Re: [tsvwg] Stephen Farrell's No Objection on draft-ietf-tsvwg-rfc5405bis-18: (with COMMENT)
"Eggert, Lars" <lars@netapp.com> Fri, 14 October 2016 13:22 UTC
Return-Path: <lars@netapp.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 190EE129684; Fri, 14 Oct 2016 06:22:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.917
X-Spam-Level:
X-Spam-Status: No, score=-9.917 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9jv7e0frZfjZ; Fri, 14 Oct 2016 06:22:36 -0700 (PDT)
Received: from mx144.netapp.com (mx144.netapp.com [216.240.21.25]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3EA221293FD; Fri, 14 Oct 2016 06:22:36 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.31,493,1473145200"; d="scan'208";a="151188441"
Received: from hioexcmbx05-prd.hq.netapp.com ([10.122.105.38]) by mx144-out.netapp.com with ESMTP; 14 Oct 2016 06:21:27 -0700
Received: from HIOEXCMBX07-PRD.hq.netapp.com (10.122.105.40) by hioexcmbx05-prd.hq.netapp.com (10.122.105.38) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Fri, 14 Oct 2016 06:21:34 -0700
Received: from HIOEXCMBX07-PRD.hq.netapp.com ([::1]) by hioexcmbx07-prd.hq.netapp.com ([fe80::4ca2:22d:a2f1:881b%21]) with mapi id 15.00.1210.000; Fri, 14 Oct 2016 06:21:34 -0700
From: "Eggert, Lars" <lars@netapp.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Thread-Topic: Stephen Farrell's No Objection on draft-ietf-tsvwg-rfc5405bis-18: (with COMMENT)
Thread-Index: AQHSJI3yPowvaekgbEK6lFCYIm76Z6CoaAEA
Date: Fri, 14 Oct 2016 13:21:34 +0000
Message-ID: <708FB1B5-F71F-47C6-B86D-B243CD6459A6@netapp.com>
References: <147627951927.24204.5957412872290553453.idtracker@ietfa.amsl.com>
In-Reply-To: <147627951927.24204.5957412872290553453.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3226)
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.122.56.79]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <12AF9F0B67AC3642B0228C503E04E6E3@hq.netapp.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/tfRUudR094aeKiaRws_lPn5K4Sc>
Cc: "draft-ietf-tsvwg-rfc5405bis@ietf.org" <draft-ietf-tsvwg-rfc5405bis@ietf.org>, "David L. Black" <david.black@emc.com>, The IESG <iesg@ietf.org>, "tsvwg@ietf.org" <tsvwg@ietf.org>, "tsvwg-chairs@ietf.org" <tsvwg-chairs@ietf.org>
Subject: Re: [tsvwg] Stephen Farrell's No Objection on draft-ietf-tsvwg-rfc5405bis-18: (with COMMENT)
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Oct 2016 13:22:38 -0000
Hi, On 2016-10-12, at 15:38, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > Some of the text in section 6 seems outdated, e.g. I'm > not sure we'd recommend GSS-API or AH these days. I > wonder would that section be worth running by the saag > list to see if anyone has time and interest to offer > better text? (I would be happy to try write such text > myself but other than the bit below, don't have time > right now, sorry.) so we did have a sec-dir review, and nothing was flagged :-) I'm happy to take out the references to GSS-API and/or AH, but note that they are only listed as options. I also note that they are not historic or obsolete, AFAICT. > - General: I wondered if the folks interested in QUIC > have been involved with this? I assume they have and that > this update won't cause issues with the just-formed QUIC > WG. (If we did expect such issues, then we probably ought > be explicit about that and I didn't see any mention of > QUIC in this document.) Spencer answered this. I expect that QUIC would describe how it relates to the guidelines in this doc, but that will probably/thankfully be a very boring description (due to using standard CC). > - 3.1.1: "Latency samples MUST NOT be derived from > ambiguous transactions" - I don't understand how that > MUST NOT can be universally applied, maybe that's just a > use of 2119 terms for emphasis? I don't follow. Of course this can be universally applied? > - 3.1.2: I wondered if there's anything useful to say > about LPWAN applications that may meet the "don't send > much" criterion, but I assume it's too early to say most > likely. > > - (some text that moved, which I why I noticed it:-) > section 6 says: "Applications that respond to short > requests with potentially large responses are vulnerable > to amplification attacks, and SHOULD authenticate the > sender before responding. The source IP address of a > request is not a useful authenticator, because it can > easily be spoofed. Applications MAY also want to offer > ways to limit the number of requests they respond to in a > time interval, in order to cap the bandwidth they > consume." > > I think that's a bit wrong and a bit out of date. I'd > suggest instead maybe something more like: > > "Applications that respond to short requests with > potentially large responses are a potential vector for > amplification attacks, and SHOULD take steps to minimize > their potential for being abused as part of a DoS attack. > That could mean authenticating the sender before > responding noting that the source IP address of a request > is not a useful authenticator, because it can easily be > spoofed. Or it may mean otherwise limiting the cases > where short unauthenticated requests produce large > responses. Applications MAY also want to offer ways to > limit the number of requests they respond to in a time > interval, in order to cap the bandwidth they consume." Applied. Lars
- [tsvwg] Stephen Farrell's No Objection on draft-i… Stephen Farrell
- Re: [tsvwg] Stephen Farrell's No Objection on dra… Eggert, Lars
- Re: [tsvwg] Stephen Farrell's No Objection on dra… Stephen Farrell
- Re: [tsvwg] Stephen Farrell's No Objection on dra… Eggert, Lars
- Re: [tsvwg] Stephen Farrell's No Objection on dra… Stephen Farrell