Re: [Gen-art] Gen-ART LC review of draft-ietf-dnsop-cookies-08

"Peter Yee" <peter@akayla.com> Mon, 28 December 2015 01:30 UTC

From: Peter Yee <peter@akayla.com>
To: 'Donald Eastlake' <d3e3e3@gmail.com>
References: <011001d13eb3$63339cd0$299ad670$@akayla.com> <CAF4+nEGeK9u47LZKD8D_LX75RXLiVdzJVi9LQMkt=eA3mN6a_Q@mail.gmail.com>
In-Reply-To: <CAF4+nEGeK9u47LZKD8D_LX75RXLiVdzJVi9LQMkt=eA3mN6a_Q@mail.gmail.com>
Date: Sun, 27 Dec 2015 17:30:11 -0800
Message-ID: <029101d1410f$4ca0b350$e5e219f0$@akayla.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/gen-art/GFFVqlsnU9WfQobe5GQ_itoWrTk>
Cc: gen-art@ietf.org, draft-ietf-dnsop-cookies.all@ietf.org, 'IETF Discussion' <ietf@ietf.org>
Subject: Re: [Gen-art] Gen-ART LC review of draft-ietf-dnsop-cookies-08

Hi Donald,

	Responses below.

-----Original Message-----
From: Donald Eastlake [mailto:d3e3e3@gmail.com] 
Sent: Sunday, December 27, 2015 4:31 PM
To: Peter Yee
Cc: draft-ietf-dnsop-cookies.all@ietf.org; gen-art@ietf.org Review Team; IETF Discussion
Subject: Re: Gen-ART LC review of draft-ietf-dnsop-cookies-08

>> Minor issues:
>>
>> Page 14, Section 5.2.4, 1st paragraph, 1st sentence: It might be 
>> useful to mention what the examination entails as it would help in 
>> understanding the 3rd sentence in the paragraph.  There's an implied 
>> recalculation of the Server Cookie value based on the received Client 
>> Cookie and client IP address as opposed to a simple lookup of the received value.

>I'm not so sure of that. If the server wanted to, it could generate a random Server Cookie for each {Client Cookie, Client IP} and, in fact, do a look up.

Section 5.2.4 is the invalid server cookie one.  Let's say just the client's cookie changed, but all else remained the same.  The server wants to do a lookup.  If it looks up a stored, expected server cookie based on the client IP address, the server cookie looks valid.  If it just takes the received client cookie and client IP address (plus server secret) and generates the expected cookie value, then the received server cookie will appear invalid because of the change in client cookie.  That's the line of thinking that led to my comment.  It appears that you're expecting to do the calculation, otherwise you wouldn't have reason to notice the client cookie changing since this is an examination of the server cookie.  Sure, you could index off the client cookie, but that seems extreme.  And you would presumably not update the server cookie value to be used in future responses until you've done the initial examination, so unless you're doing an involved cookie rollover scheme, the client cookie wouldn't be used until it's needed to create the updated server cookie.

>> Nits:

>> Page 13, Section 5.2.2, 2nd paragraph: append "bytes" after "40".

>Why after 40 but not after 8 or 16? Seems to me it would be an improvement to add "bytes" after all three.

That works for me too.  I just wanted to get the unit in there.  If you prefer to tie the unit to each value, that's fine.

>Thanks,
>Donald

My pleasure,
		-Peter
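
Added example, not part of the original thread or of the draft: a sketch of the three ways of examining a Server Cookie that the exchange above contrasts (recalculation, a lookup indexed by client IP only, and a lookup indexed by {Client Cookie, Client IP}), run against a request whose Client Cookie has changed. The HMAC-SHA-256 construction truncated to 8 bytes, the class and function names, the secret and the sample address are all assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import os

SERVER_SECRET = b"constructed-server-secret"  # constructed sample value


def compute_server_cookie(client_cookie: bytes, client_ip: str) -> bytes:
    """Derive the expected Server Cookie from request fields (assumed construction)."""
    msg = client_cookie + ipaddress.ip_address(client_ip).packed
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:8]


class RecomputingServer:
    """Stateless: recalculates the expected cookie on every examination."""

    def issue(self, client_cookie, client_ip):
        return compute_server_cookie(client_cookie, client_ip)

    def examine(self, client_cookie, client_ip, server_cookie):
        expected = compute_server_cookie(client_cookie, client_ip)
        return hmac.compare_digest(expected, server_cookie)


class LookupServer:
    """Stateful: stores a random Server Cookie and looks it up later."""

    def __init__(self, index_by_client_cookie: bool):
        self.index_by_client_cookie = index_by_client_cookie
        self.table = {}

    def _key(self, client_cookie, client_ip):
        return (client_cookie, client_ip) if self.index_by_client_cookie else client_ip

    def issue(self, client_cookie, client_ip):
        return self.table.setdefault(self._key(client_cookie, client_ip), os.urandom(8))

    def examine(self, client_cookie, client_ip, server_cookie):
        stored = self.table.get(self._key(client_cookie, client_ip))
        return stored is not None and hmac.compare_digest(stored, server_cookie)


def examine_after_client_cookie_change(server):
    """Return (valid with original Client Cookie, valid after it changed)."""
    ip = "192.0.2.53"                            # constructed, documentation range
    old_cc, new_cc = bytes(8), bytes(range(8))   # constructed 8-byte Client Cookies
    server_cookie = server.issue(old_cc, ip)
    return (server.examine(old_cc, ip, server_cookie),
            server.examine(new_cc, ip, server_cookie))
```

Only the IP-indexed lookup still accepts the old Server Cookie once the Client Cookie has changed; the other two treat it as invalid.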