Re: [Last-Call] Tsvart last call review of draft-ietf-dots-server-discovery-11

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Kyle, 

Please see inline.

Cheers,
Med

> -----Message d'origine-----
> De : Kyle Rose [mailto:krose@xxxxxxxxx]
> Envoyé : mercredi 21 octobre 2020 16:24
> À : BOUCADAIR Mohamed TGI/OLN <mohamed.boucadair@xxxxxxxxxx>
> Cc : tsv-art@xxxxxxxx; last-call@xxxxxxxx; dots@xxxxxxxx; draft-
> ietf-dots-server-discovery.all@xxxxxxxx
> Objet : Re: Tsvart last call review of draft-ietf-dots-server-
> discovery-11
> 
> On Tue, Oct 13, 2020 at 4:28 AM <mohamed.boucadair@xxxxxxxxxx>
> wrote:
> > > * Section 4 says:
> > >
> > >    The discovery method is reiterated by a DOTS agent upon the
> > > following
> > >    events:
> > >
> > >    o  Expiry of a a validity timer (e.g., DHCP lease, DNS TTL)
> > >       associated with a discovered DOTS agent.
> > >
> > > >From my reading, rendezvous information for the DOTS server is
> > > "pushed"
> > > >to the
> > > client via DHCP, so it's not clear the above is actionable. Is
> it
> > > simply the case that a client should use the DOTS server
> assigned in
> > > the most recent lease?
> > >
> >
> > [Med] The intent is to avoid using "stale" servers. So yes, this
> is about using the server that was most recently discovered but also
> about not using a server beyond a validity time associated with the
> discovered server.
> 
> I think the wording for this requirement should be normative rather
> than buried in the description of the discovery mechanism. Adding a
> statement somewhere that "a DOTS agent MUST NOT initiate or continue

[Med] The normative language is not used because managing sessions is beyond discovery. Such behavior will depend on the DOTS channel and whether a DOTS agent is in idle or attack time. For example, immediately closing a communication with a peer DOTS agent while an attack mitigation is in progress may not be convenient. We have such exceptions in RFC8782, e.g.,

   "This fallback mechanism is triggered immediately upon
   expiry of the TTL, except when a DDoS attack is active."

> communicating with a server whose associated discovery metadata has
> expired: for instance, once a DNS TTL or DHCP lease has expired, an
> appropriate DOTS server must be rediscovered using one of the
> mechanisms in {}."

FWIW, your review was taken into account in https://tools.ietf.org/rfcdiff?url2=draft-ietf-dots-server-discovery-12.txt. See the security section, in particular. 

Thank you.

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call




[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux