IETF Logo Mail Archive

Re: [Dots] AD review of draft-ietf-dots-signal-channel-25 (5th Part)

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Sat, 19 January 2019 06:32 UTC

Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6592130E68; Fri, 18 Jan 2019 22:32:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.854
X-Spam-Level:
X-Spam-Status: No, score=-8.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wJSw37qbV-Ro; Fri, 18 Jan 2019 22:32:24 -0800 (PST)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C138312F19D; Fri, 18 Jan 2019 22:32:23 -0800 (PST)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1547879539; h=From: To:CC:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-microsoft-exchange-diagnostics: x-ms-office365-filtering-correlation-id:x-microsoft-antispam: x-ms-traffictypediagnostic:x-microsoft-antispam-prvs: x-forefront-prvs:x-forefront-antispam-report: received-spf:x-ms-exchange-senderadcheck:x-microsoft-antispam-message-info: spamdiagnosticoutput:spamdiagnosticmetadata: Content-Type:Content-Transfer-Encoding:MIME-Version: X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Level: X-NAI-Spam-Threshold:X-NAI-Spam-Score:X-NAI-Spam-Version; bh=WBU88VU6jPgkIzP7GmAnPOe4INH3AywvHGhJBI iWkrw=; b=P9KfYtdHRKEnNiPI2XGtld5tyLaSCZnfStV1qC9r JOSpaPcXztkM7Ig+7sf0toErALcRrbwRY36UnsPTBPt4ukl2LD Nls1Q5tatfFCTBheUk2MVlyEMbbNWy0MmHdKQ4aBBtEHqLNZaN +T0T9pVfhSEUdjFY2+9OwpP9c3VRkoo=
Received: from DNVEXAPP1N05.corpzone.internalzone.com (unknown [10.44.48.89]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 6bc7_1396_9a659f25_5551_4bdf_8975_fff609de597f; Fri, 18 Jan 2019 23:32:18 -0700
Received: from DNVEXUSR1N08.corpzone.internalzone.com (10.44.48.81) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Fri, 18 Jan 2019 23:32:20 -0700
Received: from DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) by DNVEXUSR1N08.corpzone.internalzone.com (10.44.48.81) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Fri, 18 Jan 2019 23:32:20 -0700
Received: from DNVO365EDGE1.corpzone.internalzone.com (10.44.176.66) by DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) with Microsoft SMTP Server (TLS) id 15.0.1347.2 via Frontend Transport; Fri, 18 Jan 2019 23:32:19 -0700
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (10.44.176.242) by edge.mcafee.com (10.44.176.66) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Fri, 18 Jan 2019 23:32:19 -0700
Received: from BYAPR16MB2790.namprd16.prod.outlook.com (20.178.233.91) by BYAPR16MB2918.namprd16.prod.outlook.com (20.178.235.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1537.29; Sat, 19 Jan 2019 06:32:17 +0000
Received: from BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::202f:5967:73ad:130f]) by BYAPR16MB2790.namprd16.prod.outlook.com ([fe80::202f:5967:73ad:130f%5]) with mapi id 15.20.1537.018; Sat, 19 Jan 2019 06:32:17 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Benjamin Kaduk <kaduk@mit.edu>, "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>
CC: "draft-ietf-dots-signal-channel@ietf.org" <draft-ietf-dots-signal-channel@ietf.org>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] AD review of draft-ietf-dots-signal-channel-25 (5th Part)
Thread-Index: AdSuMPs4z5rRJt5UT++zbKjLtGqWuABQDVAAAAzXK9A=
Date: Sat, 19 Jan 2019 06:32:17 +0000
Message-ID: <BYAPR16MB279063917ED17BF8D0331060EA9D0@BYAPR16MB2790.namprd16.prod.outlook.com>
References: <787AE7BB302AE849A7480A190F8B93302EA08D24@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <20190118210258.GO81907@kduck.mit.edu>
In-Reply-To: <20190118210258.GO81907@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.1.100.18
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [185.221.69.46]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BYAPR16MB2918; 6:2cjTxNEXXzw00r9ky4tsd9bSBKsa4MEJ8gKdcIZcCe4wTpPpTuLg5VPli3DvRug1qNb/psZIIEYRrhY7zCHC2KjAHmkx6/taWC8fSjD0l1hxOztg8Bjm9fLozL6xfIEtxr9lNMed0Q040rKRD2q9VjVv9VBtpINNmZU5EgiiSmiKgGmOIBqnZ7QtXFIYfmaC7PfBYWvKkujdspDSKSVDuFClWsb5P2NJLgDRRcRL906Fzu4imaMaXnYmpEdvahExs12IHOkbRUkLjokcCfhg6OpxnUxb1wKyLoc4LXLXNMdui3HkZR/AchLOnbPj4LfHBeCZp3d498xWI2E9I+Qa+m54/jGrKrPHbh7uw/aBz/WzzBuZmoSwRJepFwFzqgEebYaU2+PM/DLC+VhLMx/Lar3A5i6QbwV8FM27z2fh8XYuevbVgUQg+stxwGPaEUeAN9hv6Sv6g2U3A3O2+/ogwA==; 5:nPuMOV45KfxAqXZQ7S/zlodIhUBmwSWIb0mbIteIZzTnuD8YpBZjMvfxJm4FkRxWu+l7qphlG4TH3pdlSFMfzi9NGeRpa6j6vTKO0U8CGuSu+M5WgzRc4jGjdgEUoafoRLMaIKeCh5LBUI4A1aOGbmSrqw8nZLNi/xExUkONCDOVhg3QgryHrLLqHE2CR0DzwQdHjUZAsrCzUNqbsrFVYA==; 7:uufi1+VGMZTW+obSK0GKMlaugPTmIVkh0C6SKpl5n66F6Xi9M08yl8XPnnjDwt45xCp5UU2c7cq8G5gXDUzWBHMeCZJ/pED/ZSN7Hh0BsuJUYsoCZD8Tlu7MJUXBE761CA8leKm4DcFAQz6wppOeOA==
x-ms-office365-filtering-correlation-id: d1ac02f4-a754-4adb-5977-08d67dd7dbc9
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600109)(711020)(2017052603328)(7153060)(7193020); SRVR:BYAPR16MB2918;
x-ms-traffictypediagnostic: BYAPR16MB2918:
x-microsoft-antispam-prvs: <BYAPR16MB2918D339FDEE4470F9F8B14BEA9D0@BYAPR16MB2918.namprd16.prod.outlook.com>
x-forefront-prvs: 09222B39F5
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(39860400002)(366004)(136003)(396003)(346002)(13464003)(199004)(189003)(51444003)(32952001)(55784004)(53754006)(446003)(81166006)(68736007)(9686003)(966005)(305945005)(110136005)(316002)(76176011)(6506007)(81156014)(6306002)(8676002)(54906003)(476003)(6436002)(80792005)(2501003)(30864003)(53546011)(71200400001)(71190400001)(97736004)(7736002)(72206003)(229853002)(478600001)(99286004)(86362001)(486006)(55016002)(66066001)(105586002)(6116002)(3846002)(26005)(74316002)(102836004)(25786009)(11346002)(14454004)(33656002)(8936002)(53936002)(5660300001)(4326008)(14444005)(186003)(256004)(106356001)(5024004)(7696005)(2171002)(2906002)(6246003)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR16MB2918; H:BYAPR16MB2790.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 3s4FtHNs6+Q6WEp2kmoCt9GFKpodaJ0E4WFOThfesk6efHS9wLetc/MFgUechI1dPptUxYiHPh9l/55bIyUM3ai/TuRoew6LhgrKHRtnn9arcvCa3oyi1NaulLZbb2RvozJ37aDIbIszFGlJOUnEN3Qn0S+OgsGXU+pCv6oWvjzEttkxRQ67WPGBv31G4PTDjsEL/4ZiM2vbibQFgDkyoK7SCaDM8mUonuuzdWk8gmkfLNc6BdQFChiuRhH+71qX34KwsEFFFuzqs3vO0izbsqKFTrFLgiRs9zY+7WAEnQ01V7p4T0FmhuC7Qu6AWCbqpvi2fF59SN5Na4uW+iN69A6Bu5iYQyL/nZq5dTJnTnonhsTAXd/GNWCyJFH3Vhw0Z+rIBzXZB4MmjmWKD3cV+D0LJyZUsgCAGy8c/0n5owY=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: d1ac02f4-a754-4adb-5977-08d67dd7dbc9
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Jan 2019 06:32:17.5988 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR16MB2918
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Level:
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0.1
X-NAI-Spam-Version: 2.3.0.9418 : core <6464> : inlines <6998> : streams <1810508> : uri <2782228>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/yPDNZldDVLLYRqsMqDLrUQwQfww>
Subject: Re: [Dots] AD review of draft-ietf-dots-signal-channel-25 (5th Part)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Jan 2019 06:32:27 -0000

