IETF Logo Mail Archive

Re: [Netconf] Alexey Melnikov's Discuss on draft-ietf-netconf-zerotouch-25: (with DISCUSS and COMMENT)

Kent Watsen <kwatsen@juniper.net> Thu, 20 December 2018 19:49 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C57A1130E64; Thu, 20 Dec 2018 11:49:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.765
X-Spam-Level:
X-Spam-Status: No, score=-2.765 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.065, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W_4cGgXOSMXI; Thu, 20 Dec 2018 11:49:04 -0800 (PST)
Received: from mx0b-00273201.pphosted.com (mx0b-00273201.pphosted.com [67.231.152.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 811EF1311B3; Thu, 20 Dec 2018 11:49:04 -0800 (PST)
Received: from pps.filterd (m0108162.ppops.net [127.0.0.1]) by mx0b-00273201.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id wBKJikoI024146; Thu, 20 Dec 2018 11:48:53 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=BmV8hMuh2IkZMD6w7hhQ2hArVRaUGlMIEJoCWCaAP7M=; b=ZsATF6/Hrxruh2qtac/VWzqhwCyVGUik4prUYvY/LVXf6FJl9TdqhIwrLOaI0g2A7g4T 6C712CIeVCzr2/8ytv8nThXGLdSguqbUT/qdFC6r7swktZzkNSpBQE/KxnyUwnHo+VpE 1XU27z61MY/8lxmfeWZvVwe+IFKhGs31jCAuGGdaLZ0Nxcm3VOHWlAMDpXS66OkHol2h twNjHe4ZQAqfaRCjUWylQTM/c8uZZsKzQ8neBfC+SuH1vc2zFbDgzIwe2aMh6vVDaSO8 fnxrT+A82mSCgXh08lp9Z4VwGMqzDcs9EnkT9Ibezs8w+xsEMySimQidd/hYAdR4F5p9 1A==
Received: from nam01-sn1-obe.outbound.protection.outlook.com (mail-sn1nam01lp2056.outbound.protection.outlook.com [104.47.32.56]) by mx0b-00273201.pphosted.com with ESMTP id 2pggqv038n-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 20 Dec 2018 11:48:53 -0800
Received: from DM6PR05MB4665.namprd05.prod.outlook.com (20.176.109.202) by DM6PR05MB6297.namprd05.prod.outlook.com (20.178.27.206) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1471.10; Thu, 20 Dec 2018 19:48:48 +0000
Received: from DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::f0f3:20f0:2104:638c]) by DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::f0f3:20f0:2104:638c%2]) with mapi id 15.20.1446.015; Thu, 20 Dec 2018 19:48:47 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Alexey Melnikov <aamelnikov@fastmail.fm>, The IESG <iesg@ietf.org>
CC: "draft-ietf-netconf-zerotouch@ietf.org" <draft-ietf-netconf-zerotouch@ietf.org>, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: Alexey Melnikov's Discuss on draft-ietf-netconf-zerotouch-25: (with DISCUSS and COMMENT)
Thread-Index: AQHUjMdfcgz3uvchk06pPxfK6ViltaV4S9WAgAF8iICADgRMAA==
Date: Thu, 20 Dec 2018 19:48:47 +0000
Message-ID: <6058F165-D099-4279-A27D-BA415AC4548A@juniper.net>
References: <154403409772.31942.18387130156502248943.idtracker@ietfa.amsl.com> <C6DF1C92-1132-4E8E-A27F-70B79157C9E7@juniper.net> <1544546745.239011.1606019152.63663D44@webmail.messagingengine.com>
In-Reply-To: <1544546745.239011.1606019152.63663D44@webmail.messagingengine.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.4.181110
