Re: [Netconf] Alexey Melnikov's Discuss on draft-ietf-netconf-zerotouch-25: (with DISCUSS and COMMENT)
Alexey Melnikov <aamelnikov@fastmail.fm> Tue, 11 December 2018 16:45 UTC
Return-Path: <aamelnikov@fastmail.fm>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 130EE130E6C; Tue, 11 Dec 2018 08:45:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmail.fm header.b=uT7BmN/h; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=HP25Z/MX
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vJ0l0z9F26Sl; Tue, 11 Dec 2018 08:45:47 -0800 (PST)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F587130E68; Tue, 11 Dec 2018 08:45:47 -0800 (PST)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id 6000621F4F; Tue, 11 Dec 2018 11:45:46 -0500 (EST)
Received: from web5 ([10.202.2.215]) by compute7.internal (MEProxy); Tue, 11 Dec 2018 11:45:46 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.fm; h= message-id:from:to:cc:mime-version:content-transfer-encoding :content-type:date:references:subject:in-reply-to; s=fm1; bh=7qI H45ya3PV0noGOwCtFQ64/u/+8R+hOlkc/fhaR4qU=; b=uT7BmN/hROfeD7+wOEe PT0xp49YJgtdqrU/RkZZZtLtYkLxLSYfGJ/5ekyg6/fh31MR9dMCjFRy3+ErORrf 9o0qAg2oXg8oknzZt9qDkjNteFGZcQsVd0Tk0B/L98Grfq675CsbAtIkb+pBMaoF hbjx8kVcZhxN+t7ukZsBgLMjcoL+xry1jhHWzCrlzjS1xDWPYVK/JHTUrVzbDtoj To5cBJPBEBnFF0ckBy7NRDurfEVMQOWZYsdFyrMTFTasKNcjsmM+YTcRVhmgzm4Y 4LuOo6fmKY+9XNuxzO32EQ7MFQWJVu8hYV6Fsexc8tXk54jDY2QszHIMGwiu2l4Y e0w==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=7qIH45ya3PV0noGOwCtFQ64/u/+8R+hOlkc/fhaR4 qU=; b=HP25Z/MXKQUU59PHOFcWlYxaMKpZwdJokgGxX1nJ42IVH3oNyftp/OEDq T+qGYQkRNc44pgYT2BBi5K8Kq42HKKaoXLH7NNRA4F9bYMB/rtJ8YlP7o7LAn4YY Fom+7U55R1PDW/4sycZU/B1+vfOzZKwMqiEmF0Dl+1bdbVQZhg8ilvXuFk/UaLjW c/gJyqwl2mS0Avq6ODESZ+rOHO4wuUNbIatRVZ8vfMC/4U/eITfz1bMK0MOSNvhi MFIzkCUksldCF4wxjCX8MD43PPmfxSRURzepEy7sfoNYMJMpIriIKwws+sfhlscu iRMbUFgEBpxg74HFj4m6HNqQ6LyJg==
X-ME-Sender: <xms:uekPXMav6ucJ63A2AQ-SlDyGf_QfF8C672mJy2DRwHSw8lF5N4KRTA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedtkedrudegjedgleefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfquhhtnecuuegrihhlohhuthemucef tddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpefkhffvggfgtg foffhfufgjsehtjeertdertdejnecuhfhrohhmpeetlhgvgigvhicuofgvlhhnihhkohhv uceorggrmhgvlhhnihhkohhvsehfrghsthhmrghilhdrfhhmqeenucffohhmrghinhepih hpqdgruggurhgvshhsqdhorhdqhhhoshhtnhgrmhgvphhorhhtrdhsohdpghhithhhuhgs rdgtohhmpdhivghtfhdrohhrghdpphhrohhtohhnmhgrihhlrdgthhdpvgigrghmphhlvg drtghomhdpihgrnhgrrdhorhhgpdhgrggsrdgtohhmnecurfgrrhgrmhepmhgrihhlfhhr ohhmpegrrghmvghlnhhikhhovhesfhgrshhtmhgrihhlrdhfmhenucevlhhushhtvghruf hiiigvpedt
X-ME-Proxy: <xmx:uekPXP7Th2Pddg-lMWp0LceQCmIJu7YXUy3C3MoITdHAIRnnInv1xQ> <xmx:uekPXPySb5FfFOy7YT4pQ-E30T95HEN1KeBUuNVf5vanp51pmvENfQ> <xmx:uekPXApJRgTnQjxHgDy4M_Dxj90dy3w8I_o6qiS66wmBfDK6K8Zk4w> <xmx:uekPXB1Tw8h5hdlxoY38_33oPIScPKZaY4UIojL4-Y7cUuXwtMzydg> <xmx:uekPXJDvyvjU1_dgqwMuP_tCdQANeLQ5xRTTy7sanjXbsfhQVQ5pCA> <xmx:uukPXChWaZ2kORRb3jGg4SkGFCjyp3FHleG4yLMvSi527Z9Urvz30g>
Received: by mailuser.nyi.internal (Postfix, from userid 99) id 9FF739E149; Tue, 11 Dec 2018 11:45:45 -0500 (EST)
Message-Id: <1544546745.239011.1606019152.63663D44@webmail.messagingengine.com>
From: Alexey Melnikov <aamelnikov@fastmail.fm>
To: Kent Watsen <kwatsen@juniper.net>, The IESG <iesg@ietf.org>
Cc: draft-ietf-netconf-zerotouch@ietf.org, netconf-chairs@ietf.org, netconf@ietf.org
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="utf-8"
X-Mailer: MessagingEngine.com Webmail Interface - ajax-2f590f9a
Date: Tue, 11 Dec 2018 16:45:45 +0000
References: <154403409772.31942.18387130156502248943.idtracker@ietfa.amsl.com> <C6DF1C92-1132-4E8E-A27F-70B79157C9E7@juniper.net>
In-Reply-To: <C6DF1C92-1132-4E8E-A27F-70B79157C9E7@juniper.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/shT8ywUuQYSCmVqneu6Sd5PwW3c>
Subject: Re: [Netconf] Alexey Melnikov's Discuss on draft-ietf-netconf-zerotouch-25: (with DISCUSS and COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Dec 2018 16:45:50 -0000
