Re: [secdir] Secdir review of draft-ietf-ice-dualstack-fairness-03

"Pal Martinsen (palmarti)" <palmarti@cisco.com> Sun, 10 July 2016 20:16 UTC

Return-Path: <palmarti@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE73A12D0D9; Sun, 10 Jul 2016 13:16:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.685
X-Spam-Level:
X-Spam-Status: No, score=-14.685 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001, URI_HEX=1.122, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id clsyg8ZO8oQ6; Sun, 10 Jul 2016 13:16:44 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DAE0712D0D3; Sun, 10 Jul 2016 13:16:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=13391; q=dns/txt; s=iport; t=1468181803; x=1469391403; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=J1hdhNqjCDmzkHQf24gCHcw8SA7NyOW4HkgQNS0ZX4A=; b=bPg/8WrFOcPojRKqz76056tAXNQ7jvdCHdKdH9ACJMFvJMadC1XuEiAA WthT+Bu/MI52WuOFD1JChp9eMAi/32L/CWuB+tAzllk4Z8RR1btK2lRsz hUzSi9C6s3ETWRJ19r3U6lDTqYHGt7sInXnEaK6zJ6YyMbBnRjV+tRH0I 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CiBwAfrIJX/5NdJa1XBoF3eU5WfKdij?= =?us-ascii?q?DGFBIF6H4UvRQMCAoEfOBQBAQEBAQEBZSeEXQEEAQ4ZPgYOBQsCAQg/BzIUEQI?= =?us-ascii?q?EDgWIFgMPCA65fgMVhBABAQEBAQEBAQEBAQEBAQEBAQEBAQEchieBeAiCTYQtB?= =?us-ascii?q?oM6gi8FjAeNEQGGDIJ6hUuPLIgdFYdcAR42ggkcgUxuAQGHK4FDAQEB?=
X-IronPort-AV: E=Sophos;i="5.28,343,1464652800"; d="scan'208,217";a="295944906"
Received: from rcdn-core-11.cisco.com ([173.37.93.147]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 10 Jul 2016 20:16:42 +0000
Received: from XCH-RTP-016.cisco.com (xch-rtp-016.cisco.com [64.101.220.156]) by rcdn-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id u6AKGgDd002739 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Sun, 10 Jul 2016 20:16:42 GMT
Received: from xch-rtp-019.cisco.com (64.101.220.159) by XCH-RTP-016.cisco.com (64.101.220.156) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Sun, 10 Jul 2016 16:16:41 -0400
Received: from xch-rtp-019.cisco.com ([64.101.220.159]) by XCH-RTP-019.cisco.com ([64.101.220.159]) with mapi id 15.00.1210.000; Sun, 10 Jul 2016 16:16:41 -0400
From: "Pal Martinsen (palmarti)" <palmarti@cisco.com>
To: Charlie Kaufman <charliekaufman@outlook.com>
Thread-Topic: Secdir review of draft-ietf-ice-dualstack-fairness-03
Thread-Index: AQHR2AUWk4ql4+jlVEO1OZzBN30rgKASH+d7
Date: Sun, 10 Jul 2016 20:16:41 +0000
Message-ID: <68B1A3ED-519C-4BE4-8319-59857846E2F4@cisco.com>
References: <CY1PR17MB042523AE29B615686A832F68DF3B0@CY1PR17MB0425.namprd17.prod.outlook.com>
In-Reply-To: <CY1PR17MB042523AE29B615686A832F68DF3B0@CY1PR17MB0425.namprd17.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
Content-Type: multipart/alternative; boundary="_000_68B1A3ED519C4BE4831959857846E2F4ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Uw8wvvb6QE7ewYk8eemG0Ccncdk>
Cc: "draft-ietf-ice-dualstack-fairness.all@tools.ietf.org" <draft-ietf-ice-dualstack-fairness.all@tools.ietf.org>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-ice-dualstack-fairness-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Jul 2016 20:16:47 -0000

Thanks for the thorough review. Due to paternity leave there will be a slight delay fixing the issues. Will attend to this early August.

P?l-Erik
Sent from my iPhone

On 07 Jul 2016, at 06:39, Charlie Kaufman <charliekaufman@outlook.com<mailto:charliekaufman@outlook.com>> wrote:


I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

I don't believe this proposal raises any security concerns. It has a short Security Considerations section containing information relevant to ICE but not to this proposed modification.

This document proposes a modification to RFC5245bis (which specifies a protocol for NAT traversal). When trying to establish a connection through a NAT, there are a number of different techniques that can be used, some of which will work and some of which will not work depending on the characteristics of the NAT and other aspects of the environment. RFC5245 specifies an enumeration of such techniques and specifies an order in which they should be attempted.

Apparently, there are problems in real world deployments where there are a large number of possible NAT traversal techniques and checking them in the order prescribed by RFC5245bis results in long delays and sometimes connection failures based on timeouts. This document proposes changing the order in order to get better performance and reliability. It makes no other changes to the protocol.

Detailed review:

I'm not an ICE expert, so some of these comments may be completely misguided. Take them for whatever they may be worth.

I don't think "fairness" is the right term in this context. The goal is not a fair division of resources between different clients or even any sort of balance between use of IPv4 and IPv6. If many different connectivity mechanisms worked, the preferred mechanism would be (I assume) the one computed using the formula in RFC5245bis. The problem is that checking all of the mechanisms in order to too time consuming, and there is a desire to check (and settle on) techniques more likely to work ahead of techniques less likely to work but more optimal if they do (in particular, checking some IPv4 based techniques before all of the IPv6 based techniques have been tried).

Section 5 says:
> ICE [I-D.ietf-ice-rfc5245bis] section 4.1.2.2 has guidelines for how
> the type preference and local preference value should be chosen.
> Instead of having a static local preference value for IPv4 and IPv6
> addresses, it is possible to choose this value dynamically in such a
> way that IPv4 and IPv6 address candidate priorities end up
> intermingled within the same candidate type. It is also possible to
> assign lower priorities to IP addresses derived from unreliable
> interfaces using the local preference value.

This specification says what is possible, but it does not (as far as I could see) specify any particular means of accomplishing it. If the intent of this RFC is to encourage people to experiment with different priority techniques, that's fair but the document should say so. If the intent is to encourage people to copy the design in ICE_dualstack_imp, then it's formula for priority should be specified here in sufficient detail to implement it.

Section 1 para 1 line 5: All interfaces and address types are known to the application. Perhaps this was intended to say all interfaces and address types known by the application to be unreliable...

Section 1 last paragraph and Section 5 third to last paragraph say:

> The introduced fairness might be better, but not
> worse than what exists today

This is probably not true. There are probably unusual cases where this reordering will result in slightly increased connection times. I suspect what is meant is that "In almost all cases this change will result in connection times at least as fast as those using the previous system, and in many cases the benefit will be substantial."

Typos:

Section 1 para 1 line 5: arguable -> arguably
Section 1 para 1 line 7: know -> known
Section 1 para 2 line 7: describes -> describe
Page 4 last para line 7: "too excessive" -> "not optimal"
Section 7 end of third to last paragraph: missing "."



[https://cid-ee6944db1998bb09.users.storage.live.com/users/0xee6944db1998bb09/myprofile/expressionprofile/profilephoto:UserTileMedium,UserTileStatic,UserTileSmall/MeControlMediumUserTile?ck=1&ex=24&fofoff=1&sc=1467864372864]
Reply all



Sent from Outlook<http://aka.ms/weboutlook>