Re: [RTG-DIR] Rtg Dir review draft-ietf-6lo-rfc6775-update-13.txt

"Pascal Thubert (pthubert)" <pthubert@cisco.com> Mon, 26 February 2018 17:53 UTC

Return-Path: <pthubert@cisco.com>
X-Original-To: rtg-dir@ietfa.amsl.com
Delivered-To: rtg-dir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 232D812025C; Mon, 26 Feb 2018 09:53:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.531
X-Spam-Level:
X-Spam-Status: No, score=-14.531 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qoI3Umpi9kbq; Mon, 26 Feb 2018 09:53:31 -0800 (PST)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E29E81205F0; Mon, 26 Feb 2018 09:53:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5204; q=dns/txt; s=iport; t=1519667611; x=1520877211; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=sA42Ex1fpTEnHqaWTvtVv9AVflzX4MV1Ld5ygzxmwIg=; b=M/e3UyDBnRNNdcvcPXHXtLMDFv2XhE55Dka8My4d0Y+po4MU7n5bzgh6 0zStglNzFhYKXCOFddWNeV61z5xFyJBLibLmLKq1gMmKKN9O/DJ++Q0gt 1/7pftpTASsfz7dYUt0nHK1SrZpZh5+CLahn7kTcg4khbnAssckfmG8R6 Y=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AqAQAWSZRa/5BdJa1dGQEBAQEBAQEBAQEBAQcBAQEBAYNPZnAyjWyNfoICgRaWBYIWCiOFEAKCRVQYAQIBAQEBAQECayiFIwEBAQECATo/BQsCAQg2EDIlAQEEAQ0NhQAIEK1liG2CFAEBAQEBAQEBAQEBAQEBAQEBAQEBARgFhiiBGoFXgWUBgy2DLgEBA4FShg4FiiOHC4FbhS6JKgkChzeDHESIfoIPhWaDZYcPiWeCaoh3AhEZAYEuAR44gVFwFYJ+gkIcgXuLDCyBA4EXAQEB
X-IronPort-AV: E=Sophos;i="5.47,397,1515456000"; d="scan'208";a="142881488"
Received: from rcdn-core-8.cisco.com ([173.37.93.144]) by rcdn-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 26 Feb 2018 17:53:29 +0000
Received: from XCH-RCD-001.cisco.com (xch-rcd-001.cisco.com [173.37.102.11]) by rcdn-core-8.cisco.com (8.14.5/8.14.5) with ESMTP id w1QHrTtv007477 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 26 Feb 2018 17:53:29 GMT
Received: from xch-rcd-001.cisco.com (173.37.102.11) by XCH-RCD-001.cisco.com (173.37.102.11) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Mon, 26 Feb 2018 11:53:29 -0600
Received: from xch-rcd-001.cisco.com ([173.37.102.11]) by XCH-RCD-001.cisco.com ([173.37.102.11]) with mapi id 15.00.1320.000; Mon, 26 Feb 2018 11:53:29 -0600
From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: "adrian@olddog.co.uk" <adrian@olddog.co.uk>, "rtg-ads@ietf.org" <rtg-ads@ietf.org>
CC: "rtg-dir@ietf.org" <rtg-dir@ietf.org>, "draft-ietf-6lo-rfc6775-update.all@ietf.org" <draft-ietf-6lo-rfc6775-update.all@ietf.org>, "6lo@ietf.org" <6lo@ietf.org>
Thread-Topic: Rtg Dir review draft-ietf-6lo-rfc6775-update-13.txt
Thread-Index: AdOtm2nPNYcCdDASR1Wy3aGvKJZ+UgBi8jcg
Date: Mon, 26 Feb 2018 17:52:59 +0000
Deferred-Delivery: Mon, 26 Feb 2018 17:52:39 +0000
Message-ID: <a604b90474174a7a9b937fc4994e836d@XCH-RCD-001.cisco.com>
References: <061001d3ad9b$7315c8e0$59415aa0$@olddog.co.uk>
In-Reply-To: <061001d3ad9b$7315c8e0$59415aa0$@olddog.co.uk>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.61.212.148]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-dir/Uyh2mgcT2N7iuMVgwrGB3Pg-vVk>
Subject: Re: [RTG-DIR] Rtg Dir review draft-ietf-6lo-rfc6775-update-13.txt
X-BeenThere: rtg-dir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Routing Area Directorate <rtg-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-dir/>
List-Post: <mailto:rtg-dir@ietf.org>
List-Help: <mailto:rtg-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Feb 2018 17:53:33 -0000

Hello Adrian:

Thanks a  bunch for your review!

