[RTG-DIR] Rtgdir last call review of draft-ietf-roll-turnon-rfc8138-10

Stewart Bryant via Datatracker <noreply@ietf.org> Fri, 14 August 2020 18:55 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: rtg-dir@ietf.org
Delivered-To: rtg-dir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 7EB543A1211; Fri, 14 Aug 2020 11:55:19 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Stewart Bryant via Datatracker <noreply@ietf.org>
To: rtg-dir@ietf.org
Cc: last-call@ietf.org, draft-ietf-roll-turnon-rfc8138.all@ietf.org, roll@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.14.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <159743131948.29404.7285894923089059952@ietfa.amsl.com>
Reply-To: Stewart Bryant <stewart.bryant@gmail.com>
Date: Fri, 14 Aug 2020 11:55:19 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-dir/IFj8A_gYbD1Eer5GqVBFUlZ-c30>
Subject: [RTG-DIR] Rtgdir last call review of draft-ietf-roll-turnon-rfc8138-10
X-BeenThere: rtg-dir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Routing Area Directorate <rtg-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-dir/>
List-Post: <mailto:rtg-dir@ietf.org>
List-Help: <mailto:rtg-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Aug 2020 18:55:20 -0000

Reviewer: Stewart Bryant
Review result: Not Ready

I have been asked to review this by the Routing Directorate.

Summary

Although the are quite a few points below, a lot of them are editorials.
However I am a bit worried about the safety of the mechanism proposed which
seems to be rather more one-way that may be operationally safe.

Genarally the text is clear and well written.

Major Issues:

   In particular it is not the
   intention to undo the setting of the "T" flag.  Though it is possible
   to roll back (see Section 5.3), adding nodes that do not support
   [RFC8138] after a roll back may be problematic if the roll back did
   not fully complete.
SB> I see this as quite problematic. There are a number of reasons why you
might need to roll back: network merging, legacy nodes, bugs in the
implementation. I would think that you needed to be able to go backwards and
forwards, without difficulty and yet you give the impression that it really is
a one-way trip. I think that could be operationally problematic.

========

A node
   that cannot do so may remain connected to the network as a RUL, but
   how the node is modified to turn into a RUL is out of scope.
SB> That is quite worrying in practical deployments that this is not specified.

=======

   To ensure that a packet is forwarded across the RPL DODAG in the form
   in which it was generated, it is required that all the RPL nodes
   support [RFC8138] at the time of the switch.
SB> I am not sure if it is possible to implement the feature, but a safe
implementation would have them report that they support it and use that to
inhibit the setting of the T bit.

========
   When turning [RFC8138] compression off in the network, the Network
   Administrator MUST wait until all nodes have converged to the "T"
   flag reset before allowing nodes that do not support the compression
   in the network.
SB> How does it know that this has happened?

=========

7.  Security Considerations

   First of all, it is worth noting that with [RFC6550], every node in
   the LLN that is RPL-aware can inject any RPL-based attack in the
   network.  A trust model has to be put in place in an effort to
   exclude rogue nodes from participating to the RPL and the 6LoWPAN
   signaling, as well as from the data packet exchange.  This trust
   model could be at a minimum based on a Layer-2 Secure joining and the
   Link-Layer security.  This is a generic RPL and 6LoWPAN requirement,
   see Req5.1 in Appendix of [RFC8505].
SB> I am surprised there is not a MUST in the above considering the
vulnerability.

======

   An attacker in the middle of the network may reset the "T" flag to
   cause extra energy spending in its subDAG.  Conversely it may set the
   "T" flag, so that nodes located downstream would compress when that
   it is not desired, potentially resulting in the loss of packets.  In
   a tree structure, the attacker would be in position to drop the
   packets from and to the attacked nodes.  So the attacks above would
   be more complex and more visible than simply dropping selected
   packets.  The downstream node may have other parents and see both
   settings, which could raise attention.
SB> I am worried that there are no real mitigations to this. The attack may be
a bug.

=========

Minor Issues

   The suggested bit position of the "T" flag is indicated in Section 6.
SB> I know that you need to go through the IANA process, but future readers
SB> will find the text a lot easier to follow if the bit is included in
SB> Fig 1 above.
SB>
SB> Presumably the base spec sends with the T bit clear and thus the
SB> feature is disabled. It might not hurt to remind the reader of this as it
is what gives you the backwards compatibility.

========

   A router MUST uncompress a packet that is to be forwarded to an
   external target.
SB> Is there not a config option to retain compression to a consenting external
party?

========

6.  IANA Considerations

It would be clearer if there were an IANA/Editor request to also edit Fig 1

========

Nits/Editorials

Otherwise, a non-capable node acting as leaf-only would fail to
SB> would be clearer as non-RPL-capable

========

   communicate, and acting as a router it would drop the compressed
SB> Perhaps:  and if acting

========

   The idea is to use the flag to maintain the compression inactive
SB> Perhaps : The flag is cleared to maintain the compression inactive state

=========

   A node SHOULD source packets in the compressed form using [RFC8138]
SB> source or send?

==========

   The decision of using [RFC8138] is made by the originator of the
SB> the decision to use

==========

A router that encapsulates a packet is the
   originator of the resulting packet and is responsible to compress the
SB> for compressing

==========

In most cases, packets from and to an external target are
SB> "to and from" is more conventional English

==========

Enabling the [RFC8138] compression
   without a turn-on signaling requires a "flag day"; all nodes must be
   upgraded, and then the network can be rebooted with the [RFC8138]
   compression turned on.

SB> I am not sure my English is any better below, but the text could use a
little polish

Enabling the [RFC8138] compression without a turn-on signaling method requires
a "flag day"; by which time all nodes must be upgraded, and at which point the
network can be rebooted with the [RFC8138]compression turned on.