x-originating-ip: [66.129.241.11]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM6PR05MB6297; 6:suHFurEwGgVPZWXwxNjsmNQbGx7XDXVuOpnyUxt/N1d6Mqr8ieySb6sOTMosi+Xg1pFP9qcpf7rxQ8EuBrY/SvE+0IzRYyI0NiA0vF5hpjK+hwSxunmJOAisTkPJ59MgDVfqCJX8i2MWqQw/PPMKjYI8X+nrSZDu/bFY/MYvypdkOhX5lU1Z8Ey0UGpMjUpWgtAiGj87HUzjizTRMWa960mhBIhBAWCK3XYEQ9VNFcfSl0IC8OMJGji2j2GDhyDtMiugoIR82CQfv16IDaARNc9JDBIxEg/33FZhM43k4PFI+stWZ0yMS1zr/vMb84IsfVhA26VbVQydXLUaFRI6uW9rTgZWQ8iEzFVVKIW6EbP3SQefBeiDZ7njh3lb/EiZ5r/DoMBMxdA4xZ47PzBnfX8eXzDLfI7v83fufi1Hf2c18W9dxsS4eY73qSiLm4Zl01tJ2O1gk2BlYiBPrahBNg==; 5:VrKCK2H5oZsvoLsISfbKNa7Uw/T/tkOCuksUI57t66q1iK5lugcFhmPaXo2Jivj6AeFU6+zErDT9E30VfQHsKEXqc2SA7mpeE7vVPvXcpQdlGh6lastcbUiJzU62IoQKVleW4F5r3ApSH5/5oevRGin0SR5L5u1/AuFmUp3/09E=; 7:q3pzyhrJTtlfl74vIyFj/oJEyyWzFonS6ueubtIQoU+eMV/xeF8oG1Udz4oNzOnQJGePzW4prHsQBZxwDTz/TmZNqVuahb9NZbCVbYXEizu4lByFm2tGYi1dEadUnY0hgwGfLjSNGVUN6EPocYw3IA==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 4c40e91d-1e95-4818-536e-08d666b42887
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600074)(711020)(4618075)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:DM6PR05MB6297;
x-ms-traffictypediagnostic: DM6PR05MB6297:
x-microsoft-antispam-prvs: <DM6PR05MB6297AE9520217A69A58AE7D8A5BF0@DM6PR05MB6297.namprd05.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(3230021)(999002)(5005026)(6040522)(2401047)(8121501046)(3002001)(10201501046)(3231475)(944501520)(52105112)(93006095)(93001095)(6055026)(149066)(150057)(6041310)(20161123558120)(20161123562045)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(201708071742011)(7699051)(76991095); SRVR:DM6PR05MB6297; BCL:0; PCL:0; RULEID:; SRVR:DM6PR05MB6297;
x-forefront-prvs: 0892FA9A88
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(376002)(136003)(366004)(346002)(39860400002)(189003)(199004)(58126008)(4326008)(6436002)(316002)(68736007)(53936002)(97736004)(4744004)(106356001)(6486002)(110136005)(6306002)(345774005)(6246003)(6512007)(229853002)(86362001)(54906003)(575784001)(2616005)(478600001)(81156014)(81166006)(966005)(14454004)(3846002)(7736002)(105586002)(11346002)(186003)(14444005)(256004)(8936002)(446003)(82746002)(2906002)(76176011)(486006)(102836004)(33656002)(6116002)(71190400001)(305945005)(71200400001)(5660300001)(83716004)(8676002)(99286004)(25786009)(26005)(66066001)(476003)(6506007)(36756003); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR05MB6297; H:DM6PR05MB4665.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-microsoft-antispam-message-info: O32vRk4vnLwKDGMtp1s6K7EiOoHmqBQPgi3Msv7jj+3PZi80osnl4FVTFAmSHq+lzBMOoS1d0+IWSS7BMMG5UdlJK+4+oZNmev/t3/UvbwNrw3z5YLXj+Xjn+izjyoOz3e96Tc2Q29DFPPqmuM6FU7c2EY5nCOzk9IpEx63Jg71J0GnMbrnIfJWYl4oyfhxkhCj9G0AU7CL4pQ+2CEb6oJQ+N7lydgcSOwDbHGZQswiRkgFZXbX9ANQylR/ECGlBbJ0bTCp0jwzw7N26F49INS3kGL4C4xH09H87jUR8JndH5RRFWcIQBKC5b5nqxCwW
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <73BAA3307887814F94ECC4B096734606@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: 4c40e91d-1e95-4818-536e-08d666b42887
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Dec 2018 19:48:47.7926 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR05MB6297
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-12-20_09:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1812200161
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/vfdsSAcO-kKuGpO9-kj7JQZFd5Y>
Subject: Re: [Netconf] Alexey Melnikov's Discuss on draft-ietf-netconf-zerotouch-25: (with DISCUSS and COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Dec 2018 19:49:09 -0000

Hi Alexey,

Responses below.

