IETF Logo Mail Archive

Re: [secdir] SecDir review of draft-ietf-anima-grasp-09

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 08 March 2017 03:44 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1013C12948E; Tue, 7 Mar 2017 19:44:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CNK0IbLTnceM; Tue, 7 Mar 2017 19:44:21 -0800 (PST)
Received: from mail-pg0-x242.google.com (mail-pg0-x242.google.com [IPv6:2607:f8b0:400e:c05::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41D0A129410; Tue, 7 Mar 2017 19:44:21 -0800 (PST)
Received: by mail-pg0-x242.google.com with SMTP id 25so2006636pgy.3; Tue, 07 Mar 2017 19:44:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:cc:from:organization:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=10Qt2TLB3kVT4hwHF99Q42gLVvhvBpiYwCiV+lvtzvk=; b=JAposnM64mgS6D/8q7eLmsEqAm/JWja+0qKHSGCK+GXDBvgavP179kFRsfCwn0xlsG KQuBTO3Uyl6BiWNEJVWawInJQgRkA0uN2avzodO8I+pXVtjMI5BSU0DoIgaWKIwkqffc 5gDy05dT4V7FWRKffHrPpa+j3lndd6+jhfZCiVWpqK0WaHJBZQUrgj53nBq+OIDomWxi 9moW4AC0b1GwRcA+gsQE2iwwZxxGC5OKUqacOLUDBucJmXDAOGDXU0KsgwtYOOLJoGZh 4a0t/IFGIDfPNDk8yruOY/h058od0x19GNs2oobxtivssyZqy3xP1X7BewtKsEfDS8Vs //wQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:cc:from:organization :message-id:date:user-agent:mime-version:in-reply-to :content-transfer-encoding; bh=10Qt2TLB3kVT4hwHF99Q42gLVvhvBpiYwCiV+lvtzvk=; b=gZCZidCYqUpZbNcBcp78UAi2rtPwF4ipgngatRKw2Q0kL8kgDYeVj0TPsGllkjBn4u vzQ874ObFB39GLi0lqZ+XNawkqCuSzzcpls+oe3h5G7MRzAJVQxKfcySy5yA1+Eo+6v8 DUm5F5//SW+zPwFamroPVV+f8jt2rH7UZyiZytwYfqxdJSnmsMS6sGHCT5FjIzEXUGOF EyZXqdQTK2pMjb36I6wI+5ZD3kmcGMvMf0HRCXpQJ1FofrlxkPEDYYValCe+MuEhGS7U UD9kGdwlUBmdlEh9ZZHDc2wFEhFA2W7/cztqVeXzfg9Cf5wdsv8zO3othOA8eUJz/wqU oAdA==
X-Gm-Message-State: AMke39lj8EIcBezG8Q5QdoXVqdgEPLdGfh5oBZmL3qeUOyYDqWW2Wzi0URxTGLSFCchDGA==
X-Received: by 10.99.233.17 with SMTP id i17mr4502541pgh.76.1488944660565; Tue, 07 Mar 2017 19:44:20 -0800 (PST)
Received: from ?IPv6:2406:e007:77b4:1:28cc:dc4c:9703:6781? ([2406:e007:77b4:1:28cc:dc4c:9703:6781]) by smtp.gmail.com with ESMTPSA id 185sm2442076pfg.13.2017.03.07.19.44.17 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 07 Mar 2017 19:44:20 -0800 (PST)
To: Barry Leiba <barryleiba@computer.org>, draft-ietf-anima-grasp.all@ietf.org
References: <CALaySJ+rLh9ZBmydm0bG+TBxGK_dB-UmnkeJusd1C-3zMowwHg@mail.gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <7752607e-ce49-f8f9-7f09-b3e842bc69b9@gmail.com>
Date: Wed, 08 Mar 2017 16:44:19 +1300
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CALaySJ+rLh9ZBmydm0bG+TBxGK_dB-UmnkeJusd1C-3zMowwHg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/xkFRNkZE8gv7fby2MQ6MfjBH3Sg>
Cc: anima@ietf.org, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] SecDir review of draft-ietf-anima-grasp-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Mar 2017 03:44:23 -0000

Thanks Barry. Good comments, but we have to get a new draft out
before the deadline, so I'm not sure these will all make it in
until the one after.

