Re: [Gen-art] GEN-Art review of draft-ietf-dhc-relay-id-suboption-07
Ted Lemon <Ted.Lemon@nominum.com> Wed, 07 October 2009 06:27 UTC
Return-Path: <Ted.Lemon@nominum.com>
X-Original-To: gen-art@core3.amsl.com
Delivered-To: gen-art@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 770313A6894 for <gen-art@core3.amsl.com>; Tue, 6 Oct 2009 23:27:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.35
X-Spam-Level:
X-Spam-Status: No, score=-6.35 tagged_above=-999 required=5 tests=[AWL=0.249, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r2zpSl3eVWob for <gen-art@core3.amsl.com>; Tue, 6 Oct 2009 23:27:21 -0700 (PDT)
Received: from exprod7og103.obsmtp.com (exprod7og103.obsmtp.com [64.18.2.159]) by core3.amsl.com (Postfix) with ESMTP id A8ED33A680A for <gen-art@ietf.org>; Tue, 6 Oct 2009 23:27:11 -0700 (PDT)
Received: from source ([64.89.228.229]) (using TLSv1) by exprod7ob103.postini.com ([64.18.6.12]) with SMTP ID DSNKSsw1IVPPGIdYQPyGIc9T1xdZRDZxZ5jN@postini.com; Tue, 06 Oct 2009 23:28:56 PDT
Received: from webmail.nominum.com (webmail.nominum.com [64.89.228.50]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (Client CN "webmail.nominum.com", Issuer "Go Daddy Secure Certification Authority" (verified OK)) by shell-too.nominum.com (Postfix) with ESMTP id 2836C1B82F4; Tue, 6 Oct 2009 23:28:57 -0700 (PDT)
Received: from vpna-148.vpn.nominum.com (64.89.227.148) by exchange-01.win.nominum.com (64.89.228.50) with Microsoft SMTP Server (TLS) id 8.1.393.1; Tue, 6 Oct 2009 23:28:48 -0700
MIME-Version: 1.0 (Apple Message framework v1076)
Content-Type: text/plain; charset="us-ascii"; format="flowed"; delsp="yes"
From: Ted Lemon <Ted.Lemon@nominum.com>
In-Reply-To: <4ACB9A5F.4090300@ieca.com>
Date: Tue, 06 Oct 2009 23:28:42 -0700
Content-Transfer-Encoding: 7bit
Message-ID: <2D28B9BF-867C-4162-8A24-84C7CF56E781@nominum.com>
References: <4ACB9A5F.4090300@ieca.com>
To: Sean Turner <turners@ieca.com>
X-Mailer: Apple Mail (2.1076)
Cc: Review Team <gen-art@ietf.org>, draft-ietf-dhc-relay-id-suboption.all@tools.ietf.org, General
Subject: Re: [Gen-art] GEN-Art review of draft-ietf-dhc-relay-id-suboption-07
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Oct 2009 06:27:22 -0000
On Oct 6, 2009, at 12:28 PM, Sean Turner wrote: > Major #1 It's not clear to me whether both relay identifier types MUST > be supported or whether implementations are free to pick which one(s) > they support? If you add one of the following (or something > similar) in > Section 5 then my concern is addressed: > > Implementations MUST support both RELAY_IDENTIFIER_DUID and > RELAY_IDENTIFIER_ASCII. > > Implementations MUST support RELAY_IDENTIFIER_DUID and [SHOULD or MAY] > support RELAY_IDENTIFIER_ASCII. > > Implementations MUST support RELAY_IDENTIFIER_ASCII and [SHOULD or > MAY] > support RELAY_IDENTIFIER_DUID. Yeah, this seems like an interoperability problem just waiting to happen. Personally I would like to see this go away and the draft _only_ use a DUID. If the DUID types defined in 3115 aren't adequate, add a new type that does what you want for this application (and, please, is restricted to this application). > Major #2 In the security considerations it says look to RFC 3046 and > RFC 4030 for security considerations and then says SHOULD use the > relay > agent authentication option from RFC 4030. RFC 3046 is targeted at > network infrastructures that are "trusted and secure" and RFC 4030 > allows the relay agent to be part of this trusted and secure network. > If an implementation doesn't use the relay agent authentication > option, > then the relay agent can't be part of the "trusted and secure" > network. > This makes me think that the relay agent authentication option from > RFC 4030 ought to be a MUST not a SHOULD? Yes, this text is confusing. This document makes no changes to practice that require more or less security than is provided by existing relay agent options in RFC4036. Thus, the security considerations in RFC3046 should be adequate. If the security considerations from RFC3046 are not adequate, the document needs a section prior to the security considerations section that explains the use of RFC4030 in the context of this document - in what circumstances it is required, and in what circumstances it is not.