Re: [Dots] AD review of draft-ietf-dots-signal-channel-25 (5th Part)
"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Sat, 19 January 2019 06:32 UTC
Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6592130E68; Fri, 18 Jan 2019 22:32:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.854
X-Spam-Level:
X-Spam-Status: No, score=-8.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wJSw37qbV-Ro; Fri, 18 Jan 2019 22:32:24 -0800 (PST)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C138312F19D; Fri, 18 Jan 2019 22:32:23 -0800 (PST)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1547879539; h=From: To:CC:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-microsoft-exchange-diagnostics: x-ms-office365-filtering-correlation-id:x-microsoft-antispam: x-ms-traffictypediagnostic:x-microsoft-antispam-prvs: x-forefront-prvs:x-forefront-antispam-report: received-spf:x-ms-exchange-senderadcheck:x-microsoft-antispam-message-info: spamdiagnosticoutput:spamdiagnosticmetadata: Content-Type:Content-Transfer-Encoding:MIME-Version: X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Level: X-NAI-Spam-Threshold:X-NAI-Spam-Score:X-NAI-Spam-Version; bh=WBU88VU6jPgkIzP7GmAnPOe4INH3AywvHGhJBI iWkrw=; b=P9KfYtdHRKEnNiPI2XGtld5tyLaSCZnfStV1qC9r JOSpaPcXztkM7Ig+7sf0toErALcRrbwRY36UnsPTBPt4ukl2LD Nls1Q5tatfFCTBheUk2MVlyEMbbNWy0MmHdKQ4aBBtEHqLNZaN +T0T9pVfhSEUdjFY2+9OwpP9c3VRkoo=
Received: from DNVEXAPP1N05.corpzone.internalzone.com (unknown [10.44.48.89]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 6bc7_1396_9a659f25_5551_4bdf_8975_fff609de597f; Fri, 18 Jan 2019 23:32:18 -0700
Received: from DNVEXUSR1N08.corpzone.internalzone.com (10.44.48.81) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Fri, 18 Jan 2019 23:32:20 -0700
Received: from DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) by DNVEXUSR1N08.corpzone.internalzone.com (10.44.48.81) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Fri, 18 Jan 2019 23:32:20 -0700
Received: from DNVO365EDGE1.corpzone.internalzone.com (10.44.176.66) by DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) with Microsoft SMTP Server (TLS) id 15.0.1347.2 via Frontend Transport; Fri, 18 Jan 2019 23:32:19 -0700
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (10.44.176.242) by edge.mcafee.com (10.44.176.66) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Fri, 18 Jan 2019 23:32:19 -0700
Received: from BYAPR16MB2790.namprd16.prod.outlook.com (20.178.233.91) by BYAPR16MB2918.namprd16.prod.outlook.com (20.178.235.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1537.29; Sat, 19 Jan 2019 06:32:17 +0000
Received: from BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::202f:5967:73ad:130f]) by BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::202f:5967:73ad:130f%5]) with mapi id 15.20.1537.018; Sat, 19 Jan 2019 06:32:17 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Benjamin Kaduk <kaduk@mit.edu>, "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>
CC: "draft-ietf-dots-signal-channel@ietf.org" <draft-ietf-dots-signal-channel@ietf.org>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] AD review of draft-ietf-dots-signal-channel-25 (5th Part)
Thread-Index: AdSuMPs4z5rRJt5UT++zbKjLtGqWuABQDVAAAAzXK9A=
Date: Sat, 19 Jan 2019 06:32:17 +0000
Message-ID: <BYAPR16MB279063917ED17BF8D0331060EA9D0@BYAPR16MB2790.namprd16.prod.outlook.com>
References: <787AE7BB302AE849A7480A190F8B93302EA08D24@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <20190118210258.GO81907@kduck.mit.edu>
In-Reply-To: <20190118210258.GO81907@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.1.100.18
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [185.221.69.46]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BYAPR16MB2918; 6:2cjTxNEXXzw00r9ky4tsd9bSBKsa4MEJ8gKdcIZcCe4wTpPpTuLg5VPli3DvRug1qNb/psZIIEYRrhY7zCHC2KjAHmkx6/taWC8fSjD0l1hxOztg8Bjm9fLozL6xfIEtxr9lNMed0Q040rKRD2q9VjVv9VBtpINNmZU5EgiiSmiKgGmOIBqnZ7QtXFIYfmaC7PfBYWvKkujdspDSKSVDuFClWsb5P2NJLgDRRcRL906Fzu4imaMaXnYmpEdvahExs12IHOkbRUkLjokcCfhg6OpxnUxb1wKyLoc4LXLXNMdui3HkZR/AchLOnbPj4LfHBeCZp3d498xWI2E9I+Qa+m54/jGrKrPHbh7uw/aBz/WzzBuZmoSwRJepFwFzqgEebYaU2+PM/DLC+VhLMx/Lar3A5i6QbwV8FM27z2fh8XYuevbVgUQg+stxwGPaEUeAN9hv6Sv6g2U3A3O2+/ogwA==; 5:nPuMOV45KfxAqXZQ7S/zlodIhUBmwSWIb0mbIteIZzTnuD8YpBZjMvfxJm4FkRxWu+l7qphlG4TH3pdlSFMfzi9NGeRpa6j6vTKO0U8CGuSu+M5WgzRc4jGjdgEUoafoRLMaIKeCh5LBUI4A1aOGbmSrqw8nZLNi/xExUkONCDOVhg3QgryHrLLqHE2CR0DzwQdHjUZAsrCzUNqbsrFVYA==; 7:uufi1+VGMZTW+obSK0GKMlaugPTmIVkh0C6SKpl5n66F6Xi9M08yl8XPnnjDwt45xCp5UU2c7cq8G5gXDUzWBHMeCZJ/pED/ZSN7Hh0BsuJUYsoCZD8Tlu7MJUXBE761CA8leKm4DcFAQz6wppOeOA==
