Re: [secdir] SecDir review of draft-ietf-anima-grasp-09
Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 08 March 2017 03:44 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1013C12948E; Tue, 7 Mar 2017 19:44:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CNK0IbLTnceM; Tue, 7 Mar 2017 19:44:21 -0800 (PST)
Received: from mail-pg0-x242.google.com (mail-pg0-x242.google.com [IPv6:2607:f8b0:400e:c05::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41D0A129410; Tue, 7 Mar 2017 19:44:21 -0800 (PST)
Received: by mail-pg0-x242.google.com with SMTP id 25so2006636pgy.3; Tue, 07 Mar 2017 19:44:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:cc:from:organization:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=10Qt2TLB3kVT4hwHF99Q42gLVvhvBpiYwCiV+lvtzvk=; b=JAposnM64mgS6D/8q7eLmsEqAm/JWja+0qKHSGCK+GXDBvgavP179kFRsfCwn0xlsG KQuBTO3Uyl6BiWNEJVWawInJQgRkA0uN2avzodO8I+pXVtjMI5BSU0DoIgaWKIwkqffc 5gDy05dT4V7FWRKffHrPpa+j3lndd6+jhfZCiVWpqK0WaHJBZQUrgj53nBq+OIDomWxi 9moW4AC0b1GwRcA+gsQE2iwwZxxGC5OKUqacOLUDBucJmXDAOGDXU0KsgwtYOOLJoGZh 4a0t/IFGIDfPNDk8yruOY/h058od0x19GNs2oobxtivssyZqy3xP1X7BewtKsEfDS8Vs //wQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:cc:from:organization :message-id:date:user-agent:mime-version:in-reply-to :content-transfer-encoding; bh=10Qt2TLB3kVT4hwHF99Q42gLVvhvBpiYwCiV+lvtzvk=; b=gZCZidCYqUpZbNcBcp78UAi2rtPwF4ipgngatRKw2Q0kL8kgDYeVj0TPsGllkjBn4u vzQ874ObFB39GLi0lqZ+XNawkqCuSzzcpls+oe3h5G7MRzAJVQxKfcySy5yA1+Eo+6v8 DUm5F5//SW+zPwFamroPVV+f8jt2rH7UZyiZytwYfqxdJSnmsMS6sGHCT5FjIzEXUGOF EyZXqdQTK2pMjb36I6wI+5ZD3kmcGMvMf0HRCXpQJ1FofrlxkPEDYYValCe+MuEhGS7U UD9kGdwlUBmdlEh9ZZHDc2wFEhFA2W7/cztqVeXzfg9Cf5wdsv8zO3othOA8eUJz/wqU oAdA==
X-Gm-Message-State: AMke39lj8EIcBezG8Q5QdoXVqdgEPLdGfh5oBZmL3qeUOyYDqWW2Wzi0URxTGLSFCchDGA==
X-Received: by 10.99.233.17 with SMTP id i17mr4502541pgh.76.1488944660565; Tue, 07 Mar 2017 19:44:20 -0800 (PST)
Received: from ?IPv6:2406:e007:77b4:1:28cc:dc4c:9703:6781? ([2406:e007:77b4:1:28cc:dc4c:9703:6781]) by smtp.gmail.com with ESMTPSA id 185sm2442076pfg.13.2017.03.07.19.44.17 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 07 Mar 2017 19:44:20 -0800 (PST)
To: Barry Leiba <barryleiba@computer.org>, draft-ietf-anima-grasp.all@ietf.org
References: <CALaySJ+rLh9ZBmydm0bG+TBxGK_dB-UmnkeJusd1C-3zMowwHg@mail.gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <7752607e-ce49-f8f9-7f09-b3e842bc69b9@gmail.com>
Date: Wed, 08 Mar 2017 16:44:19 +1300
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CALaySJ+rLh9ZBmydm0bG+TBxGK_dB-UmnkeJusd1C-3zMowwHg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/xkFRNkZE8gv7fby2MQ6MfjBH3Sg>
Cc: anima@ietf.org, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] SecDir review of draft-ietf-anima-grasp-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Mar 2017 03:44:23 -0000
Thanks Barry. Good comments, but we have to get a new draft out before the deadline, so I'm not sure these will all make it in until the one after. Regards Brian On 08/03/2017 15:43, Barry Leiba wrote: > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > > First, I'm sorry this review is a few days late, and I hope that isn't > a problem. > > Second, the document is "ready with issues". Most of the comments > below are minor, and editorial. The three that are substantive are: > > 1. SHOULD vs MUST with respect to encryption in Sections 3.5.1 and 3.5.2.1. > > 2. The UTF-8 issues in Section 3.10.1. > > 3. Guidance for the Designated Expert in Section 7. > > These should all be easy to resolve. > > — Section 1 — > > A reference model > for autonomic networking on this basis is given in > [I-D.ietf-anima-reference-model]. The reader should consult this > document to understand how various autonomic components fit together. > > Even though that document is an informative reference, I find it odd > that the draft that helps us understand how this all fits together. . > . is an expired draft. It makes me wonder how well baked things are. > > — Section 3.1 — > > The following additional terms are used throughout this document: > > o Autonomic Device: identical to Autonomic Node. > > It’s not a big point, but: Why? Why is it important or useful to > specifically define a *new* term in this document that has the same > meaning as a similar term that’s already defined? > > And, actually, now that I check, I see that “autonomic devices” is > used in exactly one place, in the Abstract. I suggest changing the > term in the abstract to “autonomic nodes”, and removing this > definition. > > — Section 3.2 — > > Because GRASP needs to work whatever happens, especially during > bootstrapping and during fault conditions, it is essential that every > implementation is as robust as possible. > > There seems to be a missing word, or some such; I can’t parse “GRASP > needs to work whatever happens”. And picky grammatical nit: > subjunctive mood is needed with “essential”, so it should be “it is > essential that every implementation be as robust as possible.” > > — Section 3.3 — > > GRASP > provides mechanisms to guarantee convergence (or failure) in a > small number of steps, i.e. a timeout and a maximum number of > iterations. > > Another nit. This is an outstanding example of why I don’t like to use > “i.e.”: in this case, it leaves me wondering whether that’s really an > exhaustive list, or whether you meant “e.g.”