I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair. Please treat these comments just
like any other last call comments.
For more information, please see the FAQ at
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
Document: draft-ietf-lisp-ddt-08
Reviewer: Dale R. Worley
Review Date: 2016-10-09
IETF LC End Date: 2016-10-17
IESG Telechat date: 2016-10-27
Summary: This draft is on the right track but has open issues,
described in the review.
I believe that the technical specifics in this draft have been
settled, but in many places the wording is unclear and contradictory
in minor ways to the point that I was uncertain whether I understood
what is intended. The result is that this review is excessively long,
as I can only point to the items that appear problematic, rather than
pointing out the adjustments that would cure the problems.
I suspect that as the design has evolved, the text has been revised
many times, leading to incompletenesses and inconsistencies. The
danger, in my opinion, is that no part of the document can be reliably
understood without correlating it with many other parts of the
document, that many implementers will make mistakes of interpretation,
and that there may be points on which people believe consensus was
reached, but that their understandings of the point were contradictory.
I think that the document needs a careful final editing to bring the
terminology and all parts of the document into sync. That will also
reveal whether there are points on which people mistakenly believed
there was consensus.
I begin with a list of more global issues, then continue with comments
on specific parts.
* In regard to XEIDs: The concept of XEID unifies the treatment of
DBID, IID, AFI, and EID. Essentially all of the processing in the
draft is simplified by expressing processing in terms of XEIDs. For
instance, delegation based on DBID, IID, or AF becomes just a special
case of delegation based on XEID-prefix. However, it's not clear to
me whether this concept is followed in the text. For example:
In section 3, definition "XEID-prefix" seems to assume that an
XEID-prefix will always contain a complete DBID, IID, and AFI.
In section 4.2.1:
The root DDT node is the logical "top" of the database hierarchy:
DBID=0, IID=0, AFI=0, EID-prefix=0/0.
But really, the condition of a root node is that it's authoritative
for the *empty* XEID-prefix.
There is also the suggestion here that an AFI of 0 is somehow a
wildcard match for any AFI value. That is a special case that can be
eliminated by considering the entire XEID to be prefixable.
On the other hand, this text in 7.3.1 suggests that there is a "null
prefix" which is (or is equivalent) to the XEID-prefix of 0 bits:
the "referral XEID-prefix" is also initialized to the null value
since no referral has yet been received.
* In regard to the special fields in XEID, viz., DBID, IID, and AFI,
those need to be described in a way that doesn't leave loose ends, by
either describing how they are expected to be used or referring to a
document that does so. In this document, a lot of that information is
bundled into the definitions of "Extended EID (XEID)" and
"XEID-prefix" in section 3. It would be best if this information
appeared in its own paragraphs.
It appears to me that it is expected that DBID will always be zero
(see definition "XEID-prefix"), but the machinery is defined so that
other values can be used.
IID is presumably expected to be zero except when VPNs are used. (see
definition "Extended EID (XEID)")
Note that definition "Extended EID (XEID)" says "optionally extended
with a non-zero Instance ID". Read literally, that means that zero
IIDs aren't included in the XEID, which would be insanity. The text
needs to clarify that IID is always present in the XEID, but is
normally zero.
AFI is taken from http://www.iana.org/numbers.html, but you have to go
through the link to draft-ietf-lisp-lcaf to discover that; it should
be stated in this draft.
* For any given delegated prefix, there can be more than one "peer"
DDT nodes that contain duplicated information about the prefix. But
the term "peer" isn't defined in the lexicon, and there is no explicit
statement that the peers (for a prefix) must contain the same
information.
* It appears that "Map Server" has been defined elsewhere (RFC 6833),
and that Map Servers can automatically be DDT nodes. Or is it that
some Map Servers are also equipped with DDT node functionality? If
this draft places further requirements on Map Server DDT nodes, then
this draft should be noted as updating RFC 6833.
* There seems to be two meanings of "DDT node". One is a broad sense,
and is any server that responds to Map-Request. The other is a narrow
sense, and means any DDT node in the broad sense that is not a Map
Server, and thus is allowed to contain prefix delegations. These
terms need to be separated, and the uses of "DDT node" in the draft
need to be revised to the correct term.
