[Int-dir] Re: Intdir telechat review of draft-ietf-dtn-ipn-update-11

Rick Taylor <rick.taylor@highfrontier.co.uk> Tue, 25 June 2024 11:00 UTC

Return-Path: <rick.taylor@highfrontier.co.uk>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DD1AC169425 for <last-call@ietfa.amsl.com>; Tue, 25 Jun 2024 04:00:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.904
X-Spam-Level:
X-Spam-Status: No, score=-6.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=highfrontier-co-uk.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FTE57bhP-g8K for <last-call@ietfa.amsl.com>; Tue, 25 Jun 2024 04:00:41 -0700 (PDT)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BEC84C169414 for <last-call@ietf.org>; Tue, 25 Jun 2024 04:00:41 -0700 (PDT)
Received: by mail-lf1-x12b.google.com with SMTP id 2adb3069b0e04-52ce6c93103so2232015e87.3 for <last-call@ietf.org>; Tue, 25 Jun 2024 04:00:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=highfrontier-co-uk.20230601.gappssmtp.com; s=20230601; t=1719313239; x=1719918039; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=r2NAp7RAb8+NuqKaB3hCfXDmYNGcIzMIx+sLyAObl30=; b=nISZ2EtMHOQIR5IIwuZWxHCKn1fh1EXLx0mfYSutogJ3S858dzSe7yR1GWh3QWNpBR vaxORJdVJZrfvTch5CoU0asZXEotFyZVGkc9xdbvt4eDfYygtuqLnQpQCKfxE0iEPSrG amCkXICeaWY612YGAiJKFVVEEC54Oq+JVjBX7e6xco9i7BPwXZoS533tf1ms/xdtqLXK Ejhd39RtW+QVOKHhvhBW0jMgL2jGgwuls2sCPzm0V8avUwcweRMMMWvS9VbYiJwE69Lr MMs0N0U58LNyhT4xzYYdITANVPefRWSsblLMfKwGYB2P9JYH7rcu4F0gvz8gdr0s2r7k WLrQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719313239; x=1719918039; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=r2NAp7RAb8+NuqKaB3hCfXDmYNGcIzMIx+sLyAObl30=; b=ZuMJuHJTlRGaHiZbc8LzNd50BmNhBhxzzzNBru1NT/symbbazjiUxUsGPuEb4aws58 NHlG3jDBzqusF1Szxga1bdgPyys9jqQh/q762nOjfy1UvDbu+bvNAkBcHfOMyzBPC3Ql UmfqpQWam9J7xkW0IfD9o017AVbFQLlU0Ozf93F+ZQULBB+v/aZSHEBTws/V3JcY4WKr 7UiV2ngaghsmlG7G2EJa72gghV5if0sT3TLd2W6deE/6MbvSHDNGhI8NPnrNS6wcJ2Wq /CA9USXxw+tLa7VxQ2oV/UJ8F9eGqdt1UVQ8k221CIXxzaIBMyiYemQaLBKNkskiUefA LgVA==
X-Forwarded-Encrypted: i=1; AJvYcCUwYfCc/KZRtgqN086+S9P07v9Ud55E53dQqE0vSL5pqvpW+Qxcom9JLer3GbhyHoCVF4+TZ7kyrar3uCtDEL7GaOo=
X-Gm-Message-State: AOJu0Yx8EqW5smHPe3tkva1tnohHXPH683M/ZQXZ6S8FivFKPDDjBLyH UJbojQhNe1VGjxcd5F7DF/B+IoCwTdfO/ho5TIIFpe0AeUNgaw8TywcF6rvypJH9K0II7u9LxJK WB0TPKOoQZCM9pQ6biq7LMbTEE54zu+zm83oskP3Q5QehMFedZHI=
X-Google-Smtp-Source: AGHT+IGl3GIIdjuLIbp9z6PpTOhPbyldJr5VuBZchbDhDk7f8SnREtrbk2Rl6mKlgiBtVd5q7b7xhj7klnOgcIR7k/k=
X-Received: by 2002:a05:6512:108c:b0:52c:dd25:9ac6 with SMTP id 2adb3069b0e04-52ce1835607mr6122289e87.29.1719313239342; Tue, 25 Jun 2024 04:00:39 -0700 (PDT)
MIME-Version: 1.0
References: <171872484903.3149.4835295336948326044@ietfa.amsl.com>
In-Reply-To: <171872484903.3149.4835295336948326044@ietfa.amsl.com>
From: Rick Taylor <rick.taylor@highfrontier.co.uk>
Date: Tue, 25 Jun 2024 12:00:28 +0100
Message-ID: <CA+cu9C_jtjauQGQ4H1Jc8SSvaLiT_N2ppyf9fkG5FAkDa0C7Uw@mail.gmail.com>
To: Jean-Michel Combes <jeanmichel.combes@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000e3997f061bb4ce6d"
X-MailFrom: rick.taylor@highfrontier.co.uk
X-Mailman-Rule-Hits: nonmember-moderation
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation
Message-ID-Hash: 74HQS34YGNLKOGXZBSB53AO7ZTRCP52E
X-Message-ID-Hash: 74HQS34YGNLKOGXZBSB53AO7ZTRCP52E
X-Mailman-Approved-At: Tue, 25 Jun 2024 05:13:28 -0700
CC: int-dir@ietf.org, draft-ietf-dtn-ipn-update.all@ietf.org, dtn@ietf.org, last-call@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Int-dir] Re: Intdir telechat review of draft-ietf-dtn-ipn-update-11
List-Id: "This list is for discussion between the members of the Internet Area directorate." <int-dir.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-dir/KD8XJvG9W3GxD0NNRLEIygVmJf8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-dir>
List-Help: <mailto:int-dir-request@ietf.org?subject=help>
List-Owner: <mailto:int-dir-owner@ietf.org>
List-Post: <mailto:int-dir@ietf.org>
List-Subscribe: <mailto:int-dir-join@ietf.org>
List-Unsubscribe: <mailto:int-dir-leave@ietf.org>

