Re: [OPSAWG] WG LC for draft-ietf-opsawg-sdi-02

[Warren Kumari <warren@kumari.net>]

Apologies for the delay in responding, I was traveling and then got
sidetracked into other things.


On Tue, Feb 11, 2020 at 4:40 PM Joe Clarke (jclarke) <jclarke@cisco.com>
wrote:

>
>
> On Feb 11, 2020, at 15:41, Warren Kumari <warren@kumari.net> wrote:
>
> On Tue, Feb 11, 2020 at 10:19 AM Joe Clarke (jclarke) <jclarke@cisco.com>
> wrote:
>
>
> As a contributor, I think this document is mostly ready (and as previously
> stated, I like and support the work).  That said, after another read I
> found a few spelling nits and some comments:
>
> In Section 2, you paint the picture of a scenario, but “break the fourth
> wall” to explain what is existing and what is new functionality as well as
> state that the document prescribes using the SN as the unique identifier.
> In the spirit of a scenario with additional context, I think you should
> clarify that the DHCP boot of an out-of-the-box device is _typically_
> existing functionality.  Some vendors’ devices may not do this.
>
>
> Good point. I have just submitted a new version which I think
> addresses this (and your other comments below) -- I broke section 2
> ("Overview / Example Scenario") into 2 sections, "Overview" and
> "Example Scenario". This required moving some text around, but I think
> addresses your concern (and improves the document).
>
>
> Thanks.  I like these changes.
>

Yay!



>
> Yes -- unfortunately there doesn't seem to be any sort of standard way
> to add a comment device configs - these all work on different devices:
> # I'm a comment
> ! I'm also a comment
> ; Yet another comment format
> : This is getting silly
> ' Ugh, who thought apostrophes was a sane comment character?!
>
>
> I was actually thinking about the opposite.  Could your encrypted blob
> have a header?  Like a PEM encoded certificate has "-----BEGIN
> CERTIFICATE——“.  This way if you have that, you try to decrypt, else you
> assume a regular config.
>

Ah, I has misunderstood, see below.



>
> How about some text along the lines of: "Unfortunately there is no
> standard way to identify if a config file has been successfully
> decrypted, as different vendors use different configuration languages,
> with different forms of comments, etc.
> It is recommended that each vendor documents a standard header or
> magic which devices can use to determine if the configuration seems
> largely correct.
> As an example, Cisco IOS configuration files use the '!' character as
> a comment, and so Cisco IOS files could be expected to start with
> something like '! This is a Cisco IOS configuration file'. Juniper
> Network's JunOS uses '#' as a comment character, and so Juniper could
> adopt the convention of using '## JunOS device configuration file' (or
> some other string, to be chosen and documented by the vendor)."
>
> Note that I have *not* included this is the newly posted version yet,
> as I think it needs some polishing...
>
>
> Sure.  This text works as a means to know if decryption works.  But (and I
> haven’t tried this), if I point IOS to just some random bytes via option
> 150, I think it will try to load it (I know that some file extensions like
> .tcl and .py will be considered).  So you might not need to worry so much
> about what if decryption works as to know what should be attempted to be
> decrypted.
>

So, I've added some text saying the vendors could do things like use a
specific file extension (e.g if the file ends in .enc, it is encrypted),
have a magic string header, or use a different DHCP options -- these are
much better options than what I originally had (try parse, and if that
doesn't work, try decrypt).
Thank you, this has significantly improved the document / mechanism.

W



>
> Joe
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf