Re: [manet] Benjamin Kaduk's Discuss on draft-ietf-manet-dlep-pause-extension-06: (with DISCUSS and COMMENT)
Lou Berger <lberger@labn.net> Thu, 13 June 2019 18:26 UTC
Return-Path: <lberger@labn.net>
X-Original-To: manet@ietfa.amsl.com
Delivered-To: manet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7EA2E12023C for <manet@ietfa.amsl.com>; Thu, 13 Jun 2019 11:26:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.686
X-Spam-Level: **
X-Spam-Status: No, score=2.686 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, GB_SUMOF=5, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.415, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (768-bit key) header.d=labn.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OEvRVkbLKkZM for <manet@ietfa.amsl.com>; Thu, 13 Jun 2019 11:26:23 -0700 (PDT)
Received: from gproxy1-pub.mail.unifiedlayer.com (gproxy1-pub.mail.unifiedlayer.com [69.89.25.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FB34120229 for <manet@ietf.org>; Thu, 13 Jun 2019 11:26:20 -0700 (PDT)
Received: from cmgw10.unifiedlayer.com (unknown [10.9.0.10]) by gproxy1.mail.unifiedlayer.com (Postfix) with ESMTP id 25E37B42873F6 for <manet@ietf.org>; Thu, 13 Jun 2019 12:26:17 -0600 (MDT)
Received: from box313.bluehost.com ([69.89.31.113]) by cmsmtp with ESMTP id bUQShWGXjsFwgbUQShP3jx; Thu, 13 Jun 2019 12:26:17 -0600
X-Authority-Reason: nr=8
X-Authority-Analysis: v=2.3 cv=J/aEEjvS c=1 sm=1 tr=0 a=h1BC+oY+fLhyFmnTBx92Jg==:117 a=h1BC+oY+fLhyFmnTBx92Jg==:17 a=jpOVt7BSZ2e4Z31A5e1TngXxSK0=:19 a=IkcTkHD0fZMA:10:nop_charset_1 a=xqWC_Br6kY4A:10:nop_ipv6 a=dq6fvYVFJ5YA:10:nop_rcvd_month_year a=Vy_oeq2dmq0A:10:endurance_base64_authed_username_1 a=48vgC7mUAAAA:8 a=oVDSxFbo9Ya9f_9SELMA:9 a=vVICH83cBykVrxfP:21 a=8MauNC88WcY10SuP:21 a=QEXdDO2ut3YA:10:nop_charset_2 a=mYAOWqAtFUkA:10:demote_hacked_domain_1 a=1dbGxDndw2gA:10:demote_hacked_domain_7 a=w1C3t2QeGrPiZgrLijVG:22
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=labn.net; s=default; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:MIME-Version :Date:Message-ID:References:Cc:To:Subject:From:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=ojKvDzd1IzbK8phQpCfzpADW/pMWDmSpi//D3dhRVqQ=; b=KUwkBsb9MnD57KEeyOiN+AEwTx B/eo+Tsbp+tna9TjBckcfHLbYe8UnrxTH/EsDF2Koc98+mJ0D530+PtbvXmEWwBJa9GOAItPNfBvQ R33JEWU7ZyMNZ3soOjubR6Acc;
Received: from [127.0.0.1] (port=10801 helo=[IPv6:::1]) by box313.bluehost.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92) (envelope-from <lberger@labn.net>) id 1hbUQS-001eaG-O6; Thu, 13 Jun 2019 12:26:16 -0600
From: Lou Berger <lberger@labn.net>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: draft-ietf-manet-dlep-pause-extension@ietf.org, manet@ietf.org, The IESG <iesg@ietf.org>, manet-chairs@ietf.org
References: <155494445891.22757.7399588752085896470.idtracker@ietfa.amsl.com> <e20c4e6d-b36f-690c-2049-4bc81f5cd37a@labn.net> <20190506224055.GX19509@kduck.mit.edu> <10c43c45-877d-842d-b527-8ff0dd9cb600@labn.net> <20190606182224.GC23396@kduck.mit.edu>
Message-ID: <93f68bb0-0366-4def-48c3-2a2465ccdcde@labn.net>
Date: Thu, 13 Jun 2019 14:26:11 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.3.1
MIME-Version: 1.0
In-Reply-To: <20190606182224.GC23396@kduck.mit.edu>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - box313.bluehost.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - labn.net
X-BWhitelist: no
X-Source-IP: 127.0.0.1
X-Source-L: Yes
X-Exim-ID: 1hbUQS-001eaG-O6
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: ([IPv6:::1]) [127.0.0.1]:10801
X-Source-Auth: lberger@labn.net
X-Email-Count: 12
X-Source-Cap: bGFibm1vYmk7bGFibm1vYmk7Ym94MzEzLmJsdWVob3N0LmNvbQ==
X-Local-Domain: yes
Archived-At: <https://mailarchive.ietf.org/arch/msg/manet/fXbyEIQn4X5_J-NeCmjZZ8OKcH8>
Subject: Re: [manet] Benjamin Kaduk's Discuss on draft-ietf-manet-dlep-pause-extension-06: (with DISCUSS and COMMENT)
