IETF Logo Mail Archive

[mif] AD review of MPVD Architecture

Ted Lemon <Ted.Lemon@nominum.com> Wed, 17 December 2014 15:49 UTC

Return-Path: <Ted.Lemon@nominum.com>
X-Original-To: mif@ietfa.amsl.com
Delivered-To: mif@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E0C21A1B76 for <mif@ietfa.amsl.com>; Wed, 17 Dec 2014 07:49:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b4mbYpNpCQkn for <mif@ietfa.amsl.com>; Wed, 17 Dec 2014 07:49:00 -0800 (PST)
Received: from sjc1-mx02-inside.nominum.com (sjc1-mx02-inside.nominum.com [64.89.234.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB0AA1A1B89 for <mif@ietf.org>; Wed, 17 Dec 2014 07:48:55 -0800 (PST)
Received: from archivist.nominum.com (archivist.nominum.com [64.89.228.108]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.nominum.com", Issuer "Go Daddy Secure Certificate Authority - G2" (verified OK)) by sjc1-mx02-inside.nominum.com (Postfix) with ESMTPS id 05C1FDA00BA for <mif@ietf.org>; Wed, 17 Dec 2014 15:48:58 +0000 (UTC)
Received: from webmail.nominum.com (cas-02.win.nominum.com [64.89.228.132]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (Client CN "mail.nominum.com", Issuer "Go Daddy Secure Certificate Authority - G2" (verified OK)) by archivist.nominum.com (Postfix) with ESMTP id 2ED1553E084 for <mif@ietf.org>; Wed, 17 Dec 2014 07:48:25 -0800 (PST)
Received: from [10.0.20.107] (71.233.43.215) by CAS-02.WIN.NOMINUM.COM (192.168.1.101) with Microsoft SMTP Server (TLS) id 14.3.195.1; Wed, 17 Dec 2014 07:48:25 -0800
From: Ted Lemon <Ted.Lemon@nominum.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Message-ID: <9071C858-BBCA-483C-94CD-E7C2584980F0@nominum.com>
Date: Wed, 17 Dec 2014 10:48:10 -0500
To: "mif@ietf.org List" <mif@ietf.org>
MIME-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
X-Mailer: Apple Mail (2.1878.6)
X-Originating-IP: [71.233.43.215]
Archived-At: http://mailarchive.ietf.org/arch/msg/mif/I7DGByRJqm0N9mRo51vZWMcI4Ok
Subject: [mif] AD review of MPVD Architecture
X-BeenThere: mif@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Multiple Interface Discussion List <mif.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mif>, <mailto:mif-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mif/>
List-Post: <mailto:mif@ietf.org>
List-Help: <mailto:mif-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mif>, <mailto:mif-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Dec 2014 15:49:07 -0000

I'm sorry this has taken so long.   It got lost in the tracker, only to surface just as an unrelated cluster of documents was soaking up a lot of my time.   I am very excited to get this document to the IESG, so please don't take this delay as being indicative of a lack of interest.   On to the comments:

This is a bit hard to parse, and I suggest the following change:
OLD:
   3.  Usage of a particular network that is not consistent with the
       intent of the scenario or involved parties leading to
       connectivity failure and / or other undesired consequences.
NEW:
   3.  Use of a particular network that is not consistent with the
       intended use of the network, or the intent of the
       communicating parties, leading to connectivity failure
       and / or other undesired consequences.

What's the rationale for the third sentence in the paragraph below?

   In some network topologies, network infrastructure elements may need
   to advertise multiple PvDs.  Generally, the details of how this is
   performed will be defined in companion design documents.  However,
   where different design choices are possible, the choice that requires
   a smaller number of packets shall be preferred for efficiency.

I ask because I think this is DISCUSS fodder: someone is going to want details.   If it's important, let's keep it and defend it.   If it's more of an aside, let's get rid of it.

Difficult to parse:
OLD:
   For some time it is likely that there will be networks which do not
   advertise explicit PvD information as the deployment of new features
   in networking protocols is a relatively slow process.
NEW:
   For the foreseeable future, there will be networks which do not
   advertise explicit PvD information, because deployment of new
   features in networking protocols is a relatively slow process.

I think the last sentence in this paragraph serves two purposes, and would be better separated:
OLD:
   Through the use of implicit PvDs, PvD-aware nodes may still provide
   benefits to their users (when compared to non-PvD aware nodes) by
   following the best practices described in Section 5, using the
   network information from different interfaces separately to
   consistently serve network connection request.
NEW:
   Through the use of implicit PvDs, PvD-aware nodes may still provide
   benefits to their users (when compared to non-PvD aware nodes) by
   following the best practices described in Section 5.

   PvD-aware nodes shall treat betwork information from different
   interfaces, which is not identified as belonging explicitly to some
   PvD, as belonging to separate PvDs, one per interface.