Hi Ben,

Please see inline

> -----Original Message-----
> From: Dots <dots-bounces@ietf.org> On Behalf Of Benjamin Kaduk
> Sent: Saturday, January 19, 2019 2:33 AM
> To: mohamed.boucadair@orange.com
> Cc: draft-ietf-dots-signal-channel@ietf.org; dots@ietf.org
> Subject: Re: [Dots] AD review of draft-ietf-dots-signal-channel-25 (5th Part)
> 
> This email originated from outside of the organization. Do not click links or
> open attachments unless you recognize the sender and know the content is safe.
> 
> Hi all,
> 
> Thanks for all the edits and the published -27.
> Assuming I'm actually caught up on all the review/response threads, I think
> we're pretty close to being able to go to IETF LC -- here's what I see as still left:
> 
> - We need to settle the risk of needing normative downrefs called out for
>   the last call
> - I just noticed while reviewing the diff that we also need to say a
>   little more about (D)TLS 1.3 0-RTT data (more below)
> - It looks like we lost the guidance to the Experts and text about the
>   review mailing list from the IANA Considerations, during the reshuffling
>   around having IANA manage more things
> 
> Regarding the (D)TLS 1.3 0-RTT data, RFC 8446 notes that "Application
> protocols MUST NOT use 0-RTT data without a profile that defines its use.
> That profile needs to identify which messages or interactions are safe to use
> with 0-RTT and how to handle the situation when the server rejects 0-RTT and
> falls back to 1-RTT."  So we either need to say which client requests are 0-RTT
> safe (and why) or defer that profile to another document.  draft-ietf-dnsop-
> session-signal is perhaps an example of a document that specifies which
> messages are/aren't allowed in early data.
> (draft-ietf-acme-acme is another, but an uninteresting one, since they make
> every request include a single-use nonce, and all messages are 0-RTT safe.)
> Our use of increasing 'mid' values may help here, in terms of allowing DELETEs
> to be safe, but I'd have to think a little more to be sure that requesting
> mitigation would be safe.  (On first glance the session-managemnet bits would
> not be safe, but I may be missing something.)

The draft only uses idempotent requests (GET, PUT and DELETE), and CoAP is capable of detecting message duplication (see https://tools.ietf.org/html/rfc7252#section-4.5) for both confirmable and non-confirmable messages.  
 [1] An attacker replaying DELETE will not have any adverse impact, 2.02 (Deleted) Response Code is returned even if the mitigation request does not exist.
[2] The techniques discussed in Section 8 of RFC8446 should suffice to handle anti-replay (e.g. an attacker replaying a 0-RTT data carrying an old mitigation request replaced by a new mitigation scope). 

