Re: [tsvwg] Stephen Farrell's No Objection on draft-ietf-tsvwg-rfc5405bis-18: (with COMMENT)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 14 October 2016 15:46 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5734F129649; Fri, 14 Oct 2016 08:46:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.297
X-Spam-Level:
X-Spam-Status: No, score=-7.297 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GiLVW3DlA55d; Fri, 14 Oct 2016 08:46:10 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF8D112944D; Fri, 14 Oct 2016 08:46:09 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 3B87FBE38; Fri, 14 Oct 2016 16:46:08 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4GIRtSK7R5Nk; Fri, 14 Oct 2016 16:46:08 +0100 (IST)
Received: from [134.226.36.93] (bilbo.dsg.cs.tcd.ie [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 9C8B0BE32; Fri, 14 Oct 2016 16:46:07 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1476459968; bh=o+3BkaH9ocK7J+xAn7w0ZN/5uU6AKJ344v6vFkDG4AA=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=pCVx64ZGL1U+kPJPBLC0lpJTvCuCCZ0VWIK2JYlYyE9VkAd952rfvg9UX6yla6IA5 8mK1UalsnyrrZcC+lI4zYapiQ8s69QmZasCWV9Z5GXKT1Ou4ta/YvvR98ouSvM9/ND JA77W6WiKCGelP/xolg7A2WoVwg1cs5qLF6nj+uM=
To: "Eggert, Lars" <lars@netapp.com>
References: <147627951927.24204.5957412872290553453.idtracker@ietfa.amsl.com> <708FB1B5-F71F-47C6-B86D-B243CD6459A6@netapp.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <3f07ffab-1028-6806-e591-7d494ed29c69@cs.tcd.ie>
Date: Fri, 14 Oct 2016 16:46:07 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <708FB1B5-F71F-47C6-B86D-B243CD6459A6@netapp.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms040104040101090807040605"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/LeGGO0eHgjiSpxKx64XsAk4Daio>
Cc: "draft-ietf-tsvwg-rfc5405bis@ietf.org" <draft-ietf-tsvwg-rfc5405bis@ietf.org>, "David L. Black" <david.black@emc.com>, The IESG <iesg@ietf.org>, "tsvwg@ietf.org" <tsvwg@ietf.org>, "tsvwg-chairs@ietf.org" <tsvwg-chairs@ietf.org>
Subject: Re: [tsvwg] Stephen Farrell's No Objection on draft-ietf-tsvwg-rfc5405bis-18: (with COMMENT)
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Oct 2016 15:46:14 -0000
Hiya, On 14/10/16 14:21, Eggert, Lars wrote: > Hi, > > On 2016-10-12, at 15:38, Stephen Farrell <stephen.farrell@cs.tcd.ie> > wrote: >> Some of the text in section 6 seems outdated, e.g. I'm not sure >> we'd recommend GSS-API or AH these days. I wonder would that >> section be worth running by the saag list to see if anyone has time >> and interest to offer better text? (I would be happy to try write >> such text myself but other than the bit below, don't have time >> right now, sorry.) > > so we did have a sec-dir review, and nothing was flagged :-) Yeah, but then different eyeballs catch different things:-) > > I'm happy to take out the references to GSS-API and/or AH, but note > that they are only listed as options. I also note that they are not > historic or obsolete, AFAICT. They're not. But they're probably also not that useful as they're not much used for UDP applications afaik. Text about how to successfully use DTLS would be more useful these days I'd say. Or maybe JOSE or COSE stuff. Sorry no to have good text. If you want, I can ask on saag or you can just go ahead if you'd prefer not wait. > >> - General: I wondered if the folks interested in QUIC have been >> involved with this? I assume they have and that this update won't >> cause issues with the just-formed QUIC WG. (If we did expect such >> issues, then we probably ought be explicit about that and I didn't >> see any mention of QUIC in this document.) > > Spencer answered this. I expect that QUIC would describe how it > relates to the guidelines in this doc, but that will > probably/thankfully be a very boring description (due to using > standard CC). > >> - 3.1.1: "Latency samples MUST NOT be derived from ambiguous >> transactions" - I don't understand how that MUST NOT can be >> universally applied, maybe that's just a use of 2119 terms for >> emphasis? > > I don't follow. Of course this can be universally applied? Well, the MUST NOT assumes that there's an unambiguous definition of "ambiguous transaction" and I'm not sure there is, is there? > >> - 3.1.2: I wondered if there's anything useful to say about LPWAN >> applications that may meet the "don't send much" criterion, but I >> assume it's too early to say most likely. >> >> - (some text that moved, which I why I noticed it:-) section 6 >> says: "Applications that respond to short requests with potentially >> large responses are vulnerable to amplification attacks, and SHOULD >> authenticate the sender before responding. The source IP address of >> a request is not a useful authenticator, because it can easily be >> spoofed. Applications MAY also want to offer ways to limit the >> number of requests they respond to in a time interval, in order to >> cap the bandwidth they consume." >> >> I think that's a bit wrong and a bit out of date. I'd suggest >> instead maybe something more like: >> >> "Applications that respond to short requests with potentially large >> responses are a potential vector for amplification attacks, and >> SHOULD take steps to minimize their potential for being abused as >> part of a DoS attack. That could mean authenticating the sender >> before responding noting that the source IP address of a request is >> not a useful authenticator, because it can easily be spoofed. Or it >> may mean otherwise limiting the cases where short unauthenticated >> requests produce large responses. Applications MAY also want to >> offer ways to limit the number of requests they respond to in a >> time interval, in order to cap the bandwidth they consume." > > Applied. Cool, Thanks. > > Lars >
- [tsvwg] Stephen Farrell's No Objection on draft-i… Stephen Farrell
- Re: [tsvwg] Stephen Farrell's No Objection on dra… Eggert, Lars
- Re: [tsvwg] Stephen Farrell's No Objection on dra… Stephen Farrell
- Re: [tsvwg] Stephen Farrell's No Objection on dra… Eggert, Lars
- Re: [tsvwg] Stephen Farrell's No Objection on dra… Stephen Farrell