Re: [mif-arch-dt] New Version Notification for draft-anipko-mif-mpvd-arch-00.txt
Ted Lemon <Ted.Lemon@nominum.com> Mon, 15 July 2013 18:12 UTC
Return-Path: <Ted.Lemon@nominum.com>
X-Original-To: mif-arch-dt@ietfa.amsl.com
Delivered-To: mif-arch-dt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB86011E8101 for <mif-arch-dt@ietfa.amsl.com>; Mon, 15 Jul 2013 11:12:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.592
X-Spam-Level:
X-Spam-Status: No, score=-106.592 tagged_above=-999 required=5 tests=[AWL=0.007, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vw+-3x0wdLBb for <mif-arch-dt@ietfa.amsl.com>; Mon, 15 Jul 2013 11:12:24 -0700 (PDT)
Received: from exprod7og102.obsmtp.com (exprod7og102.obsmtp.com [64.18.2.157]) by ietfa.amsl.com (Postfix) with ESMTP id 6244A11E8105 for <mif-arch-dt@ietf.org>; Mon, 15 Jul 2013 11:11:59 -0700 (PDT)
Received: from shell-too.nominum.com ([64.89.228.229]) (using TLSv1) by exprod7ob102.postini.com ([64.18.6.12]) with SMTP ID DSNKUeQ7brRdKI95aJVKOw4TUgwbwYFZo4xO@postini.com; Mon, 15 Jul 2013 11:11:59 PDT
Received: from archivist.nominum.com (archivist.nominum.com [64.89.228.108]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.nominum.com", Issuer "Go Daddy Secure Certification Authority" (verified OK)) by shell-too.nominum.com (Postfix) with ESMTP id AC7DB1B8250 for <mif-arch-dt@ietf.org>; Mon, 15 Jul 2013 11:11:58 -0700 (PDT)
Received: from webmail.nominum.com (cas-02.win.nominum.com [64.89.228.132]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (Client CN "mail.nominum.com", Issuer "Go Daddy Secure Certification Authority" (verified OK)) by archivist.nominum.com (Postfix) with ESMTPS id 9256E190052; Mon, 15 Jul 2013 11:11:58 -0700 (PDT) (envelope-from Ted.Lemon@nominum.com)
Received: from MBX-01.WIN.NOMINUM.COM ([64.89.228.133]) by CAS-02.WIN.NOMINUM.COM ([64.89.228.132]) with mapi id 14.02.0318.004; Mon, 15 Jul 2013 11:11:58 -0700
From: Ted Lemon <Ted.Lemon@nominum.com>
To: Dmitry Anipko <Dmitry.Anipko@microsoft.com>
Thread-Topic: [mif-arch-dt] New Version Notification for draft-anipko-mif-mpvd-arch-00.txt
Thread-Index: AQHOgYbMqJIiymdLk0y5vgVivkQYRQ==
Date: Mon, 15 Jul 2013 18:11:58 +0000
Message-ID: <8D23D4052ABE7A4490E77B1A012B630775211E39@mbx-01.win.nominum.com>
References: <20130714041913.29430.66253.idtracker@ietfa.amsl.com> <e7573b69f58a4f0b903cf7a3ae03cf48@SN2PR03MB077.namprd03.prod.outlook.com>
In-Reply-To: <e7573b69f58a4f0b903cf7a3ae03cf48@SN2PR03MB077.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.1.10]
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <7A90C5BB31B9D54889427252DCAB6754@nominum.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "mif-arch-dt@ietf.org" <mif-arch-dt@ietf.org>
Subject: Re: [mif-arch-dt] New Version Notification for draft-anipko-mif-mpvd-arch-00.txt
X-BeenThere: mif-arch-dt@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: MIF Architecture Design Team mailing list <mif-arch-dt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mif-arch-dt>, <mailto:mif-arch-dt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mif-arch-dt>
List-Post: <mailto:mif-arch-dt@ietf.org>
List-Help: <mailto:mif-arch-dt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mif-arch-dt>, <mailto:mif-arch-dt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jul 2013 18:12:31 -0000
Observations about the document: In section 2, I think you should say "classically" rather than "usually," because I think "usually" is true right now, but probably won't be in the future. There's probably a better way to put it, but that's the point I think needs to be gotten across. I think also that the beginning of section 2 doesn't quite capture the definition of PVD because of the classical approach. It might be better not to focus on that, and just talk about it in terms of a collection of information. So maybe something like this: Provisioning Domain: a consistent set of network configuration information. Classically, the entire set available on a single interface is provided by a single source, such as network administrator, and can therefore be treated as a single provisioning domain. In modern IPv6 networks, multihoming can result in more than one provisioning domain being present on a single link. Typical examples of information in a provisioning domain, learned from the network, are: source address prefixes used on the link, IP address of DNS server, name of HTTP proxy server if available, DNS suffixes associated with the network etc. In some cases, other sources, such as e.g. node local policy, user input or other out of band mechanisms may be used to either construct a PVD entirely (analogously to static IP configuration of an interface), or supplement with particular elements all or some PVDs learned from the network. As an example, node administrator could inject a not ISP-specific DNS server into PVDs for any of the networks the node could become attached to. Such creation / augmentation of PVD could be static or dynamic. The particular implementation mechanisms are outside of the scope of this document. PVD-aware node: a node that supports association of network configuration information into PVDs, and using the resultant PVDs to serve requests for network connections in a way, consistent with recommendations of this architecture. In 4.2.1, I suggest the following change: OLD: In either case, by default the node shall use for the following connection request the PVD, where the lookup results were obtained. NEW: In either case, by default the node uses information obtained in a name service lookup to establish connections only within the same PVD from which the lookup results were obtained. For simplicity, when we say that name service lookup results