IETF Logo Mail Archive

Re: 6MAN Working group last call: draft-ietf-6man-rdnss-rfc6106bis

"Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com> Sun, 06 March 2016 19:22 UTC

Return-Path: <jaehoon.paul@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57A8E1B319B for <ipv6@ietfa.amsl.com>; Sun, 6 Mar 2016 11:22:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.801
X-Spam-Level:
X-Spam-Status: No, score=0.801 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001, URIBL_DBL_ABUSE_BOTCC=2.5] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wKRoBlmYVOnC for <ipv6@ietfa.amsl.com>; Sun, 6 Mar 2016 11:22:30 -0800 (PST)
Received: from mail-yk0-x241.google.com (mail-yk0-x241.google.com [IPv6:2607:f8b0:4002:c07::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4ABA1B319A for <ipv6@ietf.org>; Sun, 6 Mar 2016 11:22:29 -0800 (PST)
Received: by mail-yk0-x241.google.com with SMTP id z7so262034yka.3 for <ipv6@ietf.org>; Sun, 06 Mar 2016 11:22:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Cy72A42FRLkqxL++qn5aWFFXh0MF/s/hQfhEfuz0fks=; b=n+HGE48oVg6UOlkPFZ5nbUt8Tkkc+E00UtQyut7kYmMh4ADFjEGe+FGPK+/oP5S9Q7 eYV3cGME825RDfF6Wl+xK6eXa9oN6zKKuFg+k4iRjFTz0jr++eA4j5J7bLZtQN8wch+Z u1qQOVZxP1P/+kAJqFd4T6P/hVeJnrRtnB/LUEkBcYirA+CPRQzi3wOa0diEVrDhWOQb I7WPhL537nHucaB4zqSKbcg9ZSU9fCLSvHrD8Su8FY4JD3byWW7PFSJAQ/Ow8n+SJv4z wE13c1KUudqaboOw3UIT5kTLqoSJ6bXABPsII3upW8gylK0jsKOC8tfx0cLuwWywT+7w 9aYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Cy72A42FRLkqxL++qn5aWFFXh0MF/s/hQfhEfuz0fks=; b=OicJ4o8OxNE3vaY6QeQx8WZMXNAAGMPkjbYEiE0B22thUwk1rBV76yYk8CHkR4/IAZ QOD+IXQlatkjnkD4R0/eXnhaLaVjrB5JADRnaOC/T8i88k558DJKpNrJddbEpDKZQzfL lPiryJK+pkG9W2Xjb5eyd2m5jTY0DP8re2VXdTsbOEbbGxj05vfWjVCR0UFE7aw1dOXB L310YECawcRZnw3hYIxqPgSsAPtUYdRGd7wGRAaLrSkQvcR+vvf+iSqHn80bVCXs4oSz gXjloAkqsirzT3Ll+I/TnCAAno6pepmL/e5cNpu6Q1+trr5wubtwaZLq9Px2m0NkjJlv bUEA==
X-Gm-Message-State: AD7BkJJRG/az7IBkB8+0VOKssQB2UG4kPoHLw3A5PRT8oCENE4cpcNrwHonUJ8YoE/3GFCfRhzKnW+O/mTiBAA==
X-Received: by 10.37.83.68 with SMTP id h65mr10187118ybb.124.1457292148990; Sun, 06 Mar 2016 11:22:28 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.83.87 with HTTP; Sun, 6 Mar 2016 11:21:59 -0800 (PST)
In-Reply-To: <CAJE_bqfvE0jGoRi2X=ohpqsXmGx9AVKnjeGH-P8zWp6=3_kbVA@mail.gmail.com>
References: <6AC58C26-01B6-4C16-851F-0C1228CDD2AF@employees.org> <CAJE_bqfvE0jGoRi2X=ohpqsXmGx9AVKnjeGH-P8zWp6=3_kbVA@mail.gmail.com>
From: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Date: Mon, 07 Mar 2016 04:21:59 +0900
Message-ID: <CAPK2DewJ0uF9i_uaKLCn5gM_KGm2uv5B0a2VFm7cmNNn5acQPQ@mail.gmail.com>
Subject: Re: 6MAN Working group last call: draft-ietf-6man-rdnss-rfc6106bis
To: 神明達哉 <jinmei@wide.ad.jp>
Content-Type: multipart/alternative; boundary="001a113e5ed8dfe9d9052d66446b"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/45WIVobiGGS_v_rMRVPnm1ZM0bM>
Cc: 6man WG <ipv6@ietf.org>, Bob Hinden <bob.hinden@gmail.com>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Mar 2016 19:22:33 -0000

Hi Jinmei,
I tried to address your comments in the following draft:
https://tools.ietf.org/html/draft-ietf-6man-rdnss-rfc6106bis-08

Could you double-check whether your comments are resolved well or not?