x-ms-office365-filtering-correlation-id: d1ac02f4-a754-4adb-5977-08d67dd7dbc9
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600109)(711020)(2017052603328)(7153060)(7193020); SRVR:BYAPR16MB2918;
x-ms-traffictypediagnostic: BYAPR16MB2918:
x-microsoft-antispam-prvs: <BYAPR16MB2918D339FDEE4470F9F8B14BEA9D0@BYAPR16MB2918.namprd16.prod.outlook.com>
x-forefront-prvs: 09222B39F5
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(39860400002)(366004)(136003)(396003)(346002)(13464003)(199004)(189003)(51444003)(32952001)(55784004)(53754006)(446003)(81166006)(68736007)(9686003)(966005)(305945005)(110136005)(316002)(76176011)(6506007)(81156014)(6306002)(8676002)(54906003)(476003)(6436002)(80792005)(2501003)(30864003)(53546011)(71200400001)(71190400001)(97736004)(7736002)(72206003)(229853002)(478600001)(99286004)(86362001)(486006)(55016002)(66066001)(105586002)(6116002)(3846002)(26005)(74316002)(102836004)(25786009)(11346002)(14454004)(33656002)(8936002)(53936002)(5660300001)(4326008)(14444005)(186003)(256004)(106356001)(5024004)(7696005)(2171002)(2906002)(6246003)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR16MB2918; H:BYAPR16MB2790.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 3s4FtHNs6+Q6WEp2kmoCt9GFKpodaJ0E4WFOThfesk6efHS9wLetc/MFgUechI1dPptUxYiHPh9l/55bIyUM3ai/TuRoew6LhgrKHRtnn9arcvCa3oyi1NaulLZbb2RvozJ37aDIbIszFGlJOUnEN3Qn0S+OgsGXU+pCv6oWvjzEttkxRQ67WPGBv31G4PTDjsEL/4ZiM2vbibQFgDkyoK7SCaDM8mUonuuzdWk8gmkfLNc6BdQFChiuRhH+71qX34KwsEFFFuzqs3vO0izbsqKFTrFLgiRs9zY+7WAEnQ01V7p4T0FmhuC7Qu6AWCbqpvi2fF59SN5Na4uW+iN69A6Bu5iYQyL/nZq5dTJnTnonhsTAXd/GNWCyJFH3Vhw0Z+rIBzXZB4MmjmWKD3cV+D0LJyZUsgCAGy8c/0n5owY=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: d1ac02f4-a754-4adb-5977-08d67dd7dbc9
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Jan 2019 06:32:17.5988 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR16MB2918
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Level:
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0.1
X-NAI-Spam-Version: 2.3.0.9418 : core <6464> : inlines <6998> : streams <1810508> : uri <2782228>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/yPDNZldDVLLYRqsMqDLrUQwQfww>
Subject: Re: [Dots] AD review of draft-ietf-dots-signal-channel-25 (5th Part)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Jan 2019 06:32:27 -0000
Hi Ben, Please see inline > -----Original Message----- > From: Dots <dots-bounces@ietf.org> On Behalf Of Benjamin Kaduk > Sent: Saturday, January 19, 2019 2:33 AM > To: mohamed.boucadair@orange.com > Cc: draft-ietf-dots-signal-channel@ietf.org; dots@ietf.org > Subject: Re: [Dots] AD review of draft-ietf-dots-signal-channel-25 (5th Part) > > This email originated from outside of the organization. Do not click links or > open attachments unless you recognize the sender and know the content is safe. > > Hi all, > > Thanks for all the edits and the published -27. > Assuming I'm actually caught up on all the review/response threads, I think > we're pretty close to being able to go to IETF LC -- here's what I see as still left: > > - We need to settle the risk of needing normative downrefs called out for > the last call > - I just noticed while reviewing the diff that we also need to say a > little more about (D)TLS 1.3 0-RTT data (more below) > - It looks like we lost the guidance to the Experts and text about the > review mailing list from the IANA Considerations, during the reshuffling > around having IANA manage more things > > Regarding the (D)TLS 1.3 0-RTT data, RFC 8446 notes that "Application > protocols MUST NOT use 0-RTT data without a profile that defines its use. > That profile needs to identify which messages or interactions are safe to use > with 0-RTT and how to handle the situation when the server rejects 0-RTT and > falls back to 1-RTT." So we either need to say which client requests are 0-RTT > safe (and why) or defer that profile to another document. draft-ietf-dnsop- > session-signal is perhaps an example of a document that