Re: [secdir] secdir review of draft-ietf-6man-addr-select-opt
Arifumi Matsumoto <arifumi@nttv6.net> Wed, 05 June 2013 13:51 UTC
Return-Path: <n@arifumi.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C138621F9B4B for <secdir@ietfa.amsl.com>; Wed, 5 Jun 2013 06:51:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.976
X-Spam-Level:
X-Spam-Status: No, score=-101.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gd-m1Ljdl2sM for <secdir@ietfa.amsl.com>; Wed, 5 Jun 2013 06:51:10 -0700 (PDT)
Received: from mail-pd0-f169.google.com (mail-pd0-f169.google.com [209.85.192.169]) by ietfa.amsl.com (Postfix) with ESMTP id A441D21F9AB4 for <secdir@ietf.org>; Wed, 5 Jun 2013 06:51:09 -0700 (PDT)
Received: by mail-pd0-f169.google.com with SMTP id y10so1867602pdj.0 for <secdir@ietf.org>; Wed, 05 Jun 2013 06:51:09 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:sender:x-originating-ip:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :x-gm-message-state; bh=+aN40ip5XcasqfQov6zmxaodHuDfN/HlsT39BGpD0Kg=; b=R8TBLxDQez8lG42FvjZAS5CHoTe634Xk2qkSkoQ9Yz6uz0dMfBGutKGB/UCL9tKNPw M7wY4p47dWOQq8eTJnJ3MkgiGnMzJONrkDNYj3ECglUdKSfkOYenB2dck4UbX7E8n6nB XsrbyO5dcV8cEPbJMzPXznhIo7nVXME4YYfRvCorisH0Fd7AuiMTnt2HofDiOcg/u7WZ PRWNMt7V4a9j+40AohBr0/wlbxp+063EDZbDthyMhyxl1y4hKQGBv2v2tFVDtiEEmK+G PJ3uveg237TJxfI4ovhcty43SMq4q4MckX3l4kN3EvxUIA8WRbgjwmzlndE2kHDrTnHG WaQA==
MIME-Version: 1.0
X-Received: by 10.66.162.67 with SMTP id xy3mr33709276pab.94.1370440269322; Wed, 05 Jun 2013 06:51:09 -0700 (PDT)
Sender: n@arifumi.net
Received: by 10.68.194.198 with HTTP; Wed, 5 Jun 2013 06:51:09 -0700 (PDT)
X-Originating-IP: [118.21.146.144]
In-Reply-To: <CABTuw1BWw6xxdo9zmQaVc3ceq1k4mGOOaZgEixSwgctuvYKc2w@mail.gmail.com>
References: <3dc2e7cf8e11e1928d71c08895be5c68.squirrel@www.trepanning.net> <CABTuw1BWw6xxdo9zmQaVc3ceq1k4mGOOaZgEixSwgctuvYKc2w@mail.gmail.com>
Date: Wed, 05 Jun 2013 22:51:09 +0900
X-Google-Sender-Auth: NKStlTe0Apla3rEYHHwBiXk5ky4
Message-ID: <CABTuw1CX6gAMCLNzPZyLyOfKCgWbWw7jk9vmPqSR4vXLUdcW=Q@mail.gmail.com>
From: Arifumi Matsumoto <arifumi@nttv6.net>
To: Arifumi Matsumoto <arifumi@nttv6.net>
Content-Type: multipart/alternative; boundary="047d7b86e3e470d6a304de687d2c"
X-Gm-Message-State: ALoCoQkkwSj2jSpLQjx/9t9H/WwZVSCeaHyHpd0SonosV/yfAY1rt+9W3BLNPtwePOeRJMHZ/Mf1
Cc: "draft-ietf-6man-addr-select-opt.all@tools.ietf.org" <draft-ietf-6man-addr-select-opt.all@tools.ietf.org>, secdir@ietf.org, iesg@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-6man-addr-select-opt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Jun 2013 13:51:16 -0000
Hi, did my previous e-mail get to you all ? 2013/5/28 Arifumi Matsumoto <arifumi@nttv6.net> > Hi Dan, > I appreciate your review. > > Comments below. > > 2013/5/22 Dan Harkins <dharkins@lounge.org> > >> >> Hello, >> >> I have reviewed draft-ietf-6man-addr-select-opt as part of the >> security directorate's ongoing effort to review all IETF documents >> being processed by the IESG. These comments were written primarily >> for the benefit of the security area directors. Document editors and >> WG chairs should treat these comments just like any other last call >> comments. >> >> draft-ietf-6man-addr-select-opt defines address selection options >> for DHCPv6 that allow a network administrator to effect some >> control over address selection behavior of nodes on their sites. >> >> This sounds like a reasonably straightforward problem but as I >> read the draft it seemed like it might be have interoperability issues. >> I don't believe this draft is ready for advancement until these issues >> are resolved. >> >> For instance, while I think I understand the policy override of RFC >> 6724, having the Automatic Row Additions Flag be part of the address >> selection options seems problematic. If it is set to zero, then what are >> the semantics of such a message? "Here's an address selection option >> but don't you dare use it!"? What is the point? Me, as a node, can have >> this as part of my policy state which would allow me to ignore such >> an update but to have the bit be part of the option to update does >> not seem to make much sense. The semantics of the message needs >> to be explained much more clearly, or the bit needs to be removed >> from the message. >> > > If A flag is zero, it means Automatic Row Addition is indicated not to > perform. > If A flag is 1, it means it is up to the node. > > Even in the latter case, the Address Selection Option may contain other > information to the node, such as the policy table and other flags. > > Make sense ? > > If not, splitting the flag into another new sub-option makes sense to you ? > > >> >> Section 3.3 says, "Even if the received policy from one source is >> merged with one from