[dtn] AD evaluation of draft-ietf-dtn-bpbis-13
Magnus Westerlund <magnus.westerlund@ericsson.com> Fri, 05 July 2019 14:06 UTC
Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 279E21200B2; Fri, 5 Jul 2019 07:06:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uXyHHF0pMv6U; Fri, 5 Jul 2019 07:06:13 -0700 (PDT)
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (mail-eopbgr50069.outbound.protection.outlook.com [40.107.5.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69D37120026; Fri, 5 Jul 2019 07:06:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=S8dwlL3Pw6BISAcp/GZSKoopIcQWtuVvfZXqDcP1P+0=; b=EDhWyKmbsyO9j6xW76iRUPakEtd4UkEeaWmfcX7ZPUrXlDHjFKObianSSu2LnclV/SJ6MixCO9fbNu9Ld8NELY4X4PU5ncUFwG2x+DQ1uJEx1RJwuaKChlA7hy4YzYLkCHZ2i7h9PjRree6AOoNKZhe1tHhDEUWHAySn/F0BbrE=
Received: from HE1PR0701MB2522.eurprd07.prod.outlook.com (10.168.128.149) by HE1PR0701MB2698.eurprd07.prod.outlook.com (10.168.186.144) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2052.14; Fri, 5 Jul 2019 14:06:07 +0000
Received: from HE1PR0701MB2522.eurprd07.prod.outlook.com ([fe80::3418:2814:2ee2:a22b]) by HE1PR0701MB2522.eurprd07.prod.outlook.com ([fe80::3418:2814:2ee2:a22b%4]) with mapi id 15.20.2073.004; Fri, 5 Jul 2019 14:06:07 +0000
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "dtn@ietf.org" <dtn@ietf.org>, "draft-ietf-dtn-bpbis@ietf.org" <draft-ietf-dtn-bpbis@ietf.org>
Thread-Topic: AD evaluation of draft-ietf-dtn-bpbis-13
Thread-Index: AdUzOQfkywWzmEnHT4iyH8+qUympAQ==
Date: Fri, 05 Jul 2019 14:06:07 +0000
Message-ID: <HE1PR0701MB25224DF64B2B60A0C655E1CE95F50@HE1PR0701MB2522.eurprd07.prod.outlook.com>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=magnus.westerlund@ericsson.com;
x-originating-ip: [192.176.1.84]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a80de122-5950-49e9-ddc1-08d70151ed1a
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(49563074)(7193020); SRVR:HE1PR0701MB2698;
x-ms-traffictypediagnostic: HE1PR0701MB2698:
x-microsoft-antispam-prvs: <HE1PR0701MB269829FFBE9926ED1FE776CC95F50@HE1PR0701MB2698.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 008960E8EC
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(346002)(39860400002)(376002)(366004)(396003)(136003)(189003)(199004)(51444003)(186003)(2501003)(102836004)(99286004)(8676002)(6436002)(6506007)(316002)(53936002)(478600001)(7736002)(9686003)(14454004)(74316002)(54896002)(110136005)(71190400001)(30864003)(68736007)(53946003)(6306002)(33656002)(55016002)(7696005)(99936001)(5660300002)(26005)(71200400001)(66066001)(81166006)(86362001)(66446008)(3846002)(790700001)(6116002)(450100002)(81156014)(25786009)(44832011)(14444005)(486006)(66476007)(66556008)(64756008)(66946007)(66616009)(256004)(73956011)(476003)(52536014)(8936002)(76116006)(2906002); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR0701MB2698; H:HE1PR0701MB2522.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: eA7Y5oYA8K3O2ZeBoxpejpR27k7ic6v9uaGWmDNuz3+XwiIFDLfWdJx2WBuZt53dsBohMDy1tLAvtrHfEUHJWLn2zHNOJAsNd++sYrNYvEySDcDXTUw9Pm0oVHAgfSTI4Y4gBfWoyeIkbJFRdYtjx2SYGymbeSr/5MEgdY1GDhVOPIUhSMeEjn9hyoKv6PuK+UcapiEMiNpjtBhmP3uA5utbj4uCAaBsUhtzy0wdr/JYMvzEcG9UEWhs0G2Bx06FYM8hGIAybaazTQVWvoWhBqWX3kHgyOjvh0p/X8gJt+0dDAJjKeJwAkDcKki+F9/FsIpxi+CHRunaa6+riX7ovDI4t0x2gIoloXIKDR+JIsOAv/B1XHE6CEGO/I2IaULuQtK1+MmDzqtXRCMqqclhkiyyrJBjFrLx0xLfNiX1ZvQ=
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0013_01D5334B.8D635A00"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a80de122-5950-49e9-ddc1-08d70151ed1a
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Jul 2019 14:06:07.6804 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: magnus.westerlund@ericsson.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2698
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/Ib6_NgSQJ_7Q_pKwIh54O_fMXWk>
Subject: [dtn] AD evaluation of draft-ietf-dtn-bpbis-13
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jul 2019 14:06:17 -0000
Hi, I have now reviewed this document. Consider that there are a number of issues that likely need WG discussion I thought I should send out this, despite that I have not yet reviewed the BPSEC document that appears to be highly relevant and may result in additional changes needed in this document. But BPSEC is next in a my review pile. Also as this area is new, I read the architecture a long time ago so don't hesitate to clarify if it appears that I am missing things. 1. Section 4.1.5.1 and 10 : As this document uses the "dtn" URI scheme and the "dtn" scheme was only provisional registered by RFC 5050 I think this document should formally register the DTN URI scheme and thus a new subsection in Section 10 is needed. Also, maybe similar effort to move "ipn" to permeant is needed? 