On Mon, Aug 12, 2019 at 04:23:54PM -0400, Michael Richardson wrote:
> Benjamin Kaduk via Datatracker <nore...@ietf.org> wrote:
>     > Section 13.2
>     > I think CDDL needs to be a normative reference, as does RFC 7231.  RFC
>     > 2473 is listed but not referenced in the text, as are RFC 2663, RFC
>     > 7217, and RFC 7575.
> CDDL->RFC8610, now normative. (Glad that got published)
> RFC2473 removed, we no longer attempt to document a stateless IPIP proxy
> mechanism.
> RFC2663 (NAT terminology) reference was for Join Proxy, and I've restored
> a reference in section 4.
> RFC7217 was thought to be relevant to Pledge use of SLAAC, but actually it's
> not, removed.
> You are right that we don't reference RFC7575, which is the architecture of
> ANIMA.  I have added a sentence to the Intro, referencing RFC7575's
> goal of "secure by default"
>     > Appendix B
>     doc>    Discovery of registrar MAY also be performed with DNS-based 
> service
>     doc> discovery by searching for the service "_brski-
>     doc> registrar._tcp.example.com".  In this case the domain "example.com" 
> is
>     doc> discovered as described in [RFC6763] section 11 (Appendix A.2 
> suggests
>     doc> the use of DHCP parameters).
>     > I'd suggest using "<domain>" per 6763 rather than "example.com".
> okay.
>     doc>    If no local proxy or registrar service is located using the GRASP
>     doc> mechanisms or the above mentioned DNS-based Service Discovery methods
>     doc> the pledge MAY contact a well known manufacturer provided 
> bootstrapping
>     doc> server by performing a DNS lookup using a well known URI such as
>     doc> "brski-registrar.manufacturer.example.com".  The details of the URI 
> are
>     doc> manufacturer specific.  Manufacturers that leverage this method on 
> the
>     doc> pledge are responsible for providing the registrar service.  Also see
>     doc> Section 2.7.
>     > It seems like there are some security considerations for device owners
>     > that may wish to prevent such registrars from being used.  Do we need
>     > to direct them to run a firewall or similar?
> If they are doing ANIMA ACP bootstrapping, then there would ideally be no
> IPv4 available, and so this won't work anyway.
> I'd rather not get into too much of this here.

I'm not sure I see how v6-only prevents URI dereference or obviates the
usecase for a firewall.  Perhaps you mean that there would be no
non-link-local available?

>     > Appendix C
>     > I don't know how important file "ietf-mud-extens...@2018-02-14.yang"
>     > is, but it seems a tad generic.
> Renamed already.
> Ben, I'm posting the -25, and then moving on back to the responses to
> my responses, including Adam's concerns.

Okay, thanks.


Anima mailing list

Reply via email to