[Last-Call] Tsvart last call review of draft-ietf-i2nsf-consumer-facing-interface-dm-26

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Reviewer: Joseph Touch
Review result: Ready with Issues

This document has been reviewed as part of the transport area review team's
ongoing effort to review key IETF documents. These comments were written
primarily for the transport area directors, but are copied to the document's
authors and WG to allow them to address any issues raised and also to the IETF
discussion list for information.

When done at the time of IETF Last Call, the authors should consider this
review as part of the last-call comments they receive. Please always CC
tsv-art@xxxxxxxx if you reply to or forward this review.

Note that this review focuses on transport issues. The document's content has
not been otherwise reviewed.

Overall, there is little transport-related content in this document. As a YANG
model, there are no transport issues.

The model itself does refer to transport protocols by name. The list is
sufficiently complete.

The only key issue is the reference to ways of blocking protocols. The
"identity reject" entry below describes a variety of ways of blocking transport
protocols, buthese examples have issues. It is important that this document be
updated to give correct advice, even if in such examples.

          ...For example, a TCP packet is rejected with
          TCP RST response or a UDP packet may be rejected with an
          ICMPv4 response message with Type 3 Code 3 or ICMPv6 response
          message Type 1 Code 4 (i.e., Destination Unreachable:
          Destination port unreachable)."

It is not entirely clear from the rest of the context of this document, but if
this filtering occurs anywhere other than the destination IP address of these
packets then ICMP messages from routers should be used, not those from hosts.
I.e., if the issue is packets to/from a NFV service, then host errors are
appropriate, but if the issue is packets relayed through an NFV service, then
router errors should be used instead.

Additionally, assuming host errors are intended, the entry mentions ICMPv4 Type
3 Code 3 (Destination port unreachable) and ICMPv6 Type 1 Code 4 (also
Destination port unreachable), where it appears that ICMPv4 Type 3 Code 10 and
ICMPv6 Type 1 Code 1 (both “administratively prohibited”) seems more
appropriate.

That entry also incorrectly refers to use of TCP RST. TCP RST should be
reserved for actions of the receiver TCP protocol engine based on state errors,
and emitting that message requires that endpoint’s TCP to enter TIME-WAIT for
that socket pair (RFC 9293, Note 3 in Sec 3.3). It should never be issued by a
third party that might not be in a position to maintain those TIME-WAIT states.
It is also not clear it is appropriate to reject connections using this
technique, i.e., as a substitute for host ICMPs.



-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call




[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux