IETF Logo Mail Archive

Re: [secdir] Secdir Last Call assignment: draft-ietf-regext-change-poll

"Gould, James" <jgould@verisign.com> Mon, 29 October 2018 13:57 UTC

Return-Path: <jgould@verisign.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85561130F26; Mon, 29 Oct 2018 06:57:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nArD7q3hxo94; Mon, 29 Oct 2018 06:57:11 -0700 (PDT)
Received: from mail2.verisign.com (mail2.verisign.com [72.13.63.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91D5E128CFD; Mon, 29 Oct 2018 06:57:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=5700; q=dns/txt; s=VRSN; t=1540821430; h=from:to:cc:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version:subject; bh=DzfcxFzHyBdBk91I12JkGrMqpFdewqjifhzU9u1OE0o=; b=H3Dd8l2xQit663kUdN66OmVu+lhxwWoeA0U3PdbzUxVHm2u0KBqZKzkD yMq3LI7kQdRvC4hZmVgZeFp7Rn6XB4eB/C+nljma6y0qqpzM61Yx1fZEx ypqemTc974MssndoylNZFQu7eNAP8FzsZbQq8ROV6yU7/JY/7KgzWYDZR x3+FKlekEGAbRC4G38AUGw6pMoWg/3yp49Gvu6iqJtX8rt96IpF943U6F hXJmXvYwtWq/cgX8dCSH9Runpf/V2ceDJR2XWEim/qM7zfXckkpmPWChi 2S4pYI44gWO3EuAVwzfO49kl0nqxTP/AO0M31YGF/XbZ/tgUMdKSDbU71 A==;
X-IronPort-AV: E=Sophos;i="5.54,440,1534809600"; d="scan'208";a="6145577"
IronPort-PHdr: 9a23:jhmxRxMICyZ1l7I15OIl6mtUPXoX/o7sNwtQ0KIMzox0K/3+psbcNUDSrc9gkEXOFd2Cra4c1KyO6+jJYi8p2d65qncMcZhBBVcuqP49uEgeOvODElDxN/XwbiY3T4xoXV5h+GynYwAOQJ6tL1LdrWev4jEMBx7xKRR6JvjvGo7Vks+7y/2+94fcbglUhjexe69+IAmrpgjNq8cahpdvJLwswRXTuHtIfOpWxWJsJV2Nmhv3+9m98p1+/SlOovwt78FPX7n0cKQ+VrxYES8pM3sp683xtBnMVhWA630BWWgLiBVIAgzF7BbnXpfttybxq+Rw1DWGMcDwULs5Xymp4aV2Rx/ykCoJNyA3/nzLisJ+j6xbrhCuqBJ+w4HIb4+aO+Fzfr/GctMfWWZNQtxcWi5HD4ihb4UPFe0BPeNAooXzplUOqga+BQ2xC+/31zRGgmX53agk3OQ6Hw3NwQstH9ABsHTTsdX1MLodXPurzKbW1zXDbuhW2Tby6IjOaBwuvfaMXbdpfMfX1EIhGQTFjlCKpozkOTOYzvoNvHaB7+phTuKvimEnqwdwojip2sggkJXGhoUQyl3C6C53w541KMWlREJne9KoDZldui+AO4drQs4vTXtktSk5x7EepJK3YDIGxIklyhLDcfCLboeF7xH5WOqMIjp0nHxld6y8ihqu9EWtz/fzW8qw3VlRqydInMfAuW0M2hHW8ceKTvpw80Wk1DuB2Q3e6PxLLEYpnqTBMZEh2KQ/lp8LvETGGS/5hVv5gbeNdkUh5uio8+PnYqj6ppOEN497lAX+MqM2l8GiHeo2KhUCUGiD9+qz1bLv4VD1TK9UjvIqlanZqojaKd4BqaGkGQNVzJwj6w25Dzu8zNsYmnwHIEpEeBKBkYfpJ0nDLO3kAfulnlihkjlmy+rbMrDhDJjBNHfOnbT5cbZ48UFcyQ4zzd5F55JTD7EMOPDzWkD2tNzFCh82Lhe5w/j5B9Vn14MeQmOPAqCfMK/IrVCI4ecvL/GWZIAJoDb9N+Ql5/n2gH8ng1Adebem3YEXaX2jBfRmJkWYYWHogtcGD2cGpAw+Q/L2iFeaSz5ce26yX74g5jE8EI+mFpnMSZywj7yAxie2BZxWaX5aClCCC3vocJ+EW/gUYiKIPsBhiiAEVaSmS4I5yB6urhX1y7R7LubN+y0Xq47j1NZs6+3Jix4y+iJ7DsuB022UU250nnkHRzk53K9huEB90lCD0ax8g/BCD9NT4/dJXxw7NZHC0+x6Bcr+WgXbfteGUFymWMmpASktTtItxN8De1x9FMutjh/d0CuqH6QYl72VC5wo/KLQxX/xJ9xyy3zezqkuk0EmQtdTNW2hnqN/9hbcB5LHk0iClqala7gc3CDX+GeE12qOsxIQbAklG7vMWX0Fd2PNqMXi4kTcCbmjFf5vZhVIzcOYO4NRb8zyiVJYAvHuJIKaKyiqlmy8BAygx76QYsztYWpXlHHGBUMIkho7/HuaO045HCj38EzECzk7X33ofkfgtaFcoXa2VQV8mwOFaFBl25Kr9wQUnv2TTbUY2bdS63RpkCl9AFvoh4GeMNGHvQc0JKg=
X-IPAS-Result: A2EYAADRENdb/zCZrQpiAxwBAQEEAQEHBAEBgVEHAQELAYJqgScKg2uIGI1/l0WBPzsMARMMD4Q+AheDNzQNDQEDAQEBAQEBAgEBAoEFDII2IhJLLwkBMgEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQgCCAdHARoGIxE+BxACAQgaAiYCAgIwFRABAQQBDQWDIQGqD4EuihOBC4gUgl+BQj6BEScME4JMhGgiCwomgj0xgiYCjmCQKQMGAoZoijKCHo4pjHCKBQIEAgQFAhSBQ4IOcBVlAYJBCYV8ilJvDSSLVYEfAQE
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1531.3; Mon, 29 Oct 2018 09:57:08 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1531.003; Mon, 29 Oct 2018 09:57:08 -0400
From: "Gould, James" <jgould@verisign.com>
To: "valery@smyslov.net" <valery@smyslov.net>, "secdir@ietf.org" <secdir@ietf.org>
CC: "draft-ietf-regext-change-poll.all@ietf.org" <draft-ietf-regext-change-poll.all@ietf.org>, "regext@ietf.org" <regext@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Thread-Topic: [EXTERNAL] Secdir Last Call assignment: draft-ietf-regext-change-poll
Thread-Index: AdRvXnGNFd6CotSYRDG5mWUsUy7B6wAMNZ4A
Date: Mon, 29 Oct 2018 13:57:08 +0000
Message-ID: <89648AE8-724C-4814-9826-FD28C8CBD652@verisign.com>
References: <04a001d46f8c$3fd204e0$bf760ea0$@smyslov.net>
In-Reply-To: <04a001d46f8c$3fd204e0$bf760ea0$@smyslov.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.f.0.180709
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-ID: <159781F298D37846B8AF299F7B65020F@verisign.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/EGANXd7-RNIUcosOWPgIUruYt44>
Subject: Re: [secdir] Secdir Last Call assignment: draft-ietf-regext-change-poll
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Oct 2018 13:57:14 -0000

Thank you for the review and feedback.  I can understand the confusion if you're not familiar with the EPP protocol.  I attempt to clarify things below.  

The info command and the poll command are different commands, but where the confusion lies is with the response.  A poll response can be any EPP response, since the information for a poll response is built into the general EPP response with the <msgQ> element (section 2.6 of RFC 5730), so any EPP response "has a" relationship with the poll queue information.  A concrete EPP response, which in this case is an info response, extends ("is a" relationship) the EPP general response, so a concrete EPP response can be used in the response to an EPP command or an EPP poll command.  In the case of the draft-ietf-regext-change-poll, it specifies the use of the info response of other EPP objects (e.g., domain in RFC 5731, host in RFC 5732, or contact in RFC 5733) with the Change Poll Extension that defines the server-side operation meta-data of what, when, who, and why.  A concrete example is the server adding a server status on a domain name, as defined in RFC 5731, where it can insert an EPP poll message in the form of a domain info response that includes the added server status, with the poll message <msgQ> element populated, and with the Change Poll Extension added.  The responses of draft-ietf-regext-change-poll are associated with poll responses, where the concrete poll responses used are info responses with the Change Poll extension.  A client would request the poll message using the EPP RFC 5730 poll command and would receive the poll message in the form of an info response, with the poll queue information included, and with the Change Poll extension.

I hope this helps.   

Thanks,
  
—
 
JG



James Gould
Distinguished Engineer
jgould@Verisign.com

703-948-3271
12061 Bluemont Way
Reston, VA 20190

Verisign.com <http://verisigninc.com/> 

On 10/29/18, 9:36 AM, "Valery Smyslov" <valery@smyslov.net> wrote:

    Reviewer: Valery Smyslov	
    Review result: Ready with Nits
    
    I have reviewed this document as part of the security directorate's 
    ongoing effort to review all IETF documents being processed by the 
    IESG.  These comments were written primarily for the benefit of the 
    security area directors.  Document editors and WG chairs should treat 
    these comments just like any other last call comments.
    
    This draft defines an extension for an Extensible Provisioning Protocol (EPP, RFC 5730)
    that allows servers to notify clients about operations which were not 
    initiated by clients, but which modify state of client-sponsored objects.
    
    The extension is defined using standard EPP mechanism for adding extensions,
    so Security Considerations from RFC 5730 are applied and no new ones are added. 
    Keeping long message queues consume server resources and can
    potentially be a surface for DoS attack, however as far as I understand
    unauthorized entities cannot cause server to perform actions resulted in 
    operations on other clients' objects, so it seems that it is not a security issue here.
    Nevertheless adding a few words that it is not a security issue would be helpful.
    
    General comment not related to security. It seems to me that the protocol description
    is inconsistent. The Introduction Section states, that this extension only extends 
    the response to the EPP <poll> command. However, Section 3 of this specification, 
    which describes the EPP Command Mapping, extends only the response 
    to the EPP <info> command with poll message, and the <poll> command is not mentioned 
    there at all. I'm not familiar with the EPP protocol, but I believe that <info> and <poll> 
    are different commands, so unless I've missed something, it seems that the protocol 
    description is inconsistent (or incomplete). Since it is not related to security, 
    I think the document is Ready (from security perspective), but this inconsistency 
    must either be fixed or some clarification be provided.

v2.23.0 | Report a Bug | By Email