Re: [secdir] Secdir last call review of draft-ietf-mpls-lsp-ping-ospfv3-codepoint-04

Tero Kivinen <kivinen@iki.fi> Thu, 02 September 2021 11:24 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 291803A12CA; Thu, 2 Sep 2021 04:24:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iki.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x3-RLB2i5aCI; Thu, 2 Sep 2021 04:24:07 -0700 (PDT)
Received: from lahtoruutu.iki.fi (lahtoruutu.iki.fi [IPv6:2a0b:5c81:1c1::37]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 046EF3A12C7; Thu, 2 Sep 2021 04:24:06 -0700 (PDT)
Received: from fireball.acr.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen@iki.fi) by lahtoruutu.iki.fi (Postfix) with ESMTPSA id 430CE1B001E9; Thu, 2 Sep 2021 14:24:01 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1630581841; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=aa0X7tQQvtUYo3wPw92LX2ssMHNZi+LRorKhU/f1ZX0=; b=gnuYQa/7z+U6dFemmIZu478Im0w8WYVYEhJNor6gZngN7L8qmRbSth1E8ABZrbtLFQdcEU SClPXYyXrShZNaQ9ELWFK8IvI6h+GeA6eNMbhnDTAToIOt8MmlPuMJ8TVwwfpUw7Ovb3dn 6WzFaG35M/PKAWWmyoen+XftCvANWr3KKT5wjvRwHKLmH2h53sAKVUbAYQ+uFldewn2msU VHWGNrmx6g0PSdQpSkUPMFKPZbkQJwEya/8Ha/EN6bW/LpG8Mp+Xup0V5BJh53bxMlymzf XVvusFjRcBAw/QyVQd/nQuOdXAUQG7MylOJhS28mOef57nkgM8Np2KuTiie/hQ==
Received: by fireball.acr.fi (Postfix, from userid 15204) id 930F825C12B7; Thu, 2 Sep 2021 14:24:00 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Message-ID: <24880.46160.502738.363907@fireball.acr.fi>
Date: Thu, 2 Sep 2021 14:24:00 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: "Nagendra Kumar Nainar \(naikumar\)" <naikumar@cisco.com>
Cc: "secdir\@ietf.org" <secdir@ietf.org>, "draft-ietf-mpls-lsp-ping-ospfv3-codepoint.all\@ietf.org" <draft-ietf-mpls-lsp-ping-ospfv3-codepoint.all@ietf.org>, "last-call\@ietf.org" <last-call@ietf.org>, "mpls\@ietf.org" <mpls@ietf.org>
In-Reply-To: <BL3PR11MB5732F1592884274961E7B268C6CC9@BL3PR11MB5732.namprd11.prod.outlook.com>
References: <162333482591.8235.4418205938937483332@ietfa.amsl.com> <BL3PR11MB5732F1592884274961E7B268C6CC9@BL3PR11MB5732.namprd11.prod.outlook.com>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 17 min
X-Total-Time: 18 min
ARC-Seal: i=1; s=lahtoruutu; d=iki.fi; t=1630581841; a=rsa-sha256; cv=none; b=gfiJeOJL4ZKsFFxkQg5PQD75g07gq3uRLqxhvyopVrsqPmg2pDTkohxXD1y1pSt5mB4tij kTfZD1EnHjeRrqYgWca+hqC+gR5y6wuenGyndLRB64MjVPYMB1yDfuOgQ+SzHrabBNxf/f vZ2vIuva5Fy+F6QOeIbD2U8WGBZuuLOh1DZ8pZHJ4J90WTHbkcaNER5EyDD5/2lzOEXwsi CzgeNtNNPokot0F89S5EC9JtAoHNJhy0erupRcvq62vmM6ghGgnxz0ddR2VsM1SNvJqbc9 rSn4rRbeUCIe3oeemFy/g4MMMrfLQGdlSRxbDr/le/8Fi/O/9u27XYrKXJlL5A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1630581841; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=aa0X7tQQvtUYo3wPw92LX2ssMHNZi+LRorKhU/f1ZX0=; b=r5bXA2Lwv//GcgxcpU9qSMMpLdHfG7GK/PSrmB2NOkBBTIGUGeNxfXhBFk5GouIPFTw2Ws rN+or+WbbkgT7N1vcKNcimgBQHRQXobFLo6Z5bsRYibUVZwWbxOqpGYdLVSUXahjbxnwmw vLRa7ZTZWV5kgPfWsuYEn98/Qu+MYACVgLWZCJYI94B3mI0pw6+uAi0CXKDj6oTqgyTD2i 1zAeJDFh07DfVtrBoKZ4vpH43RBSsj3kcClFcTD23eKoA+3RFdxiYh7A5OeDn6K2Y1miNT yPSh2KWAOV910Lm8YrTa3hPtqQdUHyUU1B6DZ/nwfYj8B77+c7PHI0up5M46Xg==
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen@iki.fi smtp.mailfrom=kivinen@iki.fi
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/p_TEZmZHjRpOUX3m3Jhn9TS6bLs>
Subject: Re: [secdir] Secdir last call review of draft-ietf-mpls-lsp-ping-ospfv3-codepoint-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Sep 2021 11:24:12 -0000

