Roman Danyliw's No Objection on draft-ietf-quic-manageability-16: (with COMMENT)
Roman Danyliw via Datatracker <noreply@ietf.org> Tue, 19 April 2022 03:18 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: quic@ietf.org
Delivered-To: quic@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D5D03A1228; Mon, 18 Apr 2022 20:18:57 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-quic-manageability@ietf.org, quic-chairs@ietf.org, quic@ietf.org, matt.joras@gmail.com, matt.joras@gmail.com
Subject: Roman Danyliw's No Objection on draft-ietf-quic-manageability-16: (with COMMENT)
X-Test-IDTracker: no
X-IETF-IDTracker: 7.46.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <165033833728.2600.15767815172481167436@ietfa.amsl.com>
Date: Mon, 18 Apr 2022 20:18:57 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/7d9EyQdb01TE1dS7cjKQC19kDCo>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Apr 2022 03:19:00 -0000
Roman Danyliw has entered the following ballot position for draft-ietf-quic-manageability-16: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-quic-manageability/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thank you to Barry Leiba for the SECDIR review. Thank you for this companion document considering the operational view of the wire image. It is a model to pattern for other protocols. ** Section 2.8 Using a particular version number to recognize valid QUIC traffic is likely to persistently miss a fraction of QUIC flows, and completely fail in the near future. Reliance on the version number field for the purposes of admission control is similarly likely to rapidly lead to unintended failure modes. Admission of QUIC traffic regardless of version avoids these failure modes, avoids unnecessary deployment delays, and supports continuous version-based evolution. -- True, but this guidance seems a bit too strong. Operators may choose to explicitly exclude traffic from particular “experimental versions" and should likely be curating their ACLs/admission control practices. -- Consider if the text "... likely to rapidly lead to unintended failure modes” will age well. -- Would there be an opportunity to fingerprint a unique application using a specific experimental version number (in an ecosystem of continuous evolution and experimentation suggested above)? ** Section 4.7. Other uses include support for security audits (e.g., verifying the compliance with ciphersuites); client and application fingerprinting for inventory; and to provide alerts for network intrusion detection and other next generation firewall functions. This text seems unrelated to the focus of this section -- DDoS detection and mitigation. Is it really needed? ** Section 4.7 Current practices in detection and mitigation of DDoS attacks generally involve classification of incoming traffic (as packets, flows, or some other aggregate) into "good" (productive) and "bad" (DDoS) traffic, This describes a “scrubbing” approach. DDoS mitigation can use the less nuanced rate limiting approach. DOTS has support for that too. ** Section 4.7 It is also possible for endpoints to directly support security functions such as DoS classification and mitigation. Endpoints can cooperate with an in-network device directly by e.g., sharing information about connection IDs. Does that happen now? How would that signaling work? Typos: ** Section 4.8. Typo. s/connnection/connection/ ** Section 4.8. Typo. s/usualy/usually/
- Roman Danyliw's No Objection on draft-ietf-quic-m… Roman Danyliw via Datatracker
- Re: Roman Danyliw's No Objection on draft-ietf-qu… Mirja Kuehlewind
- Re: Roman Danyliw's No Objection on draft-ietf-qu… Christian Huitema
- Re: Roman Danyliw's No Objection on draft-ietf-qu… Mirja Kuehlewind