Re: [tcpinc] AD review of tcp-eno

"Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net> Mon, 14 August 2017 12:39 UTC

Return-Path: <ietf@kuehlewind.net>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C9CE1321BE for <tcpinc@ietfa.amsl.com>; Mon, 14 Aug 2017 05:39:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); domainkeys=pass (1024-bit key) header.from=ietf@kuehlewind.net header.d=kuehlewind.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wHbXf2JA_ZWu for <tcpinc@ietfa.amsl.com>; Mon, 14 Aug 2017 05:39:55 -0700 (PDT)
Received: from kuehlewind.net (kuehlewind.net [83.169.45.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0CCB01321B8 for <tcpinc@ietf.org>; Mon, 14 Aug 2017 05:39:54 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kuehlewind.net; b=rJXc//mFG9YttFnuMtchp+8i4sL3wwjLLYTU8nmmZbLWqG4/oRKNMPppqDwu/zmRaoVExOP/lQZnz31t3RLUGMCMayBho3h+v5CKvfV+U9eQNnV6SH9iEbnx9HrDmrOVNqfBhHO5WXVdk/DsxTxR3Oh23/S1lr4ENl+Cp+dG3F8=; h=Received:Received:Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:X-Mailer:X-PPP-Message-ID:X-PPP-Vhost;
Received: (qmail 22350 invoked from network); 14 Aug 2017 14:39:53 +0200
Received: from p5dec2dc4.dip0.t-ipconnect.de (HELO ?192.168.178.33?) (93.236.45.196) by kuehlewind.net with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 14 Aug 2017 14:39:53 +0200
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>
In-Reply-To: <308CA47B-496A-403C-8191-1384B8999717@kuehlewind.net>
Date: Mon, 14 Aug 2017 14:39:51 +0200
Cc: draft-ietf-tcpinc-tcpeno.all@ietf.org, tcpinc <tcpinc@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <55C704A6-966A-4CBB-A05A-6F0CBF449F49@kuehlewind.net>
References: <55B07DA5-E274-4720-A919-83483094B9A0@tik.ee.ethz.ch> <80C705CD-8A24-49A9-A1B8-6FA7B2162941@kuehlewind.net> <87fudh62um.fsf@ta.scs.stanford.edu> <36738439-CAEC-4694-87EF-00EC91426D9C@kuehlewind.net> <87shhg2twv.fsf@ta.scs.stanford.edu> <308CA47B-496A-403C-8191-1384B8999717@kuehlewind.net>
To: David Mazieres <dm-list-tcpcrypt@scs.stanford.edu>
X-Mailer: Apple Mail (2.3273)
X-PPP-Message-ID: <20170814123953.22344.36659@lvps83-169-45-111.dedicated.hosteurope.de>
X-PPP-Vhost: kuehlewind.net
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/CDzEPs6Nnk81WYIszXAkBUXf3qk>
Subject: Re: [tcpinc] AD review of tcp-eno
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2017 12:39:57 -0000

Hi once again,

because I also saw the updated draft just now. Thanks for that! All changes look good!

The only remaining question, is probably now how to cite tcp-use-tls. The way it is cited right now (as informational) would not block the publication. However, it seems weird to assign a number to an (expired) draft. Again, as explained below, it would actually recommend to just not assign it at all, or you could mark it as reserved and explain in the text what it is reserved for (use with TLS) without referring to a specific doc, if you really want.

Also again, please update draft-ietf-tcpinc-tcpcrypt as I would like to start their IETF Last Calls together!