Let us address the major concerns first. Please see below:
> 
> Comments:
> 
> The document is quite hard work. More cross-references would help, and
> bringing the abbreviations to the top would also make things easier. But the
> main problem was the trickle feed of how everything hangs together - it's all
> there, but you have to read the entire document to get the whole picture.
[PT>] 
[PT>] will do.


> 
> ==Major==
> 
> 4.3
> 
>    With this specification, the Registration Unique ID is allowed to be
>    extended to different types of identifier, as long as the type is
>    clearly indicated.  For instance, the type can be a cryptographic
>    string and used to prove the ownership of the registration as
>    discussed in "Address Protected Neighbor Discovery for Low-power and
>    Lossy Networks" [I-D.ietf-6lo-ap-nd].  In order to support the flows
>    related to the proof of ownership, this specification introduces new
>    status codes "Validation Requested" and "Validation Failed" in the
>    EARO.
> 
> This seems fine, but I don't see how "the type is clearly indicated".

[PT>] AP -ND  https://tools.ietf.org/html/draft-ietf-6lo-ap-nd-05 introduce a new flag to indicate its form of RUID. Other may come in the future. It is important that it does signal the type because that triggers the validation flow. 



> 
> I think you also have to restate the uniqueness assumption in this new
> context. Probably that uniqueness is required across {type, value} (unless, of
> course, your answer to my first question is that type is embedded in value).
> This possibly cuts into backward compatibility as well?
> 
[PT>] A pure RFC 6775 6LR/6LBR will not need to know the difference, since it cannot validate a thing anyway. It will figure that the field is an EUI 64. As you point out, the additional risk vs. an implementation of the update is that the name spaces are not differentiated. So there is a (very^64 remote) risk that a crypto token ends up with the same value as an EUI 64 in the network; for that to have an impact, it would take that 2 nodes register a same address. Note that the Ap ND token is not expected to be used a IID. In other words, for the use that we make of the RUID, there is no real issue that an older implementation confuses the name spaces. Note that AP-ND may have 2 devices form the same RUID from 2 different keys. Then again, very bad luck. Still, not real damage even if that happens unless it is done willingly. DFrom the AP-ND perspective, that is address protection, one node could control the other's address but it does not even know they exist.

> See also 6.1/6.2
> 
> Furthermore, 7.1.2 says...
> 
>    A node that supports this specification MUST always use an EARO as a
>    replacement to an ARO in its registration to a router.  This is
>    harmless since the "T" flag and TID field are reserved in [RFC6775],
>    and are ignored by a RFC6775-only router.  A router that supports
>    this specification answers an ARO with an ARO and answers an EARO
>    with an EARO.
> 
> ...but this doesn't mention the "variation" of the RUID that might also arise
> with the EARO. How will the RFC6775-only router handle these new RUIDs
> and their "clearly indicated" types?
[PT>] 
[PT>] This is defined in the specs that provide those variations; in the case of AP ND there is a proof of ownership challenge of the RUID. You own the RUID if you have the key, and then you are entitled to register and use the address... A router that supports the RFC 6775 update and not any of the coming specs cannot process the RUID differently than a RFC6775-only router. Which is OK as long as the extensions are backwards compatible, IOW the RUID can be used as a unique token.


> 
> ---
> 
> 7.1.2
> 
>    One alternate way for a 6LN to discover the router's capabilities is
>    to start by registering...
> 
> You went to a lot of trouble to define the E-flag. You then made the use of the
> 6CIO (and hence the E-flag) only a SHOULD, and you defined an alternate
> mechanism. (Note: you say "one alternate" implying there are
> more!)
> 
> Choice is not good. It complicates the specification and the implementation.
> Why go there? Can't you settle on one mechanism and make it necessary and
> sufficient?
> 
[PT>] We could live without the 6CIO. The draft does not seem to be very much used and for backward compatibility we cannot depend on it.
 Still I think it is a good idea to expose capabilities and then start.  This draft encourages to start using it more now.
Unsure what to do here, I need to take the pulse of the WG.

> ---
> 
> You create new registries in 10.1 and 10.2. You must tell the IANA what
> allocation policies to use
> 
>
[PT>] Yes, it is missing in 10.2 though present in 10.1. I do not see a reason to make them different, so that would be:
' The policy is "IETF Review" or "IESG Approval" [RFC8126]'. 

Take care,

Pascal