specifies which > messages are/aren't allowed in early data. > (draft-ietf-acme-acme is another, but an uninteresting one, since they make > every request include a single-use nonce, and all messages are 0-RTT safe.) > Our use of increasing 'mid' values may help here, in terms of allowing DELETEs > to be safe, but I'd have to think a little more to be sure that requesting > mitigation would be safe. (On first glance the session-managemnet bits would > not be safe, but I may be missing something.) The draft only uses idempotent requests (GET, PUT and DELETE), and CoAP is capable of detecting message duplication (see https://tools.ietf.org/html/rfc7252#section-4.5) for both confirmable and non-confirmable messages. [1] An attacker replaying DELETE will not have any adverse impact, 2.02 (Deleted) Response Code is returned even if the mitigation request does not exist. [2] The techniques discussed in Section 8 of RFC8446 should suffice to handle anti-replay (e.g. an attacker replaying a 0-RTT data carrying an old mitigation request replaced by a new mitigation scope). > > Further notes inline. > > On Thu, Jan 17, 2019 at 06:51:04AM +0000, mohamed.boucadair@orange.com > wrote: > > Hi Ben, > > > > Please see inline. > > > > Cheers, > > Med > > > > > -----Message d'origine----- > > > De : Benjamin Kaduk [mailto:kaduk@mit.edu] Envoyé : mercredi 16 > > > janvier 2019 01:14 À : draft-ietf-dots-signal-channel@ietf.org > > > Cc : dots@ietf.org > > > Objet : AD review of draft-ietf-dots-signal-channel-25 > > > > > > Section 7.2 > > > > > > The TLS 1.3 handshake with 0-RTT diagram needs to be > > > revisited/refreshed, as RFC 8446 does not look like that. > > > Additionally, the usage of PSK as well as a certificate is not > > > defined until draft-housley-tls-tls13-cert-with-extern-psk is published. > > > I also note that in the diagram as presented, the client is not yet > > > known to be authenticated when the server sends its initial > > > (0.5-RTT) DOTS signal message. > > > > > > > [Med] Noted. Thanks. > > > > > Section 7.3 > > > > > > This whole section seems to only be relevant for UDP usage, so > > > probably the "If UDP is used" clause can be dropped and an > > > introductory statement added earlier on. > > > > [Med] Will consider that. > > > > > > > > Path MTU MUST be greater than or equal to > > > [CoAP message size + DTLS overhead of 13 octets + authentication > > > overhead of the negotiated DTLS cipher suite + block padding] > > > (Section 4.1.1.1 of [RFC6347]). If the request size exceeds the path > > > MTU then the DOTS client MUST split the DOTS signal into separate > > > messages, for example the list of addresses in the 'target-prefix' > > > parameter could be split into multiple lists and each list conveyed > > > in a new PUT request. > > > > > > (DTLS 1.3 will have a short header for some packets, that is less > > > than > > > 13 octets.) > > > > [Med] The text is more about 1.2. We can add a 1.3 note if you think it is > useful for the discussion. > > > > > > > > Section 8 > > > > > > We've got some requirements in here about limiting behavior of > > > clients/servers when talking to gateways; is knowing about the > > > presence of a gateway something that's required to happen out of > > > band or is there an in-band way to identify that the peer is a gateway? > > > > [Med] An agent does not necessary know that it peer is gateway. A gateway is > seen as a server for the client, and a client for a server. > > > > > > > > messages from an authorized DOTS gateway, thereby creating a two-link > > > chain of transitive authentication between the DOTS client and the > > > DOTS server. > > > > > > This seems to ignore the possibility of setups that include both > > > client-domain and server-domain gateways. > > > > [Med] I updated the text to mention this is only an example. > > > > > > > > DOTS client certificate validation MUST be performed as > > > per [RFC5280] and the DOTS client certificate MUST conform to the > > > [RFC5280] certificate profile. [...] > > > > > > This seems to duplicate a requirement already stated in Section 7.1; > > > it's probably best to only have normative language in one location, > > > even if we need to mention the topic in multiple locations. > > > Similarly for the mutual authentication