Re: [Idr] Can we eliminate the "IETF Review" Capablities range? [was: Re: I-D Action: draft-ietf-idr-capabilities-registry-change-04.txt]

<bruno.decraene@orange.com> Fri, 24 May 2019 09:50 UTC

Return-Path: <bruno.decraene@orange.com>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE5191202CC for <idr@ietfa.amsl.com>; Fri, 24 May 2019 02:50:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cKj8o5-k7b4z for <idr@ietfa.amsl.com>; Fri, 24 May 2019 02:50:02 -0700 (PDT)
Received: from orange.com (mta239.mail.business.static.orange.com [80.12.66.39]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE69F1202DC for <idr@ietf.org>; Fri, 24 May 2019 02:50:01 -0700 (PDT)
Received: from opfedar01.francetelecom.fr (unknown [xx.xx.xx.2]) by opfedar26.francetelecom.fr (ESMTP service) with ESMTP id 459M6c1HykzFpr0; Fri, 24 May 2019 11:50:00 +0200 (CEST)
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.48]) by opfedar01.francetelecom.fr (ESMTP service) with ESMTP id 459M6c0LrGzBrLS; Fri, 24 May 2019 11:50:00 +0200 (CEST)
Received: from OPEXCAUBM43.corporate.adroot.infra.ftgroup ([fe80::b846:2467:1591:5d9d]) by OPEXCAUBM32.corporate.adroot.infra.ftgroup ([::1]) with mapi id 14.03.0439.000; Fri, 24 May 2019 11:49:59 +0200
From: bruno.decraene@orange.com
To: tom petch <ietfc@btconnect.com>, "idr@ietf.org" <idr@ietf.org>, John Scudder <jgs=40juniper.net@dmarc.ietf.org>
Thread-Topic: [Idr] Can we eliminate the "IETF Review" Capablities range? [was: Re: I-D Action: draft-ietf-idr-capabilities-registry-change-04.txt]
Thread-Index: AQHVEYUyVIsCWqG9LUSO7O62sTvrZqZ5+dyA
Date: Fri, 24 May 2019 09:49:59 +0000
Message-ID: <32397_1558691400_5CE7BE48_32397_20_1_53C29892C857584299CBF5D05346208A48AE14BF@OPEXCAUBM43.corporate.adroot.infra.ftgroup>
References: <155860518236.3859.4116481267193969204@ietfa.amsl.com> <F34580D3-0033-45CA-B90A-78A37DE22F9B@juniper.net> <015701d51184$a55712c0$4001a8c0@gateway.2wire.net>
In-Reply-To: <015701d51184$a55712c0$4001a8c0@gateway.2wire.net>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.245]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/G3dlQGBQX1aQ2i4yaLs_4lG23u4>
Subject: Re: [Idr] Can we eliminate the "IETF Review" Capablities range? [was: Re: I-D Action: draft-ietf-idr-capabilities-registry-change-04.txt]
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 May 2019 09:50:10 -0000

> 
> -----Original Message-----
> From: Idr [mailto:idr-bounces@ietf.org] On Behalf Of tom petch
> Sent: Thursday, May 23, 2019 6:33 PM
> To: idr@ietf.org; John Scudder
> Subject: Re: [Idr] Can we eliminate the "IETF Review" Capablities range? [was: Re: I-D Action: draft-ietf-idr-capabilities-registry-change-04.txt]
> 
> ----- Original Message -----
> From: "John Scudder" <jgs=40juniper.net@dmarc.ietf.org>
> Sent: Thursday, May 23, 2019 11:10 AM
> 
> > On May 23, 2019, at 12:53 PM,
> internet-drafts@ietf.org<mailto:internet-drafts@ietf.org> wrote:
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> > This draft is a work item of the Inter-Domain Routing WG of the IETF.
> >
> >        Title           : Revision to Capability Codes Registration
> Procedures
> >        Author          : John Scudder
> > Filename        : draft-ietf-idr-capabilities-registry-change-04.txt
> > Pages           : 5
> > Date            : 2019-05-23
> >
> > This is a version bump to refresh the draft, which had expired. There
> are two outstanding points I can think of:
> >
> > 1. I’ve received a report of another use of Capability 129 (different
> from the one reported in the draft). I’m following up with the reporter
> to find out if that needs to be documented in the draft, if it does I’ll
> issue a revision.
> >
> > 2. The draft currently leaves Capabilities 1-63 as “IETF Review”. As I
> ’ve mentioned in another thread recently, I’ve become skeptical of the
> value of splitting registries between IETF Review and FCFS. Here are
> some options, listed in order of my own preference:
> >
> > 2.a. Make 1-238 all FCFS.
> > Pro: this is the easiest allocation policy with the least admin
> overhead. There is no decision required as to which range to select, so
> less confusion.
> > Con: there’s a theoretical risk of the number space being completely
> consumed, without any formal way for the WG to prevent it. (A “run on
> the bank”.)
> > Rebuttal: this hasn’t been seen to happen in practice. Also, we do
> reserve 255 in case we need it for future extension.
> >
> > 2.b. Make 1-63 Reserved, 64-238 FCFS.
> > Pro: as above, but without the chance that the number space could be
> completely consumed since 1-63 is protected. If that range is needed in
> the future, another draft can be written to reclassify it as IETF Review
> again, or as whatever is desired at that time.
> > Con: it’s a slightly more complicated solution to what may be a
> non-problem.
> >
> > 2.c. Leave it as written in version 04, 1-63 IETF Review, 64-238 FCFS.
> > Pro: it’s what we’ve already been discussing and nobody (other than
> me, in this note) has raised an objection so far.
> > Con: authors are required to choose between the two ranges, experience
> shows that many assume that IETF Review is “better” for some reason.
> This holds up number allocation, retards implementation, and invokes
> additional administrative overhead without returning any concrete
> benefit.
> >
> > I’d be interested in discussion of these options. 