However, the preceding paragraph assumes that a DDT node is not
allowed to contain both prefix delegations and ETR registrations.
That seems to be the case because in many places, those classes of
nodes are required to behave differently (e.g., return different error
codes for nonexistent prefixes) and be treated differently by other
DDT nodes (e.g., referrals to them are given with different action
codes). But there are a few places where the text suggests that a DDT
node could contain both prefix delegations and ETR registrations.
* Is it really true that two Map Servers that are authoritative for
the same XEID prefix can contain different sets of ETR registrations?
That is, the DDT client (the Map Resolver) may be required to query
the entire set of peer Map Servers to find the right ETR registration?
Perhaps the answer is defined in the RFC describing Map Servers, but
it affects one's understanding of this draft enough that it should be
stated in the overview.
* The role of hints is not clear. Clearly, a DDT node can be
configured with hints regarding some XEID-prefix, but what are the
limitations on what RLOCs must be provided in a hint? This seems
especially important because it seems in practice that the
authoritative nodes for a prefix might be reconfigured without anyone
realizing that the hints in nodes farther down the tree need to be
updated. In particular, when should the DDT client follow a hint?
Hints seem to provide the possibility of circular references. Given
that this is an Experimental draft, perhaps the best use of hints is
an "open issue and consideration", and by listing it in section 11,
these questions need not be answered now.
1. Introduction
LISP offers a general-purpose mechanism for mapping between EIDs and
RLOCs. In organizing a database of EID to RLOC mappings, this
specification extends the definition of the EID numbering space by
logically prepending and appending several fields for purposes of
defining the database index key: Database-ID (DBID, 16 bits),
Instance identifier (IID, 32-bits), Address Family Identifier (16
bits), and EID-prefix (variable, according to AFI value). The
resulting concatenation of these fields is termed an "Extended EID
prefix" or XEID-prefix.
This paragraph is undecided whether it is defining XEID or
XEID-prefix. Better, I think is to define XEID first and then define
XEID-prefix based on that:
this
specification extends the definition of the EID numbering space by
logically concatenating several fields for purposes of
defining the database index key: Database-ID (DBID, 16 bits),
Instance identifier (IID, 32-bits), Address Family Identifier (16
bits), and EID (variable length, according to AFI value). The
resulting concatenation of these fields is termed an "Extended EID"
or XEID. Prefixes within the XEID space are thus "Extended EID
prefixes" or XEID-prefixes.
--
It
also provides delegation information to Map Resolvers, which use the
information to locate EID-to-RLOC mappings.
There needs to be clarification regarding the relationship between
"Map Resolver" and "DDT client". As far as I can tell, in all places
in this document, "DDT client" is the correct term, though it is
expected that most (but not all) DDT clients will be Map Resolvers.
So this text should be something like
It
also provides delegation information to DDT clients (which are
usually Map Resolvers, but may be ITRs), which use the
information to locate EID-to-RLOC mappings.
and approximately all uses of "Map Resolver" should be changed to "DDT
client".
LISP-DDT defines a new device type, the DDT node, that is configured
as authoritative for one or more XEID-prefixes.
Here would be a good place to lay out clearly the relationship between
DDT node and Map Server: whether nodes that do delegation are
disjoint from Map Server nodes, etc.
3. Definition of Terms
Extended EID (XEID): a LISP EID, optionally extended with a non-
zero Instance ID (IID) if the EID is intended for use in a context
where it may not be a unique value, such as on a Virtual Private
Network where [RFC1918] address space is used. See "Using
Virtualization and Segmentation with LISP" in [RFC6830] for more
discussion of Instance IDs.
XEID-prefix: a LISP EID-prefix with 16-bit LISP-DDT DBID (provided
to allow the definition of multiple databases; currently always
zero in this version of DDT, with other values reserved for future
use), 32-bit IID and 16-bit AFI prepended. Encoding of the
prefix, its AFI and the instance ID (IID) are specified by
[I-D.ietf-lisp-lcaf]. An XEID-prefix is used as a key index into
the database.
These can be simplified by moving the details of the XEID format and
the values of the fields into separate paragraphs (as discussed
above).