another source, the effect of both policy are >> more or less changed." I don't understand how both policies are >> changed. And what does "more or less" mean? > > > I think that a policy table has its own unique meaning. Even single > insertion/deletion from the table makes the table different. > > For example, when adding a line, from one source, to the default policy > table below, > > Prefix Precedence Label > ::1/128 50 0 > ::/0 40 1 > ::ffff:0:0/96 35 4 > 2002::/16 30 2 > 2001::/32 5 5 > fc00::/7 3 13 > ::/96 1 3 > fec0::/10 1 11 > 3ffe::/16 1 12 > > makes > > Prefix Precedence Label > ::1/128 50 0 > ::/0 40 1 > ::ffff:0:0/96 35 4 > 2002::/16 30 2 > + 2003::/16 10 6 > 2001::/32 5 5 > fc00::/7 3 13 > ::/96 1 3 > fec0::/10 1 11 > 3ffe::/16 1 12 > > In this case, the prefix 2003::/16 has lower precendence than the default > policy table. And, the table contains a lot of policy that is not intended > by > the source who deliver single line of policy. > > > >> 3.3 also says, >> "It also should be noted that absence of the distributed policy from a >> certain network interface should not be treated as absence of policy >> itself, because it may mean preference for the default address >> selection policy." So I use the default address selection policy then, >> is that it? > > > I mean, there is no way to tell the network with no policy distribution > prefers default policy, or does not care about it. > The conclusion is "using the default policy should be safe", though. > > >> This whole section (3.3) screams out for some normative >> language since it sounds like it refers to behavioral changes on the >> node. >> > > Do you mean this section should have more SHOULDs and MUSTs ? > If so, on which part do you think should we put ? > > >> >> There is an "Implementation Consideration" mentioning that the >> label is passed as an unsigned integer. But it then goes on to say, >> "DHCPv6 clients SHOULD convert this label to a representation >> appropriate for the local implementation (e.g., string)." This has >> interoperability implications because it is not solely a local matter. >> The node may represent these things differently than the network >> administrator and the preference will not be done properly. RFC 6724 >> does not really define what the label is from what I can tell. It's >> used to just allow for policies to prefer a particular source address, >> S, with a particular destination address, D, if "Label(S) = Label(D)". >> But to pass a value over a network, and have it be used by the >> recipient, means that a canonical representation of "label" has to >> be defined. >> > > Maybe, I don't understand your point quite well. > As far as the one-to-one mapping in a node is performed between an > unsinged integer and representation format, I think there will not arise > interoperability issue, such that a policy has different meaning depending > on a receiving host. > > >> An appendix with examples would be most helpful! >> > > RFC 6724 has a lot of examples for policy table. > Do you think we need other examples, or just same ones ? > > >> >> Spelling nit: section 3.1 "The choice a SHOULD be default, as far as >> the policy table is not configured by the user." There's an extra >> word in there somewhere, or maybe there's some words missing, >> it's hard to understand what is being implied. >> > > It means the choice called "a" below should be default. > Maybe using parenthesis (a) makes it clearer ? > > Best regards, > > >> >> regards, >> >> Dan. >> >> >> >
- [secdir] secdir review of draft-ietf-6man-addr-se… Dan Harkins
- Re: [secdir] secdir review of draft-ietf-6man-add… Arifumi Matsumoto
- Re: [secdir] secdir review of draft-ietf-6man-add… Arifumi Matsumoto
- Re: [secdir] secdir review of draft-ietf-6man-add… Dan Harkins
- Re: [secdir] secdir review of draft-ietf-6man-add… Arifumi Matsumoto
- Re: [secdir] secdir review of draft-ietf-6man-add… Ole Troan
- Re: [secdir] secdir review of draft-ietf-6man-add… Dan Harkins
- Re: [secdir] secdir review of draft-ietf-6man-add… Arifumi Matsumoto
- Re: [secdir] secdir review of draft-ietf-6man-add… Dan Harkins
- Re: [secdir] secdir review of draft-ietf-6man-add… Arifumi Matsumoto
- Re: [secdir] secdir review of draft-ietf-6man-add… Arifumi Matsumoto
- Re: [secdir] secdir review of draft-ietf-6man-add… Ole Troan
- Re: [secdir] secdir review of draft-ietf-6man-add… Dan Harkins
- Re: [secdir] secdir review of draft-ietf-6man-add… Ole Troan
- Re: [secdir] secdir review of draft-ietf-6man-add… Arifumi Matsumoto
- Re: [secdir] secdir review of draft-ietf-6man-add… Arifumi Matsumoto
- Re: [secdir] secdir review of draft-ietf-6man-add… Arifumi Matsumoto
- Re: [secdir] secdir review of draft-ietf-6man-add… Dan Harkins