[NSIS] Re: New version of NSIS Req submitted
Harald Tveit Alvestrand <harald@alvestrand.no> Sat, 16 August 2003 04:48 UTC
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA22949 for <nsis-archive@odin.ietf.org>; Sat, 16 Aug 2003 00:48:27 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19nsyw-0005fp-Jb for nsis-archive@odin.ietf.org; Sat, 16 Aug 2003 00:48:03 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h7G4m2nE021805 for nsis-archive@odin.ietf.org; Sat, 16 Aug 2003 00:48:02 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19nsyv-0005fP-ID; Sat, 16 Aug 2003 00:48:01 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19nf0p-0003YP-OJ for nsis@optimus.ietf.org; Fri, 15 Aug 2003 09:53:03 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA27291 for <nsis@ietf.org>; Fri, 15 Aug 2003 09:52:58 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19nf0k-0002fa-00 for nsis@ietf.org; Fri, 15 Aug 2003 09:52:58 -0400
Received: from eikenes.alvestrand.no ([158.38.152.233]) by ietf-mx with esmtp (Exim 4.12) id 19nf0j-0002ex-00 for nsis@ietf.org; Fri, 15 Aug 2003 09:52:58 -0400
Received: from HALVESTR-W2K1.cisco.com (localhost.localdomain [127.0.0.1]) by eikenes.alvestrand.no (Postfix) with ESMTP id 1A5C861B95; Fri, 15 Aug 2003 15:52:25 +0200 (CEST)
Date: Fri, 15 Aug 2003 06:36:46 -0700
From: Harald Tveit Alvestrand <harald@alvestrand.no>
To: Marcus Brunner <brunner@ccrle.nec.de>, Loughney <john.loughney@nokia.com>, Allison Mankin <mankin@isi.edu>
Cc: nsis@ietf.org, Steve Bellovin <smb@research.att.com>
Message-ID: <379870995.1060929406@localhost>
In-Reply-To: <91739274.1060687981@[10.1.1.130]>
References: <91739274.1060687981@[10.1.1.130]>
X-Mailer: Mulberry/3.0.2 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Subject: [NSIS] Re: New version of NSIS Req submitted
Sender: nsis-admin@ietf.org
Errors-To: nsis-admin@ietf.org
X-BeenThere: nsis@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=unsubscribe>
List-Id: Next Steps in Signaling <nsis.ietf.org>
List-Post: <mailto:nsis@ietf.org>
List-Help: <mailto:nsis-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Marcus, thanks! --On 12. august 2003 11:33 +0200 Marcus Brunner <brunner@ccrle.nec.de> wrote: > John, Allison, > > I have a new version of the requirements submitted > (draft-ietf-nsis-req-09.txt). The comments from Harald and Steve have > been addressed (see below for the difference between the 08 and 09 of the > draft. > > Marcus > > Section 5 (Harald's comment #1) > > OLD > > 5 Requirements > > This section defines more detailed requirements for a signaling solution, > respecting the framework, scoping assumptions, and terminology considered > earlier. The requirements are in subsections, grouped roughly according > to general technical aspects: architecture and design goals, topology > issues, parameters, performance, security, information, and flexibility. > > Two general (and potentially contradictory) goals for the solution are > that it should be applicable in a very wide range of scenarios, and at > the same time lightweight in implementation complexity and resource > consumption requirements in NSIS Entities. One approach to this is that > the solution could deal with certain requirements via modular components > or capabilities, which are optional to implement or use in individual > nodes. > > In order to prioritize the various requirements we informally define > different 'parts of the network'. In the different parts of the network a > particular requirement might have a different priority. > > The parts of the networks we differentiate are the host-to-first router, > the access network, and the core network. The host to first router part > includes all the layer 2 technologies to access to the Internet. This > part of the division is especially informal and may incorporate several > access segments. In many cases, there is an application and/or user > running on the host initiating signaling. The access network can be > characterized by low capacity links, medium speed IP processing > capabilities, and it might consist of a complete layer 2 network as well. > The core network characteristics include high-speed forwarding capacities > and inter-domain issues. These divisions between network types are not > strict and do not appear in all networks, but where they do exist they > may influence signaling requirements and will be highlighted as necessary. > > NEW > > 5 Requirements > > This section defines more detailed requirements for a signaling solution, > respecting the framework, scoping