[Gen-art] Gen-art review of draft-sakane-dhc-dhcpv6-kdc-option-14.txt

Alexey Melnikov <alexey.melnikov@isode.com> Fri, 23 March 2012 18:22 UTC

Return-Path: <alexey.melnikov@isode.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCB7821F862F for <gen-art@ietfa.amsl.com>; Fri, 23 Mar 2012 11:22:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.599
X-Spam-Level:
X-Spam-Status: No, score=-104.599 tagged_above=-999 required=5 tests=[AWL=-2.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XhYD6BCrAYEs for <gen-art@ietfa.amsl.com>; Fri, 23 Mar 2012 11:22:30 -0700 (PDT)
Received: from rufus.isode.com (cl-125.lon-03.gb.sixxs.net [IPv6:2a00:14f0:e000:7c::2]) by ietfa.amsl.com (Postfix) with ESMTP id 4593021F8629 for <gen-art@ietf.org>; Fri, 23 Mar 2012 11:22:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1332526949; d=isode.com; s=selector; i=@isode.com; bh=Pe8zpzsI7CAWRihTWe7wR7q3a1sNGncM0maGhUYGW9M=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=h5qKxHFOLvMpuSmcGUZ3dibYxFVzVvqCCfEE5uhwxcVJnw+VepMUti9yZs05Sy84itol/8 XFZE7zEaLU5VTJmbVBVk6TJAaLPjRwiVvA8pDO9YsVT0ax78ns4votQp4XhQK0ay5BCZMo Q2ojy+V2oB/l3TtvBJENuiWJSrKI9iQ=;
Received: from [192.168.1.79] (191.49.12.93.rev.sfr.net [93.12.49.191]) by rufus.isode.com (submission channel) via TCP with ESMTPSA id <T2y=YgAikiqM@rufus.isode.com>; Fri, 23 Mar 2012 18:22:29 +0000
X-SMTP-Protocol-Errors: PIPELINING
Message-ID: <4F6CBF66.9090802@isode.com>
Date: Fri, 23 Mar 2012 19:22:30 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
To: Shoichi Sakane <ssakane@cisco.com>, General Area Review Team <gen-art@ietf.org>, Masahiro Ishiyama <masahiro@isl.rdc.toshiba.co.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Jeffrey Hutzelman <jhutz@cmu.edu>
Subject: [Gen-art] Gen-art review of draft-sakane-dhc-dhcpv6-kdc-option-14.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Mar 2012 18:22:35 -0000

I am the assigned Gen-ART reviewer for this draft. For background on 
Gen-ART, please see the FAQ at 
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please resolve these comments along with any other Last Call comments 
you may receive.

Document: draft-sakane-dhc-dhcpv6-kdc-option-14.txt
Reviewer: Alexey Melnikov
Review Date: 23 March 2012
IETF LC End Date: 23 March 2012
IESG Telechat date: (if known)  -

Summary: I think this document needs another revision before being ready 
for IESG review, although I don't think that changes are difficult.


1.  Introduction

    To provide a set of IP addresses of the KDC, the Kerberos V5
    specification [RFC4120] defines KDC discovery by utilizing DNS SRV
    records [RFC2782].  However, systems that do not employ the DNS, but
    do use DHCP, do exist, for example industrial systems.  Some
    industrial systems don't use DNS because they have already had their
    own name spaces and their own name resolution systems, including pre-
    configured mapping tables for devices, rather than using FQDNs and
    DNS.  And these systems would prefer not to employ DNS only for name
    resolution because adding a new server may bring a decrease in the
    reliability of the system, and increase the management cost of the
    system.

Minor: I am a bit doubtful about this claim, but maybe this is just me.
Many systems already depend on DNS. However, I think you might be 
missing out on showing another reason of why your extension might be 
useful: it might eliminate some DNS lookups and thus can speed-up 
acquisition of Kerberos credentials.


3.3.  Kerberos Default Realm Name Option

    This option provides a default realm name of the Kerberos system.
    Unlike the Kerberos Realm Name Option, it is intended for a DHCPv6
    server to use, and specifies the default realm name to both clients
    and Kerberos application servers in the Kerberos system.

Major: Can you give me an example of when this option might be different 
from the Kerberos Realm Name Option (section 3.2)?


3.4.  Kerberos KDC Option

    This option provides a set of configuration information about a KDC.

    The format of the Kerberos KDC Option is:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |         OPTION_KRB_KDC        |          option-len           |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |           Priority            |            Weight             |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       | Transport Type|          Port Number          |               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+               |
       |                                                               |
       |                                                               |
       |                       KDC IPv6 address        +---------------+
       |                                               |               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+               :
       :                                                               :
       :                          realm-name                           :
       :                       (variable length)                       :
       :                                                               :
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Major: realm-name is not described later in this section. I think it 
should be removed considering that you have 2 other options for Kerberos 
realms already.


4.  Client Operation

    When the client requires configuration parameters for a Kerberos
    system while bootstrapping, the client SHOULD put the client
    principal name itself into the Kerberos Principal Name Option.

Minor: So this option is only ever sent from a DHCP client to a DHCP 
server? Section 3.1 is not clear on that.

    When the client requires specific information for a certain realm,
    the client SHOULD specify the realm name in the Kerberos Realm Name
    Option.

Minor: This might be answering one of my questions above, but I think 
you should make this clear in Section 3.2.

    When the client requires specific information related to a
    certain Kerberos application server of the Kerberos system, the
    client SHOULD put the principal name of the server into the Kerberos
    Principal Name Option.

Major: Is such dual-purpose use a good idea?


4.1.  KDC discovery for a client

    1) Initially, the client asks both DNS and Kerberos information to
       the DHCP server.

Nit: s/to/from

    6) If, as the result of (1), if the client gets both DNS and Kerberos
       information from the DHCP server, then the client asks Kerberos
       information to the DNS server.

Nit: s/to/from

Minor: But this (or the diagram) looks confusing to me: if the client 
already got both Kerberos and other information from DHCP, why should it 
query DNS at all? I think either your diagram is confusing, or the 
description below, or both.


5.  Server Operation

    After the DHCPv6 server receives a message which is contained an
    Option Request Option, the information the server will provide
    depends on local policy.  If there are no criteria on the server, the
    following operation is RECOMMENDED.

Nit: It is not entirely clear to me what you mean by "no criteria" above.


idnits reports a DownRef to RFC 6251, but this was called out during 
IETF LC, so no problems here.