Re: [Tsv-art] Tsvart last call review of draft-ietf-dots-data-channel-27
<mohamed.boucadair@orange.com> Mon, 25 March 2019 13:04 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 642841203F5; Mon, 25 Mar 2019 06:04:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LnLpqnytruw8; Mon, 25 Mar 2019 06:04:11 -0700 (PDT)
Received: from orange.com (mta240.mail.business.static.orange.com [80.12.66.40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55C441203EF; Mon, 25 Mar 2019 06:04:11 -0700 (PDT)
Received: from opfedar07.francetelecom.fr (unknown [xx.xx.xx.9]) by opfedar25.francetelecom.fr (ESMTP service) with ESMTP id 44SZGK2yP4z8tB3; Mon, 25 Mar 2019 14:04:09 +0100 (CET)
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.70]) by opfedar07.francetelecom.fr (ESMTP service) with ESMTP id 44SZGK1kLYz5vMq; Mon, 25 Mar 2019 14:04:09 +0100 (CET)
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBM33.corporate.adroot.infra.ftgroup ([fe80::c911:d24e:cc19:afa7%21]) with mapi id 14.03.0439.000; Mon, 25 Mar 2019 14:04:08 +0100
From: mohamed.boucadair@orange.com
To: "Brian Trammell (IETF)" <ietf@trammell.ch>
CC: "tsv-art@ietf.org" <tsv-art@ietf.org>, "draft-ietf-dots-data-channel.all@ietf.org" <draft-ietf-dots-data-channel.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Tsv-art] Tsvart last call review of draft-ietf-dots-data-channel-27
Thread-Index: AQHU4tzUe3mbbawDM0mOIueG+9QlmqYcS5NQ
Date: Mon, 25 Mar 2019 13:04:08 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302EA4BA1D@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <155273205205.32728.8738595851481147876@ietfa.amsl.com> <787AE7BB302AE849A7480A190F8B93302EA3EF14@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <01403930-4D01-4A40-945F-CE820CCB87E9@trammell.ch>
In-Reply-To: <01403930-4D01-4A40-945F-CE820CCB87E9@trammell.ch>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.245]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/Fo26DvDjPsvzpSMYpPNCBbderhk>
Subject: Re: [Tsv-art] Tsvart last call review of draft-ietf-dots-data-channel-27
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 13:04:14 -0000
Hi Brian, Please see inline. Cheers, Med > -----Message d'origine----- > De : Brian Trammell (IETF) [mailto:ietf@trammell.ch] > Envoyé : lundi 25 mars 2019 08:32 > À : BOUCADAIR Mohamed TGI/OLN > Cc : tsv-art@ietf.org; draft-ietf-dots-data-channel.all@ietf.org; > ietf@ietf.org; dots@ietf.org > Objet : Re: [Tsv-art] Tsvart last call review of draft-ietf-dots-data- > channel-27 > > hi Med, > > Thanks for the reply, apologies for the delay, > > > On 18 Mar 2019, at 08:13, mohamed.boucadair@orange.com wrote: > > > > Hi Brian, > > > > Thank you for the review. > > > > Please see inline. > > > > Cheers, > > Med > > > >> -----Message d'origine----- > >> De : Brian Trammell via Datatracker [mailto:noreply@ietf.org] > >> Envoyé : samedi 16 mars 2019 11:28 > >> À : tsv-art@ietf.org > >> Cc : draft-ietf-dots-data-channel.all@ietf.org; ietf@ietf.org; > dots@ietf.org > >> Objet : Tsvart last call review of draft-ietf-dots-data-channel-27 > >> > >> Reviewer: Brian Trammell > >> Review result: Ready with Issues > >> > >> This document has been reviewed as part of the transport area review > team's > >> ongoing effort to review key IETF documents. These comments were written > >> primarily for the transport area directors, but are copied to the > document's > >> authors and WG to allow them to address any issues raised and also to the > >> IETF > >> discussion list for information. > >> > >> Apologies for missing the last call deadline; however I hope the input is > >> useful. > >> > >> This document is basically ready; some issues and questions for the WG > below. > >> > >> General Considerations, Data Channel Design > >> ------------------------------------------------ > >> > >> On its own this document is okay from a transport considerations > standpoint: > >> the data channel does not have to operate in a degraded environment > (i.e.,. > >> on an > >> interface under attack) and makes perfectly reasonable use of RESTCONF. > The > >> companion signal channel document will require (much) more careful > attention > >> from the transport directorate. > >> > >> Please pay attention to whatever your SECDIR review says anything about > the > >> use of TLS client authentication (as specified with mutual > authentication). > >> > >> I suppose the use of