requirement, which we > > > duplicate in the second and fourth paragraphs of this section. > > > > [Med] Good point. Fixed. > > > > > > > > If we don't want to use example.com vs. example.net as sample > > > domains, we can also use whateverwewant.example, per RFC 6761. > > > > [Med] Will maintain the ones already in the draft. Thanks. > > > > > > > > Section 9 > > > > > > We should mention the media-type allocation in the top-level section. > > > > [Med] Will fix that. > > > > > > > > "mappings to CBOR" feels confusing to me, since it leaves empty what > > > we are mapping from. Perhaps just talking about a registry of "CBOR > > > map keys" would be better, both here and in the Section 9.3 intro. > > > > > > > [Med] Unless there is an objection, I can use "CBOR Map Keys". > > > > > Section 9.3 > > > > > > I suggest being very explicit about whether new requests for > > > registration should be directed to the mailing list or to IANA, as > > > we've had some confusion about this elsewhere. > > > > > > The criteria used by the experts also just lists things they should > > > consider, but does not provide full clarity on which answer to the > > > question is more likely to be approved. (And yes, I know that this > > > text is largely copied from already published RFCs, but we can still > > > do > > > better.) > > > > [Med] Will check this. > > > > > > > > Section 9.3.1 > > > > > > If we want the value 0 to be reserved we need to say so. > > > > [Med] 0 is not part of the allocation range. > > > > > Do we want to say anything about the usage of negative integers as > > > map keys? > > > > > > I suggest not mentioning the postal address, given the recent (e.g.) > > > GDPR requirements. > > > > [Med] Good point. Done. > > > > > > > > Section 9.3.2 > > > > > > It may be worth mentioning Table 4 here as well. > > > > [Med] OK. > > > > > > > > Section 9.5.1 > > > > > > We need to specify which range of values we are asking for an > > > allocation from. > > > > [Med] Added a mention to 0-255 range. > > > > > > > > Section 9.6.1 > > > > > > As above, specify what range we're asking about. > > > > [Med] OK. > > > > > > > > I expect the current text to get some IESG (or directorate) feedback > > > that the Data Item and Semantics descriptions are repetitive and banal. > > > > > > Section 9.7 > > > > > > IIUC, IANA is going to ask if we want this module to be "maintained > > > by IANA", so it would be good to have an answer ready even if we > > > don't put it in the document text. > > > > [Med] This is discussed in -26. > > > > > > > > Rate-limiting DOTS requests, including those with new 'cuid' values, > > > from the same DOTS client defends against DoS attacks that would > > > > > > With respect to "new" 'cuid' values, is the server required to > > > remember which ones it has seen in perpetuity, or can it time them > > > out eventually? > > > > [Med] The attack vector is a DOTS client which changes frequently its cuid. > The DOTS server can set an interval in which the same client cannot present a > new cuid. > > > > > > > > Section 10 > > > > > > The security considerations seem to be taking a narrow focus on the > > > requirements for and consequences of specific bits on the wire in > > > the signal channel protocol. I think it's appropriate to also > > > include some high-level thoughts about the functional behavior of > > > the protocol, allowing to signal that an attack is underway and > > > trigger mitigation, increasing the availability of services, etc., > > > and the risks that are posed by the protocol failing to work > > > properly, whether that means letting attack traffic through or > > > improperly blocking legitimate traffic. > > > > [Med] Would a pointer to the architecture/requirements I-Ds be sufficient to > cover to high-level aspects? > > Those documents' security considerations do seem to cover the relevant points, > yes. > > > > > > > Section 13.1 > > > > > > I think the IANA registries should be listed as Informational and > > > not Normative references. > > > > > > > [Med] Done. > > > > > Section 13.2 > > > > > > Pending resolution of the question about using > > > draft-ietf-core-yang-cbor rules or RFC7951+RFC7049, the > > > draft-ietf-core-yang-cbor reference may need to be Normative. > > > > [Med] Please