2. Section 4.1.6: I think the format and definition of this field are insufficient. It is lacking a reference or a normative description of what "Unix Epoch Time" in an unsigned int format actually is. Is the intention here to simply measure the number of seconds since the start of year 2000? Which Unix epoch time is not due to leap seconds. And I become uncertain as UTC time scale is something else than Unix Epoch time at least when it comes to leap seconds handling. Due to that Unix Time have discontinuities in the time scale at leap seconds I would recommend strongly against using it. Select UTC or TAI depending on where you want the leap second handling pain to exist. Also, you specified only CBOR unsinged integer which is a representation that can use 64-bit and thus not have the issues with 32-bit signed integer seconds epochs that regular unix time has, but that should probably be made explicit that it is expected to handle that. Even if the first wrap of this unsigned 32-bit format will not occur until 2136. And please provide necessary normative references, not informative ones. 3. Section 4.2.2: The Lifetime field appears problematic if the creating node doesn't have a reliable clock and uses timestamp 0 for all bundles. I think that special case needs to be discussed. Which it is later done, but there is missing reference to that. 4. Section 4.2.2: Report-to EID Is this field set by bundle creator and never changed? It is not clear and appear to have implications on how this field should be treated. Primarily considering integrity options over these fields. 5. Section 4.3.3. Maximum Hop count upper limit? Can I insert a max UiNT64 here and expect that to be acceptable? 6. Section 5.1: Under some circumstances, the requesting of status reports could result in an unacceptable increase in the bundle traffic in the network. For this reason, the generation of status reports MUST be disabled by default and enabled only when the risk of excessive network traffic is deemed acceptable. I find the above paragraph rather unclear. First of all what are the circumstances. Secondly, shouldn't the type of status report requested be discussed. What I can see the different types results in at most 1, N-1 or N times the number of sent bundles with the status report set depending on type, where N is the number of nodes on the path including receiving endpoint. So are there any recommendations to when it might be acceptable to request status delivery. To me it appears the trace route like options, like forwarding status report should only be used on a small number of bundles sent for debuging or monitoring purposes. Use of the bundle deletion status report appear to have other motivations for its use. I assume that this is fine for cases when it occurs for a small fraction of the bundles for some reasons, but when you have real failures on next hop links it appears that this may cause high volumes of deletion. Thus a rate limitation makes sense. I assume that this is one of the not specified reasons the below paragraph indicates: When the generation of status reports is enabled, the decision on whether or not to generate a requested status report is left to the discretion of the bundle protocol agent. Mechanisms that could assist in making such decisions, such as pre-placed agreements authorizing the generation of status reports under specified circumstances, are beyond the scope of this specification. 7. Section 5.3: Step 1: If the bundle's destination endpoint is an endpoint of which the node is a member, the bundle delivery procedure defined in Section 5.7 MUST be followed and for the purposes of all subsequent processing of this bundle at this node the node's membership in the bundle's destination endpoint SHALL be disavowed. I don't understand why and what implications the disavowing has for a local bundle being dispatched from a member node part of the destination. 8. Section 5.4 Step 3: If forwarding of the bundle is determined to be contraindicated for any of the reasons listed in Figure 4, then the Forwarding Contraindicated procedure defined in Section 5.4.1 MUST be followed; the remaining steps of Section 5 are skipped at this time. Should that last Section 5 be Section 5.4? 9. Section 6.1.1 What does Destination endpoint ID unintelligible actually mean? Same with Block unintelligible. Are these the combination for corrupted blocks or EIDs? Are there a point of separating out the case where the CRC indicate a corruption? 10. Section 7.2 So the service description appears very high level. How is the actual interface working when it comes to dealing with that there is either possibility to send, as well as rate control in the API. When can more data be accepted and when is the convergence layer not ready. Also don't the Bundle Agent need a signal when this side thinks it has delivered as a signal of when the forwarding has completed? I was expecting this section to actually be explicit about what functionalities the Bundle Agent really need from the convergence layer. 11. Section 9 I think this section needs to be more explicit about mandating implementation support for BPSEC. The IETF do not publish a protocol today that doesn't have a mandatory to implement security solutions for the protocol's major properties. In this case communication security, i.e. confidentiality, integrity and authentication of the data communicated is very relevant. I have not yet read BPSEC so I may have additional concerns about that issues are not handled in the combined protocol. I hope the BPSEC has some discussion of the privacy properties of the protocol. 