> 
> Further notes inline.
> 
> On Thu, Jan 17, 2019 at 06:51:04AM +0000, mohamed.boucadair@orange.com
> wrote:
> > Hi Ben,
> >
> > Please see inline.
> >
> > Cheers,
> > Med
> >
> > > -----Message d'origine-----
> > > De : Benjamin Kaduk [mailto:kaduk@mit.edu] Envoyé : mercredi 16
> > > janvier 2019 01:14 À : draft-ietf-dots-signal-channel@ietf.org
> > > Cc : dots@ietf.org
> > > Objet : AD review of draft-ietf-dots-signal-channel-25
> > >
> > > Section 7.2
> > >
> > > The TLS 1.3 handshake with 0-RTT diagram needs to be
> > > revisited/refreshed, as RFC 8446 does not look like that.
> > > Additionally, the usage of PSK as well as a certificate is not
> > > defined until draft-housley-tls-tls13-cert-with-extern-psk is published.
> > > I also note that in the diagram as presented, the client is not yet
> > > known to be authenticated when the server sends its initial
> > > (0.5-RTT) DOTS signal message.
> > >
> >
> > [Med] Noted. Thanks.
> >
> > > Section 7.3
> > >
> > > This whole section seems to only be relevant for UDP usage, so
> > > probably the "If UDP is used" clause can be dropped and an
> > > introductory statement added earlier on.
> >
> > [Med] Will consider that.
> >
> > >
> > >                               Path MTU MUST be greater than or equal to
> > >    [CoAP message size + DTLS overhead of 13 octets + authentication
> > >    overhead of the negotiated DTLS cipher suite + block padding]
> > >    (Section 4.1.1.1 of [RFC6347]).  If the request size exceeds the path
> > >    MTU then the DOTS client MUST split the DOTS signal into separate
> > >    messages, for example the list of addresses in the 'target-prefix'
> > >    parameter could be split into multiple lists and each list conveyed
> > >    in a new PUT request.
> > >
> > > (DTLS 1.3 will have a short header for some packets, that is less
> > > than
> > > 13 octets.)
> >
> > [Med] The text is more about 1.2. We can add a 1.3 note if you think it is
> useful for the discussion.
> >
> > >
> > > Section 8
> > >
> > > We've got some requirements in here about limiting behavior of
> > > clients/servers when talking to gateways; is knowing about the
> > > presence of a gateway something that's required to happen out of
> > > band or is there an in-band way to identify that the peer is a gateway?
> >
> > [Med] An agent does not necessary know that it peer is gateway. A gateway is
> seen as a server for the client, and a client for a server.
> >
> > >
> > >    messages from an authorized DOTS gateway, thereby creating a two-link
> > >    chain of transitive authentication between the DOTS client and the
> > >    DOTS server.
> > >
> > > This seems to ignore the possibility of setups that include both
> > > client-domain and server-domain gateways.
> >
> > [Med] I updated the text to mention this is only an example.
> >
> > >
> > >                  DOTS client certificate validation MUST be performed as
> > >    per [RFC5280] and the DOTS client certificate MUST conform to the
> > >    [RFC5280] certificate profile.  [...]
> > >
> > > This seems to duplicate a requirement already stated in Section 7.1;
> > > it's probably best to only have normative language in one location,
> > > even if we need to mention the topic in multiple locations.
> > > Similarly for the mutual authentication requirement, which we
> > > duplicate in the second and fourth paragraphs of this section.
> >
> > [Med] Good point. Fixed.
> >
> > >
> > > If we don't want to use example.com vs. example.net as sample
> > > domains, we can also use whateverwewant.example, per RFC 6761.
> >
> > [Med] Will maintain the ones already in the draft. Thanks.
> >
> > >
> > > Section 9
> > >
> > > We should mention the media-type allocation in the top-level section.
> >
> > [Med] Will fix that.
> >
> > >
> > > "mappings to CBOR" feels confusing to me, since it leaves empty what
> > > we are mapping from.  Perhaps just talking about a registry of "CBOR
> > > map keys" would be better, both here and in the Section 9.3 intro.
> > >
> >
> > [Med] Unless there is an objection, I can use "CBOR Map Keys".
> >
> > > Section 9.3
> > >
> > > I suggest being very explicit about whether new requests for
> > > registration should be directed to the mailing list or to IANA, as
> > > we've had some confusion about this elsewhere.
> > >
> > > The criteria used by the experts also just lists things they should
> > > consider, but does not provide full clarity on which answer to the
> > > question is more likely to be approved.  (And yes, I know that this
> > > text is largely copied from already published RFCs, but we can still
> > > do
> > > better.)
> >
> > [Med] Will check this.
> >
> > >
> > > Section 9.3.1
> > >
> > > If we want the value 0 to be reserved we need to say so.
> >
> > [Med] 0 is not part of the allocation range.
> >
> > > Do we want to say anything about the usage of negative integers as
> > > map keys?
> > >
> > > I suggest not mentioning the postal address, given the recent (e.g.)
> > > GDPR requirements.
> >
> > [Med] Good point. Done.
> >
> > >
> > > Section 9.3.2
> > >
> > > It may be worth mentioning Table 4 here as well.
> >
> > [Med] OK.
> >
> > >
> > > Section 9.5.1
> > >
> > > We need to specify which range of values we are asking for an
> > > allocation from.
> >
> > [Med] Added a mention to 0-255 range.
> >
> > >
