Re: [Dots] Erik Kline's No Objection on draft-ietf-dots-rfc8782-bis-07: (with COMMENT)
mohamed.boucadair@orange.com Fri, 04 June 2021 07:21 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B34A3A2CF3; Fri, 4 Jun 2021 00:21:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.795
X-Spam-Level:
X-Spam-Status: No, score=-2.795 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4-SqeBorJ4_0; Fri, 4 Jun 2021 00:21:06 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.66.40]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23D633A2CF0; Fri, 4 Jun 2021 00:21:05 -0700 (PDT)
Received: from opfedar04.francetelecom.fr (unknown [xx.xx.xx.6]) by opfedar27.francetelecom.fr (ESMTP service) with ESMTP id 4FxDhH6W21z2xT5; Fri, 4 Jun 2021 09:21:03 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1622791263; bh=0nRAI9g2pXogVtK2EHkOmeDWzmIZTDZ7vkKLLmJ9XOQ=; h=From:To:Subject:Date:Message-ID:Content-Type:MIME-Version; b=kFSJzC4eo7jTKut2+FM5FLz+lIdhQAeNZPo51kcONg7IsoJ0Hs59ZhvGHXxBfhyJ1 J4T9UFfYt9Bq1+jPIQIisrPkBquweAWS89k/7Bpw+r0MhaxBNrmITBGUdU73F2fA2c OZ8cJ09UbVJJByDEvOBUuQB/AKvrDVMuk6CV8fMRawfFtk1a4SxQyo0mdU8d7zg2zw MsaH+UYcLVaXdpuqKfcdjXRS1xFZYbA+cIX6LVlNEtqDi2nDemISNgtbJ1vDCxhLwi JuCIaz8z5vvrCjEZASrN06tlVV1ulq+2WWyVkvityd7VGSjWCAfXkJtD8UeZqTr1rr 6QbgOE16VtgfQ==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.67]) by opfedar04.francetelecom.fr (ESMTP service) with ESMTP id 4FxDhH2tlGz1xp3; Fri, 4 Jun 2021 09:21:03 +0200 (CEST)
From: mohamed.boucadair@orange.com
To: Erik Kline <ek.ietf@gmail.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-dots-rfc8782-bis@ietf.org" <draft-ietf-dots-rfc8782-bis@ietf.org>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>, "dots@ietf.org" <dots@ietf.org>, "valery@smyslov.net" <valery@smyslov.net>
Thread-Topic: Erik Kline's No Objection on draft-ietf-dots-rfc8782-bis-07: (with COMMENT)
Thread-Index: AQHXWNr4Sg8va8Um90SeuFDAUbjeB6sDcIRw
Date: Fri, 04 Jun 2021 07:21:02 +0000
Message-ID: <12185_1622791263_60B9D45F_12185_339_8_787AE7BB302AE849A7480A190F8B9330353978B1@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <162270054186.18148.14870101120799116947@ietfa.amsl.com> <28147_1622708211_60B88FF3_28147_159_1_787AE7BB302AE849A7480A190F8B933035396DD3@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <CAMGpriWBQxSbTJAafqHV7Rc-EHSW=ZfoeRLA5M1nF3oZmBEv9g@mail.gmail.com>
In-Reply-To: <CAMGpriWBQxSbTJAafqHV7Rc-EHSW=ZfoeRLA5M1nF3oZmBEv9g@mail.gmail.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.247]
Content-Type: multipart/alternative; boundary="_000_787AE7BB302AE849A7480A190F8B9330353978B1OPEXCAUBMA2corp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/xPP9ZEPQnO4p02Fw7fW2-Pj7YcA>
Subject: Re: [Dots] Erik Kline's No Objection on draft-ietf-dots-rfc8782-bis-07: (with COMMENT)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Jun 2021 07:21:13 -0000
Hi Erik, Please see inline. Cheers, Med De : Erik Kline [mailto:ek.ietf@gmail.com] Envoyé : vendredi 4 juin 2021 02:46 À : BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com> Cc : The IESG <iesg@ietf.org>; draft-ietf-dots-rfc8782-bis@ietf.org; dots-chairs@ietf.org; dots@ietf.org; valery@smyslov.net Objet : Re: Erik Kline's No Objection on draft-ietf-dots-rfc8782-bis-07: (with COMMENT) > [S4.4.1.1] [question] > > * For "lifetime" in the case where a "target-fqdn" was given, should > the > resolution library's knowledge of the DNS RR TTL value(s) be > factored in? > > For example, what does lifetime=3600s mean for a hostname whose > A/AAAA > RRs have only 5 minute lifetimes? Is the DOTS server/enforcer > expected > to continuously re-resolve every ${DNS_RR_TTL} and apply the > policy for > up to the full 3600 seconds [Med] Yeah. When possible, the client makes sure that the resolved addresses are valid during the mitigation lifetime. If a resolved address flushed out (e.g., DNS TTL expiry) while the mitigation is still active (pending lifetime!=0), the resolution library should be solicited. As we don't impose any requirement on the name resolution library (and especially whether it exposes a validity timeout), I suggest the following change: OLD: How a name is passed to an underlying name resolution library is implementation and deployment specific. Nevertheless, once the name is resolved into one or multiple IP addresses, DOTS servers MUST apply the same validation checks as those for 'target- prefix'. NEW: How a name is passed to an underlying name resolution library is implementation and deployment specific. Nevertheless, once the name is resolved into one or multiple IP addresses, DOTS servers MUST apply the same validation checks as those for 'target- prefix'. These validation checks are reiterated by the DOTS client each time a name is passed to the underlying name resolution library (e.g., upon expiry of DNS TTL). Thanks for the explanation. I *think* this text is good, except: isn't it the DOTS server reiterating the validation checks and not the DOTS client? [Med] Yes, you are right. We have already fixed that in the published version: draft-ietf-dots-rfc8782-bis-08<https://datatracker.ietf.org/doc/html/draft-ietf-dots-rfc8782-bis-08> Thank you. _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.
- [Dots] Erik Kline's No Objection on draft-ietf-do… Erik Kline via Datatracker
- Re: [Dots] Erik Kline's No Objection on draft-iet… mohamed.boucadair
- Re: [Dots] Erik Kline's No Objection on draft-iet… Erik Kline
- Re: [Dots] Erik Kline's No Objection on draft-iet… mohamed.boucadair