IETF Logo Mail Archive

Re: [Hipsec] I-D Action: draft-ietf-hip-rfc5203-bis-03.txt

Ari Keranen <ari.keranen@nomadiclab.com> Fri, 17 January 2014 14:43 UTC

Return-Path: <ari.keranen@nomadiclab.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9FE71AE0E0 for <hipsec@ietfa.amsl.com>; Fri, 17 Jan 2014 06:43:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.438
X-Spam-Level:
X-Spam-Status: No, score=-2.438 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.538] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c57nv7mNqjpk for <hipsec@ietfa.amsl.com>; Fri, 17 Jan 2014 06:43:13 -0800 (PST)
Received: from gw.nomadiclab.com (gw.nomadiclab.com [193.234.218.122]) by ietfa.amsl.com (Postfix) with ESMTP id A70E31AD8F0 for <hipsec@ietf.org>; Fri, 17 Jan 2014 06:43:12 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by gw.nomadiclab.com (Postfix) with ESMTP id 2F6474E702; Fri, 17 Jan 2014 16:42:59 +0200 (EET)
X-Virus-Scanned: amavisd-new at nomadiclab.com
Received: from gw.nomadiclab.com ([127.0.0.1]) by localhost (inside.nomadiclab.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PGnokWf30Tt1; Fri, 17 Jan 2014 16:42:58 +0200 (EET)
Received: from tri60.nomadiclab.com (localhost [IPv6:::1]) by gw.nomadiclab.com (Postfix) with ESMTPSA id 18B9E4E700; Fri, 17 Jan 2014 16:42:58 +0200 (EET)
Message-ID: <52D94171.3010601@nomadiclab.com>
Date: Fri, 17 Jan 2014 16:42:57 +0200
From: Ari Keranen <ari.keranen@nomadiclab.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: Julien Laganier <julien.ietf@gmail.com>
References: <20131211030009.544.78789.idtracker@ietfa.amsl.com> <52B44714.2010903@nomadiclab.com> <CAE_dhjsHQ9qJHvTr6rN3KBwd7G-Vu9xutT7G6-fuPjmP3gtB1A@mail.gmail.com> <52D806C5.1050606@nomadiclab.com> <CAE_dhjtyKAWKCXxpiYmk=AnrECV=bJrexH3M-McktLeT6i3wkw@mail.gmail.com>
In-Reply-To: <CAE_dhjtyKAWKCXxpiYmk=AnrECV=bJrexH3M-McktLeT6i3wkw@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "hipsec@ietf.org" <hipsec@ietf.org>
Subject: Re: [Hipsec] I-D Action: draft-ietf-hip-rfc5203-bis-03.txt
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jan 2014 14:43:16 -0000

Hi Julien,

On 1/17/14 5:50 AM, Julien Laganier wrote:
> Hi Ari,
>
> On Thu, Jan 16, 2014 at 8:20 AM, Ari Keranen <ari.keranen@nomadiclab.com> wrote:
>> Hi Julien,
>>
>> Thanks, that looks good to me. Although reading the draft again, I was
>> wondering is it missing some text regarding the "Insufficient resources"
>> error?
>
> Hmm... a registration failing because of "insufficient resources" is
> quite explicit; it conveys enough information for a  requester to know
> that there are no resources to create a registration at a given
> registrar. Presumably a requester would try to register at a different
> registrar if it knows one...
>
> What else would the requester need to know?

I mean that it looks a bit strange that there's only an error code 
defined but no text at all when to use it (even if the name of the code 
kinda gives it away). I would recommend to add a sentence or two about 
when/how to use it.

I spotted one (copy-paste) error in the draft, section 3.3:

    If the registrar knows the Host Identities (HIs) of all the hosts
    that are allowed to use the relaying service, it SHOULD reject
    registrations from unknown hosts.  However, since it may be
    unfeasible to pre-configure the relay with all the HIs, the relay
    SHOULD also support HIP certificates [I-D.ietf-hip-rfc6253-bis] to
    allow for certificate based authentication.

This should no longer be "relaying service" and "relay" (2 instances 
here) but in general the service for which one is registering for.

In the figures, at the end of the section, I was wondering why S3 is not 
announced by the registrar? Also the text is a bit unclear; almost as if 
RQ would try to register for S1 and S2 even if the figure shows only S1.

In section "4.5. REG_FAILED", it says "Failure types other than zero (0) 
and one (1) have not been defined." This is obviously not true anymore. 
Perhaps here would be a good place for some text on the insufficient 
resources error code.

And by the way, I guess you can have more than one REG_FAILEDs if there 
was more than one failure type? The text seems to now imply only single 
REG_FAILED.

Section 6 says:

    Registrars act on a voluntary basis and are willing to accept being a
    responder and then to create HIP associations with a number of
    previously unknown hosts.

Now with the HI/cert authentication this has actually improved (you only 
potentially do things with previously unknown hosts).

Otherwise I think the draft is in good shape and could move forward.


Cheers,
Ari

v2.23.0 | Report a Bug | By Email