Also, I put my answers inline with =>.

If you have some unclear parts, please let me clarify them.

Thanks.

Paul

On Thu, Feb 25, 2016 at 4:27 AM, 神明達哉 <jinmei@wide.ad.jp> wrote:

> At Tue, 9 Feb 2016 10:54:16 +0100,
> otroan@employees.org wrote:
>
> > This message starts a two week 6MAN Working Group Last Call on advancing:
> >
> >      Title    : IPv6 Router Advertisement Options for DNS Configuration
> >      Authors  : J. Jeong, S. Park, L. Beloeil, S. Madanapalli
> >      Filename : draft-ietf-6man-rdnss-rfc6106bis-06
> >      Pages    : 17
> >      Date     : 2015-10-09
> >
> >     https://tools.ietf.org/html/draft-ietf-6man-rdnss-rfc6106bis-06
> >
> > as a Proposed Standard.  Substantive comments and statements of
> > support for publishing this document should be directed to the
> > mailing list.  Editorial suggestions can be sent to the authors.
> > This last call will end on 23 February 2016.
>
> I've reviewed the 06 version.  I don't have a particular opinion on
> whether to publish it, but I have some comments:
>
> - Section 5
>
>    The IPv6 DNS configuration mechanism in this document needs two new
>    ND options in Neighbor Discovery: (i) the Recursive DNS Server
>    (RDNSS) option and (ii) the DNS Search List (DNSSL) option.
>
>   "new" sounds like awkward since, well, it's not new any more.  I
>   don't know the usual practice (if any) in cases like this for "-bis"
>   specifications, but I'd suggest just removing "new".
>
>  => Done.


> - Section 5.1
>
>      Lifetime      32-bit unsigned integer.  The maximum time, in
>                    seconds (relative to the time the packet is sent),
>                    over which this RDNSS address MAY be used for name
>                    resolution.
>
>   Shouldn't "relative to the time the packet is sent" actually be
>   "relative to the time the packet is received"?  In practice these
>   two wouldn't be different very much anyway, but, technically, the
>   former looks awkward to me since the recipient can't know that time.
>
>  => Done.


> - Section 5.1
>
>    Note:  [...]  The link zone indices SHOULD be
>       represented in the textual format for scoped addresses as
>       described in [RFC4007].
>
>   Perhaps the actual intent is "The link-local addresses SHOULD be
>   represented with their link zone indices in the textual format for
>   scoped addresses as described in [RFC4007]."?  Also, it's not very
>   clear to me why it's a "SHOULD".  Maybe because it's convenient as
>   the DNS client (stub resolver) implementation can simply pass the
>   textual text (whether it's link-local or not) to a utility function
>   like getaddrinfo()?  If so, that's understandable, but I guess it's
>   not obvious and should be explained explicitly.  Also, I'm not sure
>   if this convenience (if that's the reason for the SHOULD) is worth
>   the RFC2119 keyword.  While it'd certainly be convenient, this seems
>   to be a pure implementation choice.
>
>  => Done.


> - Section 5.2: s/name/names/
>
>      Lifetime      32-bit unsigned integer.  The maximum time, in
>                    [...]
>                    (0xffffffff) represents infinity.  A value of zero
>                    means that the DNSSL domain name MUST no longer be
>                    used.
>
>  => Done.


> - Section 5.2
>
>      Domain Names of DNS Search List
>                    One or more domain names of DNS Search List that MUST
>                    be encoded using the technique described in Section
>                    3.1 of [RFC1035].
>
>   The word "technique" sounds awkward to me as it's the standard wire
>   format of domain names.  I suggest, e.g., just saying "...encoded as
>   described in Section 3.1 of [RFC1035]".
>
>  => Done.