Thanks!
Mirja


> Am 14.08.2017 um 14:29 schrieb Mirja Kuehlewind (IETF) <ietf@kuehlewind.net>et>:
> 
> Hi David,
> 
> sorry for the delay; I missed this mail. See below.
> 
>> Am 28.07.2017 um 22:22 schrieb David Mazieres <dm-list-tcpcrypt@scs.stanford.edu>du>:
>> 
>> "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net> writes:
>> 
>>> This is what early allocation is for. We could have also asked for
>>> early allocation for tcpinc as soon as the spec was reasonably stable
>>> but given there was no-one who was actually about to deploy this in
>>> the Internet, it was probably not necessary.
>> 
>> Is there something I can put in the document to clarify that early
>> allocation should be the norm not the exception?  The think I like about
>> "Specification required" is that RFC7120 2a says:
>> 
>>      The code points must be from a space designated as "RFC
>>      Required", "IETF Review", or "Standards Action".  Additionally,
>>      requests for early assignment of code points from a
>>      "Specification Required" registry are allowed if the
>>      specification will be published as an RFC.
> 
> This text only says that Early Allocation is only possible for "Specification required" if the specification will be an RFC. So if you have „Specification required“ and you have a stable spec somewhere, then you can ask for a code point right away. However, if your spec is a draft, you should wait to ask for the codepoint until this spec is stable, hence published as RFC. However, in this case you can apply the early allocation. While for policies where all final documents are RFC („IETF review“ or „Standards action“), early allocation is always possible.
> 
> Again I believe that you want all schemes to be document in RFCs in the IETF stream as a final outcome. Therefore the right policy is „IETF review“. Again, it is not necessary to explicitly mention early allocation for this policy, however, if you want to make sure that people think about using it, you can mention it separately.
> 
>> 
>> So I like the fact that the specification required allows early
>> allocation *if* an RFC is anticipated.
> 
> Again, if your spec is not an RFC/draft this means you can allocation a code point right away. I don’t think this is what you want.
>> 
>> Basically I want something in this document to make it clearly easier to
>> get ENO TEP IDs than TCP option kinds.
> 
> It’s actually not that hard to get an option number if you follow the process. Unfortunatey this was a bit a mess from the beginning for tcpinc. Again, we could have asked for early allocation for tcpinc but it didn’t seem necessary, given there is the experimental option and there was no real deployment yet.
>> 
>> 
>> On a related note, I think there might be an inconsistency in the draft
>> that I would appreciate some input in resolving.  Section 7.1 says:
>> 
>>       TLS can currently only be added to legacy applications whose
>>       protocols accommodate a STARTTLS command or equivalent.
>>       TCP-ENO, because it provides out-of-band signaling, opens the
>>       possibility of future TLS revisions being generically applicable
>>       to any TCP application.
>> 
>> Of course what, we really wanted to say was TCP-ENO was designed to
>> support TCP-use-TLS.  However, if I recall, there's a citation issue
>> because we aren't supposed to cite an internet draft in an RFC unless
>> the two will become RFCs at the same time, and TCP-use-TLS has been
>> delayed.  But then in 0x30, we still cite TCP-Use-TLS to assign it code
>> point 0x30.
> 
> You shouldn’t cite a draft normatively, also you in theory can if really needed. 
> 
>> 
>> Given the work invested in TCP-Use-TLS, should we indeed reserve TEP Id
>> 0x30 for that effort in case anyone wants to pick up it up again, and if
>> so how should we do that without citing an expired internet draft?  Can
>> we just reserve TEP ID 0x30 for future use by TLS and cite TLS?  Or what
>> should we do?
> 
> Yes, I think it would be good to remove the normative reference here. Usually the tcp-use-tls draft should make the assignment request itself. We could mark it in the registry as reserved and make a note in the document that this is reserved for use with TLS (without referring to any document). Or we just leave this open. I’m not expecting any other scheme coming up soon (especially if we go for „IETF review“ and not „Specification required", and in the unlikely case this would happen, then TLS would need to take another number, which I believe would also not be a problem, right?
> 
> Mirja
> 
> P.S.: Please also check my comments for draft-ietf-tcpinc-tcpcrypt and update accordingly. I would like to start both IETF Last Calls at the same time when updated. Thanks!
> 
> 
> 
>> 
>> Thanks,
>> David
>