12. Section 9: Additionally, convergence-layer protocols that ensure authenticity of communication between adjacent nodes in BP network topology SHOULD be used where available, to minimize the ability of unauthenticated nodes to introduce inauthentic traffic into the network. In this context wouldn't it be reasonable to also recommend using encryption on the convergence layer to avoid eavsedropping on the part that is in clear and prevent traffic analysis by third parties? 13. Section 9. Note that the generation of bundle status reports is disabled by default because malicious initiation of bundle status reporting could result in the transmission of extremely large numbers of bundle, effecting a denial of service attack. I think there is a clear lack of mitigations proposed for this issue. As I mentioned in Issue 6 I think one both needs to consider amount of generated traffic versus utility for the sender. Also I will have to read BPSec to understand what integrity and source authentication there is of the request for status reports. Next is the issue of rate limiting and prioritization of status reports versus other bundles. Also due to the multi-hop store and forward nature of this protocol the actual bottle neck may only occur several hops towards the receiver. What can be said about dropping status reports versus other bundles when there is a resource contention, either in storage or in convergence layers capability of forwarding messages within time. 14. Section 6 I fail to see any discussion of how the sender of a status report should set the lifetime and max hop. Can it actually take that information from the Bundle it is reporting on? 15. Section 10. I think this section needs to be clearer. Several improvements that can be made. * I recommend individual sub-sections per registry operation * Can you be clearer in references to point to specific sections of definitions that makes it simpler to find the relevant from the IANA registry? More specific parts. This document defines the following additional Bundle Protocol block types, for which values are to be assigned from the Bundle Administrative Record Types namespace [RFC6255]: First of all according to the registry, this registry is actually created by RFC 7116. This and the observation that the things you attempt to register in this registry you are actual called Bundle Block Types in your document. Thus, I have to ask are you actually addressing the right registry, or is the issue that you actually need per version specific registries for example Bundle Block Types? If it is the later, then lets define new registries. Possibly there should be a new major page for BPv7. Not having read all the old documents, you likely have to consider which registries are version specific and which are not. 16. Section 10: For the new registry, do you have any requirements for registrations that should be written out. And in addition any criteria you want the expert to consider when approving or rejecting registries? And is this registry version 7 specific or not? 17. Section 4.1.1: The CRCs are lacking proper normative references. Needed for both 1 and 2. Note that you have [CRC] that is currently unused. 18. Section 11.2: [BPSEC] is a normative reference. [RFC6255] is normatively referenced for their registration procedures. 19. Section 13, Section 4.2.2 This Section 13 item was something I wondered over: . Restructure primary block, making it immutable. Add optional CRC. Did I simply miss where that is said in the context of Section 4.2.2? 20. Optional CRCs Why are the primary block CRC optional? I assume the intention with it is to do a verification that the primarily block with the addressing information hasn't become corrupted in the transmission between nodes, similar to the checksums we have in other protocols. Under which conditions will not using it be a reasonable idea? Are you expecting other mechanisms to cover for it, or are you reasoning that having corrupted bundles being delivered to the wrong places is not an issue? As the primarily block is the main addressing part, I would think the considerations that went into discussion of the (almost) always usage of the UDP checksum for IPv6 applies here. Also the implications for corruptions and cost in some DTNs for stray data appears quite high. Cheers Magnus Westerlund
- [dtn] AD evaluation of draft-ietf-dtn-bpbis-13 Magnus Westerlund
- Re: [dtn] AD evaluation of draft-ietf-dtn-bpbis-13 R. Atkinson
- Re: [dtn] AD evaluation of draft-ietf-dtn-bpbis-13 Magnus Westerlund
- Re: [dtn] AD evaluation of draft-ietf-dtn-bpbis-13 Magnus Westerlund
- Re: [dtn] AD evaluation of draft-ietf-dtn-bpbis-13 Templin (US), Fred L
- Re: [dtn] AD evaluation of draft-ietf-dtn-bpbis-13 Magnus Westerlund
- Re: [dtn] AD evaluation of draft-ietf-dtn-bpbis-13 R. Atkinson
- Re: [dtn] [EXTERNAL] Re: AD evaluation of draft-i… Burleigh, Scott C (312B)
- Re: [dtn] AD evaluation of draft-ietf-dtn-bpbis-13 Burleigh, Scott C (US 312B)
- Re: [dtn] AD evaluation of draft-ietf-dtn-bpbis-13 Magnus Westerlund
- Re: [dtn] AD evaluation of draft-ietf-dtn-bpbis-13 Magnus Westerlund
- Re: [dtn] AD evaluation of draft-ietf-dtn-bpbis-13 Burleigh, Scott C (US 312B)