Hi Kent, On Mon, Dec 10, 2018, at 11:03 PM, Kent Watsen wrote: > Hi Alexey, > > Thanks for your review! > See below for responses. > > > Kent // coauthor > > > > > ---------------------------------------------------------------------- > > DISCUSS: > > ---------------------------------------------------------------------- > > > > Thank you for a well written document, it was a pleasure to read. > > I have a small list of issues that I would like to discuss before > > recommending approval of this document: > > > > > > In Section 5.3: > > > > If the zero touch information artifact contains redirect information, > > the device MUST, within limits of how many recursive loops the device > > allows, process the redirect information as described in Section 5.5. > > This is the recursion step, it will cause the device to reenter this > > algorithm, but this time the data source will definitely be a > > bootstrap server, as that is all redirect information is able to > > redirect a device to. > > > > I think you need to specify a "max redirect" value in order to > > prevent intentional or unintentional misconfigurations. Without > > such limit it is trivial to introduce denial-of-service attack > > on naive device implementations. > > There is a Security Consideration on this very point, where is says: > > Implementations SHOULD limit the maximum number of recursive > redirects allowed; no more than a half dozen seems reasonable. I think this is weaker than I would like. I also didn't read the second part (half dozen) as normative. So my suggestion is below. > Here's direct link: > https://tools.ietf.org/html/draft-ietf-netconf-zerotouch-25#section-9.9 > > Is this now acceptable as is? If not, would it be suffice to > add a reference the Security Consideration? If not, then, yes, > a max-redirect value could be defined, but it would have to be > somewhat high (25?) so that the standard doesn't prematurely > limit some unforeseen use. Please advise. I think I prefer something like this: Implementations MUST limit the maximum number of recursive redirects allowed; the maximum number of recursive redirects allowed SHOULD be 25. And adding a reference to the Security Considerations. I.e., I think imposing a limit should be a MUST with the value 25 recommended. > > 2) > > 10.3. The SMI Security for S/MIME CMS Content Type Registry > > > > IANA is kindly requested to add two entries in the "SMI Security for > > S/MIME CMS Content Type" registry (1.2.840.113549.1.9.16.1), with > > values as follows: > > > > Decimal Description References > > ------- -------------------------------------- ---------- > > TBD1 id-ct-zerotouchInformationXML [RFCXXXX] > > TBD2 id-ct-zerotouchInformationJSON [RFCXXXX] > > > > id-ct-zerotouchInformationXML indicates that the "zerotouch- > > information" is encoded using XML. id-ct-zerotouchInformationJSON > > indicates that the "zerotouch-information" is encoded using JSON. > > > > You define these values, but they are not used anywhere in the document. > > Aye, you're right! At least, they're not referenced by name, which > complicates searching for them... (see my next response for more) > > > > > It looks like you intended for this to be used in several places, > > for example: > > > > 3.1. Zero Touch Information > > > > When the zero touch information artifact is unsigned, as it might be > > when communicated over trusted channels, the CMS structure's top-most > > content type MUST be one of the OIDs described in Section 10.3, or > > the OID id-data (1.2.840.113549.1.7.1), in which case the encoding > > (JSON, XML, etc.) SHOULD be communicated externally. In either > > case, the associated content is an octet string containing > > "zerotouch-information" data in the expected encoding. > > > > Did you intend to use the above OIDs here? > > Yes, exactly, and also in two other places in Section 3.1. In > all three instances, we could either: > > OLD: > ...one of the OIDs described in Section 10.3, > > NEW1: > ...one of the OIDs described in Section 10.3 (i.e., > id-ct-zerotouchInformationXML or id-ct-zerotouchInformationJSON), > > or > > NEW2: > ...one of the OIDs described in Section 10.3 (i.e., > 1.2.840.113549.1.9.16.1.TBD1 or 1.2.840.113549.1.9.16.1.TBD2), > > Do you have a preference? I think NEW1 is clearer. > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > 4.2. DNS Server > > > > To use a DNS server as a source of bootstrapping data, a device MAY > > perform a multicast DNS [RFC6762] query searching for the service > > "_zerotouch._tcp.local.". Alternatively the device MAY perform DNS- > > SD [RFC6763] via normal DNS operation, using the domain returned to > > it from the DHCP server; for example, searching for the service > > "_zerotouch._tcp.example.com". > > > > I agree with Adam that "zerotouch" much be a registered as service > > name, see https://www.iana.org/assignments/service-names-port-numbers\ /service-names-port-numbers.xhtml. > > Agreed, and I responded to Adam previously