X-BeenThere: manet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Mobile Ad-hoc Networks <manet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/manet>, <mailto:manet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/manet/>
List-Post: <mailto:manet@ietf.org>
List-Help: <mailto:manet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/manet>, <mailto:manet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Jun 2019 18:26:27 -0000
Hi, No worries on the delay. On 6/6/2019 2:22 PM, Benjamin Kaduk wrote: > Hi Lou, > > Sorry for the long delay here; I'm in the process of moving from St. Louis > to Seattle and have had to take a bunch of time off in the process. > > On Tue, May 07, 2019 at 10:34:57AM -0400, Lou Berger wrote: >> Please see responses below... >> >> On 5/6/2019 6:40 PM, Benjamin Kaduk wrote: >>> On Sun, May 05, 2019 at 09:22:16PM -0400, Lou Berger wrote: >>>> Hi, >>>> My apologies, I thought I responded to this, but can't seem to find the >>>> response (hopefully my responses are consistent if I did!). >>>> >>>> On 4/10/19 9:00 PM, Benjamin Kaduk via Datatracker wrote: >>>>> Benjamin Kaduk has entered the following ballot position for >>>>> draft-ietf-manet-dlep-pause-extension-06: Discuss >>>>> >>>>> When responding, please keep the subject line intact and reply to all >>>>> email addresses included in the To and CC lines. (Feel free to cut this >>>>> introductory paragraph, however.) >>>>> >>>>> >>>>> Please refer tohttps://www.ietf.org/iesg/statement/discuss-criteria.html >>>>> for more information about IESG DISCUSS and COMMENT positions. >>>>> >>>>> >>>>> The document, along with other ballot positions, can be found here: >>>>> https://datatracker.ietf.org/doc/draft-ietf-manet-dlep-pause-extension/ >>>>> >>>>> >>>>> >>>>> ---------------------------------------------------------------------- >>>>> DISCUSS: >>>>> ---------------------------------------------------------------------- >>>>> >>>>> Section 3.1 defines 'Scale' as a four-bit unsigned integer field but only the >>>>> values 0-3 are assigned, leaving 4-16k usable. How will future values be >>>>> assigned? >>>>> >>>> A future revision or update of this document. We discussed a IANA >>>> registry, but thought it overkill as future additions seem quite unlikely. >>> Okay. The Discuss was just to make sure it was considered in some fashion; >>> we do have a bunch of documents that explictly note "additional values are >>> to be allocated by updates to this specification" but I do not insist on >>> it. >>> >>>>> In Section 3.1.1: >>>>> >>>>> DS Field Qn: >>>>> >>>>> The data item contains a sequence of 8 bit DS Fields. The number >>>>> of DS Fields present MUST equal the sum of all Num DSCPs field >>>>> values. >>>>> >>>>> Perhaps I'm misreading, but I thought the Num DSCPs Qn field was global >>>>> for this queue index, so there would just be one of them and no need to >>>>> take a sum. >>>> It's just saying that more than one DSCP can match to a single queue >>>> index value. >>> Okay, if I'm looking at the figure properly then this is just an editorial >>> issue, then: >>> >>> 0 1 2 3 >>> 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 >>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ >>> | Queue Index | Queue Size Qn | >>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ >>> | Num DSCPs Qn | DS Field Qn | ... : >>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ >>> : ... | DS Field Qn | >>> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ >>> >>> So we have the chunk of stuff for a given queue (index), and the size of >>> that queue, then a separate array/length for the DS values. The various DS >>> values that can match this queue index are the contents of this array, but >>> this is the only array in the sub data item describing this queue index. >>> If that's correct, then isn't the description of "DS Field Qn" just "The >>> sub data item contains a sequence of 8 bit DS Fields for this queue index. >>> The number of DS Fields present MUST equal this value."