. And, to me, it reads > awkwardly anyway. I suggest one of these alternatives (the sorts that > can pretty much always stand in for the overused and unnecessary > “i.e.”): > > NEW-1 > GRASP > provides two mechanisms to guarantee convergence (or failure) > in a small number of steps: a timeout and a maximum number of > iterations. > > NEW-2 > GRASP > provides a timeout and a maximum number of iterations, > which together guarantee convergence (or failure) in a > small number of steps. > > — Section 3.5.1 — > > If there is no ACP, the protocol MUST use another form of strong > authentication and SHOULD use a form of strong encryption. See > Section 3.5.2.1 for further discussion. > > Both here and in 3.5.2.1: Why is encryption SHOULD, and not MUST? > Looking ahead to 3.5.2.1, how could it be considered safe to use a > network configuration protocol across administrative boundaries > without encryption? > > — Section 3.5.2.2 — > > A responder > SHOULD NOT send a Discovery Response message unless it cannot be > avoided. > > Any clue about why it might be possible that it “cannot be avoided”? > > — Section 3.5.2.3 — > > o Any type of GRASP message MAY be sent. > > This doesn’t feel like a “MAY” to me. You’re not saying that there’s > a protocol choice here, and how to handle it is optional and up to the > implementation. You’re saying that all types of GRASP messages are > permitted when you’re using a SONN instance. So maybe, “All types of > GRASP messages are permitted.” > > — Section 3.10.1 — > > All objectives are identified by a unique name which is a case- > sensitive UTF-8 string. > > Actually, “case-sensitive” isn’t a sufficient descriptor for UTF-8, as > there are issues of canonicalization and normalization, and the fact > that languages differ in whether “case” makes sense at all. This > would be a bigger issue if you wanted case insensitivity, but as it is > I think the fix is easy: you should just say that the name is a UTF-8 > string that is compared byte by byte. This will have the effect of > being case sensitive when that makes sense, and will also eliminate > the issues of canonicalization and normalization: different ways of > representing characters such as “ä” and “ô” and “é” will compare as > different, and as these are protocol elements and not user strings, > that should be fine. > > The other question is whether there are any restrictions on what > Unicode characters can be represented. You make the colon a special > character but give no other restrictions, so an objective name could > include space characters (and various related Unicode characters such > as tab, EN SPACE, ZERO WIDTH SPACE, and ZERO WIDTH NON-JOINER), > control characters (FORM FEED, CARRIAGE RETURN, and the like), > characters from every character set and language including Cuneiform > and Egyptian Hieroglyphs, and even such iconic characters as MUSICAL > SYMBOL G CLEF, ONCOMING POLICE CAR, and the famous PILE OF POO. If > that’s all OK, then that’s fine (and maybe it is, as, again, this is a > protocol element, not a user string). I just want to make sure you > thought about it. > > — Section 7 — > > The creation of the Specification Required registry for the Objective > Names Table needs to specify guidance for the Designated Expert (see > draft-leiba-cotton-iana-5226bis, Sections 4.6 and 4.5). It doesn’t > have to be a lot, but it needs to be clear for future DEs who might > not have been involved with developing this document what they need to > consider as they review registration requests. Why might they push > back on a registration request? Should they, for example, allow > registration requests for two different Objective Names of “frobozz” > and “Frobozz”? What sort of documentation is sufficient for a > registration (is “enough that you think implementations can be written > from it” good enough, or are there specific things that the > documentation ought to contain)? >
- [secdir] SecDir review of draft-ietf-anima-grasp-… Barry Leiba
- Re: [secdir] SecDir review of draft-ietf-anima-gr… Brian E Carpenter
- Re: [secdir] SecDir review of draft-ietf-anima-gr… Brian E Carpenter
- Re: [secdir] SecDir review of draft-ietf-anima-gr… Barry Leiba
- Re: [secdir] [Anima] SecDir review of draft-ietf-… Michael Richardson
- Re: [secdir] [Anima] SecDir review of draft-ietf-… Barry Leiba
- Re: [secdir] [Anima] SecDir review of draft-ietf-… Brian E Carpenter
- Re: [secdir] [Anima] SecDir review of draft-ietf-… Barry Leiba
- Re: [secdir] [Anima] SecDir review of draft-ietf-… Michael Richardson
- Re: [secdir] [Anima] SecDir review of draft-ietf-… Barry Leiba