> On May 27, 2020, at 11:02 PM, worley@xxxxxxxxxxx wrote:
>
> Chuck Lever <chuck.lever@xxxxxxxxxx> writes:
>>> Somewhere in this section you need to specify the semi-obvious:
>>>
>>> [...]
>>
>> I can add something like this in Section 4.1, but note that Sections
>> 5.1.1 and 5.1.2 already explain the relationships between TCP/UDP
>> and TLS/DTLS, respectively.
>
> Hmmm, I want to answer "yes and no". I think those passages were
> written with the presupposition that those relationships were already
> known and specified, and the text talks *about* that relationship.
> E.g., 5.1.1 qualifies the sentence with "Typically", and neither section
> uses normative language.
>
> The point is that if you upgrade, if you start with TCP, you MUST
> upgrade to TLS, and if you start with UDP, you MUST upgrade to DTLS.
> Whereas it is conceivable that one could start with UDP to port 111,
> discover rpc-tls support and then do a TLS connection to TCP port 111
> ("the same port") to continue. (After all, every NFS server listens on
> 111 both with UDP and TCP, right?) And you have to state that
> explicitly as a requirement.
NFSv4 servers don't have to provide an rpcbind service on port 111 any
more... but I get your point.
The proposed replacement text I posted earlier today explains how it is
supposed to work but does not use normative language. It needs to take
another step and /require/ that a client uses the appropriate protection
mechanism for the transport it wants to use.
--
Chuck Lever
--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