DDT node: a network infrastructure component responsible for
specific XEID-prefix and for delegation of more-specific sub-
prefixes to other DDT nodes.
A DDT node can be authoritative for more than one prefix (see section
4.2 and section 10, paragraph 2), so "specific XEID-prefix" should be
"specific XEID-prefix(es)".
DDT Map Resolver: a network infrastructure element that accepts a
Map-Request, adds the XEID to its pending request list, then
queries one or more DDT nodes for the requested EID, following
returned referrals until it receives one with action code MS-ACK
(or an error indication). MS-ACK indicates that the Map-Request
has been sent to a Map Server that will forward it to an ETR that,
in turn, will provide a Map-Reply to the original sender. A DDT
Map Resolver maintains both a cache of Map-Referral message
results containing RLOCs for DDT nodes responsible for XEID-
prefixes of interest (termed the "referral cache") and a pending
request list of XEIDs that are being resolved through iterative
querying of DDT nodes.
This isn't really a definition of what how Map Resolver fits into the
overall scheme, but an outline of Map Resolver processing. The
description of processing should be moved somewhere else. Also, any
DDT client that is not a Map Resolver must do the same processing, so
"DDT client" and "DDT Map Resolver" should be merged.
DDT Map-Request: an Encapsulated Map-Request sent by a DDT client to
a DDT node. The "DDT-originated" flag is set in the encapsulation
header ...
Given the importance of Map-Request messages, it might be worth
mentioning that they are defined in RFC 6830.
What is the need for the DDT-originated flag? It seems from the
definition "Encapsulated Map-Request" that EMRs from ITRs to Map
Resolvers never have the flag set, EMRs from Map Resolvers to DDT
nodes (including Map Servers) always have the flag set, and EMRs from
Map Servers to ETRs never have the flag set. But if that is so, no
type of device can receive EMRs that both have the flag set and not.
Hmmm, the exception is if an ITR acts as a DDT client sends a
Map-Request directly to DDT nodes. But in that case, the DDT nodes
would process the Map-Request in exactly the same way as a Map
Resolver, so there is no need for a "D" flag.
Also, the definition of the flag in section 5 is awkward:
D: The "DDT-originated" flag. It is set by a DDT client to indicate
that the receiver SHOULD return Map-Referral messages as
appropriate. Use of the flag is further described in
Section 7.3.1. This bit is allocated from LISP message header
bits marked as Reserved in [RFC6830].
If the flag *means* "DDT-originated", then the message must have come
from a DDT client, and the receiver MUST return Map-Referral messages
-- that's what this draft is specifying!
I get the feeling that the D flat is (or was) intended to work like
the DNS "recursion" flag, it tells whether the client is willing to
accept and follow Map-Referral messages, or whether the client wants
to put that work of following referrals on the server. But as the
lexicon makes clear, *any* DDT client must be willing to follow
Map-Referral messages, and DDT nodes are *never* required to follow
referrals on behalf of the DDT client.
Map-Referral: a LISP message sent by a DDT node in response to a DDT
Map-Request for an XEID that matches a configured XEID-prefix
delegation. A non-negative Map-Referral includes a "referral", a
set of RLOCs for DDT nodes that have more information about the
sub-prefix;
The phrase "more information" is used in various places, but it is not
really informative. As far as I can tell, all uses of "DDT nodes that
have more information" mean "DDT nodes to which that XEID has been
delegated". Unless perhaps hints are also considered to point to "DDT
nodes that have more information", in which case the term "more
information" needs to be defined specifically, as it doesn't always
mean a delegation relationship.
Negative Map-Referral: a Map-Referral sent in response to a DDT Map-
Request that matches an authoritative XEID-prefix but for which
there is no delegation configured (or no ETR registration if sent
by a DDT Map-Server).
I'd describe a negative Map-Referral as an answer from an
authoritative DDT node that there is no mapping for the requested
XEID. That happens because the request is sent to an authoritative
DDT node "but for which there is no delegation configured (or no ETR
registration if sent by a DDT Map-Server)", but the core semantics is
an authoritative denial of a mapping.
