IETF Logo Mail Archive

Re: [Netconf] Alexey Melnikov's Discuss on draft-ietf-netconf-zerotouch-25: (with DISCUSS and COMMENT)

Alexey Melnikov <aamelnikov@fastmail.fm> Tue, 11 December 2018 16:45 UTC

Return-Path: <aamelnikov@fastmail.fm>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 130EE130E6C; Tue, 11 Dec 2018 08:45:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmail.fm header.b=uT7BmN/h; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=HP25Z/MX
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vJ0l0z9F26Sl; Tue, 11 Dec 2018 08:45:47 -0800 (PST)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F587130E68; Tue, 11 Dec 2018 08:45:47 -0800 (PST)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id 6000621F4F; Tue, 11 Dec 2018 11:45:46 -0500 (EST)
Received: from web5 ([10.202.2.215]) by compute7.internal (MEProxy); Tue, 11 Dec 2018 11:45:46 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.fm; h= message-id:from:to:cc:mime-version:content-transfer-encoding :content-type:date:references:subject:in-reply-to; s=fm1; bh=7qI H45ya3PV0noGOwCtFQ64/u/+8R+hOlkc/fhaR4qU=; b=uT7BmN/hROfeD7+wOEe PT0xp49YJgtdqrU/RkZZZtLtYkLxLSYfGJ/5ekyg6/fh31MR9dMCjFRy3+ErORrf 9o0qAg2oXg8oknzZt9qDkjNteFGZcQsVd0Tk0B/L98Grfq675CsbAtIkb+pBMaoF hbjx8kVcZhxN+t7ukZsBgLMjcoL+xry1jhHWzCrlzjS1xDWPYVK/JHTUrVzbDtoj To5cBJPBEBnFF0ckBy7NRDurfEVMQOWZYsdFyrMTFTasKNcjsmM+YTcRVhmgzm4Y 4LuOo6fmKY+9XNuxzO32EQ7MFQWJVu8hYV6Fsexc8tXk54jDY2QszHIMGwiu2l4Y e0w==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=7qIH45ya3PV0noGOwCtFQ64/u/+8R+hOlkc/fhaR4 qU=; b=HP25Z/MXKQUU59PHOFcWlYxaMKpZwdJokgGxX1nJ42IVH3oNyftp/OEDq T+qGYQkRNc44pgYT2BBi5K8Kq42HKKaoXLH7NNRA4F9bYMB/rtJ8YlP7o7LAn4YY Fom+7U55R1PDW/4sycZU/B1+vfOzZKwMqiEmF0Dl+1bdbVQZhg8ilvXuFk/UaLjW c/gJyqwl2mS0Avq6ODESZ+rOHO4wuUNbIatRVZ8vfMC/4U/eITfz1bMK0MOSNvhi MFIzkCUksldCF4wxjCX8MD43PPmfxSRURzepEy7sfoNYMJMpIriIKwws+sfhlscu iRMbUFgEBpxg74HFj4m6HNqQ6LyJg==
X-ME-Sender: <xms:uekPXMav6ucJ63A2AQ-SlDyGf_QfF8C672mJy2DRwHSw8lF5N4KRTA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedtkedrudegjedgleefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfquhhtnecuuegrihhlohhuthemucef tddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpefkhffvggfgtg foffhfufgjsehtjeertdertdejnecuhfhrohhmpeetlhgvgigvhicuofgvlhhnihhkohhv uceorggrmhgvlhhnihhkohhvsehfrghsthhmrghilhdrfhhmqeenucffohhmrghinhepih hpqdgruggurhgvshhsqdhorhdqhhhoshhtnhgrmhgvphhorhhtrdhsohdpghhithhhuhgs rdgtohhmpdhivghtfhdrohhrghdpphhrohhtohhnmhgrihhlrdgthhdpvgigrghmphhlvg drtghomhdpihgrnhgrrdhorhhgpdhgrggsrdgtohhmnecurfgrrhgrmhepmhgrihhlfhhr ohhmpegrrghmvghlnhhikhhovhesfhgrshhtmhgrihhlrdhfmhenucevlhhushhtvghruf hiiigvpedt
X-ME-Proxy: <xmx:uekPXP7Th2Pddg-lMWp0LceQCmIJu7YXUy3C3MoITdHAIRnnInv1xQ> <xmx:uekPXPySb5FfFOy7YT4pQ-E30T95HEN1KeBUuNVf5vanp51pmvENfQ> <xmx:uekPXApJRgTnQjxHgDy4M_Dxj90dy3w8I_o6qiS66wmBfDK6K8Zk4w> <xmx:uekPXB1Tw8h5hdlxoY38_33oPIScPKZaY4UIojL4-Y7cUuXwtMzydg> <xmx:uekPXJDvyvjU1_dgqwMuP_tCdQANeLQ5xRTTy7sanjXbsfhQVQ5pCA> <xmx:uukPXChWaZ2kORRb3jGg4SkGFCjyp3FHleG4yLMvSi527Z9Urvz30g>
Received: by mailuser.nyi.internal (Postfix, from userid 99) id 9FF739E149; Tue, 11 Dec 2018 11:45:45 -0500 (EST)
Message-Id: <1544546745.239011.1606019152.63663D44@webmail.messagingengine.com>
From: Alexey Melnikov <aamelnikov@fastmail.fm>
To: Kent Watsen <kwatsen@juniper.net>, The IESG <iesg@ietf.org>
Cc: draft-ietf-netconf-zerotouch@ietf.org, netconf-chairs@ietf.org, netconf@ietf.org
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="utf-8"
X-Mailer: MessagingEngine.com Webmail Interface - ajax-2f590f9a
Date: Tue, 11 Dec 2018 16:45:45 +0000
References: <154403409772.31942.18387130156502248943.idtracker@ietfa.amsl.com> <C6DF1C92-1132-4E8E-A27F-70B79157C9E7@juniper.net>
In-Reply-To: <C6DF1C92-1132-4E8E-A27F-70B79157C9E7@juniper.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/shT8ywUuQYSCmVqneu6Sd5PwW3c>
Subject: Re: [Netconf] Alexey Melnikov's Discuss on draft-ietf-netconf-zerotouch-25: (with DISCUSS and COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Dec 2018 16:45:50 -0000