were obtained from a PVD, what we mean is that the name service query was issued against a name service the configuration of which is present in a particular PVD. In that sense, the results are "from" that particular PVD. In 5.1, maybe the following change? OLD: Applications are not PVD-aware in any manner, and only submit connection requests. The node performs PVD selection implicitly, without any otherwise applications participation, and based purely on policies and/or user choice. NEW: Applications are not PVD-aware in any manner, and only submit connection requests. The node performs PVD selection implicitly, without any otherwise applications participation, and based purely on node-specific administrative policies and/or choices made by the user in a user interface provided by the operating environment, not by the application. I'd like to see more text talking about the user interface aspect of this. Section 5.3 suggests that the information configured by local policy or user interface is not visible to the application. This is probably correct, but needs to be explored in more detail, IMHO. I would suggest the following for the trust section, since there's no text yet: 6.1 Untrusted PVDs Implicit and explicit PVDs for which no trust relationship exists are considered untrusted. Only PVDs which meet the requirements in section 6.2 are trusted; any other PVD is untrusted. In order to avoid various forms of misinformation that can be asserted when PVDs are trusted, hosts that implement PVD separation cannot assume that two explicit PVDs with the same identifier are actually the same PVD. A node that did make this assumption would be vulnerable to attacks where for example an open Wifi hotspot might assert that it was part of a well known PVD, and thereby draw traffic intended for that PVD onto its own link. Since implicit PVD identifiers are synthesized by the node, this issue cannot arise with implicit PVDs. Mechanisms exist (for example [RFC6731]) whereby a PVD can provide configuration information that asserts special knowledge about the reachability of resources through that PVD. Such assertions cannot be validated unless the node has a trust relationship with the PVD; assertions of this type therefore must be ignored by hosts that receive them from untrusted PVDs. Failure to ignore such assertions could result in traffic being diverted from legitimate destinations to spoofed destinations. 6.2 Trusted PVDs Trusted PVDs are PVDs for which two conditions apply. First, a trust relationship must exist between the node that is using the PVD configuration and the operator that provided that configuration; this is the authorization portion of the trust relationship. Second, there must be some way to validate the trust relationship. This is the authentication portion of the trust relationship. Two mechanisms for validating the trust relationship are defined. 6.2.1 Authenticated PVDs One way to validate the trust relationship between a node and the operator of a PVD is through the combination of cryptographic authentication and an identifier configured on the node. In some cases, the two could be the same; for example, if authentication is done with a shared secret, the secret would have to be associated with the PVD identifier. Without a (PVD Identifier, shared key) tuple, authentication would be impossible, and hence authentication and authorization are combined. However, if authentication is done using some public key mechanism such as a TLS cert or DANE, authentication by itself isn't enough, since theoretically any PVD could be authenticated in this way. In addition to authentication, the node would need to be configured to trust the identifier being authenticated. Validating the authenticated PVD name against a list of PVD names configured as trusted on the host would constitute the authorization step in this case. 6.2.2 PVDs trusted by attachment In some cases a trust relationship may be validated by some means other than described in 6.2.1, simply by virtue of the connection through which the PVD was obtained. For instance, a handset connected to a mobile network will know through the mobile network infrastructure that it is connected to a trusted PVD, and whatever mechanism was used to validate that connection constitutes the authentication portion of the trust relationship. Presumably such a handset would be configured from the factory, or else through user preference settings, to trust the PVD, and this would constitute the authorization portion of this type of trust relationship. That's all I've got for today—I hope it helps. Thanks for writing this up!
- [mif-arch-dt] FW: New Version Notification for dr… Dmitry Anipko
- Re: [mif-arch-dt] New Version Notification for dr… Ted Lemon
- Re: [mif-arch-dt] New Version Notification for dr… Hui Deng
- Re: [mif-arch-dt] New Version Notification for dr… Ted Lemon
- Re: [mif-arch-dt] New Version Notification for dr… Ted Lemon
- Re: [mif-arch-dt] New Version Notification for dr… Alper Yegin
- Re: [mif-arch-dt] FW: New Version Notification fo… Dapeng Liu
- Re: [mif-arch-dt] FW: New Version Notification fo… Dmitry Anipko
- Re: [mif-arch-dt] New Version Notification for dr… Dmitry Anipko
- Re: [mif-arch-dt] New Version Notification for dr… Dmitry Anipko
- Re: [mif-arch-dt] FW: New Version Notification fo… Dapeng Liu
- Re: [mif-arch-dt] New Version Notification for dr… Ted Lemon
- Re: [mif-arch-dt] New Version Notification for dr… Alper Yegin
- Re: [mif-arch-dt] New Version Notification for dr… Tim Chown
- Re: [mif-arch-dt] New Version Notification for dr… Dmitry Anipko
- [mif-arch-dt] FW: Slide for MIF arch DT Dmitry Anipko
- Re: [mif-arch-dt] New Version Notification for dr… Tim Chown