Re: [Drip] Paul Wouters' No Objection on draft-ietf-drip-rid-32: (with COMMENT)
Robert Moskowitz <rgm@labs.htt-consult.com> Fri, 19 August 2022 12:54 UTC
Return-Path: <rgm@labs.htt-consult.com>
X-Original-To: tm-rid@ietfa.amsl.com
Delivered-To: tm-rid@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41F82C14CE41; Fri, 19 Aug 2022 05:54:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.208
X-Spam-Level:
X-Spam-Status: No, score=-4.208 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zXr5Jlq-VJ8j; Fri, 19 Aug 2022 05:54:43 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [23.123.122.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D931C14CF15; Fri, 19 Aug 2022 05:54:43 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id 316246250B; Fri, 19 Aug 2022 08:54:06 -0400 (EDT)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id jZIcAyS9S6lR; Fri, 19 Aug 2022 08:53:57 -0400 (EDT)
Received: from [192.168.160.11] (unknown [192.168.160.11]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id C34F162434; Fri, 19 Aug 2022 08:53:54 -0400 (EDT)
Message-ID: <cb0858a1-632a-162d-22c6-8b6a35ee07af@labs.htt-consult.com>
Date: Fri, 19 Aug 2022 08:54:26 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.12.0
Content-Language: en-US
To: Paul Wouters <paul.wouters@aiven.io>, The IESG <iesg@ietf.org>
Cc: draft-ietf-drip-rid@ietf.org, drip-chairs@ietf.org, tm-rid@ietf.org, mohamed.boucadair@orange.com
References: <166087210346.22378.11539044178131031462@ietfa.amsl.com>
From: Robert Moskowitz <rgm@labs.htt-consult.com>
In-Reply-To: <166087210346.22378.11539044178131031462@ietfa.amsl.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tm-rid/2tbZN8znOw3cst7Hnv_rIeDiL80>
Subject: Re: [Drip] Paul Wouters' No Objection on draft-ietf-drip-rid-32: (with COMMENT)
X-BeenThere: tm-rid@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Drone Remote Identification Protocol <tm-rid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tm-rid>, <mailto:tm-rid-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tm-rid/>
List-Post: <mailto:tm-rid@ietf.org>
List-Help: <mailto:tm-rid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tm-rid>, <mailto:tm-rid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Aug 2022 12:54:48 -0000
Paul, Thank you for closing out your DISCUSS. I will address your comments below. On 8/18/22 21:21, Paul Wouters via Datatracker wrote: > Paul Wouters has entered the following ballot position for > draft-ietf-drip-rid-32: No Objection > > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > OLD DISCUSSES: > > #1 > > Note that if the zone hhit.arpa is ultimately used, some registrar > will need to manage this for all HHIT applications. > > Regardless of what zone is used, someone needs to keep it operational. > It might be an attractive target to attack, eg to try and avoid drones > being shut down. I would feel much better if this zone was optional, > not mandatory. (but if optional, one could also argue maybe not have it > at all?) Sticky item. But we are in discussions with ICAO as the 'natural' owner of this zone. Well for starters as the only occupant at this time is aviation, and it may well be manned aviation sooner than later. But it is also of interest to others, like deep space usage. So ICAO is best to start with and work out the funding for the basic hhit.arpa. management. And the registration of RAAs (most of which, initially will be ICAO Treaty signers). > If the HHITs cannot be > looked up with services provided by the registrar identified via the > embedded hierarchical information or its registration validated by > registration attestations messages [drip-authentication], then the > HHIT is either fraudulent or revoked/expired. > > That's quite catastrophic if there is a Registrar/Registry outage. Would > all the drones get shot down or would they all be ignored (so they can > fly to their terrorism target) Drip-auth goes at lengths through the offline authentication process. What a UA MUST send to prove its registration. Now this DOES require the Observer to have some embedded trust root, but then they had to get the Observer app that recognizes DETs over other RIDs, so that would install at least the root. So such action is 'unlikely'. BTW, in USA airspace, only DHS can currently take decisive action. The expectation is that once UTM is working, local enforcement will have the information to be able to take defensive actions. But this means either Network RID or something like my crowd-sourced-rid. There is a LOT of discussion about actionable information in other areas and here, we are way ahead of the curve. > #2 > > As DISCUSS'ED by others, > https://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hi-algorithm > does not seem to have a third field for "status" to denotate RECOMMENDED, > REQUIRED, etc, even though RFC 7401 creates the registry, uses the terms too > but doesn't populate a status field. Perhaps this or another short RFC could do > so. > > Also, 3.4.1 calls this "Algorithm profiles" and "Values" but the IANA registry > calls it "Algorithm Profile" (singular) and "Value" (singular) This was fixed at least by -31. I did not go back further to determine where I finally got this right. > #3 > > Section 3.4.1.1. has a NULL field of variable length ? Or perhaps the > slash and pipe symbols on those first and second lines got swapped by > accident? It is now a pipe and the intent is 2 bytes to word-align the public key as in 7401. At least you caught this as 7401 has the / and I had just copied/pasted that here. > > #4 > > The new EdDSA HI uses [RFC8080] for the IPSECKEY RR encoding: > > Value Description > > TBD2 (suggested value 4) > An EdDSA key is present, in the format defined in [RFC8080] > > I have asked the Expert of this Registry whether they are okay with this > entry to the ipseckey-rr-parameters registry. It might be confusing for IKE. Draft waiting for IPsecme to adopt as wg item and progress through publishing. > COMMENTS: > > #1 > > 100.hhit.arpa IN PTR raa.example.com. > > Please add a trailing dot, eg "100.hhit.arpa." > > Similarly for: > > 100.50.det.uas.icao.int IN PTR foo.uss.icao.int. Done. > #2 > > HIP DNS RR (Resource Record) > > Add reference to RFC5205 on its first mention. Now references 8005. > #3 > > However, this document does not intend to provide a recommendation. > > weasel wording. It should probaby just state "this document does not provide > a recommendation." fixed in at least -31. > > #4 > > The individual DETs may be potentially too numerous (e.g., 60 - 600M) > and dynamic (e.g., new DETs every minute for some HDAs) to store in a > signed, DNS zone. > > This can be achieved with online signing. I would remove this speculative > sentence unless it is backed by some real numbers. Removed in -30. thank you. -33 will be published after discussions with Roman. I have one change there to improve the CTA mapping. This does not directly impact DRIP, but could make this approach (used in drip-registries) more attractive to manufacturers. Bob
- [Drip] Paul Wouters' No Objection on draft-ietf-d… Paul Wouters via Datatracker
- Re: [Drip] Paul Wouters' No Objection on draft-ie… Robert Moskowitz
- Re: [Drip] Paul Wouters' No Objection on draft-ie… Jim Reid
- Re: [Drip] Paul Wouters' No Objection on draft-ie… michael palage.com
- Re: [Drip] Paul Wouters' No Objection on draft-ie… Michael Richardson
- Re: [Drip] Paul Wouters' No Objection on draft-ie… Da Silva, Saulo