On Mon, Aug 12, 2019 at 04:23:54PM -0400, Michael Richardson wrote: > > Benjamin Kaduk via Datatracker <nore...@ietf.org> wrote: > > Section 13.2 > > > I think CDDL needs to be a normative reference, as does RFC 7231. RFC > > 2473 is listed but not referenced in the text, as are RFC 2663, RFC > > 7217, and RFC 7575. > > CDDL->RFC8610, now normative. (Glad that got published) > RFC2473 removed, we no longer attempt to document a stateless IPIP proxy > mechanism. > > RFC2663 (NAT terminology) reference was for Join Proxy, and I've restored > a reference in section 4. > > RFC7217 was thought to be relevant to Pledge use of SLAAC, but actually it's > not, removed. > > You are right that we don't reference RFC7575, which is the architecture of > ANIMA. I have added a sentence to the Intro, referencing RFC7575's > goal of "secure by default" > > > Appendix B > > doc> Discovery of registrar MAY also be performed with DNS-based > service > doc> discovery by searching for the service "_brski- > doc> registrar._tcp.example.com". In this case the domain "example.com" > is > doc> discovered as described in [RFC6763] section 11 (Appendix A.2 > suggests > doc> the use of DHCP parameters). > > > I'd suggest using "<domain>" per 6763 rather than "example.com". > > okay. > > doc> If no local proxy or registrar service is located using the GRASP > doc> mechanisms or the above mentioned DNS-based Service Discovery methods > doc> the pledge MAY contact a well known manufacturer provided > bootstrapping > doc> server by performing a DNS lookup using a well known URI such as > doc> "brski-registrar.manufacturer.example.com". The details of the URI > are > doc> manufacturer specific. Manufacturers that leverage this method on > the > doc> pledge are responsible for providing the registrar service. Also see > doc> Section 2.7. > > > It seems like there are some security considerations for device owners > > that may wish to prevent such registrars from being used. Do we need > > to direct them to run a firewall or similar? > > If they are doing ANIMA ACP bootstrapping, then there would ideally be no > IPv4 available, and so this won't work anyway. > I'd rather not get into too much of this here.
I'm not sure I see how v6-only prevents URI dereference or obviates the usecase for a firewall. Perhaps you mean that there would be no non-link-local available? > > Appendix C > > > I don't know how important file "ietf-mud-extens...@2018-02-14.yang" > > is, but it seems a tad generic. > > Renamed already. > > Ben, I'm posting the -25, and then moving on back to the responses to > my responses, including Adam's concerns. Okay, thanks. -Ben _______________________________________________ Anima mailing list Anima@ietf.org https://www.ietf.org/mailman/listinfo/anima
