[Int-dir] Re: Intdir telechat review of draft-ietf-dtn-ipn-update-11
Rick Taylor <rick.taylor@highfrontier.co.uk> Tue, 25 June 2024 11:00 UTC
Return-Path: <rick.taylor@highfrontier.co.uk>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DD1AC169425 for <last-call@ietfa.amsl.com>; Tue, 25 Jun 2024 04:00:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.904
X-Spam-Level:
X-Spam-Status: No, score=-6.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=highfrontier-co-uk.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FTE57bhP-g8K for <last-call@ietfa.amsl.com>; Tue, 25 Jun 2024 04:00:41 -0700 (PDT)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BEC84C169414 for <last-call@ietf.org>; Tue, 25 Jun 2024 04:00:41 -0700 (PDT)
Received: by mail-lf1-x12b.google.com with SMTP id 2adb3069b0e04-52ce6c93103so2232015e87.3 for <last-call@ietf.org>; Tue, 25 Jun 2024 04:00:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=highfrontier-co-uk.20230601.gappssmtp.com; s=20230601; t=1719313239; x=1719918039; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=r2NAp7RAb8+NuqKaB3hCfXDmYNGcIzMIx+sLyAObl30=; b=nISZ2EtMHOQIR5IIwuZWxHCKn1fh1EXLx0mfYSutogJ3S858dzSe7yR1GWh3QWNpBR vaxORJdVJZrfvTch5CoU0asZXEotFyZVGkc9xdbvt4eDfYygtuqLnQpQCKfxE0iEPSrG amCkXICeaWY612YGAiJKFVVEEC54Oq+JVjBX7e6xco9i7BPwXZoS533tf1ms/xdtqLXK Ejhd39RtW+QVOKHhvhBW0jMgL2jGgwuls2sCPzm0V8avUwcweRMMMWvS9VbYiJwE69Lr MMs0N0U58LNyhT4xzYYdITANVPefRWSsblLMfKwGYB2P9JYH7rcu4F0gvz8gdr0s2r7k WLrQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719313239; x=1719918039; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=r2NAp7RAb8+NuqKaB3hCfXDmYNGcIzMIx+sLyAObl30=; b=ZuMJuHJTlRGaHiZbc8LzNd50BmNhBhxzzzNBru1NT/symbbazjiUxUsGPuEb4aws58 NHlG3jDBzqusF1Szxga1bdgPyys9jqQh/q762nOjfy1UvDbu+bvNAkBcHfOMyzBPC3Ql UmfqpQWam9J7xkW0IfD9o017AVbFQLlU0Ozf93F+ZQULBB+v/aZSHEBTws/V3JcY4WKr 7UiV2ngaghsmlG7G2EJa72gghV5if0sT3TLd2W6deE/6MbvSHDNGhI8NPnrNS6wcJ2Wq /CA9USXxw+tLa7VxQ2oV/UJ8F9eGqdt1UVQ8k221CIXxzaIBMyiYemQaLBKNkskiUefA LgVA==
X-Forwarded-Encrypted: i=1; AJvYcCUwYfCc/KZRtgqN086+S9P07v9Ud55E53dQqE0vSL5pqvpW+Qxcom9JLer3GbhyHoCVF4+TZ7kyrar3uCtDEL7GaOo=
X-Gm-Message-State: AOJu0Yx8EqW5smHPe3tkva1tnohHXPH683M/ZQXZ6S8FivFKPDDjBLyH UJbojQhNe1VGjxcd5F7DF/B+IoCwTdfO/ho5TIIFpe0AeUNgaw8TywcF6rvypJH9K0II7u9LxJK WB0TPKOoQZCM9pQ6biq7LMbTEE54zu+zm83oskP3Q5QehMFedZHI=
X-Google-Smtp-Source: AGHT+IGl3GIIdjuLIbp9z6PpTOhPbyldJr5VuBZchbDhDk7f8SnREtrbk2Rl6mKlgiBtVd5q7b7xhj7klnOgcIR7k/k=
X-Received: by 2002:a05:6512:108c:b0:52c:dd25:9ac6 with SMTP id 2adb3069b0e04-52ce1835607mr6122289e87.29.1719313239342; Tue, 25 Jun 2024 04:00:39 -0700 (PDT)
MIME-Version: 1.0
References: <171872484903.3149.4835295336948326044@ietfa.amsl.com>
In-Reply-To: <171872484903.3149.4835295336948326044@ietfa.amsl.com>
From: Rick Taylor <rick.taylor@highfrontier.co.uk>
Date: Tue, 25 Jun 2024 12:00:28 +0100
Message-ID: <CA+cu9C_jtjauQGQ4H1Jc8SSvaLiT_N2ppyf9fkG5FAkDa0C7Uw@mail.gmail.com>
To: Jean-Michel Combes <jeanmichel.combes@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000e3997f061bb4ce6d"
X-MailFrom: rick.taylor@highfrontier.co.uk
X-Mailman-Rule-Hits: nonmember-moderation
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation
Message-ID-Hash: 74HQS34YGNLKOGXZBSB53AO7ZTRCP52E
X-Message-ID-Hash: 74HQS34YGNLKOGXZBSB53AO7ZTRCP52E
X-Mailman-Approved-At: Tue, 25 Jun 2024 05:13:28 -0700
CC: int-dir@ietf.org, draft-ietf-dtn-ipn-update.all@ietf.org, dtn@ietf.org, last-call@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Int-dir] Re: Intdir telechat review of draft-ietf-dtn-ipn-update-11
List-Id: "This list is for discussion between the members of the Internet Area directorate." <int-dir.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-dir/KD8XJvG9W3GxD0NNRLEIygVmJf8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-dir>
List-Help: <mailto:int-dir-request@ietf.org?subject=help>
List-Owner: <mailto:int-dir-owner@ietf.org>
List-Post: <mailto:int-dir@ietf.org>
List-Subscribe: <mailto:int-dir-join@ietf.org>
List-Unsubscribe: <mailto:int-dir-leave@ietf.org>
Hi Jean-Michel, Thanks for the review, comments inline... Cheers, Rick On Tue, 18 Jun 2024 at 16:34, Jean-Michel Combes via Datatracker < noreply@ietf.org> wrote: > Reviewer: Jean-Michel Combes > Review result: On the Right Track > > Hi, > > I am an assigned INT directorate reviewer for > draft-ietf-dtn-ipn-update-11.txt. > These comments were written primarily for the benefit of the Internet Area > Directors. Document editors and shepherd(s) should treat these comments > just > like they would treat comments from any other IETF contributors and resolve > them along with any other Last Call comments that have been received. For > more > details on the INT Directorate, see > https://datatracker.ietf.org/group/intdir/about/ > <https://datatracker.ietf.org/group/intdir/about/>. > > Based on my review, if I was on the IESG I would ballot this document as NO > OBJECTION. > > The following are other issues I found with this