date:20220216

Re: [alto] Roman Danyliw's No Objection on draft-ietf-alto-cdni-request-routing-alto-18: (with COMMENT)

2022-02-16 Thread Qin Wu

Thanks, Jensen, just one update to Roman,
Authors has made another revision to address comments raised by IANA manager
The diff can be seen:
https://www.ietf.org/rfcdiff?url1=draft-ietf-alto-cdni-request-routing-alto-20&url2=draft-ietf-alto-cdni-request-routing-alto-22

-Qin (on behalf of chairs)
发件人: Jensen Zhang [mailto:jingxuan.n.zh...@gmail.com]
发送时间: 2022年2月16日 21:35
收件人: Roman Danyliw 
抄送: The IESG ; alto-chairs ; IETF ALTO 
; draft-ietf-alto-cdni-request-routing-a...@ietf.org
主题: Re: [alto] Roman Danyliw's No Objection on 
draft-ietf-alto-cdni-request-routing-alto-18: (with COMMENT)

Hi Roman,

A new version that echoes the replies already provided in this thread is 
available:

URL:
https://www.ietf.org/archive/id/draft-ietf-alto-cdni-request-routing-alto-21.txt
Status: 
https://datatracker.ietf.org/doc/draft-ietf-alto-cdni-request-routing-alto/
Htmlized:   
https://datatracker.ietf.org/doc/html/draft-ietf-alto-cdni-request-routing-alto-21
Diff:   
https://www.ietf.org/rfcdiff?url2=draft-ietf-alto-cdni-request-routing-alto-21.txt

Please let us know if they address your concerns.

Best regards,
Jensen


On Tue, Jan 18, 2022 at 10:00 PM Jensen Zhang 
mailto:jingxuan.n.zh...@gmail.com>> wrote:
Hi Roman,

Many thanks for your comments. See our answers inline. Please let us know if 
they address your concerns.


On Thu, Jan 6, 2022 at 5:31 AM Roman Danyliw via Datatracker 
mailto:nore...@ietf.org>> wrote:
Roman Danyliw has entered the following ballot position for
draft-ietf-alto-cdni-request-routing-alto-18: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/blog/handling-iesg-ballot-positions/
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-alto-cdni-request-routing-alto/



--
COMMENT:
--

Thanks to Klaas Wierenga for the SECDIR review.

Thanks for addressing my DISCUSS point

** Section 8.
 For authenticity and integrity of ALTO information, an attacker
  may disguise itself as an ALTO server for a dCDN, and provide
  false capabilities and footprints to a uCDN using the CDNI
  Advertisement service.

-- I don’t follow the intent of the first clause.  Why is an _attacker_
concerned with the authenticity and integrity of the ALTO information?

This bullet describes the same risk scenario as the one in Sec 15.1 of RFC7285.


-- What role can TLS, an associated server certificate (for the dCDN) and
configured knowledge of this certificate at the uCDN mitigate some of this
risk?  Shouldn’t the uCDNs only be communicating with a collection of known
dCDNs with which it has some out-of-band negotiated arrangement?

Yes, the uCDNs should only communicate with known dCDNs. But an attacker can 
start a man-in-the-middle attack.
About how to configure TLS, does the second last bullet of this section make it 
clear?


** Section 8.
  For availability of ALTO services, an attacker may conduct service
  degradation attacks using services defined in this document to
  disable ALTO services of a network.

Again, operating under the assumption that the dCDN (ALTO Server) would only be
working with a known (prearranged) set of uCDNs and they would have
authenticated somehow (per the DISCUSS), couldn’t repeated requested be rate
limited and after attribution, filtered to minimize impact?

Yes, considering the limited number of authenticated uCDNs, this security issue 
may not be that risky.
This bullet just aligns with Sec 15.5 of RFC7285. Do you strongly think we 
should remove this one?

Thanks,
Jensen




___
alto mailing list
alto@ietf.org
https://www.ietf.org/mailman/listinfo/alto
___
alto mailing list
alto@ietf.org
https://www.ietf.org/mailman/listinfo/alto

[alto] I-D Action: draft-ietf-alto-cdni-request-routing-alto-22.txt

2022-02-16 Thread internet-drafts



A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Application-Layer Traffic Optimization WG of 
the IETF.

Title   : Content Delivery Network Interconnection (CDNI) 
Request Routing: CDNI Footprint and Capabilities Advertisement using ALTO
Authors : Jan Seedorf
  Y. Richard Yang
  Kevin J. Ma
  Jon Peterson
  Jingxuan Jensen Zhang
Filename: draft-ietf-alto-cdni-request-routing-alto-22.txt
Pages   : 44
Date: 2022-02-16

Abstract:
   The Content Delivery Networks Interconnection (CDNI) framework in RFC
   6707 defines a set of protocols to interconnect CDNs to achieve
   multiple goals, including extending the reach of a given CDN.  A CDNI
   Request Routing Footprint & Capabilities Advertisement interface
   (FCI) is needed to achieve the goals of a CDNI.  RFC 8008 defines the
   FCI semantics and provides guidelines on the FCI protocol, but the
   exact protocol is not specified.  This document defines a new
   Application-Layer Traffic Optimization (ALTO) service, called "CDNI
   Advertisement Service", that provides an implementation of the FCI,
   following the guidelines defined in RFC 8008.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-alto-cdni-request-routing-alto/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-alto-cdni-request-routing-alto-22.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-alto-cdni-request-routing-alto-22


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts


___
alto mailing list
alto@ietf.org
https://www.ietf.org/mailman/listinfo/alto

Re: [alto] Roman Danyliw's No Objection on draft-ietf-alto-cdni-request-routing-alto-18: (with COMMENT)

2022-02-16 Thread Jensen Zhang

Hi Roman,

A new version that echoes the replies already provided in this thread is
available:

URL:
https://www.ietf.org/archive/id/draft-ietf-alto-cdni-request-routing-alto-21.txt
Status:
https://datatracker.ietf.org/doc/draft-ietf-alto-cdni-request-routing-alto/
Htmlized:
https://datatracker.ietf.org/doc/html/draft-ietf-alto-cdni-request-routing-alto-21
Diff:
https://www.ietf.org/rfcdiff?url2=draft-ietf-alto-cdni-request-routing-alto-21.txt

Please let us know if they address your concerns.

