Re: Last Call: draft-bormann-cbor-04.txt (Concise Binary Object Representation (CBOR)) to Proposed Standard
[resending as non-HTML]
Hi Paul,
Sorry for the top posting. IMAP ate your mail. Responding to several remaining
points:
- A parser that looks for duplicates must be able to detect that {{a:1, b:2}:4, {b:2,
a:1}:5} does in fact have a duplicate key, because the two internal maps (used as keys) are identical. So in general,
parsers need to canonicalize maps to any depth in order to detect duplicates. This is complex by any definition of
the word.
- Even for an unloved diagnostic notation, you want people to read it without
resorting to little pieces of paper. So a symbolic representation (TAG_URI) is
definitely better than numbers.
- I don't understand your reply re: tags when applied to arrays. Is it up to
the application to decide whether the tag applies to all elements, to the first
one, to the last 14?
- Regarding error handling and security, I am slightly happier with -05, but not by much.
For some reason you avoid using 2119 language in places where I would expect: parsers
SHOULD include a strict mode. A strict mode parser MUST fail when the syntax
is broken (sec. 3.3, 3.4, and also 3.5). And so forth.
- Unknown tags: you specifically allow decoders (Sec. 3.5) to not implement any tags they
don't like, and then you specify the behavior of the decoder as do whatever you
feel like (and this is in -05). So a sender cannot rely on *any* tag being
implemented by the receiver, and cannot expect deterministic behavior if any are not.
This is a security issue IMO, but also an interoperability thing.
Thanks,
Yaron
---
On Aug 13, 2013, at 2:11 PM, Yaron Sheffer yaronf.ietf at gmail.com wrote:
sorry I'm submitting these comments after the end of the LC period. I hope they
can still be of use.
No problem, and the are. Some answers below.
- The diagnostic notation can be used very effectively for things like
configuration files, e.g. if an application already uses CBOR on the wire. Therefore I
would suggest to formalize it a bit more, so that we also have interoperability at this
level.
Based on other things we heard, we went sort of in the other direction in the
next draft: saying that an implementer might consider a different notation for
config files, such as YAML.
- And since this notation is not meant as a JSON extension, this is a good time
to introduce comments (e.g. with an initial '#') into the notation.
Comments are not needed in diagnostics. :-)
- The positive vs. negative encoding means that the parser actually deals with
9-, 17-, 33- and 65-bit integers. I don't think this makes it easier to write
parsers.
If you primarily think about signed integers, that may be one way of viewing
it. CBOR is primarily addressing unsigned integers. Negative integers are
clearly separated out, and indeed do require watching the sign bit. There is
no way to handle this that is painless for all applications.
Multiple people have implemented parsers in multiple languages (JavaScript,
Python, Ruby, ...), and we found it was pretty easy, and very little code.
- Arrays are prefixed by the number of elements but not by their length in
bytes. And elements need not be all of the same size. So you cannot skip the
array without fully parsing every last element. IIRC this is a major
disadvantage compared to ASN.1 encodings.
Correct. Counting items and not bytes is indeed a fundamental design decision
in CBOR that has advantages and disadvantages. We believe the advantages
outweigh the disadvantages.
In specific here, we are not assuming that skip over an array/map is a common
desire for a decoder. Forcing an encoder to marshall all the bytes before it could start
emitting an array/map causes overhead for the encoder that is avoided if it just knows
the number of elements it will emit.
- A puzzling change from JSON, and one that probably complicates
implementations quite a bit, is that a map's index can be of any type, not just
a string. And this includes mixed index types for the same map.
We have looked at this, and do not think that it complicates many
implementations. It does not complicate encoders at all. It does not complicate
decoders, even those that are looking for duplicate keys (which will be an
error). It only complicates decoders that are also sorting the keys. We assume
that the latter does not need to happen in the parser, but in the application
that needs the keys sorted by semantics it knows about.
- And similarly to arrays, you cannot skip a map element without deep parsing
of the element.
Ditto from above.
- I think many of the tag values are too specific, and are best left to
applications. For example, why should the format care if the app encodes a
UTF-8 string in base64?