The reason I propose this is that the last paragraph in the section imposes an explicit requirement on PvD-aware nodes that they separate out PvD-labeled and non-PvD-labeled information into explicit and implicit PvDs, but the section as a whole never explicitly states a requirement that information from different interfaces that is not labeled is treated as belonging to separate PvDs.   Whether this change as taken as I have made it, or done some other way, I think you need to state a requirement for both cases.

The last paragraph in the section also doesn't parse very well:
OLD:
   In mixed mode, i.e., where of multiple networks are available on an
   attached link only some of which advertise PvD information, the PvD-
   aware node shall create explicit PvDs from explicitly learned PvD
   information and associate other learned configuration (without an
   explicit PvD) with implicit PvD(s) created for that interface.
NEW:
   Implicit PvDs can also occur in a mixed mode, i.e., where of multiple
   networks that are available on an attached link, only some advertise
   PvD information.  In this case, the PvD-
   aware node shall create explicit PvDs from information explicitly 
   labeled as beloinging to PvDs.   It shall associate 
   configuration information not labeled with an explicit PvD with
   an implicit PvD created for that interface.

(Is there a case where two implicit PvDs would be created on the same interface?)

This seems a bit too definite to me:
OLD:
   Explicit PvDs, in practice will often also be scoped only for
   configuration related to a particular interface.  However, there are
   no such requirements or limitations defined in this architecture.
NEW:
   In the simplest case, explicit PvDs will be scoped for
   configuration related only to a specific interface.  However, 
   there is no requirement in this architecture for such a
   limitation.

I don't know what "generally" means here, suggest you delete it:
   generally, authentication of a PvD ID
   may be also required in scenarios involving only one connected
   interface and / or PvD

You could take out some equivocating here:
OLD:
   This architecture intends to support such scenarios, among others.
   Hence, it shall be noted that no hierarchical relationship exists
   between interfaces and PvDs: it is possible for multiple PvDs to be
   simultaneously accessible over one interface, as well as a single PvD
   to be simultaneously accessible over multiple interfaces.
NEW:
   This architecture supports such scenarios.
   Hence, no hierarchical relationship exists
   between interfaces and PvDs: it is possible for multiple PvDs to be
   simultaneously accessible over one interface, as well as a single PvD
   to be simultaneously accessible over multiple interfaces.

I think you need a signature, not an authorization token, here:
   To resolve this, there must be
   a mechanism for the PvD owner to attach some form of authorization
   token to the configuration information that is delivered.

I don't remember the details of the discussion we had anymore, but the issue with a token is that it doesn't actually solve the problem of proving that the PvD information supplied is actually associated with the named PvD.   Having said this, I know the working group thought about this, and I'm not proposing to change the consensus.   If the term "token" was preferred over "signature", it's fine to leave it that way and duke it out during IESG review. :)

This doesn't make sense:
   One way to
   restrict the propagation of information which is of no use to a
   specific host is for the host to indicate the PvD information they
   require within their configuration request.  One way this could be
   accomplished is by using a DHCPv6 ORO containing the PvDs that are of
   interest.  The configuration source can then respond with only the
   requested information.

The ORO just lists options.   There's no way to name a PvD.   I vaguely recall that the idea here was to provide a per-PvD ORO, not list PvDs in the ORO.

Do you really want to advocate the use of shared-secret authentication of PvD identities?   This would mean that any node that can authenticate the assertion of the PvD identity can also spoof it:

   One way to validate the trust relationship between a node and the
   source of a PvD is through the combination of cryptographic
   authentication and an identifier configured on the node.  In some
   cases, the two could be the same; for example, if authentication is
   by a shared secret, the secret would have to be associated with the
   PvD identifier.  Without a PvD Identifier / shared key tuple,
   authentication would be impossible, and hence authentication and
   authorization are combined.

Slight clarification called for here:
   Rogue configuration source: A compromised configuration source, such
      as a router or a DHCPv6 server, may advertise information about
      PvDs that it is not authorized to advertise.  e.g.  A coffee shop
      WLAN may advertise configuration information purporting to be from
      an enterprise and may try to attract enterprise related traffic.
      The only real way to prevent this is is for the PvD related
      configuration container to contain embedded authentication and
      authorization information from the owner of the PvD. This provides
      the client with a way of detecting the attack by verifying the
      authentication and authorization information provided inside the
      PvD container option, after verifying its trust of the PvD owner
      (e.g.  a certificate with a well-known / common trust anchor).

What prevents this attack is not the provision of authentication information, but an explicit configuration on the client to reject this PvD if it is _not_ authenticated.   The way you've stated it, it's fairly obvious that that's the case, but you don't actually say so.

v2.23.0 | Report a Bug | By Email