Also, please be advised that an update has been published that
we hope addresses all your comments:

    https://tools.ietf.org/html/draft-ietf-netconf-zerotouch-26

Thanks,
Kent


>> > ----------------------------------------------------------------------
>> > DISCUSS:
>> > ----------------------------------------------------------------------
>> >
>> > Thank you for a well written document, it was a pleasure to read.
>> > I have a small list of issues that I would like to discuss before
>> > recommending approval of this document:
>> >
>> >
>> > In Section 5.3:
>> >
>> >   If the zero touch information artifact contains redirect information,
>> >   the device MUST, within limits of how many recursive loops the device
>> >   allows, process the redirect information as described in Section 5.5.
>> >   This is the recursion step, it will cause the device to reenter this
>> >   algorithm, but this time the data source will definitely be a
>> >   bootstrap server, as that is all redirect information is able to
>> >   redirect a device to.
>> >
>> > I think you need to specify a "max redirect" value in order to
>> > prevent intentional or unintentional misconfigurations. Without
>> > such limit it is trivial to introduce denial-of-service attack
>> > on naive device implementations.
>> 
>> There is a Security Consideration on this very point, where is says:
>> 
>>    Implementations SHOULD limit the maximum number of recursive
>>    redirects allowed; no more than a half dozen seems reasonable.
>
> I think this is weaker than I would like. I also didn't read the second
> part (half dozen) as normative. So my suggestion is below.
>
>> Here's direct link: https://tools.ietf.org/html/draft-ietf-netconf-zerotouch-25#section-9.9
>> 
>> Is this now acceptable as is?  If not, would it be suffice to 
>> add a reference the Security Consideration?  If not, then, yes,
>> a max-redirect value could be defined, but it would have to be 
>> somewhat high (25?) so that the standard doesn't prematurely
>> limit some unforeseen use.  Please advise.
>
> I think I prefer something like this:
>
>    Implementations MUST limit the maximum number of recursive
>    redirects allowed; the maximum number of recursive
>    redirects allowed SHOULD be 25.
>
> And adding a reference to the Security Considerations.
>
> I.e., I think imposing a limit should be a MUST with the value 25 recommended.

I incorporated your text, but in a slightly different way.  Instead of 
changing the Security Consideration, I changed the text in Section 5.3
directly and the *removed* that Security Consideration, as it is no 
longer needed with the new normative text.  Here's the new text:

   If the zero touch information artifact contains redirect information,
   the device MUST, within limits of how many recursive loops the device
   allows, process the redirect information as described in Section 5.5.
   Implementations MUST limit the maximum number of recursive redirects
   allowed; the maximum number of recursive redirects allowed SHOULD be
   no more than ten.  This is the recursion step, it will cause the
   device to reenter this algorithm, but this time the data source will
   definitely be a bootstrap server, as redirect information is only
   able to redirect devices to bootstrap servers.




