> On May 27, 2020, at 11:02 PM, worley@xxxxxxxxxxx wrote: > > Chuck Lever <chuck.lever@xxxxxxxxxx> writes: >>> Somewhere in this section you need to specify the semi-obvious: >>> >>> [...] >> >> I can add something like this in Section 4.1, but note that Sections >> 5.1.1 and 5.1.2 already explain the relationships between TCP/UDP >> and TLS/DTLS, respectively. > > Hmmm, I want to answer "yes and no". I think those passages were > written with the presupposition that those relationships were already > known and specified, and the text talks *about* that relationship. > E.g., 5.1.1 qualifies the sentence with "Typically", and neither section > uses normative language. > > The point is that if you upgrade, if you start with TCP, you MUST > upgrade to TLS, and if you start with UDP, you MUST upgrade to DTLS. > Whereas it is conceivable that one could start with UDP to port 111, > discover rpc-tls support and then do a TLS connection to TCP port 111 > ("the same port") to continue. (After all, every NFS server listens on > 111 both with UDP and TCP, right?) And you have to state that > explicitly as a requirement. NFSv4 servers don't have to provide an rpcbind service on port 111 any more... but I get your point. The proposed replacement text I posted earlier today explains how it is supposed to work but does not use normative language. It needs to take another step and /require/ that a client uses the appropriate protection mechanism for the transport it wants to use. -- Chuck Lever -- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call