Pending Request List: the set of outstanding requests for which a
DDT Map Resolver has received encapsulated Map-Requests from a DDT
client for an XEID.
Is it correct that a DDT Map Resolver can receive Map-Requests from
DDT clients? I thought a Map Resolver could only receive them from
ITRs, and a DDT client could only send them to DDT nodes. If a Map
Resolver can receive requests from other Map Resolvers, there are
complexities of behavior that don't seem to be described in this
draft.
In any case, does this need an entry in the lexicon? It seems that a
pending request list is an implementation detail and should be
described in the algorithm description sections.
It is important to note that LISP-DDT does not store actual EID-to-
RLOC mappings; it is, rather, a distributed index that can be used to
find the devices (Map Servers and their registered EIDs) that can be
queried with LISP to obtain those mappings.
This text defines that Map Servers are not part of DDT, but the
lexicon refers to DDT Map Servers. And actually, its the ETRs that
store the EID-to-RLOC mappings, not the Map Servers (except when the
Map Server is proxying for the ETR).
6.1. Action codes
MS-ACK (2): indicates that a replying DDT Map Server received a DDT
s/a replying/the replying/
NOT-AUTHORITATIVE (5): indicates that the replying DDT node received
a Map-Request for an XEID-request for which it is not
authoritative. This can occur if a cached referral has become
invalid due to a change in the database hierarchy.
There's a treacherous case of how hints are returned by a DDT node.
Reading the above definition, it's clear that a hint should be
returned with a NON-AUTHORITATIVE action code, because the node isn't
authoritative for the XEID. Then again, section 6.1 suggests that
hints are returned as NODE-REFERRAL or MS-REFERRAL. If so, things get
messy -- How is the DDT client to know that the referral set is a hint
rather than an authoritative delegation? And that distinction is
necessary because the client can't fully trust hints.
6.3. Incomplete flag
o If it is setting action code MS-ACK or MS-NOT-REGISTERED but does
not have configuration for other "peer" DDT nodes that are also
authoritative for the matched XEID-prefix.
Is this situation equivalent to the referral set being a hint rather
than a delegation? Or rather, a hint which the DDT node doesn't
believe is the complete peer set for the prefix? (Is there any way
for a DDT node to know that it has the complete peer set?) In any
case, it seems to me that this might be usefully changed to "hint
flag".
6.4. Map-Referral Message Format
Is it intended that the "record" and "ref" sections can be repeated?
That is a different usage of bracketing than in the figure in section
5, and if so, should be described in the text.
I note that this section lists all the action codes, as does section
6.1. It seems like these should be consolidated into section 6.1.
The handling of the "Incomplete" column of the table cannot be
correct. There is no way for a node to send hints and mark them
Incomplete, and the description at the top of page 12 is incompatible
with the contents of the table.
Loc/LCAF-AFI: If this is a Loc AFI, keys SHOULD NOT be included in
the record. If this is a LCAF AFI, the contents of the LCAF depend
on the Type field of the LCAF. Security material are stored in LCAF
Type 11. DDT nodes and Map Servers can use this LCAF Type to include
public keys associated with their Child DDT nodes for a XEID-prefix
referral record. LCAF types and formats are defined in
[I-D.ietf-lisp-lcaf].
This paragraph doesn't make sense in this context. The terms "Loc",
"keys", "LCAF", "Security material" are all undefined in this context.
Note, though,
that the set of RLOCs correspond to the DDT node to be queried as a
result of the referral not the RLOCs for an actual EID-to-RLOC
mapping.
I take it that the "Ref" sections is counted by the "Referral Count"
field, and that the "Loc/LCAF-AFI" and "Locator" fields contain the
RLOCs of the set of DDT nodes that are the referral set. It might
help the reader to rephrase this sentence in those terms.
6.4.1. SIG section
Sig Length: The length of the Signature field.
Is this measured in bytes?
Signature: Contains the cryptographic signature that covers the
entire record. The Record TTL and the sig fields are set to zero for
the purpose of computing the Signature.
