Re: [Int-area] Adam Roach's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)
Tommy Pauly <tpauly@apple.com> Wed, 22 January 2020 17:22 UTC
Return-Path: <tpauly@apple.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 318DC12021C; Wed, 22 Jan 2020 09:22:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qrMMa6tIhf0S; Wed, 22 Jan 2020 09:22:50 -0800 (PST)
Received: from ma1-aaemail-dr-lapp03.apple.com (ma1-aaemail-dr-lapp03.apple.com [17.171.2.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4AD6120108; Wed, 22 Jan 2020 09:22:50 -0800 (PST)
Received: from pps.filterd (ma1-aaemail-dr-lapp03.apple.com [127.0.0.1]) by ma1-aaemail-dr-lapp03.apple.com (8.16.0.27/8.16.0.27) with SMTP id 00MHM71g017005; Wed, 22 Jan 2020 09:22:49 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=sender : from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=VE5dEC5j+n1HdOjuutvPxyZNNLwG+qHuwT5OXcTOsbM=; b=ZGBYQBpsqO3s0qtqTN8bjW/nipXKMuclQ3t82bio4eeWkUKBWJxq42iYSIYySarnSp7d ZRiapHuWEh0gap99MrtsprLO12uytiidrK6tAdgeTGDU9SYM9motg7mCkTq0Ktna0Rpi c0JxEltT3JhJcZqzuDUmtr1XAaNUUNGRoiiDI1zg5Nr3BmLOprrFWOEKQMVfSIlld9lY dxv2BOC1vhvEHQ/XzbJsose1MIWByfwc6OmQ17m5OiVTE1oY0NZVD7Wj2kQe/Nm9VWvz QJVkZ69akUYX82i52hohaIDPctL2IMqmzTbN00SuD47lgiuRFpnrSikIgwneT6aG237U 1Q==
Received: from ma1-mtap-s02.corp.apple.com (ma1-mtap-s02.corp.apple.com [17.40.76.6]) by ma1-aaemail-dr-lapp03.apple.com with ESMTP id 2xm1w143m2-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 22 Jan 2020 09:22:49 -0800
Received: from nwk-mmpp-sz12.apple.com (nwk-mmpp-sz12.apple.com [17.128.115.204]) by ma1-mtap-s02.corp.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) with ESMTPS id <0Q4I00J9SQY0AX10@ma1-mtap-s02.corp.apple.com>; Wed, 22 Jan 2020 09:22:49 -0800 (PST)
Received: from process_milters-daemon.nwk-mmpp-sz12.apple.com by nwk-mmpp-sz12.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) id <0Q4I00L00QVLU500@nwk-mmpp-sz12.apple.com>; Wed, 22 Jan 2020 09:22:48 -0800 (PST)
X-Va-A:
X-Va-T-CD: f3fe944e6c679f2c3d972f4bd0691c8b
X-Va-E-CD: d60a7396dd592520d25d54063e76f07d
X-Va-R-CD: bd63ceb45b8fd24fe4c278576743557a
X-Va-CD: 0
X-Va-ID: 353f8b1d-79f2-4e4f-b23b-92d9b6e508c6
X-V-A:
X-V-T-CD: f3fe944e6c679f2c3d972f4bd0691c8b
X-V-E-CD: d60a7396dd592520d25d54063e76f07d
X-V-R-CD: bd63ceb45b8fd24fe4c278576743557a
X-V-CD: 0
X-V-ID: 982e606b-933d-4e07-a996-ba5ce8af06c8
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2020-01-22_07:,, signatures=0
Received: from [17.230.170.238] by nwk-mmpp-sz12.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) with ESMTPSA id <0Q4I00BY4QXZPA00@nwk-mmpp-sz12.apple.com>; Wed, 22 Jan 2020 09:22:48 -0800 (PST)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
Message-id: <1CCF1EEE-BB5A-431A-B85C-D389EA161949@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_51AB8444-E2F7-4447-A550-B06762782E88"
MIME-version: 1.0 (Mac OS X Mail 13.0 \(3594.4.17\))
Date: Wed, 22 Jan 2020 09:22:45 -0800
In-reply-to: <157967080772.28909.16443816599872682093.idtracker@ietfa.amsl.com>
Cc: The IESG <iesg@ietf.org>, ek@loon.com, draft-ietf-intarea-provisioning-domains@ietf.org, int-area@ietf.org, intarea-chairs@ietf.org
To: Adam Roach <adam@nostrum.com>
References: <157967080772.28909.16443816599872682093.idtracker@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3594.4.17)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2020-01-22_07:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/s1KUkvsR4Gr7Byk2nCbVg4DxaIM>
Subject: Re: [Int-area] Adam Roach's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jan 2020 17:22:53 -0000