>> > 2)
>> > 10.3.  The SMI Security for S/MIME CMS Content Type Registry
>> >
>> >   IANA is kindly requested to add two entries in the "SMI Security for
>> >   S/MIME CMS Content Type" registry (1.2.840.113549.1.9.16.1), with
>> >   values as follows:
>> >
>> >   Decimal  Description                             References
>> >   -------  --------------------------------------  ----------
>> >   TBD1      id-ct-zerotouchInformationXML          [RFCXXXX]
>> >   TBD2      id-ct-zerotouchInformationJSON         [RFCXXXX]
>> >
>> >   id-ct-zerotouchInformationXML indicates that the "zerotouch-
>> >   information" is encoded using XML.  id-ct-zerotouchInformationJSON
>> >   indicates that the "zerotouch-information" is encoded using JSON.
>> >
>> > You define these values, but they are not used anywhere in the document.
>> 
>> Aye, you're right!  At least, they're not referenced by name, which
>> complicates searching for them...  (see my next response for more)
>> 
>> 
>> 
>> > It looks like you intended for this to be used in several places,
>> > for example:
>> >
>> > 3.1.  Zero Touch Information
>> >
>> >   When the zero touch information artifact is unsigned, as it might be
>> >   when communicated over trusted channels, the CMS structure's top-most
>> >   content type MUST be one of the OIDs described in Section 10.3, or
>> >   the OID id-data (1.2.840.113549.1.7.1), in which case the encoding
>> >   (JSON, XML, etc.)  SHOULD be communicated externally.  In either
>> >   case, the associated content is an octet string containing
>> >   "zerotouch-information" data in the expected encoding.
>> >
>> > Did you intend to use the above OIDs here?
>> 
>> Yes, exactly, and also in two other places in Section 3.1.  In
>> all three instances, we could either:
>> 
>>   OLD:
>>     ...one of the OIDs described in Section 10.3,
>> 
>>   NEW1:
>>     ...one of the OIDs described in Section 10.3 (i.e., 
>>     id-ct-zerotouchInformationXML or id-ct-zerotouchInformationJSON),
>> 
>> or
>> 
>>   NEW2:
>>     ...one of the OIDs described in Section 10.3 (i.e., 
>>     1.2.840.113549.1.9.16.1.TBD1 or 1.2.840.113549.1.9.16.1.TBD2),
>> 
>> Do you have a preference?
>
> I think NEW1 is clearer.

Done!  (Section 3.1 updated)
Here's the new text:

   When the zero touch information artifact is unsigned, as it might be
   when communicated over trusted channels, the CMS structure's top-most
   content type MUST be one of the OIDs described in Section 10.3 (i.e.,
   id-ct-zerotouchInformationXML or id-ct-zerotouchInformationJSON), or
   the OID id-data (1.2.840.113549.1.7.1).  When the OID id-data is
   used, the encoding (JSON, XML, etc.)  SHOULD be communicated
   externally.  In either case, the associated content is an octet
   string containing "zerotouch-information" data in the expected
   encoding.







>> > ----------------------------------------------------------------------
>> > COMMENT:
>> > ----------------------------------------------------------------------
>> >
>> > 4.2.  DNS Server
>> >
>> >   To use a DNS server as a source of bootstrapping data, a device MAY
>> >   perform a multicast DNS [RFC6762] query searching for the service
>> >   "_zerotouch._tcp.local.".  Alternatively the device MAY perform DNS-
>> >   SD [RFC6763] via normal DNS operation, using the domain returned to
>> >   it from the DHCP server; for example, searching for the service
>> >   "_zerotouch._tcp.example.com".
>> >
>> > I agree with Adam that "zerotouch" much be a registered as service 
>> > name, see https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml.
>> 
>> Agreed, and I responded to Adam previously as follows:
>> 
>>   ===start===
>>   You are quite right.  Here is the Github commit to add an IANA 
>>   registration for the "zerotouch" service:  
>> https://github.com/netconf-wg/zero-touch/commit/6280763339a3e91b9efb21703b26a6bdbf05349b.
>>   Please let me know if you suggest any further changes.  
>>   ===stop===
>> And likewise, Alexey, please also let me know if you suggest any 
>> further changes.  
>
> This looks reasonable. (Note, saying that this is an extension of HTTPS
> in a note doesn't help. I think it would be better to say "this protocol
> uses HTTPS as a substrate". The current text would make people wonder
> why you need to register a new service name.)
 
Section 10.6 now says "This protocol uses HTTPS as a substrate."