Best regards,
Jensen


On Tue, Jan 18, 2022 at 10:00 PM Jensen Zhang 
wrote:

> Hi Roman,
>
> Many thanks for your comments. See our answers inline. Please let us know
> if they address your concerns.
>
>
> On Thu, Jan 6, 2022 at 5:31 AM Roman Danyliw via Datatracker <
> nore...@ietf.org> wrote:
>
>> Roman Danyliw has entered the following ballot position for
>> draft-ietf-alto-cdni-request-routing-alto-18: No Objection
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>>
>> Please refer to https://www.ietf.org/blog/handling-iesg-ballot-positions/
>> for more information about how to handle DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found here:
>>
>> https://datatracker.ietf.org/doc/draft-ietf-alto-cdni-request-routing-alto/
>>
>>
>>
>> --
>> COMMENT:
>> --
>>
>> Thanks to Klaas Wierenga for the SECDIR review.
>>
>> Thanks for addressing my DISCUSS point
>>
>> ** Section 8.
>>  For authenticity and integrity of ALTO information, an attacker
>>   may disguise itself as an ALTO server for a dCDN, and provide
>>   false capabilities and footprints to a uCDN using the CDNI
>>   Advertisement service.
>>
>> -- I don’t follow the intent of the first clause.  Why is an _attacker_
>> concerned with the authenticity and integrity of the ALTO information?
>>
>
> This bullet describes the same risk scenario as the one in Sec 15.1 of
> RFC7285.
>
>
>>
>> -- What role can TLS, an associated server certificate (for the dCDN) and
>> configured knowledge of this certificate at the uCDN mitigate some of this
>> risk?  Shouldn’t the uCDNs only be communicating with a collection of
>> known
>> dCDNs with which it has some out-of-band negotiated arrangement?
>>
>
> Yes, the uCDNs should only communicate with known dCDNs. But an attacker
> can start a man-in-the-middle attack.
> About how to configure TLS, does the second last bullet of this section
> make it clear?
>
>
>>
>> ** Section 8.
>>   For availability of ALTO services, an attacker may conduct service
>>   degradation attacks using services defined in this document to
>>   disable ALTO services of a network.
>>
>> Again, operating under the assumption that the dCDN (ALTO Server) would
>> only be
>> working with a known (prearranged) set of uCDNs and they would have
>> authenticated somehow (per the DISCUSS), couldn’t repeated requested be
>> rate
>> limited and after attribution, filtered to minimize impact?
>>
>
> Yes, considering the limited number of authenticated uCDNs, this security
> issue may not be that risky.
> This bullet just aligns with Sec 15.5 of RFC7285. Do you strongly think we
> should remove this one?
>
> Thanks,
> Jensen
>
>
>>
>>
>>
>> ___
>> alto mailing list
>> alto@ietf.org
>> https://www.ietf.org/mailman/listinfo/alto
>>
>
___
alto mailing list
alto@ietf.org
https://www.ietf.org/mailman/listinfo/alto

[alto] I-D Action: draft-ietf-alto-cdni-request-routing-alto-21.txt

2022-02-16 Thread internet-drafts



A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Application-Layer Traffic Optimization WG of 
the IETF.

Title   : Content Delivery Network Interconnection (CDNI) 
Request Routing: CDNI Footprint and Capabilities Advertisement using ALTO
Authors : Jan Seedorf
  Y. Richard Yang
  Kevin J. Ma
  Jon Peterson
  Jingxuan Jensen Zhang
Filename: draft-ietf-alto-cdni-request-routing-alto-21.txt
Pages   : 44
Date: 2022-02-16

Abstract:
   The Content Delivery Networks Interconnection (CDNI) framework in RFC
   6707 defines a set of protocols to interconnect CDNs to achieve
   multiple goals, including extending the reach of a given CDN.  A CDNI
   Request Routing Footprint & Capabilities Advertisement interface
   (FCI) is needed to achieve the goals of a CDNI.  RFC 8008 defines the
   FCI semantics and provides guidelines on the FCI protocol, but the
   exact protocol is not specified.  This document defines a new
   Application-Layer Traffic Optimization (ALTO) service, called "CDNI
   Advertisement Service", that provides an implementation of the FCI,
   following the guidelines defined in RFC 8008.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-alto-cdni-request-routing-alto/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-alto-cdni-request-routing-alto-21.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-alto-cdni-request-routing-alto-21


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts


___
alto mailing list
alto@ietf.org
https://www.ietf.org/mailman/listinfo/alto

Re: [alto] Roman Danyliw's No Objection on draft-ietf-alto-cdni-request-routing-alto-18: (with COMMENT)

[alto] I-D Action: draft-ietf-alto-cdni-request-routing-alto-22.txt

Re: [alto] Roman Danyliw's No Objection on draft-ietf-alto-cdni-request-routing-alto-18: (with COMMENT)

[alto] I-D Action: draft-ietf-alto-cdni-request-routing-alto-21.txt

4 matches

Site Navigation

Mail list logo

Footer information