Re: [Gen-art] Telechat review of draft-ietf-dime-erp-16.txt

Benoit Claise <bclaise@cisco.com> Tue, 22 January 2013 14:21 UTC

Message-ID: <50FEA01E.4030809@cisco.com>
Date: Tue, 22 Jan 2013 15:20:14 +0100
From: Benoit Claise <bclaise@cisco.com>
To: draft-ietf-dime-erp@tools.ietf.org
Cc: me <bclaise@cisco.com>, General Area Review Team <gen-art@ietf.org>, dime mailing list <dime@ietf.org>, draft-ietf-dime-erp.all@tools.ietf.org
In-Reply-To: <50FC23D1.2080400@dial.pipex.com>
References: <50FC23D1.2080400@dial.pipex.com>
Subject: Re: [Gen-art] Telechat review of draft-ietf-dime-erp-16.txt
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>

draft-ietf-dime-erp authors,

Please address this feedback, ideally before the IESG telechat this 
Thursday.

Regards, Benoit
> I am the assigned Gen-ART reviewer for this draft. For background on
> Gen-ART, please see the FAQ at
> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
>
> Please wait for direction from your document shepherd
> or AD before posting a new version of the draft.
>
> Document: draft-ietf-dime-erp-16.txt
> Reviewer: Elwyn Davies
> Review Date: 20 Jan 2013
> IETF LC End Date:
> IESG Telechat date: 24 Jan 2013
>
> Summary: Not ready assuming I have correctly identified that the 
> requirements specified in RFC 5295 below are not met by this usage of 
> the DSRK.  Generally the use of the term 'domain' in this draft is 
> rather cavalier, as it fails to explicitly tie it back to the 
> restricted meaning of RFC 5295 and does not clarify how nodes find out 
> what domain name they should be using.
>
> Major issues:
> s5, para 1:
> Para 1 states:
>
>   To
>    achieve this, it must learn the domain name of the ER server. How
>    this information is acquired is outside the scope of this
>    specification, but the authenticator might be configured to advertize
>    this domain name, especially in the case of re-authentication after a
>    handover.
>
> It appears that declaring learning the domain name out of scope for 
> this specification is in conflict with RFC 5295, para 4 (top of page 12):
>    Usages that make use of the DSRK must define how the peer learns the
>    domain label to use in a particular derivation.
>
> This matter escaped me on the previous pass, when I just asked whether 
> there were any suggestions of how the advertisement might be done.
>
> Minor issues:
> s3:  In my Last call review of this document (version 12) I queried 
> the use of the phrase 'the existence of at most one (logical) ER 
> server entity' in two places in s3.  I received an answer from one of 
> the authors that suggested that the phrase was self-explanatory.  
> At the time I did not push back on this and no change has been made.  
> On re-reading the latest version of the draft and the author's reply, 
> I (still) feel that it would help to explain:
> (1) Why having more than one ER server in a domain is a mistake - 
> apparently because this will result in EAP 'failing inappropriately' 
> in some cases which would seem to be a reason to specifically 
> deprecate having more than one, and explaining just what the 
> inappropriate consequences would be.
> (2) The consequences of having zero ER servers in a domain.  The reply 
> to my comments seems to imply that this would just result in the 
> 'protocol failing gracefully'.  However, reading RFC 6695, para 2 of 
> s5.1 seems to imply that having zero ER servers in the local (visited) 
> domain may not be fatal if there is an ER server in the home domain 
> (see also s4 of this draft).  If I have interpreted this correctly, 
> then there is a distinction between the cases (home vs arbitrary 
> visited domain) that could usefully be brought out here rather than 
> leaving the reader to work it out from later reading.
>
> s3, last sentence of para 1: "we assume only one ER server that is 
> *near* the peer involved in ERP": How are we to interpret 'near' here? 
> Topologically or physically?  How would the peer know a server was 
> 'near' it or nearer than some other server?
>
> Nits/editorial comments:
> s2/s3:  I assume that the term 'domain' is intended to be interpreted 
> as in RFC 5295, i.e. as a shorthand for Key Management Domain.  This 
> needs to be spelt out here.   Similarly 'home domain', 'local domain' 
> and 'visited domain' should be explicitly mentioned as (presumably) 
> having the same meanings as in RFC 6696.
>
>
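As an added illustration of the point raised under "Major issues" above (this is example code written for this archive page, not part of Elwyn's review, of the draft, or of any IETF implementation), the following Python shows why the peer must know the exact domain label: the DSRK is a key derived from the EMSK with the domain label mixed into the KDF input, so a peer that learns or guesses a different label than the one the ER server's DSRK was derived under ends up with an unrelated key. The PRF+ construction over HMAC-SHA-256 and the `key label | "\0" | optional data | length` input layout follow RFC 5295 s3; the placement of the domain label as the key label with empty optional data, the 64-octet output length, the sample EMSK and the function names are this example's assumptions, not a claim about the normative encoding.

```python
import hashlib
import hmac
import struct

# Constructed sample EMSK (64 octets) for the demonstration; not a real key.
SAMPLE_EMSK = bytes(range(64))

# Output length chosen for this example (RFC 5295 encodes the length as a
# 2-octet value in octets; 64 here is an assumption, not a normative value).
DSRK_LENGTH = 64


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """PRF+ over HMAC-SHA-256, the default KDF building block of RFC 5295:
    T(1) = HMAC(K, S | 0x01), T(n) = HMAC(K, T(n-1) | S | n), truncated."""
    output = b""
    previous = b""
    counter = 1
    while len(output) < length:
        if counter > 255:
            raise ValueError("PRF+ counter is a single octet; requested output too long")
        previous = hmac.new(key, previous + seed + bytes([counter]),
                            hashlib.sha256).digest()
        output += previous
        counter += 1
    return output[:length]


def usrk_kdf(emsk: bytes, key_label: bytes, optional_data: bytes, length: int) -> bytes:
    """KDF(EMSK, key label | "\\0" | optional data | length) from RFC 5295 s3.1,
    with the length encoded as a 2-octet network-byte-order value."""
    seed = key_label + b"\x00" + optional_data + struct.pack(">H", length)
    return prf_plus(emsk, seed, length)


def derive_dsrk(emsk: bytes, domain_label: bytes) -> bytes:
    """Derive a root key bound to one Key Management Domain.
    Assumption for illustration: the domain label is fed in as the key label
    with empty optional data; see RFC 5295 s4 for the normative encoding."""
    return usrk_kdf(emsk, domain_label, b"", DSRK_LENGTH)


def peer_and_server_agree(emsk: bytes, peer_domain: bytes, server_domain: bytes) -> bool:
    """True only when the peer's idea of the domain label equals the label the
    ER server's DSRK was derived under. Any mismatch leaves the two sides with
    unrelated keys, so ERP re-authentication cannot succeed."""
    return hmac.compare_digest(derive_dsrk(emsk, peer_domain),
                               derive_dsrk(emsk, server_domain))


if __name__ == "__main__":
    advertised = b"visited.example"   # label the ER server actually uses (constructed)
    guessed = b"home.example"         # label a peer might wrongly assume (constructed)
    print("peer learned the right label :",
          peer_and_server_agree(SAMPLE_EMSK, advertised, advertised))
    print("peer guessed a different label:",
          peer_and_server_agree(SAMPLE_EMSK, guessed, advertised))
```

The comparison uses `hmac.compare_digest` so that a real implementation checking derived keys does not leak timing information; the failure case is the one the review describes, where nothing in the protocol tells the peer which label to use and the derivation silently diverges rather than producing an explicit error.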