Because a generic parser could then do the Base64 decoding. This will always be an iffy
space: CBOR will either force too much knowledge on the application, or it will do too
much. We picked somewhere on that continuum, knowing that it
Re: Radical Solution for remote participants
Maybe I am missing something. The reason we have face-to-face meetings is because there is value in such meetings that can not reasonably be achieved in other ways. I would like remote participation to be as good as possible. But if would could achieve the same as being there then we should seriously consider not meeting face-to-face. Conversely, until the technology gets that good, we must not penalize the face-to-face meeting for failures of the technology. Yours, Joel On 8/15/13 9:48 PM, Mark Nottingham wrote: On 13/08/2013, at 11:00 AM, Douglas Otis doug.mtv...@gmail.com wrote: 1) Ensure exact digital interfaces driving projectors are fully available remotely. That would be fantastic, if feasible. Much simpler than sharing through software. 2) Ensure Audio access requires an identified request via XMPP prior to enabling either a remote or local audio feed. Hm. 3) RFI tags could facilitate enabling local audio feed instead of an identified request via XMPP. Could be quite interesting; many conferences now provide attendees with RFID tags... 4) In the event of the local venue loosing Internet access, the device regulating A/V presentations must be able to operate in a virtual mode where only remote participants are permitted to continue the meeting proceedings. That seems… extreme. 5) Important participants should plan for alternative modes of Internet access to remain part of the proceedings. Not exactly practical. 6) Develop a simple syntax used on XMPP sessions to: 1) signify a request to speak on X 2) withdraw a request to speak on X 3) signify support of Y 4) signify non-support of Y 5) signal when a request has been granted or revoked. For local participants this could be in the form of a red or green light at their microphone. The W3C does much of this already with IRC bots, e.g.: http://www.w3.org/2001/12/zakim-irc-bot.html (also can pick a scribe, track an agenda, etc.) 7) Develop a control panel managed by chairs or their proxies that consolidate and sequence requests and log support and nonsupport indications and the granting of requests. See above (I think). 8) Chairs should be able to act as proxies for local participants lacking access to XMPP. Not practical, unless they delegate. 9) Chairs should have alternative Internet access independent of that of the venue's. Seems extreme. 10) Establish a reasonable fee to facilitate remote participants who receive credit for their participation equal to that of being local. 11) The device regulating A/V presentations must drive both the video and audio portions of the presentations. A web camera in a room is a very poor replacement. 12) All video information in the form of slides and text must be available from the Internet prior to the beginning of the meeting. Cheers, -- Mark Nottingham http://www.mnot.net/
Re: Radical Solution for remote participants
--On Friday, August 16, 2013 04:59 -0400 Joel M. Halpern j...@joelhalpern.com wrote: Maybe I am missing something. The reason we have face-to-face meetings is because there is value in such meetings that can not reasonably be achieved in other ways. I would like remote participation to be as good as possible. But if would could achieve the same as being there then we should seriously consider not meeting face-to-face. Conversely, until the technology gets that good, we must not penalize the face-to-face meeting for failures of the technology. Joel, I certainly agree with your conclusion. While I hope the intent wasn't to penalize the face-to-face meeting, there have been several suggestions in this thread that I believe are impractical and a few that are probably undesirable even if they were practical. Others, such as improved automation, are practical if we want to make the effort, would probably help, and, fwiw, have been suggested by multiple people in multiple threads. I do believe it would be helpful for everyone involved in the discussion to be careful about their reactions and rhetoric. While it is certainly possible to go too far in any given direction, significant and effective remote participation will almost certainly require some adjustments by the people in the room. We've already made some of those adjustments: for example while it is inefficient and sometimes doesn't work well, using Jabber as inbound channel with someone in the room reading Jabber input at the Mic does help remote participants at some cost to the efficient flow of the f2f discussions. Perhaps that penalizes the face to face participants. I believe it is worth it and that it would be worthwhile going somewhat further in that direction, e.g., by treating remote participants as a separate mic queue. I also see it as very closely related to some other tradeoffs: for example, going to extra effort to be inclusive and diverse requires extra effort by existing f2f participants and very carefully balancing costs -- higher costs and even costs at current levels discourage broader participants but many ways of increasing diversity also increase costs. Wrt not meeting face-to-face, I don't see it happening, even with technology improvements. On the other hand, the absolutely most effective thing we could do to significantly decrease costs for those who need the f2f meetings but are cost-sensitive would be to reverse the trends toward WG substituting interim meetings for work on mailing lists, toward extending the IETF meeting week to include supplemental meetings, and even to move toward two, rather than three, meetings a year. Those changes, especially the latter two, would probably require that remote participation be much more efficient and effective than it is today, but would not require nearly the level of perfection required to eliminate f2f meetings entirely. And any of the three would penalize those who like going to extended f2f meetings and/or prefer working that way and who have effectively unlimited travel support and related resources. best, john