mutual auth was inherited from RESTCONF, though? > > > > [Med] No, this was a design requirement (https://tools.ietf.org/html/draft- > ietf-dots-requirements-21#section-2.4). The same security profile is used for > both signal and data channels. > > Okay, thanks for the pointer. > > >> I'd be curious to know whether other client authentication schemes were > >> considered. > > > > [Med] Which schemes do you have in mind? > > Nothing in particular; I'm just under the impression that client auth is seen > as a second-class feature of TLS, so I wonder how the decision to use it > impacts implementability and deployability of DOTS. Someone more up to date > on the state of TLS can probably make a more authoritative statement here. > > >> The use of cdid as a client rate association token and rate-limiter seems > >> open to > >> misconfiguration or misuse. > > > > [Med] I guess you are referring to policies at the server (because rate- > limits at the gateway rely upon the client identity). > > ... where the client identity is derived from cdid alone, or cdid / 3-tuple? > [Med] It is based on the cdid. 'cdid' is assumed to be supplied by a trusted gateway: DOTS servers MUST ignore 'cdid' attributes that are directly supplied by source DOTS clients or client-domain DOTS gateways. This implies that first server-domain DOTS gateways MUST strip 'cdid' attributes supplied by DOTS clients. DOTS servers SHOULD support a configuration parameter to identify DOTS gateways that are trusted to supply 'cdid' attributes. > > Is there a concept for protecting against this > >> beyond > >> log-and-detect? > > > > [Med] We do have the following generic recommendation (from the > requirements I-D): > > > > "DOTS operators should carefully > > monitor and audit DOTS agents to detect misbehavior and to deter > > misuse" > > so, "no". :) That's fine, this is a hard problem, and rate limitations are > still one of the only tools that works consistently. Calling out which parts > of the protocol are vulnerable to state space exhaustion on the server, > though, would be sueful. > > > > > >> > >> Data Model Design > >> -------------------- > >> > >> The target-fqdn element in the alias definition seems prone to cause > >> confusing results if used naïvely (indeed the document itself points > >> this out). On the other hand, in dynamic service environments it is quite > >> useful > >> for an alias to refer to a name as opposed to a set of addresses. Did the > >> working > >> group consider including some further context for the resoultion of these > >> into > >> IP addresses (for example, by providing a link to a DoT/DoH server to > update > >> the resolutions periodically)? > > > > [Med] The document states the following: > > > > How a name is passed to an underlying name resolution library is > > implementation- and deployment-specific. > > > > We could include some text similar to RFC7969 (Section 7), but still this > is deployment-specific. > > Okay, as long as we think the uncertainty in resolution is something that > will work as expected for DOTS clients. > [Med] While assuming that name resolution is deployment-specific, I added this NEW text to avoid misbehaviors: When FQDNs are used as targets, the DOTS server MUST rely upon DNS privacy enabling protocols (e.g., DNS over TLS [RFC7858], DoH [RFC8484]) to prevent eavesdroppers from possibly identifying the target resources protected by the DDoS mitigation service and means to ensure the target FQDN resolution is authentic (e.g., DNSSEC [RFC4034]). Thank you for the review. > Cheers, > > Brian > > > > > If not, perhaps some text about doing this out > >> of band would be helpful. > >> > >> Thanks, cheers, > >> > >> Brian > >> > > > > _______________________________________________ > > Tsv-art mailing list > > Tsv-art@ietf.org > > https://www.ietf.org/mailman/listinfo/tsv-art
- [Tsv-art] Tsvart last call review of draft-ietf-d… Brian Trammell via Datatracker
- Re: [Tsv-art] [Dots] Tsvart last call review of d… Konda, Tirumaleswar Reddy
- Re: [Tsv-art] Tsvart last call review of draft-ie… mohamed.boucadair
- Re: [Tsv-art] Tsvart last call review of draft-ie… Brian Trammell (IETF)
- Re: [Tsv-art] Tsvart last call review of draft-ie… mohamed.boucadair
- Re: [Tsv-art] Tsvart last call review of draft-ie… Brian Trammell (IETF)
- Re: [Tsv-art] Tsvart last call review of draft-ie… mohamed.boucadair