Re: [secdir] Secdir review of draft-ietf-ice-dualstack-fairness-03

"Pal Martinsen (palmarti)" <palmarti@cisco.com> Thu, 04 August 2016 06:54 UTC

Return-Path: <palmarti@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DFA712D0E4; Wed, 3 Aug 2016 23:54:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.808
X-Spam-Level:
X-Spam-Status: No, score=-15.808 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JjmYrxKiz4mG; Wed, 3 Aug 2016 23:54:54 -0700 (PDT)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7597212D103; Wed, 3 Aug 2016 23:54:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=9714; q=dns/txt; s=iport; t=1470293694; x=1471503294; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=QGj5eNbVQm2Tvsx/rqzRfkT4oS1mAvGV91mfVGTf4bc=; b=D6mJ7ziqSVF9hLJSsr3aQaNYKsY9twyxvScla/RwyA0jnu5GNo46C5Eg eceOuX4f3qj8y2Jv+r3SRxX8ibpzFdQSGisrEwO+lFo3OD+xWiYrQYHg4 b8v8j5NcYpAaemIegyvkuAUdHq72+LtMS9T/ZlGnMR7KV82a9H9sIabji Y=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0A4AgAc5qJX/4oNJK1XBoNFVnwHuRmBfSCFfQIcgTE4FAEBAQEBAQFdJ4ReAQEEAQ4VBA0xBg4FCwIBBgIYAgImAgICMBUQAgQOBYgXAw8IkjudIItWGIQNAQEBAQEBAQEBAQEBAQEBAQEBAR6BAYUpgXiBUoEDhDIOgwErgi8BBJk0AYkThWyPQIwwg3YBHjaCEhyBTG6HJn8BAQE
X-IronPort-AV: E=Sophos;i="5.28,469,1464652800"; d="scan'208";a="306582383"
Received: from alln-core-5.cisco.com ([173.36.13.138]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 04 Aug 2016 06:54:34 +0000
Received: from XCH-ALN-016.cisco.com (xch-aln-016.cisco.com [173.36.7.26]) by alln-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id u746sYFr009882 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 4 Aug 2016 06:54:34 GMT
Received: from xch-rcd-019.cisco.com (173.37.102.29) by XCH-ALN-016.cisco.com (173.36.7.26) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Thu, 4 Aug 2016 01:54:34 -0500
Received: from xch-rcd-019.cisco.com ([173.37.102.29]) by XCH-RCD-019.cisco.com ([173.37.102.29]) with mapi id 15.00.1210.000; Thu, 4 Aug 2016 01:54:34 -0500
From: "Pal Martinsen (palmarti)" <palmarti@cisco.com>
To: Charlie Kaufman <charliekaufman@outlook.com>
Thread-Topic: Secdir review of draft-ietf-ice-dualstack-fairness-03
Thread-Index: AQHR2AUWk4ql4+jlVEO1OZzBN30rgKA43a+A
Date: Thu, 04 Aug 2016 06:54:33 +0000
Message-ID: <34E03521-A8B0-417C-8A81-5F8234AE7CB4@cisco.com>
References: <CY1PR17MB042523AE29B615686A832F68DF3B0@CY1PR17MB0425.namprd17.prod.outlook.com>
In-Reply-To: <CY1PR17MB042523AE29B615686A832F68DF3B0@CY1PR17MB0425.namprd17.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.61.217.3]
Content-Type: text/plain; charset="utf-8"
Content-ID: <93CBDB58298DFA43A769322E7DAEAAC0@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/-GDeT3Cmf5nXiVXG1ZabSZ-VGJA>
Cc: "draft-ietf-ice-dualstack-fairness.all@tools.ietf.org" <draft-ietf-ice-dualstack-fairness.all@tools.ietf.org>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-ice-dualstack-fairness-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Aug 2016 06:54:57 -0000

> On 07 Jul 2016, at 06:12, Charlie Kaufman <charliekaufman@outlook.com> wrote:
> 
> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.
> 
> I don't believe this proposal raises any security concerns. It has a short Security Considerations section containing information relevant to ICE but not to this proposed modification.
> 
Rewrote the security section. Going into details regarding STUN is not needed.

How about:
The security considerations described in [I-D.ietf-ice-rfc5245bis]
are still valid.  This specification does not add or remove any
security considerations.  It changes recommended values and describes
how an agent could choose those values in a safe way.