Hi Kent,

On Mon, Dec 10, 2018, at 11:03 PM, Kent Watsen wrote:
> Hi Alexey,
> 
> Thanks for your review!
> See below for responses.
> 
> 
> Kent // coauthor
> 
> 
> 
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > Thank you for a well written document, it was a pleasure to read.
> > I have a small list of issues that I would like to discuss before
> > recommending approval of this document:
> >
> >
> > In Section 5.3:
> >
> >   If the zero touch information artifact contains redirect information,
> >   the device MUST, within limits of how many recursive loops the device
> >   allows, process the redirect information as described in Section 5.5.
> >   This is the recursion step, it will cause the device to reenter this
> >   algorithm, but this time the data source will definitely be a
> >   bootstrap server, as that is all redirect information is able to
> >   redirect a device to.
> >
> > I think you need to specify a "max redirect" value in order to
> > prevent intentional or unintentional misconfigurations. Without
> > such limit it is trivial to introduce denial-of-service attack
> > on naive device implementations.
> 
> There is a Security Consideration on this very point, where is says:
> 
>    Implementations SHOULD limit the maximum number of recursive
>    redirects allowed; no more than a half dozen seems reasonable.

I think this is weaker than I would like. I also didn't read the second part (half dozen) as normative. So my suggestion is below.

> Here's direct link:
>   https://tools.ietf.org/html/draft-ietf-netconf-zerotouch-25#section-9.9
> 
> Is this now acceptable as is?  If not, would it be suffice to 
> add a reference the Security Consideration?  If not, then, yes,
> a max-redirect value could be defined, but it would have to be 
> somewhat high (25?) so that the standard doesn't prematurely
> limit some unforeseen use.  Please advise.

