IETF Logo Mail Archive

Re: 6MAN Working group last call: draft-ietf-6man-rdnss-rfc6106bis

"Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com> Sat, 12 March 2016 07:40 UTC

Return-Path: <jaehoon.paul@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EAE512D507 for <ipv6@ietfa.amsl.com>; Fri, 11 Mar 2016 23:40:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.3
X-Spam-Level: *
X-Spam-Status: No, score=1.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HK_NAME_FM_MR_MRS=1.499, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_DBL_ABUSE_BOTCC=2.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OdWKZ0PGayKN for <ipv6@ietfa.amsl.com>; Fri, 11 Mar 2016 23:40:12 -0800 (PST)
Received: from mail-yw0-x233.google.com (mail-yw0-x233.google.com [IPv6:2607:f8b0:4002:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6453512D508 for <ipv6@ietf.org>; Fri, 11 Mar 2016 23:40:12 -0800 (PST)
Received: by mail-yw0-x233.google.com with SMTP id g3so115879506ywa.3 for <ipv6@ietf.org>; Fri, 11 Mar 2016 23:40:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=5vlDfTlo7+1qNifKlvbRQPBSPz7n3xaVCsLJjye87UA=; b=TZ0uvpmgcDzg3RQWK9PvFzCAlu6Gm6wQSk5zaf66vF9E1ozlKcrnoYkv+h2I9VXFyE h925+9sg0TRnTnkfJEVZhILldLMwIzyzHyOCpBaJoLdBIm/9RdzSLBg7ili5KK/b4eis ibFGmnLyTqOpYySoYn5eV/yrXzqIHxaCaHfSPGx1rS97njk2mw+TSk4Z4ST9FwLsImUD NqsPCXswyqTTKa0+L/Zev0E4m5oO8I0WheUw/T0raHf/FVeSlsmHizOSaEi6Vaz/XJVs t5BGsfxraYrTTyajc8GQP48EqHjY3GfNjTcOP+vlyo58ESLm/PPsLpbPK0+D6IrhjT5e az0A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=5vlDfTlo7+1qNifKlvbRQPBSPz7n3xaVCsLJjye87UA=; b=KhGrIEykL6cDIH9ltXJIYrj5660sEjfTNp2TeiqSeJZZkiLNnHqAxSVNHwio0pWnnM WY0uXvni+ovMm7KO+NM4LrQUIUTYyCQKI8KuGvTOmbFcZCnKLUrO4cc2bAMZ8t20CZf6 L9VG+2OPJ5CzHsP+c8OcRKwz3G29u1PgA3DqBIhNLYMAt+ZdebarFqiqZcVTUF7D/HZ4 6XmCnDwOu2hDYrFq9m5shXGZWOLj57CM7to+tOwT1HFBlmS1/yUMyDWh20sZTLHcHah7 txqXLiEw7/qGFJNFk02FIVdKsws7lWaTiQm7KB978/Z/1B+1P3WGwevrcLFxv8RmzCb5 kY4g==
X-Gm-Message-State: AD7BkJKCMeiumh0/OGqttaAkbxEx6FZQbBYLJI8XuRD5aXYD++Zo5wWaxu23pqbBBDiTKChmnujyVozFASBNUw==
X-Received: by 10.37.82.9 with SMTP id g9mr6732474ybb.27.1457768411640; Fri, 11 Mar 2016 23:40:11 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.83.87 with HTTP; Fri, 11 Mar 2016 23:39:42 -0800 (PST)
In-Reply-To: <CAJE_bqcetbtgsje4TqCpUF+zoUL19RHjWj2-xg+N39i8XodDVQ@mail.gmail.com>
References: <6AC58C26-01B6-4C16-851F-0C1228CDD2AF@employees.org> <CAJE_bqfvE0jGoRi2X=ohpqsXmGx9AVKnjeGH-P8zWp6=3_kbVA@mail.gmail.com> <CAPK2DewJ0uF9i_uaKLCn5gM_KGm2uv5B0a2VFm7cmNNn5acQPQ@mail.gmail.com> <CAJE_bqcetbtgsje4TqCpUF+zoUL19RHjWj2-xg+N39i8XodDVQ@mail.gmail.com>
From: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Date: Sat, 12 Mar 2016 16:39:42 +0900
Message-ID: <CAPK2Dewz65saO9Mq10ybHTCJWfSG2_BrHvnjNLyOViz0DRbo3A@mail.gmail.com>
Subject: Re: 6MAN Working group last call: draft-ietf-6man-rdnss-rfc6106bis
To: 神明達哉 <jinmei@wide.ad.jp>
Content-Type: multipart/alternative; boundary="001a11353122573b7f052dd5285f"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/-Wo_FmOFm1RBGRSqSsu1ketUpLU>
Cc: Bob Hinden <bob.hinden@gmail.com>, 6man WG <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Mar 2016 07:40:15 -0000

Hi Jinmei,
I have submitted the revised draft:
https://tools.ietf.org/html/draft-ietf-6man-rdnss-rfc6106bis-09

Here are my answers for your comments below.

