Re: [OPSAWG] Barry Leiba's No Objection on draft-ietf-opsawg-sdi-10: (with COMMENT)
Warren Kumari <warren@kumari.net> Wed, 20 May 2020 16:25 UTC
Return-Path: <warren@kumari.net>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DA5F3A0A19 for <opsawg@ietfa.amsl.com>; Wed, 20 May 2020 09:25:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 69O_HGFOfjeQ for <opsawg@ietfa.amsl.com>; Wed, 20 May 2020 09:25:04 -0700 (PDT)
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56AA83A0886 for <opsawg@ietf.org>; Wed, 20 May 2020 09:25:04 -0700 (PDT)
Received: by mail-lj1-x232.google.com with SMTP id g1so4469169ljk.7 for <opsawg@ietf.org>; Wed, 20 May 2020 09:25:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=g8oOg02ljjB0NBMGKbmQG163N+v3bMfurySe5KK0WF0=; b=zlc6XOKAv2LuURimCI78kLsNHfb91ckWAF0KwhAJqkNpq0C5GkxCKlUwoZRZiGDzCW Tith5Iy9m6an+5FHXAI9eym13hKvRmA1fb0f1oCxQb5vphUb4ryg0iEbJJDIhWuEkyou fr7NUvrHOml3AIQJizT1OCL0ptiipkiJKrhZpoQH/2fNjwuncjwdcCHbWc/ICGJjKzKT fheTZgu51F84fVyA8SJKcdhfwKlKC4LYanl+TovUVQEu5cFGF59MIClhQxX/zLv2/ipC XUZgctyGxsHt2gn9CO/OtbXpsQ9C3IxRcJDYJalMRyLz1lFW6NUQ2h0wlQDpTLFVw23u csDw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=g8oOg02ljjB0NBMGKbmQG163N+v3bMfurySe5KK0WF0=; b=HfEWqZum/F+fsOTUoswWvYFqNr6dTY0WrEG8vuRvyBXTUjvNjkcHla/586/HIOK3cI H09K8pIw+OBHhE01FJ3nm94eKM0zqTjt6p77ftCGaCDZYJ/0Pns/wsKqeiXN2ybRitYf tlKPWyKF8R/iWHCvdpqCj67maL4PPjsSuPM42qqQSJilUA0QEjt3LQKdkqXQBS2l+4bu i1b28hX/wg9waZYtuKt99gEoD5qGiEtDKUHIHuG9g1RKzqd93ume4JXgTP6W/ownA3Na 0uLNKmPBc0vv6ujrmW5urE2WofW3nOj5XDBwQj9q/D0RMmI3tA6vYStvRkP0WY93kN4A ebHA==
X-Gm-Message-State: AOAM533qoSKiXfyuxZZWSIbbrCoS7O2nYuz999DknxLu1M2G5xc/+n4r 7JjWq0kf46i0JhQuSSuJNKvM3lchg6FmR2rDSCM4wg==
X-Google-Smtp-Source: ABdhPJxNJFmTDbhgXB3RuFTRqeGNjw/0VIWgxpga+2SX/rMS/odNvUhW2zNHlEheF6Jsa3Ie8mVbeEMwbBoe+54X1tU=
X-Received: by 2002:a2e:8654:: with SMTP id i20mr1874527ljj.79.1589991902067; Wed, 20 May 2020 09:25:02 -0700 (PDT)
MIME-Version: 1.0
References: <158994883534.30159.9649308008222132813@ietfa.amsl.com>
In-Reply-To: <158994883534.30159.9649308008222132813@ietfa.amsl.com>
From: Warren Kumari <warren@kumari.net>
Date: Wed, 20 May 2020 12:24:25 -0400
Message-ID: <CAHw9_iJX5sEewUudwS942HcAcYZkR4tBuQCN+egaTEF1HG+=pA@mail.gmail.com>
To: Barry Leiba <barryleiba@computer.org>
Cc: The IESG <iesg@ietf.org>, draft-ietf-opsawg-sdi@ietf.org, OpsAWG-Chairs <opsawg-chairs@ietf.org>, opsawg <opsawg@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/E-F-rIBX2M6t_aIzHwy5LKlS-Oc>
Subject: Re: [OPSAWG] Barry Leiba's No Objection on draft-ietf-opsawg-sdi-10: (with COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 May 2020 16:25:07 -0000
On Wed, May 20, 2020 at 12:27 AM Barry Leiba via Datatracker <noreply@ietf.org> wrote: > > Barry Leiba has entered the following ballot position for > draft-ietf-opsawg-sdi-10: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-opsawg-sdi/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Just a nitty load of nits nitting about: Yikes, apologies for the number of nits - I feel that I usually have cleaner drafts than this, and apologize for the amount of editorial issues you had to note... I'm submitting a new version (-11) with the below (as well as Roman's and Murray's comments) addressed.... > > — Section 1 — > > Internet Exchange Points (IXP) or "carrier neutral > > Nit: hyphenate “carrier-neutral”, DONE. Thank you. > > vendor proprietary) protocols to perform initial device installs > > Nit: hyphenate “vendor-proprietary” (or just drop “vendor”). DONE. Thank you. > > use DHCP [RFC2131]to get an IP address > > Nit: add a space after the citation. DONE. Thank