refer to my answer to that question. draft-ietf-core-yang-cbor is > informative. > > > > > > > > Given that "URI" is a well-known abbreviation, we may be able to get > > > away with not citing RFC 3986. On the other hand, it's not causing > > > any harm to leave it in... > > > > [Med] Will leave it. > > > > > > > > RFC 4632 needs to be Normative, since we need to know CIDR to > > > encode/decode target-prefixes. > > > > [Med] Works for me. > > > > > > > > Similarly, I think that RFCs 6234 > > > > [Med] This one is not listed as normative because other hash algos may be > used. > > It's a lower-case "recommended", which can probably eke by as descriptive and > not a "protocol feature" (see below). > > > , 7413 > > [Med] The support if TFO is not mandatory. > > It's a SHOULD ("SHOULD implement all of the following items"), though... > > > , 7589 > > [Med] This is a MAY in the spec. It is just fine to leave it as informative. > > ....per > https://www.ietf.org/blog/iesg-statement-normative-and-informative- > references/ > note 1, "Even references that are relevant only for optional features must be > classified as normative if they meet the above conditions for normative > references." > > This does seem to be something we actually need to care about before IETF LC, > though, as 7413 is Experimental and not listed in the downref registry > (https://datatracker.ietf.org/doc/downref/), so if we leave it as Informational > and have to change it later, we'd need to also restart/re-run the IETF LC. > > > , 7918 > > [Med] Idem as TFO. > > This is Informational (i.e., also susceptible to the downref issue). > > > , 7924 > > [Med] Idem as TFO. > > (idem x2), though this is standards-track at least, so we have more leeway to > move things around later. > > > > I think the most expedient thing to do here would just be to relax the > requirement for TLS Falst STart, TFO, and Cached Information, perhaps to text > like "The following items are additional mechanisms that can reduce the delay > required to deliver a DOTS signal channel message, which implementations are > encouraged to implement as possible.", but I am open to other suggestions for > what to do. TLS False Start and Cached Information can be made normative references (just like we referenced these items in our spec https://tools.ietf.org/html/rfc8310) TFO is for TCP only and that too for exception scenarios where UDP is blocked. TFO can removed from the list of items the DOTS agents SHOULD implement. NEW: Compared to UDP, DOTS signal channel over TCP requires an additional round-trip time (RTT) of latency to establish a TCP connection. Implementations are encouraged to implement TCP Fast Open [RFC7413] to eliminate that RTT when information exists from prior TCP connection. -Tiru > > > > , and 7951 > > [Med] this one was not listed as normative because the document lists two > ways to do the mapping. > > Agreed. > > -Ben > > > > should also be Normative. > > > > > > > > > -Ben > > > > _______________________________________________ > Dots mailing list > Dots@ietf.org > https://www.ietf.org/mailman/listinfo/dots
- Re: [Dots] AD review of draft-ietf-dots-signal-ch… mohamed.boucadair
- Re: [Dots] AD review of draft-ietf-dots-signal-ch… Konda, Tirumaleswar Reddy
- Re: [Dots] AD review of draft-ietf-dots-signal-ch… mohamed.boucadair
- Re: [Dots] AD review of draft-ietf-dots-signal-ch… Konda, Tirumaleswar Reddy
- Re: [Dots] AD review of draft-ietf-dots-signal-ch… Benjamin Kaduk
- Re: [Dots] AD review of draft-ietf-dots-signal-ch… Konda, Tirumaleswar Reddy
- Re: [Dots] AD review of draft-ietf-dots-signal-ch… mohamed.boucadair
- Re: [Dots] AD review of draft-ietf-dots-signal-ch… Konda, Tirumaleswar Reddy
- Re: [Dots] AD review of draft-ietf-dots-signal-ch… mohamed.boucadair
- Re: [Dots] AD review of draft-ietf-dots-signal-ch… Konda, Tirumaleswar Reddy
- Re: [Dots] AD review of draft-ietf-dots-signal-ch… Benjamin Kaduk
- Re: [Dots] AD review of draft-ietf-dots-signal-ch… Benjamin Kaduk
- Re: [Dots] AD review of draft-ietf-dots-signal-ch… mohamed.boucadair
- Re: [Dots] AD review of draft-ietf-dots-signal-ch… Benjamin Kaduk
- Re: [Dots] AD review of draft-ietf-dots-signal-ch… mohamed.boucadair
- Re: [Dots] AD review of draft-ietf-dots-signal-ch… Konda, Tirumaleswar Reddy