It's not clear to me why the Record TTL should be set to zero for
computing the signature, given that you'd want to protect the TTL from
modification. Also, what is the relationship between Record TTL and
Original Record TTL? As far as I can tell, no DDT element can receive
a Map-Referral Record from another element and pass it on to a third
element, so there need never be TTL skew between when a record was
signed and when it was sent.
It seems awkward to compute the signature by first laying out the Sig
section and filling it with zeros when the same benefit could be
obtained by omitting the Sig section from the part of the record whose
signature is calculated.
Is it a problem that Original Record TTL, Signature Expiration, and
Signature Inception aren't protected by the signature?
7.1.1. Match of a delegated prefix (or sub-prefix)
If the delegation is known to be a DDT Map Server,
This seems to assume that either all delegatees are Map Servers or
none are. All of the processing algorithms seem to presuppose that a
set of peers either are all Map Servers or all are not, but there
doesn't seem to be an explicit requirement of that.
7.1.2. Missing delegation from an authoritative prefix
If the requested XEID did not match a configured delegation but does
match an authoritative XEID-prefix, then the DDT node MUST return a
negative Map-Referral that uses the least-specific XEID-prefix that
does not match any XEID-prefix delegated by the DDT node.
It would be a bit clearer if "the least-specific XEID-prefix" was
changed to "the least-specific prefix of the XEID".
If the requested XEID did not match either a configured delegation or
an authoritative XEID-prefix, then negative Map-Referral with action
code NOT-AUTHORITATIVE MUST be returned.
I understand what you mean, but this isn't phrased quite right in
regard to hints, because the DDT node may have a hint for an
XEID-prefix that is neither a configured delegation nor within one of
its authoritative XEID-prefixes, but hints are returned with
NODE-REFERRAL.
7.3. DDT Map Resolver
7.3.1. Queuing and sending DDT Map-Requests
I think there is an issue around the cache. Usually (IMHO) when
discussing "resolvers", the "cache" is entirely transient information
that the resolver has acquired from other devices, it doesn't contain
configured information. But in some places, the draft reads as if the
configured information is permanently present in the cache. If that
is so, it would help the reader (i.e., this reader!) if when the cache
is introduced that it was stated that the configured delegations (and
hints) are permanently resident in the cache.
That is, this should be promoted from section 7.3.1 to 7.3 where the
structure (rather than the detailed behavior) of a Map Resolver is
discussed:
The referral cache is initially populated with one or more
statically-configured entries;
Similarly this is a structural statement about the cache:
A DDT Map Resolver is not absolutely required to cache referrals,
but it doing so decreases latency and reduces lookup delays.
--
Note that in normal use on the public Internet, the statically-
configured initial referral cache for a DDT Map Resolver should
include a "default" entry with RLOCs for one or more DDT nodes that
can reach the DDT root node.
This suggests that it will be common that a Map Resolver won't be
configured with the RLOCs of the root nodes (which is different from
the common DNS usage), but rather configured with the RLOCs of nodes
that contain a hint for the null prefix and the root nodes. (Also,
"can reach" should be changed to "containing hints for".) If this is
so, then the operation of hints is a central part of the DDT protocol
and (IMO) it would greatly help if the role and processing of hints
was outlined in some location. In particular, it suggests that all
nodes that are expected to be the initial node for an extensible
population of Map Resolvers SHOULD be configured with a hint for the
root nodes.
There is also a possible conflict with section 10 -- the Map Resolver
isn't expected to be configured with the RLOCs of the root servers,
but it is expected to be configured with the public keys of the root
servers. Indeed, given the language in section 10, the keys can
differ between the various root DDT nodes, which means that in order
to configure the Map Resolver with the public keys of the root
servers, it must be configured with their RLOCs.
7.3.2. Receiving and following referrals
If the maximum number of retransmissions has occurred and all RLOCs
have been tried, then the pending request list entry is dequeued.
This isn't phrased quite right, because it requires a further
retransmission if "the maximum number of retransmissions has occurred"
but not "all RLOCs have been tried" -- and that would mean sending
more retransmissions than the "maximum number".
I believe that the intention is that the Map Resolver must attempt to
contact all relevant RLOCs, but that it must also send at least
"number of retransmissions", meaning that if there are fewer RLOCs
than that number, some RLOCs will be attempted more than once. If
that is so, then "maximum number" should be "minimum number".
