IETF Logo Mail Archive

Re: [Int-area] Adam Roach's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)

Tommy Pauly <tpauly@apple.com> Wed, 22 January 2020 17:22 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 318DC12021C; Wed, 22 Jan 2020 09:22:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qrMMa6tIhf0S; Wed, 22 Jan 2020 09:22:50 -0800 (PST)
Received: from ma1-aaemail-dr-lapp03.apple.com (ma1-aaemail-dr-lapp03.apple.com [17.171.2.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4AD6120108; Wed, 22 Jan 2020 09:22:50 -0800 (PST)
Received: from pps.filterd (ma1-aaemail-dr-lapp03.apple.com [127.0.0.1]) by ma1-aaemail-dr-lapp03.apple.com (8.16.0.27/8.16.0.27) with SMTP id 00MHM71g017005; Wed, 22 Jan 2020 09:22:49 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=sender : from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=VE5dEC5j+n1HdOjuutvPxyZNNLwG+qHuwT5OXcTOsbM=; b=ZGBYQBpsqO3s0qtqTN8bjW/nipXKMuclQ3t82bio4eeWkUKBWJxq42iYSIYySarnSp7d ZRiapHuWEh0gap99MrtsprLO12uytiidrK6tAdgeTGDU9SYM9motg7mCkTq0Ktna0Rpi c0JxEltT3JhJcZqzuDUmtr1XAaNUUNGRoiiDI1zg5Nr3BmLOprrFWOEKQMVfSIlld9lY dxv2BOC1vhvEHQ/XzbJsose1MIWByfwc6OmQ17m5OiVTE1oY0NZVD7Wj2kQe/Nm9VWvz QJVkZ69akUYX82i52hohaIDPctL2IMqmzTbN00SuD47lgiuRFpnrSikIgwneT6aG237U 1Q==
Received: from ma1-mtap-s02.corp.apple.com (ma1-mtap-s02.corp.apple.com [17.40.76.6]) by ma1-aaemail-dr-lapp03.apple.com with ESMTP id 2xm1w143m2-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 22 Jan 2020 09:22:49 -0800
Received: from nwk-mmpp-sz12.apple.com (nwk-mmpp-sz12.apple.com [17.128.115.204]) by ma1-mtap-s02.corp.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) with ESMTPS id <0Q4I00J9SQY0AX10@ma1-mtap-s02.corp.apple.com>; Wed, 22 Jan 2020 09:22:49 -0800 (PST)
Received: from process_milters-daemon.nwk-mmpp-sz12.apple.com by nwk-mmpp-sz12.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) id <0Q4I00L00QVLU500@nwk-mmpp-sz12.apple.com>; Wed, 22 Jan 2020 09:22:48 -0800 (PST)
X-Va-A:
X-Va-T-CD: f3fe944e6c679f2c3d972f4bd0691c8b
X-Va-E-CD: d60a7396dd592520d25d54063e76f07d
X-Va-R-CD: bd63ceb45b8fd24fe4c278576743557a
X-Va-CD: 0
X-Va-ID: 353f8b1d-79f2-4e4f-b23b-92d9b6e508c6
X-V-A:
X-V-T-CD: f3fe944e6c679f2c3d972f4bd0691c8b
X-V-E-CD: d60a7396dd592520d25d54063e76f07d
X-V-R-CD: bd63ceb45b8fd24fe4c278576743557a
X-V-CD: 0
X-V-ID: 982e606b-933d-4e07-a996-ba5ce8af06c8
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2020-01-22_07:,, signatures=0
Received: from [17.230.170.238] by nwk-mmpp-sz12.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) with ESMTPSA id <0Q4I00BY4QXZPA00@nwk-mmpp-sz12.apple.com>; Wed, 22 Jan 2020 09:22:48 -0800 (PST)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
Message-id: <1CCF1EEE-BB5A-431A-B85C-D389EA161949@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_51AB8444-E2F7-4447-A550-B06762782E88"
MIME-version: 1.0 (Mac OS X Mail 13.0 \(3594.4.17\))
Date: Wed, 22 Jan 2020 09:22:45 -0800
In-reply-to: <157967080772.28909.16443816599872682093.idtracker@ietfa.amsl.com>
Cc: The IESG <iesg@ietf.org>, ek@loon.com, draft-ietf-intarea-provisioning-domains@ietf.org, int-area@ietf.org, intarea-chairs@ietf.org
To: Adam Roach <adam@nostrum.com>
References: <157967080772.28909.16443816599872682093.idtracker@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3594.4.17)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2020-01-22_07:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/s1KUkvsR4Gr7Byk2nCbVg4DxaIM>
Subject: Re: [Int-area] Adam Roach's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jan 2020 17:22:53 -0000

