameter value. for every DOTS signal channel session, the DOTS server uses ’mid’ Uri-Path parameter values to detect duplicate mitigation requests./

[TR] The above line is added to explain how the DOTS server couples DOTS signal channel sessions from the same DOTS client.
[Frank]: How many signal channel sessions can have between one DOTS client and DOTS server? I assume there only one.

[TR2] The DOTS client can create more than one DOTS signal channel session with the DOTS server, but the draft recommends the client to use a single channel. Please see the following snippet from the Security Considerations Section
<snip>
   A single DOTS signal channel between DOTS agents can be used to
   exchange multiple DOTS signal messages.  To reduce DOTS client and
   DOTS server workload, DOTS clients SHOULD re-use the (D)TLS session.
</snip>



7.       P22: /This version of the specification forbids ’cuid’ and ’cdid’ (if used) to be returned in a response./This version of the specification forbids ’cuid’ and ’cdid’ (if used) to be returned in a response message body./

[TR] Yes, will update.

Comments:

1.       Last paragraph of P6: only "coaps+tcp" URI scheme is used, no “coaps+udp”?

[TR] No, by default the “coaps” URI scheme defined in RFC7252 is for UDP.
[Frank]: So, do we still need “coaps” URL for the UDP transport?

[TR2] Yes, “coaps” means DTLS-secured CoAP messages exchanged over UDP, please see RFC7252.



2.       Please consider including these terminology in section 2: JSON, YANG, CBOR, DER, ASN, SPKI, PSK, SHA, CIDR, TCP, UDP, SCTP, DCCP, IANA, FQDN, URI, ...

[TR] I have not seen any recent RFC adding them to the Terminology. However, we will expand the all the abbreviations (currently only missing for JSON, DER, ASN and PSK).
[Frank]: ok.


3.       Last paragraph of P7: 3..xx Response Codes seems to be not used in this document, delete it?

[TR] Good catch, will delete.



4.       P50: "...time to live values in the CBOR body (Figure 22)", TTL values should not be in the CBOR message body.

[TR] Yes, will remove.



5.       P72: [I-D.ietf-tls-dtls13] should be replaced by [RFC8446]

[TR] No, DTLS 1.3 has not yet become a RFC (see https://tools.ietf.org/html/draft-ietf-tls-dtls13-28)



6.       cuid vs cdid:

1)       Will server-domain DOTS gateways replace the cuid with its own cuid as the new DOTS client?

[TR] No, gateways will not modify or replace cuid.
[Frank]: then, the source ‘cuid’ will reach the final DOTS server, why do we still need the define the ‘cdid’?

[TR2] ‘cdid’ identifies the DOTS client domain whereas ‘cuid’ the DOTS client identity.



2)       Will Server-domain DOTS gateways insert the new cdid to represent the source DOTS client ?

[TR] Yes, but to convey the source DOTS client domain identity.


3)       If the above points are right, I think the third paragraph in P18 is not very clear to clarify them and have space for tuning. And I also think there is a conflict between the 5th and 6th paragraph, since source DOTS clients cannot generate cdid, the DOTS server is impossible to ignore ‘cdid’ attributes that are directly supplied by source DOTS clients.

[TR] I did not get the above comment.



4)       P21: Is “the DOTS client identity” here the same as the ‘cuid’? or another id?

[TR] “DOTS client identity” is explained in page 26
<snip>
As a reminder, a DOTS client
   is identified by its identity (e.g., client certificate, 'cuid') and
   optionally the 'cdid'.
</snip>
[Frank]: so, you mean a “DOTS client identity” can be the client certificate, ‘cuid’ or ‘cdid’ depending on context? If you use this term in other place, how can I know which one it is?

[TR2] No, “DOTS client identity” is ‘cuid’ + ‘cdid’ (‘cdid’ may or may not be present in the mitigation request). The algorithm for generating ‘cuid’ and ‘cdid’ is discussed in the draft and
‘cuid’  can be generated from the DOTS client certificate.

Cheers,
-Tiru

Thanks!

B.R.
Frank

v2.23.0 | Report a Bug | By Email