>> >   Artifact to Resource Record Mapping:
>> >
>> >      Zero Touch Information:  Mapped to a TXT record called "zt-info"
>> >        containing the base64-encoding of the binary artifact described
>> >         in Section 3.1.
>> >
>> >      Owner Certificate:  Mapped to a TXT record called "zt-cert"
>> >         containing the base64-encoding of the binary artifact described
>> >         in Section 3.2.
>> >
>> >      Ownership Voucher:  Mapped to a TXT record called "zt-voucher"
>> >         containing the base64-encoding of the binary artifact described
>> >         in Section 3.3.
>> >
>> > So just to double check, these would be zt-info._zerotouch._tcp.example.com,
>> > etc?
>> 
>> I'm not a DNS expert, but my understanding is that the lookup would be 
>> on, e.g., _zerotouch._tcp.example.com and that the TXT records would
>> be returned as follows:
>> 
>> _zerotouch._tcp.example.com.  3600  IN  TXT  "zt_info=base64encodedvalue=="
>> _zerotouch._tcp.example.com.  3600  IN  TXT  "zt_cert=base64encodedvalue=="
>> _zerotouch._tcp.example.com.  3600  IN  TXT  "zt_voucher=base64encodedvalue=="
>
> This is not what your text is saying. I also don't think that your description
> is correct. "TXT record called X" is not something defined. You need to define
> TXT record which can contain attribute=value syntax and allowed attributes are
> one of 3 you define.

Responding to this item turned out to be way more effort than anticipated.
The more I looked into DNS, the more I realized that a lot of what was
written wasn't saying things quite right.  In the end, after getting up
to speed on DNS and conferring with a DNS expert (Wes Hardaker), I updated
this section to more accurately say what was intended.  Here's a direct
link to the section in the just posted draft update:

  https://tools.ietf.org/html/draft-ietf-netconf-zerotouch-26#section-4.2






>> For instance ['\' added for readability]:
>> 
>>   # dig txt gab.com
>>   <snip/>
>>   ;; ANSWER SECTION:
>>   gab.com.		300	IN	TXT	"v=spf1 include:_spf.protonmail.ch mx ~all"
>>   gab.com.		300	IN	TXT	"ca3-56e3739f7f644cdaaa0e7edc903cf648"
>>   gab.com.		300	IN	TXT	"protonmail-verification=\
>>                                   96ca5019e36fc3a6dc5c4399efabe68792e55cc7"
>>   <snip/>
>> 
>> Do you feel that an example in the document is warranted?
>
> Definitely you should add some examples. 
>
>
> Section 4.2 in the updated draft now has examples for both queries and responses.



>> > 8.1.  DHCPv4 Zero Touch Option
>> >
>> >      o bootstrap-server-list: A list of servers for the
>> >         client to attempt contacting, in order to obtain
>> >         further bootstrapping data, in the format shown
>> >         in [common-field-encoding].
>> >
>> > [common-field-encoding] in this and subsequent sections looks like a
>> > reference to Section 8.3. Please fix before publication, as this looks
>> > like an undefined reference.
>> 
>> Good grief, fixed (in both locations)!
>> 
>>   s/[common-field-encoding]/Section 8.3/



 
>> > 8.3.  Common Field Encoding
>> >
>> >   Both of the DHCPv4 and DHCPv6 options defined in this section encode
>> >   a list of bootstrap server URIs.  The "URI" structure is an option
>> >   that can contain multiple URIs (see [RFC7227], Section 5.7).
>> >
>> >     bootstrap-server-list:
>> >
>> > This is confusing, because I believe the following is a single entry
>> > in the list, not the whole list syntax:
>> >
>> >     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-...-+-+-+-+-+-+-+
>> >     |       uri-length              |          URI                  |
>> >     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-...-+-+-+-+-+-+-+
>> >
>> >     o uri-length: 2 octets long, specifies the length of the URI data.
>> >
>> >     o URI: URI of zerotouch bootstrap server, using the HTTPS URI
>> >       scheme defined in Section 2.7.2 of RFC7230.  URI MUST be in
>> >       form "https://<ip-address-or-hostname>[:<port>]".
>> >
>> > So if I am correct above, please clarify this by changing
>> > "bootstrap-server-list:" to "bootstrap-server-list is a list of 1 or more
>> > items, each with the following syntax:" (Or something like this.)
>> >
>> > Also, "URI" deserve to be a Normative Reference, as it defines the
>> > generic syntax you are referring to.
>> 
>> 
>> I have ask my coauthor, Ian, to respond to this comment.
>
> Ok.

Section 8.3 in the update draft includes the text that you and Ian agreed on.

v2.23.0 | Report a Bug | By Email