IETF Logo Mail Archive

Re: [mif] Comments on draft-ietf-mif-mpvd-ndp-support

Jouni Korhonen <jouni.nospam@gmail.com> Thu, 23 July 2015 11:08 UTC

Return-Path: <jouni.nospam@gmail.com>
X-Original-To: mif@ietfa.amsl.com
Delivered-To: mif@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD4011A89FF for <mif@ietfa.amsl.com>; Thu, 23 Jul 2015 04:08:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WWL8ElHJvDre for <mif@ietfa.amsl.com>; Thu, 23 Jul 2015 04:07:59 -0700 (PDT)
Received: from mail-wi0-x230.google.com (mail-wi0-x230.google.com [IPv6:2a00:1450:400c:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 611AE1A89B1 for <mif@ietf.org>; Thu, 23 Jul 2015 04:07:59 -0700 (PDT)
Received: by wicmv11 with SMTP id mv11so18858751wic.0 for <mif@ietf.org>; Thu, 23 Jul 2015 04:07:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-type:content-transfer-encoding; bh=+DVbSyb80tkVCf8ECTKU5QGg5yp0Wm7m25+8cjL53O4=; b=g/APW+8/EO0vZiva8f7kbGmab7LXEHPScOvl2DF5TuNkDR8V3ZT603I456Utxc9bMT UDOGgE81OedyKarRK4PP9s+HBSTFQnqC8qlvNpvnJIkULxyT3JJZ7uCQbhN27o9TEz/+ B1Gsk57y/gKhv7VV9WCpoGAHpasve6VpV2ENm8+hfPTkagssqcnEylBL5UFttMbY93Ea LyAmdlVrU2RwCTujNAIQw4+mpnYxpZE/Uu9ufUFyAkHhGpvQB/x4IfX7+2W2QWn3XgT4 eo5YkjeXixkWdpq6vAU78FELjdLPWZy7J7KkfgjtLLi7aLYKTDziI1T72pcrnnFGtIZC mOPg==
X-Received: by 10.194.83.70 with SMTP id o6mr14555593wjy.44.1437649678144; Thu, 23 Jul 2015 04:07:58 -0700 (PDT)
Received: from ?IPv6:2001:67c:370:136:688d:6fe9:d384:b1f6? ([2001:67c:370:136:688d:6fe9:d384:b1f6]) by smtp.googlemail.com with ESMTPSA id gw7sm26624596wib.15.2015.07.23.04.07.56 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 23 Jul 2015 04:07:57 -0700 (PDT)
To: Steven Barth <cyrus@openwrt.org>, "mif@ietf.org" <mif@ietf.org>
References: <55AF52F1.2040802@openwrt.org>
From: Jouni Korhonen <jouni.nospam@gmail.com>
Message-ID: <55B0CB0C.1010301@gmail.com>
Date: Thu, 23 Jul 2015 04:07:56 -0700
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0
MIME-Version: 1.0
In-Reply-To: <55AF52F1.2040802@openwrt.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/mif/VnTr5a3DR6XahFl87rYlcFs-Bu4>
Subject: Re: [mif] Comments on draft-ietf-mif-mpvd-ndp-support
X-BeenThere: mif@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Multiple Interface Discussion List <mif.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mif>, <mailto:mif-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mif/>
List-Post: <mailto:mif@ietf.org>
List-Help: <mailto:mif-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mif>, <mailto:mif-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2015 11:08:03 -0000

Hi Steve,

Thanks for the review. See my intial comments inline:

7/22/2015, 1:23 AM, Steven Barth kirjoitti:
> Hello everyone,
>
> some probably non-conclusive comments on the NDP-support draft.
>
> 3 "However, including a PVD container or identity
>     options inside a Router Solicitation (RS) NDP messages is also
>     possible (actually, in this way a host can solicit for information
>     from a specific provisioning domain)."
>
> This is awkward. Foremost, hosts only send RSs when they change links
> and also replies to RS may be multicasted to all hosts on the links
> (and often in practice still are).

And what is the issue in that case if all others on the same link see 
what you are asking for?

> In any case I don't see the point of adding the container to the RS and / or
> maybe the Identity. This is just plain ambiguous.

Could you open more the "plain ambiguous" part? Ambiguous how to 
implement or how/when to use? If you have a better wording in mind I am 
happy to see it & incorporate it.

> 3 "The PVD container MUST NOT be fragmented i.e., should the
>     IPv6 packet be fragmented, the PVD container and the accompanying PVD
>     identity MUST both be inside the same fragment."
>
> The i.e. makes it ambiguous. Now MUST the whole container NOT be fragmented or
> MUST every fragment have a PVD Identity or only the first one?

Again, what is ambiguous here? The container must not be fragmented. If 
the ipv6 packet itself is fragmented the container has to be as a whole 
in one of those fragment. If you have a better wording in mind I am 
happy to see it & incorporate it.

>
>
> 3 S-bit: Could this not just be encoded as "Name Type" = 0?

It could. The reason why that is not the case now is that we use RFC6487 
name type registry here are currently value 0 is reserved and therefore 
overloading its meaning in this I-D could be a bit risky.

> 3 "Name Type": I find it peculiar that the name type is selectable but not
> the signature algorithm (at least to my understanding).

Algorithms that are directly mapped to name types are listed in RFC6487.

>
> 3 "Key Hash": Since this doesn't have a length field a client not understanding
> the name type cannot interpret anything in the container even if it does not
> want to check the signature. I'm not sure if this is intended.

Ok. This is a good point. I'll look into this. My earlier assumption was 
that if security is in place and the host does not understand the name 
type -> skip the entire container. But I think we may need to address 
the case where the end host just does not care i.e. "approve exception" 
that is very typical when surfing web and ignoring expired certificates..

> 3 "This MAY imply adding
>     padding zero octets to the tail of the PVD container option until the
>     alignment requirement has been met"
>
> A MAY padding seems awkward and actually ambiguous. (This also applies to
> 4 to a lesser degree)

Care to explain more what is ambiguous? You may end up doing padding but 
not in all cases. If you have a better wording in mind I am happy to see 
it & incorporate it.

> 4 Is it useful that PVD ID is a separate TLV if a container MUST have exactly 1 in it
> and the stand-alone use (e.g. in RS) is probably questionable?

Until the RS piece is resolved a separate option is imho justified.

> 6 Again as for dhcpv6, timestamps may not be ready for checking at the point
> where RAs are evaluated since these are essentially bootstrap protocol and
> not all devices do have RTCs or unauthenticated NTP server options may be used
> to tamper with wallclock settings.

I assume you are now in Section 6?  It says "..some replay protection 
mechanism such as a.. This specification does not define a replay 
protection solution.."

I understand the point that timestamp may not answer the replay 
protection issue but this I-D is not also relying on it either. I am 
happy to remove the "..such as.." part if that is contentious.

>
> 9 RFC 3971 is in informative references but since you use it as source for
> your signature algorithm should it not be normative?

Hmm.. good point. However, we do not want to mandate entire RFC3971 but 
only parts of it. I wonder how to express that in the 
normative/informative references.

- Jouni

>
>
>
>
> Cheers,
>
> Steven
>
> _______________________________________________
> mif mailing list
> mif@ietf.org
> https://www.ietf.org/mailman/listinfo/mif
>

v2.23.0 | Report a Bug | By Email