> > > Section 9.6.1
> > >
> > > As above, specify what range we're asking about.
> >
> > [Med] OK.
> >
> > >
> > > I expect the current text to get some IESG (or directorate) feedback
> > > that the Data Item and Semantics descriptions are repetitive and banal.
> > >
> > > Section 9.7
> > >
> > > IIUC, IANA is going to ask if we want this module to be "maintained
> > > by IANA", so it would be good to have an answer ready even if we
> > > don't put it in the document text.
> >
> > [Med] This is discussed in -26.
> >
> > >
> > >    Rate-limiting DOTS requests, including those with new 'cuid' values,
> > >    from the same DOTS client defends against DoS attacks that would
> > >
> > > With respect to "new" 'cuid' values, is the server required to
> > > remember which ones it has seen in perpetuity, or can it time them
> > > out eventually?
> >
> > [Med] The attack vector is a DOTS client which changes frequently its cuid.
> The DOTS server can set an interval in which the same client cannot present a
> new cuid.
> >
> > >
> > > Section 10
> > >
> > > The security considerations seem to be taking a narrow focus on the
> > > requirements for and consequences of specific bits on the wire in
> > > the signal channel protocol.  I think it's appropriate to also
> > > include some high-level thoughts about the functional behavior of
> > > the protocol, allowing to signal that an attack is underway and
> > > trigger mitigation, increasing the availability of services, etc.,
> > > and the risks that are posed by the protocol failing to work
> > > properly, whether that means letting attack traffic through or
> > > improperly blocking legitimate traffic.
> >
> > [Med] Would a pointer to the architecture/requirements I-Ds be sufficient to
> cover to high-level aspects?
> 
> Those documents' security considerations do seem to cover the relevant points,
> yes.
> 
> > >
> > > Section 13.1
> > >
> > > I think the IANA registries should be listed as Informational and
> > > not Normative references.
> > >
> >
> > [Med] Done.
> >
> > > Section 13.2
> > >
> > > Pending resolution of the question about using
> > > draft-ietf-core-yang-cbor rules or RFC7951+RFC7049, the
> > > draft-ietf-core-yang-cbor reference may need to be Normative.
> >
> > [Med] Please refer to my answer to that question. draft-ietf-core-yang-cbor is
> informative.
> >
> > >
> > > Given that "URI" is a well-known abbreviation, we may be able to get
> > > away with not citing RFC 3986.  On the other hand, it's not causing
> > > any harm to leave it in...
> >
> > [Med] Will leave it.
> >
> > >
> > > RFC 4632 needs to be Normative, since we need to know CIDR to
> > > encode/decode target-prefixes.
> >
> > [Med] Works for me.
> >
> > >
> > > Similarly, I think that RFCs 6234
> >
> > [Med] This one is not listed as normative because other hash algos may be
> used.
> 
> It's a lower-case "recommended", which can probably eke by as descriptive and
> not a "protocol feature" (see below).
> 
> > , 7413
> > [Med] The support if TFO is not mandatory.
> 
> It's a SHOULD ("SHOULD implement all of the following items"), though...
> 
> > , 7589
> > [Med] This is a MAY in the spec. It is just fine to leave it as informative.
> 
> ....per
> https://www.ietf.org/blog/iesg-statement-normative-and-informative-
> references/
> note 1, "Even references that are relevant only for optional features must be
> classified as normative if they meet the above conditions for normative
> references."
> 
> This does seem to be something we actually need to care about before IETF LC,
> though, as 7413 is Experimental and not listed in the downref registry
> (https://datatracker.ietf.org/doc/downref/), so if we leave it as Informational
> and have to change it later, we'd need to also restart/re-run the IETF LC.
> 
> > , 7918
> > [Med] Idem as TFO.
> 
> This is Informational (i.e., also susceptible to the downref issue).
> 
> > , 7924
> > [Med] Idem as TFO.
> 
> (idem x2), though this is standards-track at least, so we have more leeway to
> move things around later.
> 
> 
> 
> I think the most expedient thing to do here would just be to relax the
> requirement for TLS Falst STart, TFO, and Cached Information, perhaps to text
> like "The following items are additional mechanisms that can reduce the delay
> required to deliver a DOTS signal channel message, which implementations are
> encouraged to implement as possible.", but I am open to other suggestions for
> what to do.

TLS False Start and Cached Information can be made normative references (just like we referenced these items in our spec https://tools.ietf.org/html/rfc8310)
TFO is for TCP only and that too for exception scenarios where UDP is blocked. TFO can removed from the list of items the DOTS agents SHOULD implement.

NEW:
Compared to UDP, DOTS signal channel over TCP requires an additional round-trip time (RTT) of latency to establish a TCP connection.  Implementations are encouraged to implement TCP
Fast Open [RFC7413] to eliminate that RTT when information exists from prior TCP connection. 

-Tiru

> 
> 
> > , and 7951
> > [Med] this one was not listed as normative because the document lists two
> ways to do the mapping.
> 
> Agreed.
> 
> -Ben
> 
> > > should also be Normative.
> > >
> > >
> > > -Ben
> >
> 
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email