[Gen-art] Gen-ART Early Review of draft-ietf-opsawg-mud-iot-dns-considerations-02
Paul Kyzivat <pkyzivat@alum.mit.edu> Sat, 18 December 2021 22:10 UTC
Message-ID: <a46c68ad-624b-10ed-19d7-035be181bf52@alum.mit.edu>
Date: Sat, 18 Dec 2021 17:10:12 -0500
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
To: draft-ietf-opsawg-mud-iot-dns-considerations.all@ietf.org
Cc: General Area Review Team <gen-art@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/jV4U_nM_vhGwY5dxx-VTVfalNVE>
I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

For more information, please see the FAQ at
<https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.

Document: draft-ietf-opsawg-mud-iot-dns-considerations-02
Reviewer: Paul Kyzivat
Review Date: 2021-12-18
IETF LC End Date: ?
IESG Telechat date: ?

Summary:

This draft is on the right track but has open issues, described in the
review.

General Thoughts:

I struggled in choosing a Summary statement. I'm caught between:

* This draft is on the right track but has open issues, described in the
  review.
* This draft has serious issues, described in the review, and needs to be
  rethought.

I don't feel qualified to make that call, so I've gone with the more
positive choice.

One reason for my ambivalence is that I'm uncertain if the things
recommended in this document are *good enough* to be described as BCPs. I
would hope that following BCPs would give high probability of successful
deployment. I'm not convinced of that.

The real question may be whether the MUD approach can work for all the
types of deployment that IoT manufacturers might want to use. And if so,
whether RFC8520 together with some BCPs is sufficient to accomplish that.

Issues:

Major: 3
Minor: 2
Nits: 3

1) MAJOR: Section 3: Probabilistic results

Several of the strategies in this section appear to be probabilistic in
nature. E.g.,

   ... the list may have changed between the time that the MUD controller
   did the lookup and the time that the IoT device does the lookup ... In
   order to compensate for this, the MUD controller SHOULD regularly do
   DNS lookups.

Even with regular lookups the IoT devices could experience intermittent
failures. IMO the document needs to explore this issue. Is it good enough
if it sometimes fails when the list changes? Should the device do
something to mitigate the issue?

2) MAJOR: Section 3: Installation Specific Mechanisms

I'm bothered by the statement:

   "In this case, additional installation specific mechanisms are
   probably needed to get the right view of DNS."

Isn't this just hand waving? (I.e. you can't currently imagine a
solution?) "Installation specific" is particularly troubling, since it's
hard to imagine what an operator doing the installation would be capable
of doing. I think you need to dig deeply into this, or else somehow scope
the problem to exclude it.

3) MAJOR: Section 6: Recommendations

While following these recommendations may be helpful in achieving
workable deployments involving MUD, it seems unlikely that all
manufacturers of IoT devices would be able to comply with them all.
(E.g., "Do not use geofenced names.") What are manufacturers who can't
comply to do?

4) MINOR: Section 3: Strategies to map names

The statement:

   "This is not a successful strategy, and do not use it."

seems to be out of place here. Shouldn't this be in section 6?

5) MINOR: Section 4: Anti-Patterns

It isn't clear what you want done with these. I presume you want to tell
device manufacturers to stop doing these things. If so, then I suggest
you add BCPs recommending what manufacturers should do instead.

6) NIT: XXX

The document uses "XXX --" in several places. I'm assuming the intent is
to expand these in a future version.

7) NIT: Section 1: Section cross references

This section refers to "The first section ... The second section ... The
third section ... The fourth section ...". However, the section numbers
of the appropriate sections are 3, 4, 5, 6. You need to switch to
referring to sections by numbers that are specified by xrefs.

8) NIT: Section 1: "DNS Presolution"

Is the use of "DNS presolution" intentional, or did you mean "DNS
resolution"? While "presolution" is a word, I don't find any meaning for
"DNS presolution".
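The race the review raises under issue 1 (the MUD controller's lookup and the IoT device's lookup returning different answer sets) can be made concrete with a small simulation. The following is an added example, not code from the review, the draft, or any MUD implementation: the integer time model, the addresses and TTLs, and the two mitigations it compares (re-resolving when the last answer's TTL expires, and a grace period during which an address that has dropped out of the answer stays allowed) are constructed assumptions chosen to show where the failure window lies.

```python
"""Simulating the DNS-answer race between a MUD controller and an IoT device.

Added example; not code from the review, the draft, or any MUD implementation.
Time is an integer tick; the answer sets, TTLs and the two mitigations modelled
(TTL-driven re-resolution, a grace period for addresses that have dropped out
of the answer) are constructed assumptions used to illustrate the failure mode.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    """One DNS answer: the address set returned and the TTL it carried."""
    addresses: frozenset
    ttl: int


class ScriptedResolver:
    """Returns the (constructed) authoritative answer current at tick t.

    `timeline` maps the tick at which an answer becomes current to that answer.
    """

    def __init__(self, timeline):
        self._timeline = sorted(timeline.items())

    def resolve(self, t):
        current = None
        for start, answer in self._timeline:
            if start <= t:
                current = answer
        return current


class MudController:
    """Derives the allow-list for one MUD name from its own lookups.

    refresh  re-resolve when the TTL of the last answer expires (one reading of
             the draft's "SHOULD regularly do DNS lookups"; an assumption here)
    grace    ticks an address stays allowed after dropping out of the answer
    """

    def __init__(self, resolver, refresh, grace=0):
        self._resolver = resolver
        self._refresh = refresh
        self._grace = grace
        self._next_lookup = 0      # first lookup happens at tick 0
        self._allowed = {}         # address -> expiry tick, or None while current

    def _lookup(self, t):
        answer = self._resolver.resolve(t)
        for addr in answer.addresses:
            self._allowed[addr] = None                  # current: no expiry
        for addr, expiry in list(self._allowed.items()):
            if addr not in answer.addresses and expiry is None:
                self._allowed[addr] = t + self._grace   # start the grace timer
        self._next_lookup = t + answer.ttl if self._refresh else None

    def permits(self, addr, t):
        """Is addr on the allow-list at tick t? Pending lookups are applied first."""
        while self._next_lookup is not None and self._next_lookup <= t:
            self._lookup(self._next_lookup)
        for stale in [a for a, exp in self._allowed.items() if exp is not None and exp <= t]:
            del self._allowed[stale]
        return addr in self._allowed


class IotDevice:
    """Resolves the name itself and honours the TTL of the answer it received."""

    def __init__(self, resolver):
        self._resolver = resolver
        self._cached, self._cache_expiry = None, -1

    def destination(self, t):
        if t >= self._cache_expiry:
            answer = self._resolver.resolve(t)
            self._cached = min(answer.addresses)    # deterministic pick from the set
            self._cache_expiry = t + answer.ttl
        return self._cached


# Constructed scenario: the service moves from .10 to .11 at tick 100, TTL 60.
TIMELINE = {
    0: Answer(frozenset({"198.51.100.10"}), ttl=60),
    100: Answer(frozenset({"198.51.100.11"}), ttl=60),
}
# Two constructed connection schedules for the device.
SLOW_DEVICE = (30, 95, 105, 130, 200)   # device's cached answer is older than the controller's
FAST_DEVICE = (30, 100, 110)            # device sees the new answer before the controller does


def scenario(refresh, grace, connect_times):
    """Return the ticks at which the device's connection would be blocked."""
    resolver = ScriptedResolver(TIMELINE)
    controller = MudController(resolver, refresh, grace)
    device = IotDevice(resolver)
    return [t for t in connect_times if not controller.permits(device.destination(t), t)]


if __name__ == "__main__":
    for refresh, grace in ((False, 0), (True, 0), (True, 60)):
        for name, times in (("slow", SLOW_DEVICE), ("fast", FAST_DEVICE)):
            print(f"refresh={refresh!s:5} grace={grace:2} {name} device blocked at",
                  scenario(refresh, grace, times))
```

Re-resolving removes the permanent breakage of a one-time lookup, and the grace period covers a device whose cached answer is older than the controller's, but neither helps when the device obtains the new answer before the controller's next refresh. That residual window is the intermittent failure the review asks the draft to address.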