document that SHOULD be > corrected/clarified before publication: > > 3.2. Allocator Identifiers > > <snip> > > If a system does not require interoperable deployment of ipn scheme > URIs, then the Private Use Node Number range, reserved by the Default > Allocator (Section 3.2.2) for this purpose SHOULD be used. > > <JMC> > IMHO, it should be clearer (1) to have a reference to Section 3.4.3 > instead to > Section 3.2.2 and (2) to add the following information in text: - Allocator > Identifier SHOULD be set to zero (0) - Node Number SHOULD be in the > “Private > Use” range (cf. Section 9.2) </JMC> > > <snip> > You make a valid point, but we have decided to replace the "SHOULD be used" with "are to be used" (not canonical). I'm not keen to start talking about Id 0 at this point, as we have yet to introduce numeric values (representation detail) and are just talking about generalities, but I have added a cross reference to 3.4.3 > > 3.2.1. Allocator Identifier Ranges > > <snip> > > With these assignments, any Allocator Identifier whose most- > significant 25 bits match 0xEE000 belong to organization A. > Similarly, any Allocator Identifier whose most-significant 28 bits > match 0xEE080 belong to organization B, and any Allocator Identifier > whose most-significant 31 bits are 0xEE090 belong to organization C. > Organisation D has a single Allocator Identifier, and hence a range > of bit-length 0. > > <JMC> > Sorry, but I don’t understand how you get 25 bits for organization A, 28 > bits > for organization B and 31 bits for organization B. Is it possible to > provide a > formula, please? By the way, are you assuming that Allocator Identifier is > based on 32 bits? </JMC> > > <snip> > We were really hoping that this read as 'subnet masking' written in longhand. And yes, Allocator Ids are all 32-bit unsigned ints. But having re-read, we don't specify that by this point, will update. > > 3.4. Special Node Numbers > > Some special-case Node Numbers are defined by the Default Allocator, > see 'ipn' Scheme URI Default Allocator Node Numbers registry > (Section 9.2). > > <JMC> > It seems that you assume that there will no need of special-case node > numbers, > except for the Default Allocator, in the future: is it correct? If so, is > it > not dangerous (i.e., complexity to come back from such a decision)? </JMC> > > <snip> > > 5.5. Private Use ipn EIDs > > Bundles destined for EIDs that use an ipn URI with a Fully-qualified > Node Number (Section 3.3.1) that is within the "Private Use" range of > the Default Allocator (Section 3.2.2) are not universally unique, and > therefore are only valid within the scope of the current > administrative domain. This means that any bundle using a Private > Use ipn EID as a bundle source or bundle destination MUST NOT be > allowed to cross administrative domains. All implementations that > could be deployed as a gateway between administrative domains MUST be > sufficiently configurable to ensure that this is enforced, and > operators MUST ensure correct configuration. > > <JMC> > IMHO, “MUST” use may be too strong: it is possible that 2 administrative > domains (e.g., two affiliates in a same company) agree to use ipn URI in > the > “Private Use” range and to choose different subsets of this last one to > ensure > uniqueness. </JMC> > > <snip> > We went back and forth on this, but for the purposes of this text, we define "administrative domain" to include "two cooperating admin domains with an out-of-band mechanism to sub-allocate the private use range to avoid clashes", so I think we have your point covered without explicitly describing it. > > 8.2. Malicious construction > > Malicious construction of a conformant ipn URI is limited to the > malicious selection of Allocator Identifiers, Node Numbers, and > Service Numbers. That is, a maliciously constructed ipn EID could be > used to direct a bundle to an endpoint that might be damaged by the > arrival of that bundle or, alternatively, to declare a false source > for a bundle and thereby cause incorrect processing at a node that > receives the bundle. In both cases (and indeed in all bundle > processing), the node that receives a bundle should verify its > authenticity and validity before operating on it in any way. > > <JMC> > There is no reference to any security mechanism to prevent such a threat: > no > security mechanism – equivalent to IP anti-spoofing, exists regarding this > threat? </JMC> > Yes there is: RFC9172 (BPSec) describes an integrity/confidentiality mechanism which can enforce identity at the bundle layer, and RFC9174 defines a convergence (link) layer protocol that includes TLS with support for Node IDs as part of peer certificate exchange. I'll add a reference. > > Thanks in advance for your reply. > > Best regards, > > JMC. > > > >
- [Int-dir] Intdir telechat review of draft-ietf-dt… Jean-Michel Combes via Datatracker
- [Int-dir] Re: Intdir telechat review of draft-iet… Rick Taylor