On Fri, Apr 3, 2020 at 12:29 PM tom petch <ie...@btconnect.com> wrote:
>
> From: OPSAWG <opsawg-boun...@ietf.org> on behalf of Warren Kumari
> <war...@kumari.net>
> Sent: 02 April 2020 23:24
> On Fri, Mar 6, 2020 at 8:17 PM Michael Richardson <mcr+i...@sandelman.ca>
> wrote:
> >
> >
> > I have posted a shepherd write-up.
> >
> > Some suggestions that I have, one of which came from the idnits:
> >
> > 1) IPv6 example maybe? How would IPv6 work at all?
> > Can it work in a SLAAC-only environment?
>
> Good catch - the only IPv4 address was in the example in the Appendix
> ('tftp 192.0.2.1 -c get SN19842256.enc') -- I've changed this to
> instead be 'tftp 2001:0db8::23 -c get SN19842256.enc'.
>
> I've also clarified that the document is more of a framework, and that
> things like how devices perform their autoboot is background and
> describes existing vendor functionality.
>
> Currently the autoboot implementations mostly / all use DHCP. There
> was a 6MAN document to add a "Boot File URL option" to RAs
> (draft-qin-6man-nb-option), but this work seems to have been abandoned
> - but, whatever the case, this functionality should work with any sort
> of autoboot that delivers something that looks like a config file,
> regardless of how that files is discovered...
>
> >
> > 2) no references for DHCP are there at all. Probably there should be a few?
> > at least to RFC2131?
>
> Gadzooks, yes, definitely! Fixed and pushed to github...
> Thank you...
>
> >
> > Some questions about how the keys would be generated, kept, distributed,
> > etc. were asked during WG adoption discussion (tom perch and other), and I'm
> > not sure that those comments/questions were dealt with fully at the time.
> > I don't think that this is blocking though.
>
> I've added some (admittedly handwavey) text to an earlier commit, but
> am expecting that I'll get some feedback during LC / SecDir / Security
> AD reviews.
>
> <tp>
> I said months ago that I would provide text linking to previous practices and
> every time I have sat down to write it have gone round in circles and was
> reminded of that when my MUA told me to logon as administrator so that it
> could overwrite my PC - NO! So- apologies
>
> I do think that the Security Considerations needs more. Like the padlock on
> the web page which could mean an encrypted connection with an entropy of 40
> bit, having a private public key pair is useless unless it is strong enough
> and used in a good algorithm. Lifting recommended values from TLS1.3 or,
> given the context, SSH is the sort of thing I have in mind. I note that the
> example uses RSA. I would be disappointed if a Security AD thought that this
> was ok:-)
Yup - I'm expecting some updates will be needed. Joe had already
requested SecDir feedback (and we haven't received any yet), and I've
asked a SecAD to review as well, but they are overloaded...
>
> Also the cert needs checking if only for the correct serial number or other
> fields that should match but also for the other standard cert checks
>
> I think that more references are needed. DHCP yes, but also RADIUS, TFTP,
> HTTPS, 802.1AR, SMIME
Hmmmm - I'm normally much better at adding references as I write the
document, but this time I somehow didn't... I also feel that the
quality of the writing is not up to my usual standard - I have done a
number of copy-edit passes, but some of it still feels clumsy..
But, yes, good catch -- I added a bunch more references, and posted a
new version, which includes a number of previous commits, including
mcrs'
Thank you very much,
W
>
> Tom Petch
>
> Thank you for the shepherd writeup / review,
> W
>
> P.S: Apologies all for the terseness of this email (and other emails)
> - I am attempting to improve my typing, and so am trying a split,
> ortholinear keyboard, and am having a REALLY hard time adjusting...
>
> >
> > --
> > Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
> > -= IPv6 IoT consulting =-
> >
> >
> >
> > _______________________________________________
> > OPSAWG mailing list
> > OPSAWG@ietf.org
> > https://www.ietf.org/mailman/listinfo/opsawg
>
>
>
> --
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
> ---maf
>
> _______________________________________________
> OPSAWG mailing list
> OPSAWG@ietf.org
> https://www.ietf.org/mailman/listinfo/opsawg
--
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
---maf
_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg
