Re: [perpass] comments and questions for the group on draft-farrell-perpass-attack-02

Hi Eliot,

On 12/09/2013 02:53 PM, Eliot Lear wrote:
> Hi Stephen,
> 
> I'm not comfortable with having this discussion just in perpass, since
> the impact of what you are proposing is quite broad, as is my concern. 
> This is an IETF last call comment.  The IESG directed those comments to
> go to the IETF list.

WFM. I agree sticking to ietf@xxxxxxxx for this is right.

> 
> On 12/9/13 2:23 PM, Stephen Farrell wrote:
> 
>>  The chair you mean is Mark
>> Nottingham in this [1] mail to the httpbis list.
>>
>>    [1] http://lists.w3.org/Archives/Public/ietf-http-wg/2013OctDec/1453.html
>>
>> I definitely did not read him the way you appear to have and
>> that distinction matters. If you are the only one to take him
>> as saying that then I guess you'd agree that your changes
>> would be based on a fallacy. Maybe Mark can clarify but I think
>> it's already crystal clear that he was not saying "ignore
>> everything else" - I'd be stunned if that was what he meant.
> 
> The point was and is that I wanted to respond to him to clarify that one
> should not ignore everything else, 

So, nothing in the draft says "ignore everything else" and it'd
be wrong if it did. Pervasive monitoring is an attack and like
the draft says:

   The IETF also has consensus to, where possible, work to mitigate the
   technical parts of the pervasive monitoring attack, in just the same
   way as we continually do for these and any other protocol
   vulnerability.

I think that's quite clear - we handle it the same as for "any
other protocol vulnerability."

> when in fact I found the opposite:
> since you laid out explicitly only network management considerations,

But the above already says that this is just another threat.
An important one? Sure. Overrides everything else? Of course not.

But yes we called out one significant area where there's an obvious
tension caused by mitigating this threat but where there's also
an obvious need for some forms of monitoring in order to ensure
that networks can be managed.

> the implication is that all other considerations are excluded.  

I don't read the draft that way at all fwiw. If everyone did,
that'd be something to fix though, I agree.

> The
> purpose of my change is to remove that implied exclusion, and leave this
> to working groups to wrestle with.  

Working groups will have to wrestle with this BCP yes. In some
cases that'll be easy. In other cases, hard.

> I'm happy with Robin's wording as
> well, and I don't mind you proposing other wording further to your
> liking, so long as we recognize that there are other considerations.

As I read it, that's there already in the text quoted above.
I don't think we want to try to list every possible other
consideration, or we'll never get this done.

> If you can show me where in your text it allows for those other
> considerations as I believe I've done in the reverse, I'll be happy to
> stand corrected.

My reluctance to extend a get-out-of-jail card here should be
fairly obvious, but I think it's important that we recognise that
there will be people who from time to time will want to work around
the IETF consensus on this topic.

If your argument was "why just call out network management" that's
a good question, but to be honest the alternative wordings I've seen
so far do seem to offer a broad get-out-of-jail card and I don't
believe that represents the overwhelming consensus we had in the
room in Vancouver, which is what this draft attempts to document.

Cheers,
S.

> 
> Eliot
> _______________________________________________
> perpass mailing list
> perpass@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/perpass
> 
> 



