[Gen-art] Gen-ART LC review of draft-ietf-geopriv-http-location-delivery-07
Ben Campbell <ben@estacado.net> Tue, 06 May 2008 22:03 UTC
Return-Path: <gen-art-bounces@ietf.org>
X-Original-To: gen-art-archive@optimus.ietf.org
Delivered-To: ietfarch-gen-art-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D5AF928C4AE; Tue, 6 May 2008 15:03:40 -0700 (PDT)
X-Original-To: gen-art@core3.amsl.com
Delivered-To: gen-art@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 144B728C4B5 for <gen-art@core3.amsl.com>; Tue, 6 May 2008 15:03:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.499
X-Spam-Level:
X-Spam-Status: No, score=-2.499 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IDTPTD2tyyXD for <gen-art@core3.amsl.com>; Tue, 6 May 2008 15:03:37 -0700 (PDT)
Received: from estacado.net (dsl001-129-069.dfw1.dsl.speakeasy.net [72.1.129.69]) by core3.amsl.com (Postfix) with ESMTP id DA26128C4AE for <gen-art@ietf.org>; Tue, 6 May 2008 15:03:36 -0700 (PDT)
Received: from [172.16.3.213] ([172.16.3.213]) (authenticated bits=0) by estacado.net (8.14.2/8.14.1) with ESMTP id m46M1n48096670 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Tue, 6 May 2008 17:01:53 -0500 (CDT) (envelope-from ben@estacado.net)
Message-Id: <A2692069-AE99-4C7D-9107-B3EABB67E2B8@estacado.net>
From: Ben Campbell <ben@estacado.net>
To: Mary Barnes <mary.barnes@nortel.com>, james.winterbottom@andrew.com, martin.thomson@andrew.com, barbara.stark@bellsouth.com, General Area Review Team <gen-art@ietf.org>
Mime-Version: 1.0 (Apple Message framework v919.2)
Date: Tue, 06 May 2008 17:01:48 -0500
X-Mailer: Apple Mail (2.919.2)
Cc: Cullen Jennings <fluffy@cisco.com>, Jon Peterson <jon.peterson@neustar.biz>
Subject: [Gen-art] Gen-ART LC review of draft-ietf-geopriv-http-location-delivery-07
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: gen-art-bounces@ietf.org
Errors-To: gen-art-bounces@ietf.org
I have been selected as the General Area Review Team (Gen-ART) reviewer for this draft (for background on Gen-ART, please see http://www.alvestrand.no/ietf/gen/art/gen-art-FAQ.html). Please resolve these comments along with any other Last Call comments you may receive. Document: draft-ietf-geopriv-http-location-delivery-07 Reviewer: Ben Campbell Review Date: 2008-05-06 IETF LC End Date: 2008-05-07 IESG Telechat date: (if known) Summary: This document is almost ready for publication as a proposed standard. I have a few questions and comments that should be considered prior to publication. Comments: -- Substantive comments: -- I am a little bit confused by the scope of applicability of this draft. Section 3, paragraph 1 says "This document assumes that the LIS is present within the same administrative domain as the Device (e.g., the access network)." However, section A.3. claims compliance to a requirement to the effect of "The design of the L7 LCP MUST NOT assume a business or trust relationship between the Application Service Provider (ASP) and the Access Network Provider." (It is possibly I am misunderstanding what ASP means in this context?) Furthermore, certain aspects of HELD seem to require fairly tight coupling between the LIS and the access network. For example, the NIS needs to know about any range of addresses for which it is likely to have erroneous location info due to VPNs and NATs. The security considerations indicate that the network needs to be properly configured to avoid ip spoofing attacks, which would seem to indicate at least an administrative coupling between the access network provider. It goes on to make a normative statement that network configuration SHOULD be considered. A paragraph or two describing the expected network architecture might clear this up. Maybe this is covered sufficiently in some of the referenced documents? -- I would like to see a little more analysis on the safety of using the source IP address as the device identifier. My instinct says that reverse routeability may keep this from being a problem--but the security considerations do indicate source address spoofing could cause LI to be compromised, and