Hi Adam, As we discuss the main DDoS attack case, I did want to also reply to the other comments (see inline). I'm keeping pending changes available here, to be published after the telechat: https://github.com/IPv6-mPvD/mpvd-ietf-drafts/pull/25 <https://github.com/IPv6-mPvD/mpvd-ietf-drafts/pull/25> Thanks! Tommy > On Jan 21, 2020, at 9:26 PM, Adam Roach via Datatracker <noreply@ietf.org> wrote: > > Adam Roach has entered the following ballot position for > draft-ietf-intarea-provisioning-domains-10: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-intarea-provisioning-domains/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > Thanks to the authors and working group for their work on this document. I > have one major concern about the ability for this mechanism to be abused to > form DDoS attacks, described below. Unfortunately, while I have identified the > attack, I don't have an easy solution to propose that mitigates it satisfactorily. > > I also have a handful of mostly editorial comments on the document. > > --------------------------------------------------------------------------- > > §6: > > I was expecting to see a discussion of the DDoS attack that may result from a > large network (or a rogue host on such a network) sending out a PvD ID > containing the hostname of a victim machine, and setting the "H" flag. > > Since the messages used to trigger these HTTP connections are extremely > lightweight, unauthenticated UDP messages, and the resulting HTTP connections > require the exchange of a significant number of packets in addition to a > number of cryptographic operations, this is a very high ratio amplification > attack, both in terms of network and CPU resources. > > Given that the delay setting comes from the network instead of being > independently computed by the host, such an attack could be honed to be > particularly devastating. Although it isn't a complete mitigation, one > approach to consider would be moving computation of the delay upper bound to > the host, or specifying a minimum upper bound of several minutes (where a > smaller value will cause the host to use this minimum upper bound). > > Regardless of how this is ultimately handled, I think this is a pretty severe > risk that needs addressing in the document prior to publication. > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > >> This document also introduces a mechanism for hosts to retrieve >> optional additional information related to a specific PvD by means of >> an HTTP over TLS query using an URI derived from the PvD ID. > > Nit: "...a URI..." Fixed! > > --------------------------------------------------------------------------- > > §3.4.1: > >> This is intended to >> resolve backward compatibility issues with rare deployments choosing >> to assign addresses with DHCPv6 while not sending any matching PIO. > > It seems that this set of circumstances could also arise due to a > misconfiguration of DHCPv6. If this is expected to be only rarely > intended, perhaps some oprationational/implementation guidance to log > a warning or otherwise alert the operator would be helpful. Added the following sentence at the end of the paragraph: Implementations are suggested to flag or log such scenarios as errors to help detect misconfigurations. > > --------------------------------------------------------------------------- > > §4.1: > >> HTTP requests and responses for PvD additional information use the >> "application/pvd+json" media type (see Section 8). Clients SHOULD >> include this media type as an Accept header in their GET requests, > > Nit: "...Accept header field..." Fixed > > --------------------------------------------------------------------------- > > §4.1: > >> If the HTTP >> status of the answer is between 200 and 299, inclusive, the host MAY >> get a file containing a single JSON object. > > This is very confusing phrasing. The sentence -- and the use of a normative > "MAY" in particular -- indicates that the host is given permission to take > some additional action that "gets" a JSON object from somewhere. I think it's > intending to say that a 200-class HTTP response will contain such an object. > > Consider rephrasing. This is similar to Alissa's comment. The new text is: If the HTTP status of the answer is between 200 and 299, inclusive, the response is expected to be a single JSON object. > > --------------------------------------------------------------------------- > > §4.3: > >> Private-use or experimental keys MAY be used in the JSON dictionary. >> In order to avoid such keys colliding with IANA registry keys, >> implementers or vendors defining private-use or experimental keys >> MUST create sub-dictionaries, where the sub-dictionary is added into >> the top-level JSON dictionary with a key of the format "vendor-*" >> where the "*" is replaced by the implementer's or vendor's >> identifier. For example, keys specific to the FooBar organization >> could use "vendor-foobar". Upon receiving such a sub-dictionary, >> host MUST ignore this sub-dictionary if it is unknown. When the >> vendor or implementer is part of an IANA URN namespace [URN], the URN >> namespace SHOULD be used rather than the "vendor-*" format. > > This is kind of a minor nit, but this paragraph is a bit confusing. It > starts off with a less-preferred convention ("vendor-*") and discusses > it as if it were the only way to do things; and then it throws in a > SHOULD-strength different encoding at the end as a surprise twist. > I would suggest reworking the paragraph so that the preferred encoding > (URNs) are mentioned first, as a SHOULD-strength statement, followed by > the less-preferred "vendor-*" as a fallback. This is also similar to Alissa's comment. I've updated the URN text, but also reordered the text. The paragraph now reads: Private-use or experimental keys MAY be used in the JSON dictionary. In order to avoid such keys colliding with IANA registry keys, implementers or vendors defining private-use or experimental keys MUST create sub-dictionaries. If a set of PvD Additional Information keys are defined by an organization that has a Formal URN Namespace {{URN}}, the URN namespace SHOULD be used as the top-level JSON key for the sub-dictionary. For other private uses, the sub-dictionary key SHOULD follow the format of "vendor-\*", where the "\*" is replaced by the implementer's or vendor's identifier. For example, keys specific to the FooBar organization could use "vendor-foobar". If a host receives a sub-dictionary with an unknown key, the host MUST ignore the contents of the sub-dictionary. > > --------------------------------------------------------------------------- > > §4.3: > >> +------------+-----------------+-----------+------------------------+ >> | JSON key | Description | Type | Example | >> +------------+-----------------+-----------+------------------------+ >> | identifier | PvD ID FQDN | String | "pvd.example.com." | > > ... > >> { >> "identifier": "cafe.example.com", >> "expires": "2017-07-23T06:00:00Z", >> "prefixes": ["2001:db8:1::/48", "2001:db8:4::/48"], >> } > > I'm concerned about the variation in the identifier field alternately > containing and not containing the terminal dot of the FQDN. If the > intention that these are to be equivalent, it would probably head off > some implementation incompatibilities if the document were to say so > explicitly. I've updated the examples to all use a trailing dot. > > --------------------------------------------------------------------------- > > §7: > >> without leaking identity information, SHOULD make use of an IPv6 >> Privacy Address and SHOULD NOT include any privacy sensitive data, >> such as User Agent header or HTTP cookie, while performing the HTTP > > Nit: "...User-Agent header field..." > ^ ^^^^^ Fixed! > > > _______________________________________________ > Int-area mailing list > Int-area@ietf.org > https://www.ietf.org/mailman/listinfo/int-area
- [Int-area] Adam Roach's Discuss on draft-ietf-int… Adam Roach via Datatracker
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Warren Kumari
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Ted Lemon
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Ted Lemon
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Suresh Krishnan
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Eric Vyncke (evyncke)
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly