[Roll] Benjamin Kaduk's No Objection on draft-ietf-roll-efficient-npdao-12: (with COMMENT)

Benjamin Kaduk via Datatracker <noreply@ietf.org> Wed, 26 June 2019 00:26 UTC

From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-roll-efficient-npdao@ietf.org, Peter Van der Stok <consultancy@vanderstok.org>, aretana.ietf@gmail.com, roll-chairs@ietf.org, consultancy@vanderstok.org, roll@ietf.org
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <156150881090.31233.460341246895590440.idtracker@ietfa.amsl.com>
Date: Tue, 25 Jun 2019 17:26:50 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/roll/vbNk8YoMl-Ha9Vg8s_mpYjZbEx8>
Subject: [Roll] Benjamin Kaduk's No Objection on draft-ietf-roll-efficient-npdao-12: (with COMMENT)

Benjamin Kaduk has entered the following ballot position for
draft-ietf-roll-efficient-npdao-12: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-roll-efficient-npdao/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

I think that we need greater clarity about whether the DCOSequence
number is just a series of monotonic (i.e., time-ordered) nonces (to be
echoed back for matching request/response) or a full-on sequence counter
that allows for loss detection as well as providing in-order delivery.
It sounds like we just need the time-ordering and single-use properties,
but I'm not entirely sure.  I wavered about making this a Discuss point
but ended up not doing so since I'm not sure how much harm is being
risked.  (I also mention this topic a couple times in the
section-by-section comments below.)

I agree with Barry that the Abstract is really hard to parse.

Section 1.2

   RPL uses NPDAO messaging in the storing mode so that the node
   changing it routing adjacencies can invalidate the previous route.

nit: "its routing adjacencies"

   This is needed so that nodes along the previous path can release any
   resources (such as the routing entry) it maintains on behalf of
   target node.

nit: singular/plural mismatch "nodes"/"it maintains"

Section 4.1

                                                            When node A
   receives the regular DAO, it finds that it already has a routing
   table entry on behalf of the target address of node D.  It finds
   however that the next hop information for reaching node D has changed
   i.e., node D has decided to change the paths.  In this case, Node A
   which is the common ancestor node for node D along the two paths
   (previous and new), should generate a DCO which traverses downwards
   in the network.

I can't decide whether or not it helps readability to reiterate that in
addition to creating the DCO, node A also does normal DAO processing
(e.g., forwarding to the 6LBR).  I guess the example in A.1 does show
this normal processing, so maybe it's overkill to also do so here.

Section 4.2

               Transit Information Option should be carried in the DAO
   message with I-flag set in case route invalidation is sought for the
   corresponding target(s).

nit: this text as written implies that the I-flag is set in the DAO
itself, not the TIO therein.

I'd also suggest to s/in case/when/ for clarity.

   The common ancestor node SHOULD generate a DCO message in response to
   this I-flag when it sees that the routing adjacencies have changed
   for the target.  I-flag governs the ownership of the DCO message in a
   way that the target node is still in control of its own route
   invalidation.

nit: "The I-flag" (start of last sentence).

I'd further suggest rewording to something like "The I-flag is intended
to give the target node control over its own route invalidation, serving
as a signal to request DCO generation; in normal operation a DCO would
not otherwise be generated"; the current text about "ownership" has some
weird connotations/implications and this text also implicitly assumes
that DAO/TIO/I-flag will never be maliciously generated.  It is also a
little weaker about unsolicited DCO, per Section 4.5.

Section 4.3

   A new ICMPv6 RPL control message type is defined by this
   specification called as "Destination Cleanup Object" (DCO), which is

nit: either "called" or "known as" or "referred to as" would be fine;
"called as" is a grammatical mismatch.

   DCOSequence: Incremented at each unique DCO message from a node and
   echoed in the DCO-ACK message.  The initial DCOSequence can be chosen
   randomly by the node.

What's the behavior if a sequence number is skipped?  (Why do we have a
sequence number if we aren't going to detect and act on this condition?)
Ah, I see Section 4.3.3, but perhaps a forward-reference is in order.

Section 4.3.4

It seems that the "Reserved" field should be called "Flags", since a
registry is being created for it.

(I trust that the language about the D flag and DODAGID optionality from
Barry's ballot thread is consistent between DCO and DCO-ACK.)

Section 4.4

   1.  If a node sends a DCO message with newer or different information
       than the prior DCO message transmission, it MUST increment the
       DCOSequence field by at least one.  A DCO message transmission
       that is identical to the prior DCO message transmission MAY
       increment the DCOSequence field.

While reading up to this point I managed to confuse myself about Path
Sequence (which must be consistent from DAO to DCO) and the separate
DAOSequence and DCOSequence fields.  To check my (less confused)
understanding, I guess if I could over-summarize, Path Sequence is like
a generation counter for a given node's position in the routing
topology, and the other two are for managing retransmission/ack of the
respective update messages.  So if that mental model is correct, then
there's not any value from trying to introduce a shared sequence number
space for DCO and DAO, even though they are frequently going to be
generated at the same time, especially since they have different
recipients.  Right?

I do agree with the other discussion that we need clarity about whether
the increment is exactly one or larger values are allowed (plus,
presumably, whether the recipient should infer anything from a sequence
number gap).  I do note that these are expected to be "lollipop
sequence counters" per RFC 6550.

   4.  A node receiving a unicast DCO message with the 'K' flag set
       SHOULD respond with a DCO-ACK.  A node receiving a DCO message
       without the 'K' flag set MAY respond with a DCO-ACK, especially
       to report an error condition.

This seems redundant with Section 4.3's "A node receiving a DCO message
without the 'K' flag set MAY respond with a DCO-ACK, especially to
report an error condition."

Section 4.4

   The scope of DCOSequence values is unique to each node.

recipient or originator?

Section 4.5

   path on behalf of the target entry.  The 6LR has all the state
   information namely, the Target address and the Path Sequence,

nit: comma before "namely".

Section 4.6.2

   Even with the changed semantics, the current NPDAO mechanism in
   [RFC6550] can still be used, for example, when the route lifetime
   expiry of the target happens or when the node simply decides to
   gracefully terminate the RPL session on graceful node shutdown.

Er, what changed semantics?  This document does not have an Updates:
relationship to any other document.

Section 4.6.3

   Note that there is no requirement of synchronization between DCO and
   DAOs.  The DelayDCO timer simply ensures that the DCO control
   overhead can be reduced and is only needed when the network contains
   nodes using multiple preferred parent.

This ("no requirement of synchronization") is because the benefit of DCO
is in expiring routes faster than their normal expiration time to save
local storage, rather than to provide synchronous route migration?  (It
might be worth reiterating, if you want.)

Section 7

   This document introduces the ability for a common ancestor node to
   invalidate a route on behalf of the target node.  The common ancestor
   node is directed to do so by the target node using the 'I' flag in
   DCO's Transit Information Option.  However, the common ancestor node

nit(?): there's perhaps some wordsmithing possible about "is directed to
do so", given the next sentence and Section 4.5.

   is also met.  Having said that a malicious 6LR may spoof a DAO on
   behalf of the (sub) child with the I-flag set and can cause route
   invalidation on behalf of the (sub) child node.

IIUC, such a malicious 6LR might also spoof a DAO even without this
mechanism (to invalidate the "proper" Path Sequence) or otherwise cause
denial of service by dropping traffic entirely, so perhaps we want to
add another clause ", so this new mechanism does not present a
substantially increased risk of disruption".

   This document assumes that the security mechanisms as defined in
   [RFC6550] are followed, which means that the common ancestor node and
   all the 6LRs are part of the RPL network because they have the
   required credentials.  A non-secure RPL network needs to take into
   consideration the risks highlighted in this section.

I'd consider adding "as well as those highlighted in [RFC6550]" to the
end.

Appendix A.1

   6.  Node G receives the DCO(tgt=D,pathseq=x+1).  It checks if the
       received path sequence is latest as compared to the stored path
       sequence.  If it is latest, Node G invalidates routing entry of
       target D and forwards the (un)reachability information downstream
       to B in DCO(tgt=D,pathseq=x+1).

This wording of "latest as compared to" feels unusual to me; I would
have expected "is later than the stored path sequence" and "If it is
later", but perhaps there is a convention here that I'm missing.

nit: "invalidates the routing entry"

   9.  The propagation of the DCO will stop at any node where the node
       does not have an routing information associated with the target.
       If the routing information is present and its Path Sequence is
       higher, then still the DCO is dropped.

nit: maybe reword to "If cached routing information is present and the
cached Path Sequence is higher than the value in the DCO, then the DCO
is dropped".

Appendix A.2

I feel like we should probably mention the DelayDAO timer as well as the
DelayDCO one.

I think this is a side note, but it seems like the timer mechanism for
DelayDAO (and by extension, DelayDCO) are a bit fragile, as one party
has to wait for the full timeout before sending the message (e.g., N22
in this example) that the other party is waiting the timeout to receive
(e.g., N11).  So it seems like we are still susceptible to transport
delay/jitter and race conditions at some point in the network, even if
it's not the next-hop of the target node.  But if that's a property of
DelayDAO from RFC 6550, it doesn't really make sense to try to address
it in this document (and it's also possible I misunderstand the
situation).
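As an added illustration (not code from the draft or from this review), a small Python model of the DCO walk discussed under Section 4.1 and Appendix A.1 steps 6 and 9: the common ancestor starts a DCO down the old path only when the DAO's I-flag asks for it, each 6LR invalidates its entry only when the DCO's Path Sequence is later than the stored one, and propagation stops at a node with no entry or a stored sequence that is not older. The topology, the node H, and the plain-integer Path Sequence comparison are my assumptions; real RPL counters are lollipop counters per RFC 6550, which this model does not reproduce.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    routes: dict = field(default_factory=dict)  # target -> (next_hop, stored Path Sequence)

def newer(received, stored):
    """True if the received Path Sequence is later than the stored one.
    Assumption: plain integer order; RFC 6550 lollipop wrap rules are not modelled."""
    return received > stored

def propagate_dco(nodes, start, target, path_seq):
    """Walk a DCO(tgt=target, pathseq=path_seq) downstream from `start` along each
    node's stored next hop; return a list of (node, action) describing each hop."""
    trace, cur = [], start
    while True:
        entry = nodes[cur].routes.get(target)
        if entry is None:                       # A.1 step 9: nothing to clean up here
            trace.append((cur, "drop: no routing entry for target"))
            return trace
        next_hop, stored = entry
        if not newer(path_seq, stored):         # A.1 step 9: stored sequence is not older
            trace.append((cur, "drop: stored Path Sequence is not older"))
            return trace
        del nodes[cur].routes[target]           # A.1 step 6: invalidate the stale entry
        trace.append((cur, f"invalidate, forward to {next_hop}"))
        if next_hop == target:                  # last 6LR on the old path; stop
            return trace
        cur = next_hop

def ancestor_receives_dao(nodes, ancestor, target, new_next_hop, path_seq, i_flag):
    """Section 4.1: the common ancestor installs the DAO's information and, if the
    next hop changed and the TIO carried the I-flag, starts a DCO down the old path.
    Normal DAO forwarding toward the 6LBR is not modelled."""
    node = nodes[ancestor]
    old = node.routes.get(target)
    node.routes[target] = (new_next_hop, path_seq)
    if old is None or old[0] == new_next_hop or not i_flag:
        return []                               # no path change, or no DCO requested
    return propagate_dco(nodes, old[0], target, path_seq)

def build_topology():
    """Constructed topology: target D's old path is D->B->G->A, new path D->H->A."""
    nodes = {n: Node(n) for n in "ABGH"}
    nodes["A"].routes["D"] = ("G", 5)
    nodes["G"].routes["D"] = ("B", 5)
    nodes["B"].routes["D"] = ("D", 5)
    return nodes
```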