Re: Radical Solution for remote participants
On Aug 13, 2013, at 6:24 AM, John Leslie j...@jlc.net wrote: There are a certain number of Working Groups where it's standard operating practice to ignore any single voice who doesn't attend an IETF week to defend his/her postings. I don't see that happening in the WGs I attend - when remote participants post to jabber, the jabber scribes get mic time. I think what you mean isn't really that physical participants ignore remote ones, but more that remote participants don't have as much impact/weight with their input/arguments than physical participants do. Is that what you mean? I don't always understand what Doug is asking for; but I suspect he is proposing to define a remote-participation where you get full opportunity to defend your ideas. This simply doesn't happen today. Then fix that problem. Which solution addresses that problem: 1) Make remote participants pay money. 2) Add a separate mic line. 3) Add remote controls for A/V equipment. 4) Add XMPP controls for mic-line and humming. 5) None of the above. ISTM it's (5). Working Groups don't ignore remote participant voices because they don't pay money. They don't ignore them because they don't have a separate mic. They don't ignore them because they don't have A/V control. They don't ignore them because they don't have XMPP controls. WG physical participants ignore remote ones because they're not physically present. We're human beings. Human beings have a subconscious connection/empathy with other human beings based on our senses, that does not exist when we only read their words or only hear them speaking... especially when it's hear them by-proxy as the current jabber model uses. This isn't news to anyone - it's why people travel to meet other people, and why the telepresence market exists. The next step up from our current jabber-scribe model is to have audio input - the ability for remote participants to speak using their own voice, when it's their turn at the 'mic'. The next step up after that is video input, where remote participants can be seen as well as heard. Both of those are technically achievable, and possibly even practical to implement - though that's something the folks who run and manage the meetings would have to decide, since they'd know a lot more than us about that. -hadriel
Re: Radical Solution for remote participants
Well, we just had a technical session about Real Time web. This seems to me like the perfect application to show and eat own dog food. Regards, as On 8/16/13 9:07 AM, Hadriel Kaplan wrote: The next step up from our current jabber-scribe model is to have audio input - the ability for remote participants to speak using their own voice, when it's their turn at the 'mic'. The next step up after that is video input, where remote participants can be seen as well as heard. Both of those are technically achievable, and possibly even practical to implement - though that's something the folks who run and manage the meetings would have to decide, since they'd know a lot more than us about that.
Charging remote participants
Since the topic keeps getting raised... I think that charging remote participants any fee is a really terrible idea. One of the really great things about the IETF is its open and free (as in beer) participation policy. The real work is supposed to be done on mailing lists, and there's no charge or restriction on who can send emails. That policy is actually quite rare for standards bodies, and makes our output better not worse. Obviously we discuss things and do real work at physical meetings too, and they're not simply social occasions. At the end of the day we actually want people to come to the physical meetings, but the realities of life make that impossible for many. But charging remote participants for better tools/experience isn't the answer. At least for me, whenever I'm discussing a draft mechanism I actually *want* input from remote participants. I don't want it to be only from folks who can afford to provide input. I want it from people who can't get approval for even a $100 expense, from people who are between jobs, people from academia, and even from just plain ordinary users rather than just vendors or big corps. At one time we worried that free remote participation would lead to too many random participants to get work done, but that hasn't become a problem afaict. Please don't whittle it down further to only those who can afford it. I would do anything whatsoever to avoid charging remote participants, even if it means raising the fee for f2f attendees to subsidize remote-participant tooling costs. In that vein, I think a lot of the f2f attendees get our reg-fee paid by our employer and another $50 or even $100 isn't going to make a bit of difference for us - for those whom it would make a difference, I'd create another category of f2f registration fee like 'Self-paying Attendee' or some such. Selecting the new category would drop your fee by the $50 or $100, but wouldn't change what gets displayed on your badge or anything. It would be purely optional, with no guilt attached for not paying it and no visible difference to anyone else. Just put some words on the registration form page saying something like If you cannot expense your registration fee, please select the 'Self-paying Attendee' category or something like that. Or make it some checkbox thingy. I believe the majority of folks who can expense it will not have difficulty expensing a 'Regular Attendee' charge so long as it doesn't say we opted to pay more. -hadriel p.s. Even from a purely practical standpoint, charging remote participants raises a lot of issues - we debate incessantly just about the f2f day-pass, and that's nothing compared to this. For example: if things break during the meeting session, do we re-imburse them? Do we pro-rate the re-imbursement based on how many of their meetings had technical issues with audio or video? Do we charge a flat fee for the whole week of meetings, or just charge per meeting session, or depending on how long the session is? Do we charge students a different rate, like we do f2f reg-fees? Do we need to provide tech support with a specific SLA? This while thing is a can of worms. It's not worth it.