assumptions, and terminology considered > earlier. The requirements are in subsections, grouped roughly according > to general technical aspects: architecture and design goals, topology > issues, parameters, performance, security, information, and flexibility. > > Two general (and potentially contradictory) goals for the solution are > that it should be applicable in a very wide range of scenarios, and at > the same time lightweight in implementation complexity and resource > consumption requirements in NSIS Entities. We use the terms 'access' and > 'core' informally in the discussion of some particular requirements to > refer to deployment conditions where particular protocol attributes, > especially performance characteristics, have special importance. > Specifically, 'access' refers to lower capacity networks and fewer users > and sessions. 'Core' refers to high capacity networks with a large number > of users and sessions. > > One approach to this is that the solution could deal with certain > requirements via modular components or capabilities, which are optional > to implement or use in individual nodes. This one is fine with me. It's now clear that it's an informal definition, and the "first hop" thing has entirely gone. > > ==================================================== > Req 5.5.1 Scalability (Harald's comment #2) > > NEW added the following paragraph at the end of req 5.5.1 > > Specifically, NSIS MUST work in Internet scale deployments, where the use > of signaling by hosts becomes universal. Note that requirement 5.2.4 > requires the functionality of transparently signal through networks > without interpretation. Additionally, requirement 5.6.1 lists the > capability to aggregate. Furthermore, requirement 5.5.4 states that NSIS > should be able to constrain the load on devices. Basically, the > performance of the signaling MUST degrade gracefully rather than > catastrophically under overload conditions. This one works for me, too. > > ============================ > section 3, last paragraph (Steve Bellovin comment #1) > > OLD > 5. We can see the network at the level of domains/subdomains rather than > individual routers (except in the special case that the domain contains > one link). Domains are assumed to be administrative entities, so security > requirements apply to the signaling between them. > > NEW > 5. We can see the network at the level of domains/subdomains rather than > individual routers (except in the special case that the domain contains > one link). Domains are assumed to be administrative entities. So security > requirements might apply differently for the signaling between the > domains and within a domain. Both cases we deal with in this document. > > ============================ > Requirement 5.7.8 (Steve Bellovin comment #2) > > OLD > > 5.7.8 Confidentiality of signaling messages > > Based on the signaling information exchanged between nodes participating > in the signaling protocol an adversary may learn both the identities and > the content of the signaling messages. To prevent this from happening, > confidentiality of the signaling message in a hop-by-hop manner MAY be > provided. Note that the protection can be provided on a hop-by-hop basis > for most message payloads since it is required that entities which > actively participating in the signaling protocol must be able to read and > eventually modify the content of the signaling messages. > > NEW > > 5.7.8 Confidentiality of signaling messages > > Based on the signaling information exchanged between nodes participating > in the signaling protocol an adversary may learn both the identities and > the content of the signaling messages. Since the ability to listen to > signaling channels is a major guide to what data channels are interesting > ones. note: the last sentence does not parse. If you drop "Since", it both parses and makes sense (I think). If this is the only problem in -09, it can be fixed with an RFC Editor's note. > > To prevent this from happening, confidentiality of the signaling message > in a hop-by-hop manner SHOULD be provided. Note that most messages must > be protected on a hop-by-hop basis, since entities, which actively > participate in the signaling protocol, must be able to read and > eventually modify the signaling messages. _______________________________________________ nsis mailing list nsis@ietf.org https://www1.ietf.org/mailman/listinfo/nsis
- [NSIS] New version of Req submitted Marcus Brunner
- [NSIS] Re: New version of NSIS Req submitted Harald Tveit Alvestrand