Hi Adam,

As we discuss the main DDoS attack case, I did want to also reply to the other comments (see inline).

I'm keeping pending changes available here, to be published after the telechat: https://github.com/IPv6-mPvD/mpvd-ietf-drafts/pull/25 <https://github.com/IPv6-mPvD/mpvd-ietf-drafts/pull/25>

Thanks!
Tommy

> On Jan 21, 2020, at 9:26 PM, Adam Roach via Datatracker <noreply@ietf.org> wrote:
> 
> Adam Roach has entered the following ballot position for
> draft-ietf-intarea-provisioning-domains-10: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-intarea-provisioning-domains/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> Thanks to the authors and working group for their work on this document.  I
> have one major concern about the ability for this mechanism to be abused to
> form DDoS attacks, described below. Unfortunately, while I have identified the
> attack, I don't have an easy solution to propose that mitigates it satisfactorily.
> 
> I also have a handful of mostly editorial comments on the document.
> 
> ---------------------------------------------------------------------------
> 
> §6:
> 
> I was expecting to see a discussion of the DDoS attack that may result from a
> large network (or a rogue host on such a network) sending out a PvD ID
> containing the hostname of a victim machine, and setting the "H" flag.
> 
> Since the messages used to trigger these HTTP connections are extremely
> lightweight, unauthenticated UDP messages, and the resulting HTTP connections
> require the exchange of a significant number of packets in addition to a
> number of cryptographic operations, this is a very high ratio amplification
> attack, both in terms of network and CPU resources.
> 
> Given that the delay setting comes from the network instead of being
> independently computed by the host, such an attack could be honed to be
> particularly devastating.  Although it isn't a complete mitigation, one
> approach to consider would be moving computation of the delay upper bound to
> the host, or specifying a minimum upper bound of several minutes (where a
> smaller value will cause the host to use this minimum upper bound).
> 
> Regardless of how this is ultimately handled, I think this is a pretty severe
> risk that needs addressing in the document prior to publication.
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
>> This document also introduces a mechanism for hosts to retrieve
>> optional additional information related to a specific PvD by means of
>> an HTTP over TLS query using an URI derived from the PvD ID.
> 
> Nit: "...a URI..."

Fixed!
> 
> ---------------------------------------------------------------------------
> 
> §3.4.1:
> 
>> This is intended to
>> resolve backward compatibility issues with rare deployments choosing
>> to assign addresses with DHCPv6 while not sending any matching PIO.
> 
> It seems that this set of circumstances could also arise due to a
> misconfiguration of DHCPv6. If this is expected to be only rarely
> intended, perhaps some oprationational/implementation guidance to log
> a warning or otherwise alert the operator would be helpful.


Added the following sentence at the end of the paragraph:

 Implementations are suggested to flag or log
such scenarios as errors to help detect misconfigurations.

> 
> ---------------------------------------------------------------------------
> 
> §4.1:
> 
>> HTTP requests and responses for PvD additional information use the
>> "application/pvd+json" media type (see Section 8).  Clients SHOULD
>> include this media type as an Accept header in their GET requests,
> 
> Nit: "...Accept header field..."