Re: Radical Solution for remote participants
Yes, that had also occurred to me. :) It does cost money though... if even for just additional equipment, tech support and administration, and a separate presentation screen in the rooms. And it's one more thing for the folks who run the meetings to worry about, plan for, deal with, etc. - and that's a real cost too. As far as I can tell it's not the up-front capex costs of a technology that really matter much, it's the recurring opex costs. -hadriel On Aug 16, 2013, at 8:30 AM, Arturo Servin arturo.ser...@gmail.com wrote: Well, we just had a technical session about Real Time web. This seems to me like the perfect application to show and eat own dog food. Regards, as On 8/16/13 9:07 AM, Hadriel Kaplan wrote: The next step up from our current jabber-scribe model is to have audio input - the ability for remote participants to speak using their own voice, when it's their turn at the 'mic'. The next step up after that is video input, where remote participants can be seen as well as heard. Both of those are technically achievable, and possibly even practical to implement - though that's something the folks who run and manage the meetings would have to decide, since they'd know a lot more than us about that.
Re: Charging remote participants
08/16/2013 09:10:54 AM: From: Hadriel Kaplan hadriel.kap...@oracle.com ...I want it from people who can't get approval for even a $100 expense, from people who are between jobs, people from academia, and even from just plain ordinary users rather than just vendors or big corps. I agree. The realities of internal politics/funding being what they are, it is sometimes going to be just as hard to get $100 remote fee approved as it as to get the whole f2f trip approved. Janet
Re: Radical Solution for remote participants
I agree with Hadriel (probably because we attend a lot of the same WGs) that remote participants are not actively ignored. The problem is that, with the time lag, and the need to type in your comments in quickly, then relay them through the jabber scribe A- the discussion has often moved on before your comment gets to the mic B - your comment is necessarily short and, hopefully, to the point. But if the audience doesn't get the point and misinterprets your comment, you really don't get an opportunity to clarify. C- you can't participate in a back and forth conversation Of the remedies listed, only audio input - the ability for remote participants to speak using their own voice, when it's their turn at the 'mic'. addresses that. (When I drag myself out of bed at 2:30 AM for a remote meeting, even if I have changed into clothes, I don't think I want video input, where remote participants can be seen as well as heard. ) Janet ietf-boun...@ietf.org wrote on 08/16/2013 08:07:56 AM: From: Hadriel Kaplan hadriel.kap...@oracle.com To: John Leslie j...@jlc.net Cc: IETF Discussion Mailing List ietf@ietf.org Date: 08/16/2013 08:08 AM Subject: Re: Radical Solution for remote participants Sent by: ietf-boun...@ietf.org On Aug 13, 2013, at 6:24 AM, John Leslie j...@jlc.net wrote: There are a certain number of Working Groups where it's standard operating practice to ignore any single voice who doesn't attend an IETF week to defend his/her postings. I don't see that happening in the WGs I attend - when remote participants post to jabber, the jabber scribes get mic time. I think what you mean isn't really that physical participants ignore remote ones, but more that remote participants don't have as much impact/weight with their input/arguments than physical participants do. Is that what you mean? I don't always understand what Doug is asking for; but I suspect he is proposing to define a remote-participation where you get full opportunity to defend your ideas. This simply doesn't happen today. Then fix that problem. Which solution addresses that problem: 1) Make remote participants pay money. 2) Add a separate mic line. 3) Add remote controls for A/V equipment. 4) Add XMPP controls for mic-line and humming. 