Re: [secdir] secdir review of draft-sakane-dhc-dhcpv6-kdc-option

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2012-05-23 at 19:12 -0400, Samuel Weiler wrote:

> With that said, there are some things that need clarification, and the 
> doc sorely needs an editorial pass.  As-is, the doc is not ready for 
> publication.  I will be happy to review the doc again once it's been 
> thoroughly edited.

It does need copy-editing.  As far as I know, the IETF does not have a
team of volunteer copy-editors, and multiple attempts to get help from
within the working group have met with only limited success (most
notably in the form of help from Stephen, who did quite a bit of work on
this before starting on his AD review).  If anyone wants to volunteer to
spend some time on helping to clean up this document, let me know.

Otherwise, I think our only options are either to ask the paid editors
at the RFC production center to take a stab, or block an otherwise
completed document on cycles that may never appear.


> Section 7 uses the term "TGT" without expansion.  In the Kerberos 
> world I can't imagine someone not knowing what this is, but it's not 
> clear to the layman.  It probably needs to be expanded.

It does; I somehow missed that in my review.


> The algorithm in section 4.1 needs work.  The obvious thing is to read 
> it linearly.  Doing that, one would prefer DHCP over DNS SVR info (per 
> step 2), which is not what step 6 and the graphic say.

The algorithm is fine, but the description requires careful reading.
Step 2 kicks in only if you get a DHCP response containing Kerberos
configuration but no nameservers.  


> Saying "no answer from the DNS server" is probably not the desired 
> semantic.

There are only two branches here.  Either you get a response containing
one or more relevant SRV RRs, or you don't.  The latter is phrased as
"no answer from the DNS server", but is meant to also include errors and
empty responses.  A suggestion for how to word this better would be
welcome.


> In 3.4, the option-len field is ambiguous.  It says "24-octet + the 
> length of the realm-name field in octets."  But it looks to me like 
> this option is 27 octets + length of realm name.  Perhaps it would be 
> better to just count the length of the realm name?

Yes, the description is wrong; the correct length is _23_ plus the
length of the realm.  The 16-bit option code and length are part of the
DHCPv6 protocol; unless I'm misremembering, the length is the length of
the option payload (that is, excluding the two header fields).


Thanks for taking the time to review this.

-- Jeff



[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]