On Tue, Mar 8, 2016 at 3:21 AM, 神明達哉 <jinmei@wide.ad.jp> wrote:

> At Mon, 7 Mar 2016 04:21:59 +0900,
> "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com> wrote:
>
> > > - Section 6
>
> > >   This seems to assume that "ND runs in the kernel" means that all
> > >   information in RAs is managed in the kernel.  I don't know if
> > >   there's such an implementation (does Linux work that way?), but it
> > >   doesn't necessarily have to be so, and is actually different from
> > >   the BSD implementation: [...]  So, I'd at least
> > >   suggest clarifying that this kind of approach is only necessary for
> > >   some deviant protocol stack implementation that doesn't even support
> > >   RFC3542.  And, I'd also mention the FreeBSD-style approach as it
> > >   should be more generic and portable.
> > >
> > >  => I tried the current text as follows:
>
> I don't think the revised text really addresses my point (or I was not
> clear enough).  According to a follow-up message from the chairs they
> don't seem to be willing to change text that hasn't been changed from
> RFC6106, but just in case we can still make it the document more
> sense, I'd like to propose alternate text.  It replaces the entire
> Section 6, although the first paragraph is intact:
>
>    For the configuration and management of DNS information, the
>    advertised DNS configuration information can be stored and managed in
>    both the DNS Repository and the Resolver Repository.
>
>    Since there is nothing special in an RA message as a link-local
>    ICMPv6 message, a user space application should be readily able to
>    get access to its content including the RDNSS or DNSSL option by
>    the standard socket API [RFC3542].  Environments where the DNS
>    information (i.e., RDNSS addresses and DNS search domain names) is
>    stored in the user space can take this approach.  Note that this is
>    the case even if some other parts of the ND protocol such as router
>    discovery or link-layer address resolution are performed within the
>    kernel.
>
>    For some peculiar environments that do not provide such an API and
>    still need to store the DNS information in the user space, it is
>    necessary to synchronize the DNS information in the kernel space
>    and the Resolver Repository in user space.  For the
>    synchronization, the implementation should provide a write
>    operation for updating DNS information from the kernel to the
>    Resolver Repository.  One approach is to have a daemon (or a
>    program that is called at defined intervals) that keeps monitoring
>    the Lifetimes of RDNSS addresses and DNS search domain names all
>    the time.  Whenever there is an expired entry in the DNS
>    Repository, the daemon can delete the corresponding entry from the
>    Resolver Repository.
>
> BTW, out of curiosity is there any such "peculiar" environment?  As I
> said BSDs shouldn't need such an ugly hack.  I don't know much detail
> of Linux, but a quick look at the man page of its rdnssd(8) it also
> seems to work on the received RA content directly (though not using
> the standard API - Linux is notorious about its lack of support of the
> API).  If this "environment" is only an imaginary thing, I'd even
> consider removing the third paragraph (or the second paragraph of the
> original draft).
>
> > > - Section 6.3: this section largely repeats the text of Section 6.2
> > >   and looks redundant to me.  I'd consider unifying these two sections
> > >   and eliminate unnecessary duplicates.
> > >
> > >  => Done.
>
>  => Along with Ole's comments, I prefer to leave Section 6 for the general
guidelines of the implementation of the RA DNS Options.
I modified the beginning of Section 6 as follows:

   For the configuration and management of DNS information, the
   advertised DNS configuration information can be stored and managed in
   both the DNS Repository and the Resolver Repository.  These two
   repositories should be synchronized however the processing of RA DNS
   options are implemented in the kernel space or user space.

 => Also, I specified this change in Appendix A:

   o  The guidance of the specific implementation for the
      synchronization of the DNS Repository and Resolver Repository on
      the kernel space and user space is removed.


> I'd also remove the duplicate 'e.g.' from the first sentence of
> Section 6.3:
>
>    When an IPv6 host receives the information of multiple DNSSL domain
>    names within a network (e.g., campus network and company network)
>
>  => I removed the 'e.g.' as follows:

   When an IPv6 host receives the information of multiple DNSSL domain
   names within a network through an RA message with DNSSL option(s), it
   stores the DNSSL domain names (in order) into both the DNS Search
   List and the Resolver Repository.

> >   I don't think this "RECOMMENDED" is realistic.  As a matter of fact,
> > >   SEND isn't even widely implemented, and, IMO, its deployability
> > >   issues are not easily resolved.  I don't have a specific suggestion
> > >   on how to make the whole text realistic, but I'd at least suggest
> > >   stopping to make such an unrealistic requirement, especially with an
> > >   RFC2119 keyword.
> > >
> > >  => I replaced "RECOMMENDED" with "MAY" as follows:
> >       The Secure Neighbor Discovery (SEND) protocol [RFC3971] MAY be used
> >       as a security mechanism for ND.  In this case, ND can use SEND to
> >       allow all the ND options including the RDNSS and DNSSL options to
> be
> >       automatically included in the signatures.  Other approaches
> specified
> >       in [RFC4861] can be used for securing the RA options for DNS
> >       configuration.
>
> Personally, I don't even see the need for using an RFC2119 keyword
> here, but if non one else bothers I wouldn't object.  But in any case
> I think this change has to be noted in Appendix A.
>
>  => I removed the keyword "MAY" for SEND and have the following text:

   The Secure Neighbor Discovery (SEND) protocol [RFC3971] is designed
   as a security mechanism for ND.  In this case, ND can use SEND to
   allow all the ND options including the RDNSS and DNSSL options to be
   automatically included in the signatures.

 => Also, I specified this change in Appendix A:

   o  The usage of the keywords of SHOULD and RECOMMENDED in RFC 2119 is
       removed in the recommendation of using SEND for secure ND.
       Instead of the keywords, SEND is specified as a possible solution
       for secure ND.

 Thanks.

 Best Regards,
 Paul

--
> JINMEI, Tatuya
>



-- 
===========================
Mr. Jaehoon (Paul) Jeong, Ph.D.
Assistant Professor
Department of Software
Sungkyunkwan University
Office: +82-31-299-4957
Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
<http://cpslab.skku.edu/people-jaehoon-jeong.php>

v2.23.0 | Report a Bug | By Email