5) None of the above. ISTM it's (5). Working Groups don't ignore remote participant voices because they don't pay money. They don't ignore them because they don't have a separate mic. They don't ignore them because they don't have A/V control. They don't ignore them because they don't have XMPP controls. WG physical participants ignore remote ones because they're not physically present. We're human beings. Human beings have a subconscious connection/empathy with other human beings based on our senses, that does not exist when we only read their words or only hear them speaking... especially when it's hear them by-proxy as the current jabber model uses. This isn't news to anyone - it's why people travel to meet other people, and why the telepresence market exists. The next step up from our current jabber-scribe model is to have audio input - the ability for remote participants to speak using their own voice, when it's their turn at the 'mic'. The next step up after that is video input, where remote participants can be seen as well as heard. Both of those are technically achievable, and possibly even practical to implement - though that's something the folks who run and manage the meetings would have to decide, since they'd know a lot more than us about that. -hadriel
Re: Radical Solution for remote participants
Adding to my own comments - Beware of technological solutions that require software on the remote user's end, or network communications. Many employers have strict policies about what is allowed to be installed on company computers. Furthermore, some have draconian firewalls. For instance, my employer's network blocks jabber. They used to block the streaming audio too. They are likely to block anything new they have not officially approved. I have to isolate myself from the company network, and use a separate connection, to use jabber from the office. Janet ietf-boun...@ietf.org wrote on 08/16/2013 09:50:58 AM: From: Janet P Gunn/USA/CSC@CSC I agree with Hadriel (probably because we attend a lot of the same WGs) that remote participants are not actively ignored. The problem is that, with the time lag, and the need to type in your comments in quickly, then relay them through the jabber scribe A- the discussion has often moved on before your comment gets to the mic B - your comment is necessarily short and, hopefully, to the point. But if the audience doesn't get the point and misinterprets your comment, you really don't get an opportunity to clarify. C- you can't participate in a back and forth conversation Of the remedies listed, only audio input - the ability for remote participants to speak using their own voice, when it's their turn at the 'mic'. addresses that. (When I drag myself out of bed at 2:30 AM for a remote meeting, even if I have changed into clothes, I don't think I want video input, where remote participants can be seen as well as heard. ) Janet
Re: Last Call: draft-nandakumar-rtcweb-stun-uri-05.txt (URI Scheme for Session Traversal Utilities for NAT (STUN) Protocol) to Proposed Standard
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hi Hadriel,
Note that the STUN URIs design is based on the TURN URI design, which was
discussed back in 2008-2009. See my answers below.
On 08/15/2013 07:01 AM, Hadriel Kaplan wrote:
Some comments on this STUN draft and the TURN one:
1) The ABNF in these drafts leaves no room for future extension such as
adding parameters. Was that intentional?
Yes. There is two very different kind of parameters in an URI:
1. Parameters that are used to guide the selection of the resource (basically
parameters that are input to RFC 5766 and RFC 5928). The BEHAVE WG decided in
Dublin to not support this[1] (i.e. to not have either URI parameters or their
counterpart in the DNS).
2. Other parameters that are not used to guide the selection but that are used
by the protocol, e.g. username, password, etc... password was removed
for security reasons. It was decided (although I cannot find exactly when)
that these non-guiding parameters should not be part of a TURN URI, so
username was removed too, as was the auth parameter proposed recently
(i.e. all these parameters should be part of the WebRTC RTCIceServer
dictionary).
Not supporting extensibility (i.e. not being able to add these parameters
later) was agreed by default also in Dublin (see slide 5 of [2]). IIRC,
extensibility for the first kind of parameters was found too difficult (how
implementation reacts to a new parameter?). Extensibility for the second type
of parameters would create less issues, but as they were rejected anyway on
principle, there was no point of having a way to add them later.
For the record, I still disagree with the decision of not supporting the first
kind of parameters (RFC 5928 was even designed to support TWIST ;-) ), but
that was the consensus at the time. I still agree with not supporting the
second kind of parameters.