Regards
   Brian

On 08/03/2017 15:43, Barry Leiba wrote:
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> 
> First, I'm sorry this review is a few days late, and I hope that isn't
> a problem.
> 
> Second, the document is "ready with issues".  Most of the comments
> below are minor, and editorial.  The three that are substantive are:
> 
> 1. SHOULD vs MUST with respect to encryption in Sections 3.5.1 and 3.5.2.1.
> 
> 2. The UTF-8 issues in Section 3.10.1.
> 
> 3. Guidance for the Designated Expert in Section 7.
> 
> These should all be easy to resolve.
> 
> — Section 1 —
> 
>    A reference model
>    for autonomic networking on this basis is given in
>    [I-D.ietf-anima-reference-model].  The reader should consult this
>    document to understand how various autonomic components fit together.
> 
> Even though that document is an informative reference, I find it odd
> that the draft that helps us understand how this all fits together. .
> . is an expired draft.  It makes me wonder how well baked things are.
> 
> — Section 3.1 —
> 
>    The following additional terms are used throughout this document:
> 
>    o  Autonomic Device: identical to Autonomic Node.
> 
> It’s not a big point, but: Why?  Why is it important or useful to
> specifically define a *new* term in this document that has the same
> meaning as a similar term that’s already defined?
> 
> And, actually, now that I check, I see that “autonomic devices” is
> used in exactly one place, in the Abstract.  I suggest changing the
> term in the abstract to “autonomic nodes”, and removing this
> definition.
> 
> — Section 3.2 —
> 
>    Because GRASP needs to work whatever happens, especially during
>    bootstrapping and during fault conditions, it is essential that every
>    implementation is as robust as possible.
> 
> There seems to be a missing word, or some such; I can’t parse “GRASP
> needs to work whatever happens”.  And picky grammatical nit:
> subjunctive mood is needed with “essential”, so it should be “it is
> essential that every implementation be as robust as possible.”
> 
> — Section 3.3 —
> 
>       GRASP
>       provides mechanisms to guarantee convergence (or failure) in a
>       small number of steps, i.e. a timeout and a maximum number of
>       iterations.
> 
> Another nit. This is an outstanding example of why I don’t like to use
> “i.e.”: in this case, it leaves me wondering whether that’s really an
> exhaustive list, or whether you meant “e.g.”.  And, to me, it reads
> awkwardly anyway.  I suggest one of these alternatives (the sorts that
> can pretty much always stand in for the overused and unnecessary
> “i.e.”):
> 
> NEW-1
>       GRASP
>       provides two mechanisms to guarantee convergence (or failure)
>       in a small number of steps: a timeout and a maximum number of
>       iterations.
> 
> NEW-2
>       GRASP
>       provides a timeout and a maximum number of iterations,
>       which together guarantee convergence (or failure) in a
>       small number of steps.
> 
> — Section 3.5.1 —
> 
>    If there is no ACP, the protocol MUST use another form of strong
>    authentication and SHOULD use a form of strong encryption.  See
>    Section 3.5.2.1 for further discussion.
> 
> Both here and in 3.5.2.1: Why is encryption SHOULD, and not MUST?
> Looking ahead to 3.5.2.1, how could it be considered safe to use a
> network configuration protocol across administrative boundaries
> without encryption?
> 
> — Section 3.5.2.2 —
> 
>       A responder
>       SHOULD NOT send a Discovery Response message unless it cannot be
>       avoided.
> 
> Any clue about why it might be possible that it “cannot be avoided”?
> 
> — Section 3.5.2.3 —
> 
>    o  Any type of GRASP message MAY be sent.
> 
> This doesn’t feel like a “MAY” to me.  You’re not saying that there’s
> a protocol choice here, and how to handle it is optional and up to the
> implementation.  You’re saying that all types of GRASP messages are
> permitted when you’re using a SONN instance.  So maybe, “All types of
> GRASP messages are permitted.”
> 
> — Section 3.10.1 —
> 
>    All objectives are identified by a unique name which is a case-
>    sensitive UTF-8 string.
> 
> Actually, “case-sensitive” isn’t a sufficient descriptor for UTF-8, as
> there are issues of canonicalization and normalization, and the fact
> that languages differ in whether “case” makes sense at all.  This
> would be a bigger issue if you wanted case insensitivity, but as it is
> I think the fix is easy: you should just say that the name is a UTF-8
> string that is compared byte by byte.  This will have the effect of
> being case sensitive when that makes sense, and will also eliminate
> the issues of canonicalization and normalization: different ways of
> representing characters such as “ä” and “ô” and “é” will compare as
> different, and as these are protocol elements and not user strings,
> that should be fine.
> 
> The other question is whether there are any restrictions on what
> Unicode characters can be represented.  You make the colon a special
> character but give no other restrictions, so an objective name could
> include space characters (and various related Unicode characters such
> as tab, EN SPACE, ZERO WIDTH SPACE, and ZERO WIDTH NON-JOINER),
> control characters (FORM FEED, CARRIAGE RETURN, and the like),
> characters from every character set and language including Cuneiform
> and Egyptian Hieroglyphs, and even such iconic characters as MUSICAL
> SYMBOL G CLEF, ONCOMING POLICE CAR, and the famous PILE OF POO.  If
> that’s all OK, then that’s fine (and maybe it is, as, again, this is a
> protocol element, not a user string).  I just want to make sure you
> thought about it.
> 
> — Section 7 —
> 
> The creation of the Specification Required registry for the Objective
> Names Table needs to specify guidance for the Designated Expert (see
> draft-leiba-cotton-iana-5226bis, Sections 4.6 and 4.5).  It doesn’t
> have to be a lot, but it needs to be clear for future DEs who might
> not have been involved with developing this document what they need to
> consider as they review registration requests.  Why might they push
> back on a registration request?  Should they, for example, allow
> registration requests for two different Objective Names of “frobozz”
> and “Frobozz”?  What sort of documentation is sufficient for a
> registration (is “enough that you think implementations can be written
> from it” good enough, or are there specific things that the
> documentation ought to contain)?
>

v2.23.0 | Report a Bug | By Email