Fixed
> 
> ---------------------------------------------------------------------------
> 
> §4.1:
> 
>> If the HTTP
>> status of the answer is between 200 and 299, inclusive, the host MAY
>> get a file containing a single JSON object.
> 
> This is very confusing phrasing. The sentence -- and the use of a normative
> "MAY" in particular -- indicates that the host is given permission to take
> some additional action that "gets" a JSON object from somewhere. I think it's
> intending to say that a 200-class HTTP response will contain such an object.
> 
> Consider rephrasing.

This is similar to Alissa's comment. The new text is:

If the HTTP status of
the answer is between 200 and 299, inclusive, the response is expected to
be a single JSON object.
> 
> ---------------------------------------------------------------------------
> 
> §4.3:
> 
>> Private-use or experimental keys MAY be used in the JSON dictionary.
>> In order to avoid such keys colliding with IANA registry keys,
>> implementers or vendors defining private-use or experimental keys
>> MUST create sub-dictionaries, where the sub-dictionary is added into
>> the top-level JSON dictionary with a key of the format "vendor-*"
>> where the "*" is replaced by the implementer's or vendor's
>> identifier.  For example, keys specific to the FooBar organization
>> could use "vendor-foobar".  Upon receiving such a sub-dictionary,
>> host MUST ignore this sub-dictionary if it is unknown.  When the
>> vendor or implementer is part of an IANA URN namespace [URN], the URN
>> namespace SHOULD be used rather than the "vendor-*" format.
> 
> This is kind of a minor nit, but this paragraph is a bit confusing.  It
> starts off with a less-preferred convention ("vendor-*") and discusses
> it as if it were the only way to do things; and then it throws in a
> SHOULD-strength different encoding at the end as a surprise twist.
> I would suggest reworking the paragraph so that the preferred encoding
> (URNs) are mentioned first, as a SHOULD-strength statement, followed by
> the less-preferred "vendor-*" as a fallback.

This is also similar to Alissa's comment. I've updated the URN text, but also reordered the text. The paragraph now reads:

Private-use or experimental keys MAY be used in the JSON
dictionary. In order to avoid such keys colliding with IANA registry
keys, implementers or vendors defining private-use or experimental
keys MUST create sub-dictionaries. If a set of PvD Additional Information keys
are defined by an organization that has a Formal URN Namespace {{URN}},
the URN namespace SHOULD be used as the top-level JSON key for
the sub-dictionary. For other private uses, the sub-dictionary key
SHOULD follow the format of "vendor-\*", where the "\*" is replaced by the
implementer's or vendor's identifier. For example, keys specific to the FooBar
organization could use "vendor-foobar". If a host receives a sub-dictionary with
an unknown key, the host MUST ignore the contents of the sub-dictionary.
> 
> ---------------------------------------------------------------------------
> 
> §4.3:
> 
>> +------------+-----------------+-----------+------------------------+
>> | JSON key   | Description     | Type      | Example                |
>> +------------+-----------------+-----------+------------------------+
>> | identifier | PvD ID FQDN     | String    | "pvd.example.com."     |
> 
> ...
> 
>> {
>>   "identifier": "cafe.example.com",
>>   "expires": "2017-07-23T06:00:00Z",
>>   "prefixes": ["2001:db8:1::/48", "2001:db8:4::/48"],
>> }
> 
> I'm concerned about the variation in the identifier field alternately
> containing and not containing the terminal dot of the FQDN. If the
> intention that these are to be equivalent, it would probably head off
> some implementation incompatibilities if the document were to say so
> explicitly.

I've updated the examples to all use a trailing dot.

> 
> ---------------------------------------------------------------------------
> 
> §7:
> 
>> without leaking identity information, SHOULD make use of an IPv6
>> Privacy Address and SHOULD NOT include any privacy sensitive data,
>> such as User Agent header or HTTP cookie, while performing the HTTP
> 
> Nit: "...User-Agent header field..."
>             ^             ^^^^^

Fixed!
> 
> 
> _______________________________________________
> Int-area mailing list
> Int-area@ietf.org
> https://www.ietf.org/mailman/listinfo/int-area

v2.23.0 | Report a Bug | By Email