? >> Yes - I'm fine with a specific text revision if you have one. > How about: > > OLD: > > The data item contains a sequence of 8 bit DS Fields. The number > of DS Fields present MUST equal the sum of all Num DSCPs field > values. > > NEW: > > The data item contains a sequence of 8 bit DS Fields. The number > of DS Fields present MUST equal the value of the Num DSCPs field. yes, this is better. >>>>> In Section 3.3: >>>>> >>>>> A router which receives the Restart Data Item SHOULD resume >>>>> transmission of the identified traffic to the modem. >>>>> >>>>> Why is this only a "SHOULD"? >>>> to cover the case where the router is choosing not to send data, e.g., >>>> due to lack of available data or other policy such as traffic rate shaping. >>> Okay. Frequently documents will give the reader some hint as to what the >>> exceptional cases might be, but I will not insist on it here. >>> >>> >>>>> Section 4 >>>>> >>>>> The extension does not inherently >>>>> introduce any additional vulnerabilities above those documented in >>>>> [RFC8175]. [...] >>>>> >>>>> As noted by others, this sentence is just not true. >>>>> I will not duplicate the suggestions for additional considerations that >>>>> need to be documented. >>>> Please see comments / discussion elsewhere on this. >>> Sorry, most of these threads have aged out of my cache; could you give me a >>> hint about whose ballot thread to look in, or a link? >> Perhaps it's just best to point you at the current text and see if >> you're okay with it -- see >> >> https://tools.ietf.org/html/draft-ietf-manet-dlep-pause-extension-07#section-4 >> >> and let me/us know if you still have any unresolved comments. > My main issue is with "does not inherently introduce any additional > vunlerabilities" -- there's a new signal that if received by the router, > causes all traffic to stop. There is some inherent risk of such a signal > being received erroneously, even if an attacker that could introduce such a > signal would need to be highly capable (and thus also capable of doing > damage in other ways), and of course the risk of random accidents is always > present. > > So I think the intent here may be to say instead that "this extension does > not introduce any vulnerabilities that are inherently different from those > documented in [RFC8175]", since there are already other ways that an > attacker could cause the router to stop sending traffic to the modem. This works for me too. I'll push a new version in a few moments. Thanks, Lou >>>>> In particular, I agree with Roman that the use >>>>> of TLS needs to be mandatory, especially since this protocol is >>>>> nominally only defined for use with radio links. >>>> As covered elsewhere, in particular this is really a comment on base >>>> DLEP and I think this extension should be consistent with that document. >>>> (Consider an example from when 8175 was issued, consider the case where >>>> the modem and router use MACsec, 802.1X and 802.1 AE, why is TLS needed >>>> as well.) >>> Perhaps. I think it's highly dependent on whether DLEP is only conveyed >>> over wired links and the physical scope of those links, though -- my >>> understanding is that most of the IESG was treating this protocol as >>> running over the radio link. >> umm, DLEP is *NEVER* expected to run over the air. This is covered in >> RFC8175 and is not impacted by this extension. > I'm sorry that I (and the collective IESG) missed that; you are quite > correct. (I think I was under severe time pressure reviewing this document > and only did targetted keyword searches in 8175 as I was reading.) > > -Ben > >
- [manet] Benjamin Kaduk's Discuss on draft-ietf-ma… Benjamin Kaduk via Datatracker
- Re: [manet] Benjamin Kaduk's Discuss on draft-iet… Lou Berger
- Re: [manet] Benjamin Kaduk's Discuss on draft-iet… Benjamin Kaduk
- Re: [manet] Benjamin Kaduk's Discuss on draft-iet… Lou Berger
- Re: [manet] Benjamin Kaduk's Discuss on draft-iet… Benjamin Kaduk
- Re: [manet] Benjamin Kaduk's Discuss on draft-iet… Lou Berger