I think I prefer something like this:

    Implementations MUST limit the maximum number of recursive
    redirects allowed; the maximum number of recursive
    redirects allowed SHOULD be 25.

And adding a reference to the Security Considerations.

I.e., I think imposing a limit should be a MUST with the value 25 recommended.

> > 2)
> > 10.3.  The SMI Security for S/MIME CMS Content Type Registry
> >
> >   IANA is kindly requested to add two entries in the "SMI Security for
> >   S/MIME CMS Content Type" registry (1.2.840.113549.1.9.16.1), with
> >   values as follows:
> >
> >   Decimal  Description                             References
> >   -------  --------------------------------------  ----------
> >   TBD1      id-ct-zerotouchInformationXML          [RFCXXXX]
> >   TBD2      id-ct-zerotouchInformationJSON         [RFCXXXX]
> >
> >   id-ct-zerotouchInformationXML indicates that the "zerotouch-
> >   information" is encoded using XML.  id-ct-zerotouchInformationJSON
> >   indicates that the "zerotouch-information" is encoded using JSON.
> >
> > You define these values, but they are not used anywhere in the document.
> 
> Aye, you're right!  At least, they're not referenced by name, which
> complicates searching for them...  (see my next response for more)
> 
> 
> 
> > It looks like you intended for this to be used in several places,
> > for example:
> >
> > 3.1.  Zero Touch Information
> >
> >   When the zero touch information artifact is unsigned, as it might be
> >   when communicated over trusted channels, the CMS structure's top-most
> >   content type MUST be one of the OIDs described in Section 10.3, or
> >   the OID id-data (1.2.840.113549.1.7.1), in which case the encoding
> >   (JSON, XML, etc.)  SHOULD be communicated externally.  In either
> >   case, the associated content is an octet string containing
> >   "zerotouch-information" data in the expected encoding.
> >
> > Did you intend to use the above OIDs here?
> 
> Yes, exactly, and also in two other places in Section 3.1.  In
> all three instances, we could either:
> 
>   OLD:
>     ...one of the OIDs described in Section 10.3,
> 
>   NEW1:
>     ...one of the OIDs described in Section 10.3 (i.e., 
>     id-ct-zerotouchInformationXML or id-ct-zerotouchInformationJSON),
> 
> or
> 
>   NEW2:
>     ...one of the OIDs described in Section 10.3 (i.e., 
>     1.2.840.113549.1.9.16.1.TBD1 or 1.2.840.113549.1.9.16.1.TBD2),
> 
> Do you have a preference?

I think NEW1 is clearer.

> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > 4.2.  DNS Server
> >
> >   To use a DNS server as a source of bootstrapping data, a device MAY
> >   perform a multicast DNS [RFC6762] query searching for the service
> >   "_zerotouch._tcp.local.".  Alternatively the device MAY perform DNS-
> >   SD [RFC6763] via normal DNS operation, using the domain returned to
> >   it from the DHCP server; for example, searching for the service
> >   "_zerotouch._tcp.example.com".
> >
> > I agree with Adam that "zerotouch" much be a registered as service 
> > name, see https://www.iana.org/assignments/service-names-port-numbers\ /service-names-port-numbers.xhtml.
> 
> Agreed, and I responded to Adam previously as follows:
> 
>   ===start===
>   You are quite right.  Here is the Github commit to add an IANA 
> registration
>   for the "zerotouch" service:  
> https://github.com/netconf-wg/zero-touch/commit/6280763339a3e91b9efb21703b26a6bdbf05349b.

This looks reasonable. (Note, saying that this is an extension of HTTPS in a note doesn't help. I think it would be better to say "this protocol uses HTTPS as a substrate". The current text would make people wonder why you need to register a new service name.)
 