Since you asked...

> Once these points
> are settled IMO the draft is ready for last call.
> 
> John
> 
> I see it as a question of security.  The Internet used to consist of
> friendly, helpful people who worked together to make it happen.  Now
> there is a whole raft of evil people, some state actors, some
> individual, some corporate - in fact, actors of any kind.

Two months ago, I would have said go for "2.a. Make 1-238 all FCFS" but as of today, I think Tom as a point.

A few random comments:
- If an actor requests all the code points, we probably still have the ability to write an RFC and reclaim those code points. We also have one reserved code point which would allow for extensions (but with a higher incremental cost, and possibly raising the same question for the allocation policy)
- FCFS does have minimal sanity check: well-formed request, description of usage, not a duplicate
- IMHO, in general code points are for interop and not for one private actor. (though I don't expect this opinion to be shared, and this is debatable in the specific case of BGP capabilities (vs attributes)). Hence code point would be better with a specification of how it is used. I think my preferred registration policy would be "IETF WG document Required". This one is not proposed in RFC 8126. This is not a showstopper, but I would assume that there is a (good) reason for that. Alternatively "Specification Required" seems the closest, but requires a designated expert (IDR chairs + instruction to have an IETF WG document would be pretty close to "IETF WG document Required")
- Among the 3 proposed options, I can really live with any option, but I guess that I have a slight preference with 2.b or 2.c.

> > 2.c. Leave it as written in version 04, 1-63 IETF Review, 64-238 FCFS.
> > Pro: it’s what we’ve already been discussing and nobody (other than
> me, in this note) has raised an objection so far.
> > Con: authors are required to choose between the two ranges, experience
> shows that many assume that IETF Review is “better” for some reason.
> This holds up number allocation, retards implementation, and invokes
> additional administrative overhead without returning any concrete
> benefit.

I understand the Con, but would feel that education, e.g. in this draft, should work. Altso, with an FCFS range anyone can make the request for the specification (including a chair/shepherd/anyone needing to implement/use), so we do not really have to rely on authors' assumptions.
But I'm speaking (weak) theory, while your "Con" reflects real experience. In theory there is no difference between theory and practice. In practice there is.

--Bruno 
 
> So, if we make it FCFS, and an evil actor sets out to sabotage us, what
> mechanisms do we have to stop them?  Think of the kind of mechanisms
> that routers have to stop them being overwhelmed.
> 
> As RFC8126says,
> 
> "   It is also important to understand that First Come First Served
   > really has no filtering.  Essentially, any well-formed request is
>    accepted."
> 
> so we have no defence against a DoS attack.  We have not had one such
> yet but as they say of pilots, there are those who have landed with the
> wheels up and there are those who will land with the wheels up.
> 
> We should reserve enough entries, i.e. IETF Review, to accommodate our
> needs for, say, the next decade.
> 
> Tom Petch
> 
> > Thanks,
> >
> > —John
> >
> 
> 
> ------------------------------------------------------------------------
> --------
> 
> 
> > _______________________________________________
> > Idr mailing list
> > Idr@ietf.org
> > https://www.ietf.org/mailman/listinfo/idr
> >
> 
> _______________________________________________
> Idr mailing list
> Idr@ietf.org
> https://www.ietf.org/mailman/listinfo/idr

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.