[OPSAWG] Review comments on draft-ietf-opsawg-mud-iot-dns-considerations-10

Mahesh Jethanandani <mjethanandani@gmail.com> Thu, 08 February 2024 20:27 UTC

Cc: opsawg@ietf.org, Robert Wilton <rwilton@cisco.com>, Toerless Eckert <tte@cs.fau.de>, lear@lear.ch
To: "draft-ietf-opsawg-mud-iot-dns-considerations@ietf.org" <draft-ietf-opsawg-mud-iot-dns-considerations@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/DO93OHtcQPG8sHIaVqpiLZavBHM>

Hi Authors,

Here are my review comments on the above draft. They are divided between Overall, Major, Minor and Nit comments. Rob’s comments might have covered some of them, in which case feel free to ignore.

Overall:

This document needs a grammar review, preferably by somebody whose task is to edit documents. Also, the abstract refers to use of both IP address and DNS, but the Introduction talks about DNS and makes no reference to use of IP address till Section 3. Shouldn’t the Introduction section expand on the Abstract?

It is not clear from the Abstract or from the Introduction what problem is being solved. Is it devices trying to access a resource in the Internet, or external parties trying to (maliciously) access or modify the MUD file? Reading RFC 8520 and this document, it appears to be the former, but it would help to clarify.

Major:

> At the MUD policy enforcement point -- the firewall -- there is a problem. The firewall has only access to the layer-3 headers of the packet. This includes the source and destination IP address, and if not encrypted by IPsec, the destination UDP or TCP port number present in the transport header. The DNS name is not present!

There are several assertions in this paragraph that could do with some clarity, and the clarity requested above might help. Again, is this in the context of traffic originating inside the device private network, or traffic originating from outside the device network? My understanding of firewalls is that the default policy for a device inside a private network is to allow access to any resources in the network, and to drop any traffic originating from the outside world. If this is for traffic originating from inside the device network, a temporary hole is punched in the firewall to allow the return traffic to pass through. Therefore, is the ACL for traffic originating outside the device network, or is it for traffic originating inside the device network?

Minor:

Section 3. If we are comparing, should there be a Section titled “Strategies to map IP addresses”?

> The second section of this document details how common manufacturer anti-patterns get in the way of this mapping.

Definition of “anti-patterns” needs to come on first use, not later in the document.

> - it can not be done fast enough,

What is the definition of fast? How often do these lookups happen to make it a significant delay? And how does it compare to getting the data that one is fetching from the Internet?

> - it reveals usage patterns of the devices,

How is this an issue, as any effort to do a lookup or get data is going to show usage? And how is it known what kind of device is doing the lookup?

Nits:

- In general, there are a lot of small paragraphs, with one or two sentences per paragraph. Can they be consolidated?

- Use of acronyms Do53, DoQ, DoT or DoH. These are not common acronyms. The definitions for some of them, e.g., Do53 come much later in the document. Please define in a Terminology Section or somewhere before first use.

> IoT Devices SHOULD prefer doing DNS to with the DHCP provided DNS servers.
Grammar?

> The ADD WG has written [I-D.ietf-add-dnr] and [I-D.ietf-add-ddr] to provided.

Same here.
Mahesh Jethanandani
mjethanandani@gmail.com
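The "Major" comment above asks in which direction the MUD ACL applies and how a firewall that sees only IP headers can enforce a policy written in DNS names. The following toy enforcement point, added here as an illustration and not part of the review or of the draft, shows the two mechanisms side by side: an IP-to-name cache filled from the DNS answers the device itself receives, and a connection table that admits only return traffic of a permitted outbound flow. All names, addresses and the `MudEnforcer` class are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Only what the firewall sees: layer-3/4 headers, no DNS name."""
    src: str
    dst: str
    sport: int
    dport: int


class MudEnforcer:
    """Hypothetical MUD policy enforcement point for one IoT device."""

    def __init__(self, device_ip, allowed):
        self.device_ip = device_ip
        self.allowed = allowed      # {(dnsname, port)} permitted outbound
        self.name_cache = {}        # ip -> (dnsname, expiry time)
        self.flows = set()          # (remote_ip, remote_port) with state

    def observe_dns_answer(self, name, ip, ttl, now):
        """Snoop the answer the device received; map IP back to the name."""
        self.name_cache[ip] = (name, now + ttl)

    def name_for(self, ip, now):
        entry = self.name_cache.get(ip)
        return entry[0] if entry and entry[1] > now else None

    def decide(self, pkt, now):
        if pkt.src == self.device_ip:                     # outbound
            name = self.name_for(pkt.dst, now)            # None if unknown/expired
            if name and (name, pkt.dport) in self.allowed:
                self.flows.add((pkt.dst, pkt.dport))      # allow return traffic
                return "permit"
            return "deny"
        # inbound: only return traffic of a flow the device opened
        if pkt.dst == self.device_ip and (pkt.src, pkt.sport) in self.flows:
            return "permit"
        return "deny"


def run_demo():
    """Constructed scenario: outbound to a known name, its reply, and three denials."""
    e = MudEnforcer("192.0.2.10", {("updates.example.com", 443)})
    e.observe_dns_answer("updates.example.com", "198.51.100.7", ttl=300, now=1000)
    return [
        e.decide(Packet("192.0.2.10", "198.51.100.7", 52000, 443), now=1001),  # permit
        e.decide(Packet("198.51.100.7", "192.0.2.10", 443, 52000), now=1002),  # return traffic
        e.decide(Packet("203.0.113.9", "192.0.2.10", 4444, 22), now=1002),     # unsolicited inbound
        e.decide(Packet("192.0.2.10", "203.0.113.9", 52001, 443), now=1002),   # IP with no known name
        e.decide(Packet("192.0.2.10", "198.51.100.7", 52002, 443), now=2000),  # mapping expired (TTL)
    ]
```

The last two cases are the draft's problem in miniature: an outbound packet to an address for which no current name mapping exists cannot be matched against a name-based ACE, so the enforcer has nothing better than deny.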