>   Please let me know if you suggest any further changes.  
>   ===stop===
> 
> And likewise, Alexey, please also let me know if you suggest any 
> further changes.  
> 
> 
> 
> 
> >   Artifact to Resource Record Mapping:
> >
> >      Zero Touch Information:  Mapped to a TXT record called "zt-info"
> >        containing the base64-encoding of the binary artifact described
> >         in Section 3.1.
> >
> >      Owner Certificate:  Mapped to a TXT record called "zt-cert"
> >         containing the base64-encoding of the binary artifact described
> >         in Section 3.2.
> >
> >      Ownership Voucher:  Mapped to a TXT record called "zt-voucher"
> >         containing the base64-encoding of the binary artifact described
> >         in Section 3.3.
> >
> > So just to double check, these would be zt-info._zerotouch._tcp.example.com,
> > etc?
> 
> I'm not a DNS expert, but my understanding is that lookup would be on, 
> e.g., _zerotouch._tcp.example.com and that the TXT records would be 
> returned as follows:
> 
> _zerotouch._tcp.example.com.  3600  IN  TXT  "zt_info=base64encodedvalue=="
> _zerotouch._tcp.example.com.  3600  IN  TXT  "zt_cert=base64encodedvalue=="
> _zerotouch._tcp.example.com.  3600  IN  TXT  "zt_voucher=base64encodedvalue=="

This is not what your text is saying. I also don't think that your description is correct. "TXT record called X" is not something defined. You need to define TXT record which can contain attribute=value syntax and allowed attributes are one of 3 you define.

> For instance ['\' added for readability]:
> 
>   # dig txt gab.com
>   <snip/>
>   ;; ANSWER SECTION:
>   gab.com.		300	IN	TXT	"v=spf1 include:_spf.protonmail.ch mx ~all"
>   gab.com.		300	IN	TXT	"ca3-56e3739f7f644cdaaa0e7edc903cf648"
>   gab.com.		300	IN	TXT	"protonmail-verification=\
>                                   96ca5019e36fc3a6dc5c4399efabe68792e55cc7"
>   <snip/>
> 
> Do you feel that an example in the document is warranted?

Definitely you should add some examples. 

> > 8.1.  DHCPv4 Zero Touch Option
> >
> >      o bootstrap-server-list: A list of servers for the
> >         client to attempt contacting, in order to obtain
> >         further bootstrapping data, in the format shown
> >         in [common-field-encoding].
> >
> > [common-field-encoding] in this and subsequent sections looks like a
> > reference to Section 8.3. Please fix before publication, as this looks
> > like an undefined reference.
> 
> Good grief, fixed (in both locations)!
> 
>   s/[common-field-encoding]/Section 8.3/
> 
> 
> 
> > 8.3.  Common Field Encoding
> >
> >   Both of the DHCPv4 and DHCPv6 options defined in this section encode
> >   a list of bootstrap server URIs.  The "URI" structure is an option
> >   that can contain multiple URIs (see [RFC7227], Section 5.7).
> >
> >     bootstrap-server-list:
> >
> > This is confusing, because I believe the following is a single entry
> > in the list, not the whole list syntax:
> >
> >     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-...-+-+-+-+-+-+-+
> >     |       uri-length              |          URI                  |
> >     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-...-+-+-+-+-+-+-+
> >
> >     o uri-length: 2 octets long, specifies the length of the URI data.
> >
> >     o URI: URI of zerotouch bootstrap server, using the HTTPS URI
> >       scheme defined in Section 2.7.2 of RFC7230.  URI MUST be in
> >       form "https://<ip-address-or-hostname>[:<port>]".
> >
> > So if I am correct above, please clarify this by changing
> > "bootstrap-server-list:" to "bootstrap-server-list is a list of 1 or more
> > items, each with the following syntax:" (Or something like this.)
> >
> > Also, "URI" deserve to be a Normative Reference, as it defines the
> > generic syntax you are referring to.
> 
> 
> I have ask my coauthor, Ian, to respond to this comment.

Ok.

Best Regards,
Alexey

v2.23.0 | Report a Bug | By Email