you. > > security related and/or proprietary information > > Nit: hyphenate “security-related”. DONE. Thank you. > > (or using an auto- > install techniques which fetch an unencrypted config file > > Nit: remove “an”. NOT DONE. I changed this to be: "Exposing these to a third party to load onto a new device (or using an auto-install technique which fetches an unencrypted configuration file via..." I assume that this addresses your concern, please let me know if not... > > perform the initial configuration work; this costs, time and money. > > Nit: remove the comma. > DONE. Thank you. Not sure where the comma came from, but removed :-) > configure the devices before shipping it; > > Nit: “device” (or “them”). DONE. Thank you. > > optimized for simplicity, both for the implementor and the operator; > > Nit: make it “for both” (or repeat “for” before “the operator”). DONE. Thank you. > > is it intended to solve all use-cases > > Nit: do not hyphenate “use cases”. DONE, thanks! > > Solutions such as Secure Zero Touch Provisioning (SZTP)" [RFC8572], > > Nit: there’s an unpaired quotation mark. ... not any more there isn't :-) DONE. > > — Section 2 — > > the devices serial number, MAC address or similar. > > Nit: Make it “device’s” (possessive). > Done! > extends this (vendor specific) paradigm > > Nit: hyphenate “vendor-specific”. DONE. > > — Section 2.1 — > > When the device arrives at the POP, it gets installed in Operator_A' > > autoboot state, and begins the DHCP process. Operator_A' DHCP server > > Nit: “Operator_A’s” in both places. DONE. Thank you. > > — Section 3.1 — > > Each devices requires a public-private key keypair > > Nit: “Each device” > Nit: you don’t need “key keypair”; I suggest “key pair”. DONE and DONE. Thank you. > > (for example, extended key usage, extensions, etc.) > > Nit: “for example” and “etc.” don’t go together; use one or the other. Doh! DONE. Thank you. > > — Section 4.3 — > > configurations fails, the device will either abort the auto-install > process, or will repeat this process until it succeeds. > > Nit: “configuration” (singular). > Nit: remove the second “will” (or make it “either will”). DONE and DONE. Thank you. > > — Section 5.2 — > > completely replace the initial device generated key > > Nit: hyphenate “device-generated”. DONE. > > operators installed key. > > Nit: “operator’s” (possessive). DONE. Thank you. > > — Section 5.3 — > > device management, whereby portions (or the entire) configuration > > Nit: “portions of” > DONE. > — Section 7 — > > third-party to copy and paste it over a serial terminal. > > Nit: “them”, not “it” (the antecedent is plural). Whoops. DONE. Thank you. > > An attacker (e.g., a malicious datacenter employee) who has physical > access to the device before it is connected to the network the > attacker may be able to extract the device private key > > Nit: remove “the attacker”. DONE. I wish it were always this easy :-) > > Even when using a secure bootstrapping mechanism, security conscious > operators may wish to bootstrapping devices with a minimal / less > sensitive config > > Nit: hyphenate “security-conscious”. > Nit: “bootstrap” (no “ing”). > Nit: hyphenate “less-sensitive”. > DONE, DONE and DONE. Thank you! These are addressed in commit 533160d (https://github.com/wkumari/draft-wkumari-opsawg-sdi/commit/533160d8e294848f6ba0221f1983f11398ac2467 ) and I'm cutting a new version now... W > > -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
- [OPSAWG] Barry Leiba's No Objection on draft-ietf… Barry Leiba via Datatracker
- Re: [OPSAWG] Barry Leiba's No Objection on draft-… Warren Kumari