[Taps] Paul Wouters' Discuss on draft-ietf-taps-interface-23: (with DISCUSS and COMMENT)
Paul Wouters via Datatracker <noreply@ietf.org> Wed, 13 December 2023 01:53 UTC
From: Paul Wouters via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-taps-interface@ietf.org, taps-chairs@ietf.org, taps@ietf.org, anna.brunstrom@kau.se, anna.brunstrom@kau.se
Reply-To: Paul Wouters <paul.wouters@aiven.io>
Message-ID: <170243242231.33861.516142555398666090@ietfa.amsl.com>
Date: Tue, 12 Dec 2023 17:53:42 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/taps/guffvQCLcT-dWqMehljlIIMZVlk>
Paul Wouters has entered the following ballot position for draft-ietf-taps-interface-23: Discuss

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-taps-interface/

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

[updated for -24, although I feel most of my questions have not been discussed yet]

- netflows vs IP flows?

Is TAPS only meant for flows or does it also support IP transport? I don't see an example that would embody "set up a connection to 192.0.1.1 port 80, but require IPsec". I guess it could be added, eg a WithVPN("IPsec") or something, but I'm not sure you can specify credentials without those being interpreted to be for the port 80 in this example? Is this specifically out of scope, or just not (yet) specified?

Related, let's say you want to only use a flow if it goes over TOR; I guess one could introduce a WithTOR() transport requirement. I'm a bit concerned that without an IANA registry for functions, this might cause conflicts in the future.

- single credentials for multiple protocols?

Does this document encourage re-using key pairs for different protocols (eg TLS and IKEv2, or TLS 1.2 and QUIC)? This might have security implications (eg using RSA as RSA-PKCS1.5 as well as RSA-PSS).

- Hostname vs FQDN

Can WithHostname be unqualified? (God I hope not!) If not, can the call WithHostname be renamed to WithFQDN?

If it can be unqualified, how does one deal with credentials and identifiers? Eg with a 'search domain' containing multiple domains, RemoteSpecifier.WithHostname("mail") could end up on either mail.example.com or mail.example.net (or heaven forbid, the .mail TLD).

It seems a little text is added that says "RECOMMENDED to not use unqualified", but that raises the question of why even support it? It's just too dangerous imho.

- WithPort and WithService, but not WithProtocol

How does one choose their syslog service transport protocol, since syslog over udp and tcp are valid and both have the same service name? Or does WithService accept values like "514/udp"?

- ALPN

I don't see a WithALPN method for setting the ALPN.

- Preconnection vs Listener

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

   It is not necessary for an application to handle all events; some
   events may have implementation-specific default handlers. The
   application should not assume that ignoring events (e.g., errors) is
   always safe.

What is "ignoring events" vs "having a default handler for events"? Wouldn't default handlers be handled outside the application, and thus not trigger an event towards the application? So that applications "ignoring events" would be unrelated to "implementation-specific default handlers"? Perhaps the last sentence should just start in a new paragraph to indicate these two things are separate, unrelated notes?

   SecurityParameters.Set(identity, myIdentity)

I assume myIdentity would be an array of Type and Value? Eg type=fqdn or type=RDN?

I don't understand this code:

   Connection := Preconnection.Initiate()
   Connection2 := Connection.Clone()

   Connection -> Ready<>
   Connection2 -> Ready<>

   //---- Ready event handler for any Connection C begin ----
   C.Send(messageDataRequest)

Where does "C" come from in "C.Send"? The comment says "any Connection C"?

I have a question on this code:

   Preconnections are reusable after being used to initiate a Connection,
   whether this Connection was closed or not. Hence, it would be correct
   to continue as follows after the above example:

   //.. carry out adjustments to the Preconnection, if desired
   Connection := Preconnection.Initiate()

What would happen here? I can imagine a "compiler" turning this into a noop. I can also see it would kill the existing Connection state and start a new one. This could be to a different IP address (eg if the DNS name has A and AAAA). When starting a new one, what would happen to any Message or Event queues for Connection?

   Preconnection.AddRemote(RemoteCandidates)

Should this not technically be:

   Preconnection.AddRemote([]RemoteCandidates)

as the array contains at least a host and a stun server candidate? Maybe this is just the difference between you using the variable you define that has been assigned, versus a more C-like prototype format, eg:

   Preconnection := NewPreconnection([]LocalEndpoint,

So I guess if your example here had set LocalEndpoint := [a,b] you would not have used [] in the call?

Section 6.1

   An Endpoint object can be configured with the following identifiers:
   * Hostname (string):

This starts with listing endpoint identifiers with types (eg string and 16-bit integers) but then stops specifying their types further down. I guess WithService(), WithIPAddress() and WithInterface take a (string)?

Section 6.1.4

Perhaps it would be useful to add a Local Endpoint with ephemeral port before the Local Endpoint with static port example, as the ephemeral port should be the far more common case. Right now the examples might give the wrong impression that a local port MUST be specified.

SecurityParameters.Set() seems to allow setting our identity and our certificate, but not the remote peer's identity or certificate? For example, one might want to pin a remote certificate and not just rely on a WithHostname() identifier being present as subjectAltName on a certificate.

   If security is opportunistic, it will allow Connections without
   transport security, but will still attempt to use security if available.

I assume what is meant is "but will still attempt to use unauthenticated security if available"?

   The Connection state, which can be one of the following: Establishing,
   Established, Closing, or Closed.

I think the text in Section 8 should more clearly show the property names if the goal is to have different implementations use the identical name. Eg in this case, why not write:

   The Connection state ("state").

The next two entries are similarly lacking a clear keyword to use:

   Whether the Connection can be used to send data.
   Whether the Connection can be used to receive data.

Eg why not define words for these so implementations will use the same words, in this case perhaps ReadySend and ReadyRcv? Writing that now, perhaps "state" should be "State" then?

Section 8.1.1:

   If this property is an Integer

It is best to define the actual type in this document and not let implementations choose, if the goal is to try and harmonize implementations. I also see no non-integer value being given here?
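Two of the DISCUSS points above, the unqualified WithHostname() argument and the syslog WithService() ambiguity, are illustrated by the following Python sketch. It is an added example, not code from the TAPS draft or from the reviewer: the strict with_hostname() and with_service() functions, the ndots search-list handling and the SERVICES table are hypothetical constructions written for this illustration, not the draft's API or any implementation of it.

```python
"""Added illustration of two review points: an unqualified hostname is
ambiguous under a resolver search list, and a bare service name such as
"syslog" does not pin the transport protocol. The functions below are a
hypothetical strict sketch, not the TAPS draft's WithHostname()/WithService()."""
import re
from typing import Dict, List, Optional, Tuple

# RFC 1123 style label: 1-63 alphanumerics or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed subset of a services table; a real system would consult
# /etc/services or the IANA registry instead.
SERVICES: Dict[str, Dict[str, int]] = {
    "syslog": {"udp": 514, "tcp": 514},   # same name, two transports
    "https": {"tcp": 443, "udp": 443},
    "ssh": {"tcp": 22},
}


def is_valid_hostname(name: str) -> bool:
    """Syntactic check on a DNS hostname; a trailing dot (root) is allowed."""
    stripped = name.rstrip(".")
    if not stripped or len(stripped) > 253:
        return False
    return all(_LABEL.match(label) for label in stripped.split("."))


def candidate_expansions(name: str, search_domains: List[str], ndots: int = 1) -> List[str]:
    """Absolute names a stub resolver with this search list may try for `name`,
    in order. A rooted name is tried as-is; a name with at least `ndots` dots is
    tried absolute first and then expanded; anything else is expanded with every
    search domain first. The expansion list is the ambiguity the review points at."""
    if name.endswith("."):
        return [name]
    absolute = name + "."
    expanded = [f"{name}.{d.rstrip('.')}." for d in search_domains]
    if name.count(".") >= ndots:
        return [absolute] + expanded
    return expanded + [absolute]


def is_fqdn(name: str) -> bool:
    """Treat a name as fully qualified only if it is rooted or has at least two labels."""
    return is_valid_hostname(name) and (name.endswith(".") or "." in name)


def with_hostname(name: str) -> str:
    """Hypothetical strict WithHostname(): refuse unqualified or malformed names and
    return the canonical lowercase, rooted form so later credential checks compare
    against exactly one identifier."""
    if not is_fqdn(name):
        raise ValueError(f"refusing unqualified or malformed hostname: {name!r}")
    return name.lower().rstrip(".") + "."


def with_service(spec: str, protocol: Optional[str] = None) -> Tuple[int, str]:
    """Hypothetical strict WithService(): resolve to (port, protocol). Accepts a
    service name with an explicit protocol, or a "name/proto" / "port/proto" spec,
    and refuses a bare name that the table defines for more than one transport."""
    if "/" in spec:
        if protocol is not None:
            raise ValueError("transport protocol given both in spec and argument")
        spec, protocol = spec.split("/", 1)
    spec = spec.lower()
    if protocol is None:
        entry = SERVICES.get(spec)
        if entry is None:
            raise ValueError(f"unknown service {spec!r}")
        if len(entry) > 1:
            raise ValueError(f"service {spec!r} exists for {sorted(entry)}; name the transport")
        ((protocol, port),) = entry.items()
        return port, protocol
    protocol = protocol.lower()
    if spec.isdigit():
        port = int(spec)
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {port}")
        return port, protocol
    entry = SERVICES.get(spec)
    if entry is None or protocol not in entry:
        raise ValueError(f"service {spec!r} is not defined over {protocol}")
    return entry[protocol], protocol


if __name__ == "__main__":
    # Constructed search list: "mail" can land in either domain.
    print(candidate_expansions("mail", ["example.com", "example.net"]))
    print(with_hostname("Mail.Example.COM"))
    print(with_service("syslog", "udp"), with_service("514/udp"), with_service("ssh"))
```

With a search list of example.com and example.net, candidate_expansions("mail", ...) yields both mail.example.com. and mail.example.net. before the bare root name, which is exactly why a credential bound to one of them cannot be matched against the unqualified string; with_hostname() therefore rejects it. with_service("syslog") is refused for the same reason, while "syslog/udp", "514/udp" or an explicit protocol argument resolve unambiguously.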