Re: Secdir early review of draft-ietf-babel-dtls-03

Sean Turner <sean@sn3rd.com> Wed, 06 February 2019 23:29 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69BFA130E25 for <ietf@ietfa.amsl.com>; Wed, 6 Feb 2019 15:29:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E2OI7e2md_wb for <ietf@ietfa.amsl.com>; Wed, 6 Feb 2019 15:29:06 -0800 (PST)
Received: from mail-qk1-x734.google.com (mail-qk1-x734.google.com [IPv6:2607:f8b0:4864:20::734]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EE2A130F4D for <ietf@ietf.org>; Wed, 6 Feb 2019 15:29:06 -0800 (PST)
Received: by mail-qk1-x734.google.com with SMTP id m17so5422633qki.5 for <ietf@ietf.org>; Wed, 06 Feb 2019 15:29:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=3NBhWI59asL2Hd+Alt0WOXqD8e6ROWqoAvsKq/AXUZA=; b=m+rgTTT+zzgb5rGh+RVAY6UE/YbMoGyMLW9HxAy2BlJWYpL8xy/0K9e3EgNhzmEz9c 61aHCohdRDztUJZZhr2MvFIg+Kt/pRZHILoNENOGIux6MCyh3jOoNwVoFPvFq6qbcBHp pmJDisjD+LhvcoYjU4rW64bZPnoWXTOkEhoo8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=3NBhWI59asL2Hd+Alt0WOXqD8e6ROWqoAvsKq/AXUZA=; b=prNXRJVgEZyIXkoj7x6Nv04yEjF2ubjohi+uiIccqQ4SqXSfqdpnZ+ljKKLa5K4ir+ MES57+TgSSveR4NCWmTsUCFNM+2H3GNO5yQJDrqxV8Kvd3XSZ4ALdcPMiTw/GiZmCPxx 2t2IIeW9EVLAITuJZ2/5BMqoK6d1TSDvl4wAJtGSNn+1we2Kd20nNC3F7ALJpO+77KKw GJUiYgpE8o2opLifzi++4VgzBai7p5P+/wPTq/WMnz2eF7IGPoGH6maNX10aaquniHgN zCY+8eSlkxRRDS3IpWG1BJxK8lkeAdBhx6wSL+VjscjlSTaMBQRXenWbZMLJyA3wXlhJ xhiQ==
X-Gm-Message-State: AHQUAuZGUh+ksFAsK1BRnW+VHaUNjNPTC3RAdsYEEzrFnxzDYGhCEkNO Ya3aMnX6+Rt9ero9hLVwVJ/2JQ==
X-Google-Smtp-Source: AHgI3Ib9/csqKMBd+gQW9iYuALC43Wo50HnRk+cOJZo/+UJrbQRhFAtq+Q5MRUuFdHb3nQ4AIz7JZw==
X-Received: by 2002:ae9:d8c2:: with SMTP id u185mr9038663qkf.107.1549495745755; Wed, 06 Feb 2019 15:29:05 -0800 (PST)
Received: from [172.16.0.18] ([96.231.217.246]) by smtp.gmail.com with ESMTPSA id m124sm5363696qkc.16.2019.02.06.15.29.03 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 06 Feb 2019 15:29:04 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Subject: Re: Secdir early review of draft-ietf-babel-dtls-03
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <CAPDSy+6KNeNE1xifU4sONBZbmNJn_=QCZzHk0X-vu50T6zgfDw@mail.gmail.com>
Date: Wed, 06 Feb 2019 18:29:02 -0500
Cc: secdir@ietf.org, draft-ietf-babel-dtls.all@ietf.org, ietf@ietf.org, Babel at IETF <babel@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <06C98B7B-4D3A-4DF6-AE9F-E82C7B8BF439@sn3rd.com>
References: <154881379920.7794.15439486195773911279@ietfa.amsl.com> <CAPDSy+6KNeNE1xifU4sONBZbmNJn_=QCZzHk0X-vu50T6zgfDw@mail.gmail.com>
To: David Schinazi <dschinazi.ietf@gmail.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/Tn2glZcTjQQRiqwVXhEm7N0mTko>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Feb 2019 23:29:10 -0000

David,

Thanks for following up.  I am personally happy with your suggested resolutions.

spt

> On Feb 1, 2019, at 19:40, David Schinazi <dschinazi.ietf@gmail.com> wrote:
> 
> Thanks for the review Sean!
> 
> I've updated the doc with your comments:
> https://github.com/jech/babel-drafts/commit/e202f664712772a4db2bd88c5665ba3193cd4c99
> 
> Detailed responses inline.
> 
> David
> 
> 
> On Wed, Jan 30, 2019 at 11:03 AM Sean Turner <sean@sn3rd.com> wrote:
> Reviewer: Sean Turner
> Review result: Has Nits
> 
> Hi,
> 
> David wanted to make it really easy on me and get as much early input as he
> could get by sending a msg to the TLS list asking for comments [0].  Version
> -02 addressed those comments.
> 
> I'm no babel expert, but I did take the time to read/skim the base protocol
> document to get more familiar with it as well as re-read the babel-tls draft. 
> The tl;dr here is that babel is multicast but DTLS is not so changes to babel
> are needed.
> 
> To clarify, the changes to make Babel work over unicast have all gone into
> the base spec: draft-ietf-babel-rfc6126bis
>  
> Here are my comments in no particular order.  No show stoppers here.
> 
> 0) Since DTLS is in the RFC Editor's Abbreviations List - I think you can get
> away with: Babel Routing Protocol over DTLS But, that's up to you.
> 
> I personally prefer spelling it out, but I don't feel too strongly about it.
>  
> 1) (IEGS food fight alert) I see that the updates header updates 6126bis.  Not
> sure how this will fly in the face of the draft IESG Statement [1].
> 
> Thanks for pointing this out. We'll follow any guidance the IESG gives us
> during their review.
>  
> 2) (This might just be document organization) The applicability section kind of
> jumped out at me because there's also an applicability draft.  Further, it and
> 6126bis says the HMAC mechanism is preferred.  I'd just drop the entire section
> ;)
> 
> The authors felt we should insist that HMAC is better suited for many deployments
> as it better fits with the traditional Babel multicast model. The applicability draft
> focuses on Babel itself.
>  
> 3) s2.1 - maybe add a pointer to the IANA considerations section.
> 
> Done
> 
> 4) s2.1 - Because you're doing client authentication do you need say anything
> about the type of cert, whether certificate_authorities,
> signature_algorithms_cert, signature_algorithms should be sent (for 1.3
> connections)?
> 
> We've had this conversation on the Babel mailing list, and we landed on having the
> babel-dtls draft not define any of these, punting that to the usage profiles drafts.
> For example, the Babel Homenet profile draft will define all of these.
>  
> 5) s4 - add that IANA is requested to point to this specification for the
> reference.
> 
> Done 
> 
> 6) AppA - I think you might need to tweak the last sentence in light 1.3?
> 
> Unfortunately DTLS 1.3 hasn't been published yet, and I'd rather not make
> assumptions on what the RFC will say (even though we're pretty sure the
> handshake won't change between the current draft and RFC). If it gets
> published as RFC before this document does, I'll make these changes.
>  
> 
> Cheers,
> spt
> 
> [0] https://mailarchive.ietf.org/arch/msg/tls/tIaK0rgm5zCVuYmLm5qsCIvKXKw
> [1] https://mailarchive.ietf.org/arch/msg/ietf/-1u_1-peHKAmUDuLyGAJYu0fPCE
>