add a list of approaches, "one or more" of which is recommended to limit the exposure. If there are in fact risks of compromise, I think the draft needs some more exhaustive and explicit statements of what I must do to avoid such attacks. -- The lbyr requirements draft includes a SHOULD level requirement that a client should be able to cancel location references. HELD does not seem to allow for that capability. I know it was only a SHOULD, but was there a particular reason to leave it out? -- Section 4.2: I understand that the authz mechanisms for dereferencing location URLs constitute a bit of an "elephant in the room". But do we really think it is useful to punt entirely on that? The referenced doc does not seem all that helpful on the matter. Even an example of a potentially useful approach might be helpful. (I realize this is not a HELD problem per se, but without some mechanism for it, I question the usefulness of location by reference in HELD.) (If we can point to a location dereference protocol and claim that spec solves this, then no problem.) Section 4.3.1: Should there be normative advice in this section? Section 6.2 and 6.2.1: I don't see an obvious way to say I only want to get location by value. Is that intentional? Section 6.3, error code unsupportedMessage: Wasn't there a normative statement ealier that the LIS MUST ignore anything in a request that it does not understand? If so, when would this get used? 6.5.2: Can you give any guidance about useful value ranges for "expires"? I assume very short expirations would not be useful. 6.6, last paragraph: "Note that the presence parameter is not explicitly shown in the XML schema Section 7 for a location response message due to XML schema constraints." Is that not a problem, since section 7 is the formal definition of the protocol syntax? Section 8: I'm a little confused by the fact that a HELD URI can show up both in a HELD response, and in LIS discovery. Does this use of a HELD URI imply the use of the HELD protocol? If so, how would a HELD URI in a locationReponse message be used? Since HELD uses the source IP address for the identifier, it is not useful to transmit the URI to another device, right? -- Nits and Editorial Comments: S1: Expand LIS on first use. (You do so later in paragraph.) Section 4: Paragraph 1 I realized at this point I had not yet seen an expansion of "HELD", nor a statement that HELD is the protocol being defined in this document outside of the document title. Maybe an official "naming" sentence in the last paragraph of the intro would help. Also, this paragraph could use explicit references for pidf-lo and location URIs. Section 4.3, paragraph 3: Please expand VPN on first use. Table 1: Can you add a legend for o and m? I know it seems obvious, but better to be explicit. Also, listing locationUriSet and presence both as optional for responses does not quite capture the normative statement that one or the other MUST exist. Section 5.2: Should there be normative language around the inclusion of locationType? (There is for the other parameters) Section 6.2. "any" value: The normative statement that the LIS SHOULD return all available forms seems to mildly conflict with some of the further normative statements in the paragraph. Section 12.5: URI Scheme Syntax says "See section" with no section number. _______________________________________________ Gen-art mailing list Gen-art@ietf.org https://www.ietf.org/mailman/listinfo/gen-art
- [Gen-art] Gen-ART LC review of draft-ietf-geopriv… Ben Campbell
- Re: [Gen-art] Gen-ART LC review of draft-ietf-geo… Mary Barnes
- Re: [Gen-art] Gen-ART LC review of draft-ietf-geo… Ben Campbell
- Re: [Gen-art] Gen-ART LC review of draft-ietf-geo… Mary Barnes
- Re: [Gen-art] Gen-ART LC review of draft-ietf-geo… Ben Campbell
- Re: [Gen-art] Gen-ART LC review of draft-ietf-geo… Mary Barnes
- Re: [Gen-art] Gen-ART LC review of draft-ietf-geo… Ben Campbell
- Re: [Gen-art] Gen-ART LC review of draft-ietf-geo… Cullen Jennings
- Re: [Gen-art] Gen-ART LC review of draft-ietf-geo… Mary Barnes