Hi Jean-Michel,

Thanks for the review, comments inline...

Cheers,
Rick

On Tue, 18 Jun 2024 at 16:34, Jean-Michel Combes via Datatracker <
noreply@ietf.org> wrote:

> Reviewer: Jean-Michel Combes
> Review result: On the Right Track
>
> Hi,
>
> I am an assigned INT directorate reviewer for
> draft-ietf-dtn-ipn-update-11.txt.
> These comments were written primarily for the benefit of the Internet Area
> Directors. Document editors and shepherd(s) should treat these comments
> just
> like they would treat comments from any other IETF contributors and resolve
> them along with any other Last Call comments that have been received. For
> more
> details on the INT Directorate, see
> https://datatracker.ietf.org/group/intdir/about/
> <https://datatracker.ietf.org/group/intdir/about/>.
>
> Based on my review, if I was on the IESG I would ballot this document as NO
> OBJECTION.
>
> The following are other issues I found with this document that SHOULD be
> corrected/clarified before publication:
>
> 3.2.  Allocator Identifiers
>
> <snip>
>
>    If a system does not require interoperable deployment of ipn scheme
>    URIs, then the Private Use Node Number range, reserved by the Default
>    Allocator (Section 3.2.2) for this purpose SHOULD be used.
>
> <JMC>
> IMHO, it should be clearer (1) to have a reference to Section 3.4.3
> instead to
> Section 3.2.2 and (2) to add the following information in text: - Allocator
> Identifier SHOULD be set to zero (0) - Node Number SHOULD be in the
> “Private
> Use” range (cf. Section 9.2) </JMC>
>
> <snip>
>

You make a valid point, but we have decided to replace the "SHOULD be used"
with "are to be used" (not canonical).  I'm not keen to start talking about
Id 0 at this point, as we have yet to introduce numeric values
(representation detail) and are just talking about generalities, but I have
added a cross reference to 3.4.3


