[NSIS] RE: AD comments on draft-ietf-nsis-ntlp-14
"Hancock, Robert" <robert.hancock@roke.co.uk> Mon, 26 November 2007 16:53 UTC
Return-path: <nsis-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IwhD7-0002Ut-By; Mon, 26 Nov 2007 11:53:29 -0500
Received: from nsis by megatron.ietf.org with local (Exim 4.43) id 1IwhD6-0002PW-Cn for nsis-confirm+ok@megatron.ietf.org; Mon, 26 Nov 2007 11:53:28 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IwhD5-0002Kj-Tu for nsis@ietf.org; Mon, 26 Nov 2007 11:53:27 -0500
Received: from rsys002x.roke.co.uk ([193.118.201.109]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IwhCy-0003MQ-Gm for nsis@ietf.org; Mon, 26 Nov 2007 11:53:27 -0500
Received: from rsys005a.comm.ad.roke.co.uk (rsys005a [193.118.193.85]) by rsys002x.roke.co.uk (8.13.1/8.13.1) with ESMTP id lAQGq65p014741; Mon, 26 Nov 2007 16:52:06 GMT
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 26 Nov 2007 16:52:32 -0000
Message-ID: <A632AD91CF90F24A87C42F6B96ADE5C50157AAEB@rsys005a.comm.ad.roke.co.uk>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: AD comments on draft-ietf-nsis-ntlp-14
Thread-Index: AcgwRxG3TGkPsnRWR3Wye3VDZYwzCwAAOsmA
References: <474AEFC9.8090204@ericsson.com>
From: "Hancock, Robert" <robert.hancock@roke.co.uk>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>, draft-ietf-nsis-ntlp@tools.ietf.org, NSIS <nsis@ietf.org>
X-MailScanner-roke-co-uk: Found to be clean
X-MailScanner-roke-co-uk-SpamCheck:
X-MailScanner-From: robert.hancock@roke.co.uk
X-Spam-Score: -1.0 (-)
X-Scan-Signature: 501044f827b673024f6a4cb1d46e67d2
Cc:
Subject: [NSIS] RE: AD comments on draft-ietf-nsis-ntlp-14
X-BeenThere: nsis@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Next Steps in Signaling <nsis.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:nsis@ietf.org>
List-Help: <mailto:nsis-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=subscribe>
Errors-To: nsis-bounces@ietf.org
magnus, thanks for the encouragement. i'll send a separate response for your comments (1) and (2) [which need some work]. for the rest, i have proposed solutions below - discussion welcome. robert h. > -----Original Message----- > From: Magnus Westerlund [mailto:magnus.westerlund@ericsson.com] > Sent: 26 November 2007 16:10 > To: draft-ietf-nsis-ntlp@tools.ietf.org; NSIS > Subject: AD comments on draft-ietf-nsis-ntlp-14 > > Hi, > > I am sorry for the long time this AD review has taken. I > really liked to read the document from first to last word > before progressing it. I have now done this and thinks the > document is in pretty good shape. I would appreciate an > updated version as soon as we have resolved the questions. [snip] > > 3. Section 5.3.3, page 59: > > "A suitable approach > is to restrict the token bucket parameters so that the mean output > rate is a small fraction, such as 5%, of the node's lowest-speed > interface." > > I think it should be made clear that the token bucket > parameter for bit-rate is "no larger than 5%" rather than > suggesting that 5% is a general good value. something like: A suitable approach is to restrict the token bucket parameters so that the mean output rate is a small fraction of the node's lowest-speed interface. It is RECOMMENDED that this rate is no more than 5%. (I don't think this can really be MUST - a silly counterexample would be a terabit router which you can telnet into over GSM. but the RECOMMENDED should make it clear to the implementor that this is a serious piece of advice.) > > 4. Section 5.7.3.1: > > "For > example, *.example.com in the APD would match certificates for > a.example.com, foo.example.com, *.example.com, etc., but would not > match example.com. Similarly, a certificate for > *.example.com would > be valid for APD identities of a.example.com, foo.example.com, > *.example.com, etc., but not example.com." > > Is it intentional to have two sentences saying the same > thing, or am I dense here. It looks very much like a repeat. Not quite: *) The first sentence states that if you populate your authorised peer database with an entry like *.example.com ALLOW then a node presenting a certificate with an identity like a.example.com will be authorised. *) The second sentence states this if you have an entry in your APD like a.example.com ALLOW then a node presenting a certificate presenting the identity *.example.com will be authorised. > > 5. Section 9: NSLP ID > > I actually wonder about the selection of IESG approval for > new NSLP IDs. > Isn't that kind of restricting? Sure, it can potentially be > easier to register than specification required. However, it > does put load on the IESG. It also assumes that the IESG will > have enough clue in the future to know what the correct way > to handle a registration requests. Can someone provide me > with the WGs reasoning behind this policy? Here there may be some history (John channelling your predecessor ADs). I think the rationale is as follows: - IESG review includes standards action as a sort of sub-case - we didn't want a plethora of proprietary protocols - we anticipated that one source of proposals would be SDOs (for which the evaluation needs to take into account the IETF's interaction with that SDO in handling some bigger standardisation question, and so is not simply a matter of expert review) It's obviously easy to modify the assignment rules, and to be honest I have no really strong opinions against a more relaxed set of policies here. > > 6. Appendix A. I think the text about "reserved" and its > meaning needs to be moved from section A.2 to the front text > for Appendix A. Otherwise it is wrongly scoped and does not > cover A.1 or any A.3... OK > > 7. Section A.1: There is no explicit mention of what values > should be listed in the version field for this spec. Earlier > it says this is Version 1 of GIST, but that could be encoded > both a 0 and 1 in this field based on previous protocols from IETF. I would say '1'. > > 8. ID-nits warnings: > > == Unused Reference: '14' is defined on line 5231, but no explicit > reference was found in the text I would propose to add that as an additional reference (alongside the framework). > > -- Obsolete informational reference (is this intentional?): > RFC 2246 (ref. > '15') (Obsoleted by RFC 4346) aaaaaaaaaaaaargh - the TLS specification version game ... The place where this is referred from (section 5.7.3) was worked over in conjuction with the security ADs; note that there is a normative reference to 4346 also. but since we allow falling back to v1.0, we have this reference also. [this particular open sore seems to pop up for any protocol which can be layered on TLS - see the discussion on draft-ietf-atompub-protocol for example. in this particular case, i think the text and references are OK. personally I think it would be more rationale for the reference to 2246 to be normative, but then we would get into a much more complicated set of procedural questions.] > > -- Obsolete informational reference (is this intentional?): > RFC 2766 (ref. > '18') (Obsoleted by RFC 4966) will update > > -- Obsolete informational reference (is this intentional?): > RFC 2960 (ref. > '19') (Obsoleted by RFC 4960) will update > > I definitely like to know if the new versions are fine or not. summary: yes for all of them, but the informational reference to TLS1.0 should remain (IMHO). > > > == Outdated reference: A later version (-04) exists of > draft-ietf-behave-turn-03 > > == Outdated reference: A later version (-15) exists of > draft-ietf-nsis-nslp-natfw-14 > > == Outdated reference: A later version (-02) exists of > draft-pashalidis-nsis-gist-legacynats-01 > > == Outdated reference: A later version (-05) exists of > draft-pashalidis-nsis-gimps-nattraversal-04 > > == Outdated reference: A later version (-04) exists of > draft-ietf-nsis-ntlp-statemachine-03 > > == Outdated reference: A later version (-08) exists of > draft-ietf-tcpm-tcpsecure-07 will fix all of these. nice to see that we have ony fallen one version behind. > > Cheers > > Magnus Westerlund > > IETF Transport Area Director & TSVWG Chair > ---------------------------------------------------------------------- > Multimedia Technologies, Ericsson Research EAB/TVM/M > ---------------------------------------------------------------------- > Ericsson AB | Phone +46 8 4048287 > Torshamsgatan 23 | Fax +46 8 7575550 > S-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com > ---------------------------------------------------------------------- > _______________________________________________ nsis mailing list nsis@ietf.org https://www1.ietf.org/mailman/listinfo/nsis
- [NSIS] AD comments on draft-ietf-nsis-ntlp-14 Magnus Westerlund
- [NSIS] RE: AD comments on draft-ietf-nsis-ntlp-14 Hancock, Robert
- [NSIS] IPv6 options (was: RE: AD comments on draf… Hancock, Robert
- [NSIS] Re: IPv6 options Magnus Westerlund
- [NSIS] Re: AD comments on draft-ietf-nsis-ntlp-14 Magnus Westerlund
- [NSIS] RE: AD comments on draft-ietf-nsis-ntlp-14 Hancock, Robert
- [NSIS] Re: AD comments on draft-ietf-nsis-ntlp-14 Magnus Westerlund