OTOH, if "maximum number" is intended, then the text should be "If the
maximum number of retransmissions has occurred or all RLOCs have been
tried".
Also, this paragraph should specify what response the Map Resolver
should send if processing is terminated due to response time-out. As
written, the text doesn't require the Map Resolver to send *any*
response, which seems like a bad design.
MS-REFERRAL: The DDT Map Resolver follows an MS-REFERRAL in the same
manner
It might be better to say "processes" than "follows".
MS-ACK: This is returned by a DDT Map Server to indicate that it has
one or more registered ETRs that can answer a Map-Request for the
XEID and the request has been forwarded to one of them
It's not clear to me how the Map Server or ETR knows the address of
the DDT client to which to send the Map-Reply. It seems that the
address must be in the Map-Request message, but reading that section
of RFC 6830 doesn't make it clear to me how that is done.
The processing regarding MS-ACK is not clear to me. It would help if
there was an overview discussion of the four-way dance between the DDT
client, the Map Resolver, the Map Server, and the ETR. (Some times
the Map Server also does the ETR's job.) Since one step of it is for
the ETR to send Map-Replay to the DDT client, this processing doesn't
break down into separate client/Map Resolver, Map Resolver/Map Server,
and Map Server/ETR components, there's a specific overall structure.
In particular, what happens when a Map Resolver sends a Map-Request to
a Map Server without LISP-SEC information? It appears that processing
goes through two cycles, with a second cycle when the Map Resolver
re-sends the Map-Request to the Map Server with LISP-SEC information.
The Map Server seems to return MS-ACK messages to the Map Resolver in
both cycles, and there is no special marking in the first MS-ACK
message to indicate that resending must be done (the Map Resolver can
determine that itself). But presumably, the Map Server forwards the
Map-Request to the ETR in both cycles, and the ETR sends Map-Replys to
the client in both cycles. Presumably the first Map-Reply is useless
to the client (otherwise there wouldn't need to be two cycles), but
it's not clear how the client deals with two replies.
MS-NOT-REGISTERED: ...
The DDT Map Resolver MUST return a negative
Map-Reply to the original Map-Request sender; this Map-Reply
contains the non-registered XEID-prefix whose TTL value SHOULD be
set to one minute.
I think "non-registered XEID-prefix" is meant to mean "least-specific
prefix of the XEID for which no registrations exist".
NOT-AUTHORITATIVE: ...
The pending request is silently discarded, i.e. all state
for the request that caused this answer is removed and no answer
is returned to the original requester.
It seems like a poor design to return no response. Is there not some
sort of "server failure" response that can be returned to the DDT
client?
8. Pseudo Code and Decision Tree diagrams
Care needs to be taken here as to whether the pseudo-code and decision
trees are normative or not. Generally, algorithms enunciated in RFCs
are marked as non-normative, as the implementation is usually allowed
to deviate from the stated algorithm as long as it satisfies the
constraints written in the text.
9. Example topology and request/referral following
The same principle
of hierarchical delegation and pinpointing referrals is equally
applicable to any AF whose address hierarchy can be expressed as a
bitstring with associated length.
This sentence seems to be redundant because we've been assuming all
along that in any address family used by DDT the address hierarchy is
expressed as bistrings with lengths.
Are lines in the diagram intended to cross? If so, they could be
clarified as:
+---------------------+ +---------------------+
| root1: 192.0.2.1 | | root2: 192.0.2.2 |
| authoritative: ::/0 | | authoritative: ::/0 |
+---------------------+ +---------------------+
| \ / |
| \ / |
| X |
| / \ |
| / \ |
| | | |
V V V V
+-------------------------+ +--------------------------+
| DDT node1: 192.0.2.11 | | DDT node2: 192.0.2.12 |
| authoritative: | | authoritative: |
| 2001:db8::/32 | | 2001:db8::/32 |
+-------------------------+ +--------------------------+
| \ / |
| \ / |
| X |
| / \ |
| / \ |
| | | |
V V V V
+--------------------------+ +---------------------------+
| Map-Server1: 192.0.2.101 | | DDT node3: 192.0.2.201 |
| authoritative: | | authoritative: |
| 2001:db8:0100::/40 | | 2001:db8:0500::/40 |
| site1: 2001:db8:0103::/48| +---------------------------+
| site2: 2001:db8:0104::/48| | |
+--------------------------+ | |
| |
| |
V V
+---------------------------+ +---------------------------+
| Map-Server2: 192.0.2.211 | | Map-Server3: 192.0.2.221 |
| authoritative: | | authoritative: |
| 2001:db8:0500::/48 | | 2001:db8:0501::/48 |
|site3: 2001:db8:0500:1::/64| |site5: 2001:db8:0501:8::/64|
|site4: 2001:db8:0500:2::/64| |site6: 2001:db8:0501:9::/64|
+---------------------------+ +---------------------------+
10. Securing the database and message exchanges
Each DDT node is configured with one or more public/private key
pair(s) that are used to digitally sign referral records for XEID-
prefix(es) that the DDT node is authoritative for. In other words,
each public/private key pair is associated with the combination of a
DDT node and the XEID-prefix that it is authoritative for.
s/the XEID-prefix/an XEID-prefix/
But the first sentence doesn't say the same thing as the second
sentence. Better would be
Each DDT node is configured with one or more public/private key
pairs for each XEID-prefix that it is authoritative for, and those
keys are used to sign referral records for XEID-prefixes within the
authoritative XEID-prefix.
Also, there should be some text as to whether a node is required to
sign a referral record with *all* of its keys. And in general, there
should be some discussion of the significance and use of multiple keys
for a single DDT node/authoritative prefix.
Every DDT
node is also configured with the public keys of its children DDT
nodes. By including public keys of target child DDT nodes in the
Map-Referral records, and signing each record with the DDT node's
private key, a DDT node can securely delegate sub-prefixes of its
authoritative XEID-prefixes to its children DDT nodes.
Does a DDT node have the public keys of the DDT nodes that its hints
point to? If not, hints can't be trusted and followed in the same way as
"downward" Map-Referrals, which breaks the trust sequence if the DDT
client is not configured with the keys of the RLOCs in the hint.
Also, how does the DDT node return public keys to the Map Resolver? I
don't see any field for it in the Map-Referral message.
11. Open Issues and Considerations
o Management of the DDT Map Resolver referral cache, in particular,
detecting and removing outdated entries.
I assume that this means "the definition and use of TTL values",
because the use of TTL values does not seem to be completely described
in this document. Perhaps this item could be rephrased to mention TTL
explicitly.
13. Security Considerations
For this reason, when
LISP-SEC is deployed in conjunction with a LISP-DDT mapping database
and the path between Map-Resolver and Map-Server needs to be
protected, DDT security should be enabled as well.
This sentence is obscure, because "DDT security" is not defined
anywhere, and there seems to be no optional security mechanism
described in the draft.
14.2. Informative References
[I-D.ietf-lisp-lcaf]
Farinacci, D., Meyer, D., and J. Snijders, "LISP Canonical
Address Format (LCAF)", draft-ietf-lisp-lcaf-13 (work in
progress), May 2016.
The reference to ietf-lisp-lcaf in the definition "XEID-prefix" in
section 3 seems to be normative (unless the text in this draft is
adjusted to consider XEIDs as undifferentiated bit strings).
[LISP-TREE]
Jakab, L., Cabellos-Aparicio, A., Coras, F., Saucez, D.,
and O. Bonaventure, "LISP-TREE: a DNS hierarchy to support
the lisp mapping system", Selected Areas in
Communications, IEEE Journal , 2010,
<http://ieeexplore.ieee.org/xpls/
abs_all.jsp?arnumber=5586446>.
This reference is not referenced.
[RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography
Standards (PKCS) #1: RSA Cryptography Specifications
Version 2.1", RFC 3447, DOI 10.17487/RFC3447, February
2003, <http://www.rfc-editor.org/info/rfc3447>.
The reference to RFC 3447 in section 6.4.1 seems to be normative, as
the specifics of RSA-SHA1 signatures come from this RFC.
Dale