>
> 3.2.1.  Allocator Identifier Ranges
>
> <snip>
>
> With these assignments, any Allocator Identifier whose most-
>    significant 25 bits match 0xEE000 belong to organization A.
>    Similarly, any Allocator Identifier whose most-significant 28 bits
>    match 0xEE080 belong to organization B, and any Allocator Identifier
>    whose most-significant 31 bits are 0xEE090 belong to organization C.
>    Organisation D has a single Allocator Identifier, and hence a range
>    of bit-length 0.
>
> <JMC>
> Sorry, but I don’t understand how you get 25 bits for organization A, 28
> bits
> for organization B and 31 bits for organization B. Is it possible to
> provide a
> formula, please? By the way, are you assuming that Allocator Identifier is
> based on 32 bits? </JMC>
>
> <snip>
>

We were really hoping that this read as 'subnet masking' written in
longhand.  And yes, Allocator Ids are all 32-bit unsigned ints. But having
re-read, we don't specify that by this point, will update.


>
> 3.4.  Special Node Numbers
>
>    Some special-case Node Numbers are defined by the Default Allocator,
>    see 'ipn' Scheme URI Default Allocator Node Numbers registry
>    (Section 9.2).
>
> <JMC>
> It seems that you assume that there will no need of special-case node
> numbers,
> except for the Default Allocator, in the future: is it correct? If so, is
> it
> not dangerous (i.e., complexity to come back from such a decision)? </JMC>
>
> <snip>
>
> 5.5.  Private Use ipn EIDs
>
>    Bundles destined for EIDs that use an ipn URI with a Fully-qualified
>    Node Number (Section 3.3.1) that is within the "Private Use" range of
>    the Default Allocator (Section 3.2.2) are not universally unique, and
>    therefore are only valid within the scope of the current
>    administrative domain.  This means that any bundle using a Private
>    Use ipn EID as a bundle source or bundle destination MUST NOT be
>    allowed to cross administrative domains.  All implementations that
>    could be deployed as a gateway between administrative domains MUST be
>    sufficiently configurable to ensure that this is enforced, and
>    operators MUST ensure correct configuration.
>
> <JMC>
> IMHO, “MUST” use may be too strong: it is possible that 2 administrative
> domains (e.g., two affiliates in a same company) agree to use ipn URI in
> the
> “Private Use” range and to choose different subsets of this last one to
> ensure
> uniqueness. </JMC>
>
> <snip>
>

We went back and forth on this, but for the purposes of this text, we
define "administrative domain" to include "two cooperating admin domains
with an out-of-band mechanism to sub-allocate the private use range to
avoid clashes", so I think we have your point covered without explicitly
describing it.


>
> 8.2.  Malicious construction
>
>    Malicious construction of a conformant ipn URI is limited to the
>    malicious selection of Allocator Identifiers, Node Numbers, and
>    Service Numbers.  That is, a maliciously constructed ipn EID could be
>    used to direct a bundle to an endpoint that might be damaged by the
>    arrival of that bundle or, alternatively, to declare a false source
>    for a bundle and thereby cause incorrect processing at a node that
>    receives the bundle.  In both cases (and indeed in all bundle
>    processing), the node that receives a bundle should verify its
>    authenticity and validity before operating on it in any way.
>
> <JMC>
> There is no reference to any security mechanism to prevent such a threat:
> no
> security mechanism – equivalent to IP anti-spoofing, exists regarding this
> threat? </JMC>
>

Yes there is: RFC9172 (BPSec) describes an
integrity/confidentiality mechanism which can enforce identity at the
bundle layer, and RFC9174 defines a convergence (link) layer protocol that
includes TLS with support for Node IDs as part of peer certificate
exchange.  I'll add a reference.

>
> Thanks in advance for your reply.
>
> Best regards,
>
> JMC.
>
>
>
>