> - Section 6
>
>    In environments where the DNS information is stored in user space and
>    ND runs in the kernel, it is necessary to synchronize the DNS
>    information (i.e., RDNSS addresses and DNS search domain names) in
>    kernel space and the Resolver Repository in user space.  For the
>    synchronization, an implementation where ND works in the kernel
>    should provide a write operation for updating DNS information from
>    the kernel to the Resolver Repository.  One simple approach is to
>    have a daemon (or a program that is called at defined intervals) that
>    keeps monitoring the Lifetimes of RDNSS addresses and DNS search
>    domain names all the time.  [...]
>
>   This seems to assume that "ND runs in the kernel" means that all
>   information in RAs is managed in the kernel.  I don't know if
>   there's such an implementation (does Linux work that way?), but it
>   doesn't necessarily have to be so, and is actually different from
>   the BSD implementation: the FreeBSD's rtsol(d) completely works as a
>   user space application, receives RA via an ICMPv6 socket using the
>   standard advanced socket API (RFC3542), and manages RDNSS
>   implementation independently from the kernel (even if some other
>   parts of the RA are managed in the kernel).  So, I'd at least
>   suggest clarifying that this kind of approach is only necessary for
>   some deviant protocol stack implementation that doesn't even support
>   RFC3542.  And, I'd also mention the FreeBSD-style approach as it
>   should be more generic and portable.
>
>  => I tried the current text as follows:
      In environments where the DNS information is stored in user space and
      ND runs in the kernel, it is necessary to synchronize the DNS
      information (i.e., RDNSS addresses and DNS search domain names) in
      kernel space and the Resolver Repository in user space.  In these
      environments, a user space application cannot receive RA via an
      ICMPv6 socket using the standard advanced socket Application Program
      Interface (API) in [RFC3542].


> - Section 6.3: this section largely repeats the text of Section 6.2
>   and looks redundant to me.  I'd consider unifying these two sections
>   and eliminate unnecessary duplicates.
>
>  => Done. I removed the redundant ones and specified a different in Step
(b).
      In Step (b), if the DNSSL domain name already exists in the DNS
      Search List and the DNSSL option's Lifetime field is set to zero,
      delete the corresponding DNSSL entry from both the DNS Search List
      and the Resolver Repository in order to prevent the DNSSL domain name
      from being used any more for certain reasons in network management,
      e.g., the termination of the usage of the DNSSL domain name.  That
      is, the DNSSL domain name may not be used any more by the policy of
      the network.


> - Section 6.3: on a related point, this text looks awkward:
>
>       Step (b): For each DNSSL domain name, check the following: [...]
>       [...] for certain reasons in network management,
>       e.g., the termination of the RDNSS or a renaming situation.  That
>       is, the RDNSS can resign from its DNS service because the machine
>       running the RDNSS is out of service intentionally or
>       unintentionally.  Also, under the renaming situation, the DNSSL
>
>   How can the termination of a particular RDNSS mean that DNSSL names
>   are not usable anymore?  There may be a case where one event is
>   realted to the other, but I don't see any obvious relationship
>   between these two (the RDNSS may simply be replaced with a new,
>   different node).  This text rather seems to be a result of a naive
>   copy of Section 6.2.
>
>  => Done like the previous answer.


> - Section 7.1, second paragraph.  Most of the text in this paragraph
>   is irrelevant to this protocol and looks redundant to me.  I'd
>   consider just referring to some other document for the general
>   issue.
>
>  => Removed.


> - Section 7.2
>
>    The Secure Neighbor Discovery (SEND) protocol [RFC3971] is used as a
>    security mechanism for ND.  It is RECOMMENDED that ND use SEND to
>    allow all the ND options including the RDNSS and DNSSL options to be
>    automatically included in the signatures.
>
>   I don't think this "RECOMMENDED" is realistic.  As a matter of fact,
>   SEND isn't even widely implemented, and, IMO, its deployability
>   issues are not easily resolved.  I don't have a specific suggestion
>   on how to make the whole text realistic, but I'd at least suggest
>   stopping to make such an unrealistic requirement, especially with an
>   RFC2119 keyword.
>
>  => I replaced "RECOMMENDED" with "MAY" as follows:
      The Secure Neighbor Discovery (SEND) protocol [RFC3971] MAY be used
      as a security mechanism for ND.  In this case, ND can use SEND to
      allow all the ND options including the RDNSS and DNSSL options to be
      automatically included in the signatures.  Other approaches specified
      in [RFC4861] can be used for securing the RA options for DNS
      configuration.

 Thanks.

 Best Regards,
 Paul


--
> JINMEI, Tatuya
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>



-- 
===========================
Mr. Jaehoon (Paul) Jeong, Ph.D.
Assistant Professor
Department of Software
Sungkyunkwan University
Office: +82-31-299-4957
Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
<http://cpslab.skku.edu/people-jaehoon-jeong.php>

v2.23.0 | Report a Bug | By Email