Nagendra Kumar Nainar (naikumar) writes:
> The security considerations section just says:
> 
>    This document updates [RFC8287] and does not introduce any additional
>    security considerations.
> 
> And I am not completely sure if that is true, if this document really allows
> using
> IPv6 when it was not possible before. Quite often having multiple address
> families do 
> cause new security considerations too. 
> 
> <Authors> This draft only introduces the codepoint to indicate the protocol is
> OSPFv3. What to do when the protocol is OSPFv3 is defined in RFC8287. So we
> believe that this draft doesn’t introduce any new semantics/actions.
> 
> Also RFC8287 refers to the RFC8029 for its
> security considerations, so perhaps direct reference to RFC8029 would be
> needed here.
> 
> <Authors> Ok. We can clarify that in the section as below:
> 
> “This document updates [RFC8287], [RFC8029] and does not introduce any additional
> 
>    security considerations.
> 
> “

I do not think that is completely correct, as this document is not
marked as updating the RFC 8029. Perhaps something like:

   This document updates [RFC8287] and does not introduce any
   additional security considerations. See [RFC8029] to see generic
   security considerations about the MPLS LSP Ping.

> Please let us know if the above is fine.
> 
> There are several acronyms which are not expanded on their first use
> (including
> in title, and in abstract). Examples of such are IS, TLV, OSPF, IS+IS, IGP,
> SUb-TLV (is the 
> spelling correct in abstract with uppercase u?),  FEC.
> 
> <Authors> “Protocol in the Segment ID Sub-TLV” is the IANA registry name and I
> am not sure if we should try expanding it. For clarity, we will expand the
> rest. Let us know if that solves the concern.

That should be ok.

Btw, looking at the RFC8287 and 8029 they seem to use sub-TLV inside
the text, but in this draft you seem to use both Sub-TLV and sub-TLV.
It would be better to be consistent with it. For example the section
7.1 (both in header and body) has lower case version of "Segment ID
sub-TLV", when section 6 has upper case version "Segment ID Sub-TLV"
in the body. Only the abstract uses the SUb-TLV spelling...

> The use of just RFC numbers in reference format makes the document
> hard to read as not everybody remembers what RFC is RFC number 8287,
> 8402 etc. It would be much nicer to at least on the first time use
> the format where the text refers to RFC with title or similar and
> just has the reference in parenthesis, i.e.:
> 
>    RFC5340 "OSPF for IPv6" ([RFC5340]) describes OSPF version 3 (OSPFv3) to 
>    support IPv6. RFC5838 "Support of Address Families in OSPFv3" ([RFC5838])
>    describes the mechanism to support multiple address families (AFs) in
> OSPFv3.
>    Accordingly, OSPFv3 may be used to advertise IPv6 and IPv4 prefixes.
> 
> is easier for reader than current format:
> 
>    [RFC5340] describes OSPF version 3 (OSPFv3) to support IPv6.
>    [RFC5838] describes the mechanism to support multiple address
>    families (AFs) in OSPFv3. Accordingly, OSPFv3 may be used to
>    advertise IPv6 and IPv4 prefixes.
> 
> <Authors> The use of RFC number alone as the reference is a common use AFAIK
> and we feel that it is not specific to this document. But we don’t want that
> to be a hurdle to move this document forward and if the consensus is to
> include the RFC document name, we are ok.

I agree it is common use, but it makes it hard for outsiders to get
in to reading IETF specifications in general. It makes us (the ietf)
to be felt like insider group, if you do not know the magic language
and can't map the RFC numbers to actual document names in your head,
you can't follow the discussion easily. I understand it is much harder
to get rid of that in the actual discussions in the session etc, but
at least here in the RFCs we can make it easier for new people to read
the drafts when they do not need to be doing mappings between RFC
numbers and the titles in their head, but can see both the number and
name in the text.
-- 
kivinen@iki.fi