as follows: > > ===start=== > You are quite right. Here is the Github commit to add an IANA > registration > for the "zerotouch" service: > https://github.com/netconf-wg/zero-touch/commit/6280763339a3e91b9efb21703b26a6bdbf05349b. This looks reasonable. (Note, saying that this is an extension of HTTPS in a note doesn't help. I think it would be better to say "this protocol uses HTTPS as a substrate". The current text would make people wonder why you need to register a new service name.) > Please let me know if you suggest any further changes. > ===stop=== > > And likewise, Alexey, please also let me know if you suggest any > further changes. > > > > > > Artifact to Resource Record Mapping: > > > > Zero Touch Information: Mapped to a TXT record called "zt-info" > > containing the base64-encoding of the binary artifact described > > in Section 3.1. > > > > Owner Certificate: Mapped to a TXT record called "zt-cert" > > containing the base64-encoding of the binary artifact described > > in Section 3.2. > > > > Ownership Voucher: Mapped to a TXT record called "zt-voucher" > > containing the base64-encoding of the binary artifact described > > in Section 3.3. > > > > So just to double check, these would be zt-info._zerotouch._tcp.example.com, > > etc? > > I'm not a DNS expert, but my understanding is that lookup would be on, > e.g., _zerotouch._tcp.example.com and that the TXT records would be > returned as follows: > > _zerotouch._tcp.example.com. 3600 IN TXT "zt_info=base64encodedvalue==" > _zerotouch._tcp.example.com. 3600 IN TXT "zt_cert=base64encodedvalue==" > _zerotouch._tcp.example.com. 3600 IN TXT "zt_voucher=base64encodedvalue==" This is not what your text is saying. I also don't think that your description is correct. "TXT record called X" is not something defined. You need to define TXT record which can contain attribute=value syntax and allowed attributes are one of 3 you define. > For instance ['\' added for readability]: > > # dig txt gab.com > <snip/> > ;; ANSWER SECTION: > gab.com. 300 IN TXT "v=spf1 include:_spf.protonmail.ch mx ~all" > gab.com. 300 IN TXT "ca3-56e3739f7f644cdaaa0e7edc903cf648" > gab.com. 300 IN TXT "protonmail-verification=\ > 96ca5019e36fc3a6dc5c4399efabe68792e55cc7" > <snip/> > > Do you feel that an example in the document is warranted? Definitely you should add some examples. > > 8.1. DHCPv4 Zero Touch Option > > > > o bootstrap-server-list: A list of servers for the > > client to attempt contacting, in order to obtain > > further bootstrapping data, in the format shown > > in [common-field-encoding]. > > > > [common-field-encoding] in this and subsequent sections looks like a > > reference to Section 8.3. Please fix before publication, as this looks > > like an undefined reference. > > Good grief, fixed (in both locations)! > > s/[common-field-encoding]/Section 8.3/ > > > > > 8.3. Common Field Encoding > > > > Both of the DHCPv4 and DHCPv6 options defined in this section encode > > a list of bootstrap server URIs. The "URI" structure is an option > > that can contain multiple URIs (see [RFC7227], Section 5.7). > > > > bootstrap-server-list: > > > > This is confusing, because I believe the following is a single entry > > in the list, not the whole list syntax: > > > > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-...-+-+-+-+-+-+-+ > > | uri-length | URI | > > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-...-+-+-+-+-+-+-+ > > > > o uri-length: 2 octets long, specifies the length of the URI data. > > > > o URI: URI of zerotouch bootstrap server, using the HTTPS URI > > scheme defined in Section 2.7.2 of RFC7230. URI MUST be in > > form "https://<ip-address-or-hostname>[:<port>]". > > > > So if I am correct above, please clarify this by changing > > "bootstrap-server-list:" to "bootstrap-server-list is a list of 1 or more > > items, each with the following syntax:" (Or something like this.) > > > > Also, "URI" deserve to be a Normative Reference, as it defines the > > generic syntax you are referring to. > > > I have ask my coauthor, Ian, to respond to this comment. Ok. Best Regards, Alexey
- [Netconf] Alexey Melnikov's Discuss on draft-ietf… Alexey Melnikov
- Re: [Netconf] Alexey Melnikov's Discuss on draft-… Kent Watsen
- Re: [Netconf] Alexey Melnikov's Discuss on draft-… ianfarrer
- Re: [Netconf] Alexey Melnikov's Discuss on draft-… Alexey Melnikov
- Re: [Netconf] Alexey Melnikov's Discuss on draft-… Alexey Melnikov
- Re: [Netconf] Alexey Melnikov's Discuss on draft-… Kent Watsen