IETF Logo Mail Archive

Re: Last Call: <draft-ietf-v6ops-v6-aaaa-whitelisting-implications-03.txt> (IPv6 AAAA DNS Whitelisting Implications) to Informational RFC

Pekka Savola <pekkas@netcore.fi> Tue, 26 April 2011 09:51 UTC

Return-Path: <pekkas@netcore.fi>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F001E06B2; Tue, 26 Apr 2011 02:51:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6GC5sDMnIG2H; Tue, 26 Apr 2011 02:51:17 -0700 (PDT)
Received: from netcore.fi (eunet-gw.ipv6.netcore.fi [IPv6:2001:670:86:3001::1]) by ietfa.amsl.com (Postfix) with ESMTP id BA583E06B1; Tue, 26 Apr 2011 02:51:16 -0700 (PDT)
Received: from netcore.fi (localhost [127.0.0.1]) by netcore.fi (8.13.8/8.13.8) with ESMTP id p3Q9p6pl023739 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 26 Apr 2011 12:51:06 +0300
Received: from localhost (pekkas@localhost) by netcore.fi (8.13.8/8.13.8/Submit) with ESMTP id p3Q9p5i1023735; Tue, 26 Apr 2011 12:51:06 +0300
Date: Tue, 26 Apr 2011 12:51:05 +0300
From: Pekka Savola <pekkas@netcore.fi>
To: ietf@ietf.org
Subject: Re: Last Call: <draft-ietf-v6ops-v6-aaaa-whitelisting-implications-03.txt> (IPv6 AAAA DNS Whitelisting Implications) to Informational RFC
In-Reply-To: <20110415205113.13704.48681.idtracker@ietfc.amsl.com>
Message-ID: <alpine.LRH.2.02.1104261249510.23669@netcore.fi>
References: <20110415205113.13704.48681.idtracker@ietfc.amsl.com>
User-Agent: Alpine 2.02 (LRH 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-Virus-Scanned: clamav-milter 0.97 at otso.netcore.fi
X-Virus-Status: Clean
Cc: v6ops@ietf.org, v6ops-chairs@tools.ietf.org, draft-ietf-v6ops-v6-aaaa-whitelisting-implications@tools.ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Apr 2011 09:51:18 -0000

On Fri, 15 Apr 2011, The IESG wrote:
> The IESG has received a request from the IPv6 Operations WG (v6ops) to
> consider the following document:
> - 'IPv6 AAAA DNS Whitelisting Implications'
>  <draft-ietf-v6ops-v6-aaaa-whitelisting-implications-03.txt> as an
> Informational RFC

This is an ops-dir review of
draft-ietf-v6ops-v6-aaaa-whitelisting-implications-03.

The document is readable and could be published as-is.  I share some of the
concerns already expressed in the document, but I think the doc strikes a
reasonable balance between the concerns and practical points.

One bigger comment:
-------------------

Section 6 on deployment scenarios seems too black and white: either it is
done ad-hoc or (completely) universally.  The latter is unfeasible.

The document should cover a middle ground which is already discussed in
[NW-Article-DNS-WL], i.e., one or more whitelisting information providers
would be used by multiple content networks.  This has many benefits compared
to completely ad-hoc model, and is feasible compared to universal model.

The "universal deployment model" proposition has created ripples throughout
the document (one such place is S 7.3.7), and I think the document might
have been clearer if that was taken out completely -- or at least, issues
related to each deployment model would be more clearly separated.

......


8.3.1. Solving Current End User IPv6 Impairments
...
    One challenge with this option is the potential difficulty of
    motivating members of the Internet community to work collectively
    towards this goal, sharing the labor, time, and costs related to such
    an effort.  Of course, since just such a community effort is now
    underway for IPv6, it is possible that this would call for only a
    moderate amount of additional work.

... I would observe that ad-hoc whitelisting is already requiring a lot of
work from each of whitelisting providers.  Would this require more than
that?  If the alternative is to do nothing (no whitelisting, no user
impairment notification) that is clear the winner from the selfish POV. But
if the choice is between whitelisting and alerting, I don't see much
difference between the two.  Both could benefit from joint activities, but
both can also be operated in an ad-hoc fashion.


editorial:
----------

7.3.7. Additional Implications If Deployed On An Ad Hoc Basis

    Additional implications, should this be deployed on an ad hoc basis,
    could include scalability problems relating to operational processes,
    monitoring, and ACL updates.

... this could be read to imply that S 7.3.1-6 would be applicable to
universal deployment.  This is not what is meant.  Maybe clarify somewhat
like as follows:

    Previous subsections described implications that apply to both ad-hoc and
    universal deployment models.  Some additional implications are specific
    to ad-hoc deployment models, namely ...

S 7.5

    governmental, and/or cultural conflicts, given the new control point
    which has be established with DNS whitelisting.  For example, in one

s/be/been/

    [IPv6 Brokenness]
               Anderson, T., "Measuring and Combating IPv6 Brokenness",
               Reseaux IP Europeens (RIPE) 61st Meeting, November 2011,
               <http://ripe61.ripe.net/presentations/162-ripe61.pdf>.


s/2011/2010/

v2.23.0 | Report a Bug | By Email