> This document proposes a modification to RFC5245bis (which specifies a protocol for NAT traversal). When trying to establish a connection through a NAT, there are a number of different techniques that can be used, some of which will work and some of which will not work depending on the characteristics of the NAT and other aspects of the environment. RFC5245 specifies an enumeration of such techniques and specifies an order in which they should be attempted.
> 
> Apparently, there are problems in real world deployments where there are a large number of possible NAT traversal techniques and checking them in the order prescribed by RFC5245bis results in long delays and sometimes connection failures based on timeouts. This document proposes changing the order in order to get better performance and reliability. It makes no other changes to the protocol.
> 

That is a good summary. My only comment is that we are not dealing with “techniques” (ICE is the technique we are using).  What we are struggling with is multiple network paths that may or may not work. 

> Detailed review:
> 
> I'm not an ICE expert, so some of these comments may be completely misguided. Take them for whatever they may be worth.
> 
> I don't think "fairness" is the right term in this context. The goal is not a fair division of resources between different clients or even any sort of balance between use of IPv4 and IPv6. If many different connectivity mechanisms worked, the preferred mechanism would be (I assume) the one computed using the formula in RFC5245bis. The problem is that checking all of the mechanisms in order to too time consuming, and there is a desire to check (and settle on) techniques more likely to work ahead of techniques less likely to work but more optimal if they do (in particular, checking some IPv4 based techniques before all of the IPv6 based techniques have been tried).
> 

I tend to agree, but we struggled to find a better word than fairness. 

I am not a native speaker, so I might got this wrong. From http://www.dictionary.com:
“the state, condition, or quality of being fair, or free from bias or injustice; evenhandedness”.

We are trying to be free from bias or injustice when deciding what network paths to test first. 


> Section 5 says:
> > ICE [I-D.ietf-ice-rfc5245bis] section 4.1.2.2 has guidelines for how
> > the type preference and local preference value should be chosen.
> > Instead of having a static local preference value for IPv4 and IPv6
> > addresses, it is possible to choose this value dynamically in such a
> > way that IPv4 and IPv6 address candidate priorities end up
> > intermingled within the same candidate type. It is also possible to
> > assign lower priorities to IP addresses derived from unreliable
> > interfaces using the local preference value.
> 
> This specification says what is possible, but it does not (as far as I could see) specify any particular means of accomplishing it. If the intent of this RFC is to encourage people to experiment with different priority techniques, that's fair but the document should say so. If the intent is to encourage people to copy the design in ICE_dualstack_imp, then it's formula for priority should be specified here in sufficient detail to implement it.
> 
Good point. 

The original intent of the draft was to provide a formula, but creating one that everyone was happy with proved difficult. So the draft reverted to provide guidelines and say what values safely could safely be experimented with. 
 
Added text to introduction:
“ This document describes what parameters an agent can safely alter to
   fairly order the checklist candidate pairs in multihomed and dual-
   stack environments, thus affecting the sending order of the
   connectivity checks.  Actual values of those parameters is an
   implementation detail.  Dependant on the nomination method in use,
   this might have an effect on what candidate pair ends up as the
   active one.  Ultimately it should be up to the agent to decide what
   candidate pair is best suited for transporting media.”


> Section 1 para 1 line 5: All interfaces and address types are known to the application. Perhaps this was intended to say all interfaces and address types known by the application to be unreliable…
> 
?? Did not find that text.

> Section 1 last paragraph and Section 5 third to last paragraph say:
> 
> > The introduced fairness might be better, but not
> > worse than what exists today
> 
> This is probably not true. There are probably unusual cases where this reordering will result in slightly increased connection times. I suspect what is meant is that "In almost all cases this change will result in connection times at least as fast as those using the previous system, and in many cases the benefit will be substantial.”
> 
Both of those sections talks about backward compatibility. The intent was to say if agent supporting dual-stack fairness talks to an old ICE agent things would probably still be better off, but since this is also only recommendations in the ICE RFC there is really know way for us to know. 

Saying anything about connection times will open up a big rat-hole in the WG. The use of the fairness wording was meant to indicate that overall connection times might go up ((Especially for those implementation that did a hard prioritisation of IPv4, but the goal of this is to help IPv6 as well), but you would avoid those scenarios where excessive delays ere encountered. 

> Typos:
> 
> Section 1 para 1 line 5: arguable -> arguably
Fixed.
> Section 1 para 1 line 7: know -> known
Fixed
> Section 1 para 2 line 7: describes -> describe
Fixed.
> Page 4 last para line 7: “too excessive" -> "not optimal"
Fixed
> Section 7 end of third to last paragraph: missing “.”
Ignored, text to be removed before publishing as RFC. 



Have posted a new version of the draft. We should probably take especially care to make sure we are happy with the new security section. 


.-.
Pål-Erik

> 
> 
> 
> Sent from Outlook