Re: [Dots] Benjamin Kaduk's Yes on draft-ietf-dots-server-discovery-13: (with COMMENT)
mohamed.boucadair@orange.com Tue, 27 October 2020 07:25 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44E9D3A1618; Tue, 27 Oct 2020 00:25:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yZLVEfircQI2; Tue, 27 Oct 2020 00:25:08 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.70.36]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3DEEF3A1608; Tue, 27 Oct 2020 00:25:08 -0700 (PDT)
Received: from opfednr02.francetelecom.fr (unknown [xx.xx.xx.66]) by opfednr21.francetelecom.fr (ESMTP service) with ESMTP id 4CL3BV5lXDz5w1P; Tue, 27 Oct 2020 08:25:06 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1603783506; bh=vhjFFM9Kk8amOY3GEMNenfKn1FGTioLsJW4HK0/0U+U=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=bMyMoqDQS05iOek0utUP0q4e0ocy/MUC0QQMooMNkTrOdM3VNzNyE8Bw0njAV3cGi Dc/TNCubK/P+7uq5BfsJX29P1CSRgk546Tws4QdYA03g7D842UGM0BM74hc+VHUpQl yEntdFOVhFARQqMwI2pOIqVclh9zLH6khfEH8c5XAWzZ2iDLisZ38pvuvzWy7foyM6 pCW8ilAU6gi346DfX71pM25cFAJgaUiXw+6odXEZKP9DsMv1OJ1ZkpxZWtFrRY0kfU /Vc3N6pmGO+KWiR27pqvGWjHd2j8qDgTNNCPATGu5nVi3NUQ0zEaoFxvPyYDAxSyRN D/IHpzWh4MgZw==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.60]) by opfednr02.francetelecom.fr (ESMTP service) with ESMTP id 4CL3BV4x7bz8sYL; Tue, 27 Oct 2020 08:25:06 +0100 (CET)
From: mohamed.boucadair@orange.com
To: Benjamin Kaduk <kaduk@mit.edu>
CC: "draft-ietf-dots-server-discovery@ietf.org" <draft-ietf-dots-server-discovery@ietf.org>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>, "dots@ietf.org" <dots@ietf.org>, Valery Smyslov <valery@smyslov.net>
Thread-Topic: Benjamin Kaduk's Yes on draft-ietf-dots-server-discovery-13: (with COMMENT)
Thread-Index: AQHWrAXPdruIhyGMcEm9MD0LXQC416mrAGxw
Date: Tue, 27 Oct 2020 07:25:06 +0000
Message-ID: <30446_1603783506_5F97CB52_30446_33_1_787AE7BB302AE849A7480A190F8B9330315673E7@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <160376439800.28769.11555549483055573494@ietfa.amsl.com>
In-Reply-To: <160376439800.28769.11555549483055573494@ietfa.amsl.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.245]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/sjfXV5FM3vCDQ9B72NuUrhlfzqE>
Subject: Re: [Dots] Benjamin Kaduk's Yes on draft-ietf-dots-server-discovery-13: (with COMMENT)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Oct 2020 07:25:10 -0000
Hi Ben, An updated version is available at: https://tinyurl.com/dots-discovery-iesg Please see inline. Cheers, Med > -----Message d'origine----- > De : Benjamin Kaduk via Datatracker [mailto:noreply@ietf.org] > Envoyé : mardi 27 octobre 2020 03:07 > À : The IESG <iesg@ietf.org> > Cc : draft-ietf-dots-server-discovery@ietf.org; dots- > chairs@ietf.org; dots@ietf.org; Valery Smyslov <valery@smyslov.net>; > valery@smyslov.net > Objet : Benjamin Kaduk's Yes on draft-ietf-dots-server-discovery-13: > (with COMMENT) > > Benjamin Kaduk has entered the following ballot position for > draft-ietf-dots-server-discovery-13: Yes > > When responding, please keep the subject line intact and reply to > all email addresses included in the To and CC lines. (Feel free to > cut this introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss- > criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-dots-server-discovery/ > > > > -------------------------------------------------------------------- > -- > COMMENT: > -------------------------------------------------------------------- > -- > > Pulling in some follow-up from the directorate review comments... > > Section 3 > > o Resolving a DOTS server domain name offered by an upstream > transit > provider provisioned to a DOTS client into IP address(es) > requires > the use of the appropriate DNS resolvers; otherwise, resolving > those names will fail. The use of protocols such as DHCP does > allow associating provisioned DOTS server domain names with a > list > of DNS servers to be used for name resolution. Furthermore, > DHCP > allows directly provisioning IP addresses therefore avoiding > the > need for extra lookup delays. > > I wonder if using "providing" rather than "provisioning" for at > least the last instance would be more clear. [Med] Works for me. > > o A resolution mechanism based on straightforward Naming > Authority > Pointer (S-NAPTR) resource records in the Domain Name System > (DNS) > (Section 6). > > "Straightforward" needs to be capitalized here. [Med] Fixed. Thanks. > > Section 4 > > will support a local configuration. More samples are discussed > in > Section 3: > > nit: s/:/./ [Med] OK. > > Section 5 > > The list of the IP addresses returned by DHCP servers is > typically > used to feed the DOTS server selection procedure including when > DOTS > agents are provided with primary and backup IP addresses of their > peer DOTS agents. An example of DOTS server selection procedure > is > specified in Section 4.3 of [RFC8782]. > > The referenced section in 8782 is about the "happy eyeballs", i.e., > picking between TCP/UDP and IPv4/IPv6 -- it doesn't really seem > intended to cover the case where you have to pick betwen different > actual nodes. [Med] That text is about an example of address selection procedure (including between nodes: think about a dual stack host that receives both v4 and v6 config). It is useful as it refers (indirectly) to RFC6724 which allows for configuring a preference ... > > I'm also not sure how the "primary and backup" is intended to work, > here. Is the "provided with" referring to "by DHCP" or some out-of- > band configuration? [Med] ... I thought we had this already covered in the text, but it isn't. I added "The addresses are listed in the order of preference for use by the DOTS agent." so that a preference is signalled by the server to the a requesting DHCP client. The primary will be listed first. > > Section 8.1 > > configured name. If the DOTS agent is instructed to trust > subdomains > of the names in that list as well, a DOTS agent will also accept > a > DHCP-discovered name if the left-most label of the discovered > name is > matching a name in the pre-configured list. > > If the agent is configured to trust subdomains of the configured > list, then in the case where that configuration is relevant for the > attack, the left-most label will be the (part of the) subdomain > name, which is explicitly not matching the pre-configured list -- > the remaining bits are what match. > [Med] Changed the wording as follows: "If the DOTS agent is instructed to trust subdomains of the names in that list as well (e.g., "*.example.com"), a DOTS agent will accept a DHCP-discovered name that matches a name in the pre-configured list (e.g., "dots-1.example.com" or "dots-2.example.com")." _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
- [Dots] Benjamin Kaduk's Yes on draft-ietf-dots-se… Benjamin Kaduk via Datatracker
- Re: [Dots] Benjamin Kaduk's Yes on draft-ietf-dot… mohamed.boucadair
- Re: [Dots] Benjamin Kaduk's Yes on draft-ietf-dot… Benjamin Kaduk