Note that only the second type of parameters would apply to STUN URIs, but
they were not permitted in STUN for symmetry with the TURN URIs.
[1] https://www.ietf.org/proceedings/72/minutes/behave.txt
[2] https://www.ietf.org/proceedings/72/slides/behave-0.pdf
2) Why do both of these docs repeat a lot of ABNF from RFC 3986, instead
of just referencing it? It says in the appendix some ABNF was repeated
because RFC 3986 are for hierarchical URIs. I'm not exactly sure what
that means other than you don't have a path component, but as far as I can
tell the copied ABNF components in these STUN/TRUN drafts are verbatim
copies of RFC 3986, all the way down to their final expansion.
For example, 'IP-literal' and all of its sub-defined parts ('IPv6address',
'IPvFuture', 'h16', 'ls32') appear identical to those in RFC 3986. In
fact, so is 'stun-host' and 'turn-host' - it's just RFC 3986 'host' by
another name. Am I missing something?
Why not just have this: stunURI = scheme : stun-host [ :
stun-port ] scheme= stun / stuns stun-host = host ;see
section 3.2.2 of [RFC3986] stun-port = port ;see section 3.2.3 of
[RFC3986]
Not a big deal, but it just seems simpler and cleaner to me to not repeat
ABNF from other RFCs, especially when the RFC in question is the one for
general URI syntax and you're defining a specific URI syntax based on it.
This was done back in 2009 during the first uri-review of the TURN URI,
following a comment by Ted Hardie. The problem is that the TURN and STUN uris
are opaque URIs, but using these ABNF productions make them look like
hierarchical URIs, because these productions are defined in RFC 3986 only for
hierarchical URIs. So the point was that developers may misinterpreting this
as meaning that TURN and STUN URIs can be parsed by a generic hierarchical
parser, which would be a very bad idea (as username and password would then be
parsed).
Version -06 will contain a more complete design note about this (we decided
that the design notes will stay in the RFC), here's the current version:
o The ABNF in this document duplicates the IP-literal,
IPv4address, and reg-name productions and other dependent
productions from [RFC3986], instead of referencing them. This is
because the definitions in RFC 3986 are for hierarchical URIs, so
using these references in an opaque URI made reviewers think that
a hierarchical URI parser could be used to parse the URIs defined
in this document.
- --
Marc Petit-Huguenin
Email: m...@petit-huguenin.org
Blog: http://blog.marc.petit-huguenin.org
Profile: http://www.linkedin.com/in/petithug
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (GNU/Linux)
iQIcBAEBCAAGBQJSDj0WAAoJECnERZXWan7EbJwQAOIQJjxl2JtZM8oFcvSevFCG
aulKCWtmX9P067JvyeUHMBp5w3bP+piY6pKYVuBtbjhflKCW+k24cIK7vXyJ9w0N
0VjrubNIrtHYc8ORHGyASxx+92zoIHU8cssIPS/fXjho6u1tGJaJCghGlG5f9UiQ
JicqpdWagzL6KNmvpG3jOW+kXr+acSjGWJg/flwuK8SRiNlK4hWNAtzye8cPaSly
KkRrNS4ZJSDDDO7hWcKS7KgOXeyue5Vmh3OngIuOXOgpJeyITgI0F+EXnb0ius5z
Re: Charging remote participants
On 08/16/2013 09:38 AM, Janet P Gunn wrote: ...I want it from people who can't get approval for even a $100 expense, from people who are between jobs, people from academia, and even from just plain ordinary users rather than just vendors or big corps. I agree. The realities of internal politics/funding being what they are, it is sometimes going to be just as hard to get $100 remote fee approved as it as to get the whole f2f trip approved. As someone who just spent $3.5K out of pocket to show up in Berlin, I have a hard time being sympathetic to someone who won't participate because he has to spend $100 out of pocket. Keith
Re: Radical Solution for remote participants
On 08/16/2013 04:59 AM, Joel M. Halpern wrote: Conversely, until the technology gets that good, we must not penalize the face-to-face meeting for failures of the technology. Unfortunately, we've been doing that for many years, e.g. by forcing speakers to queue up at the microphones, and by arranging seating so that it's difficult to get to the microphones unless you're seated near an aisle. If you actually think you might want to speak at a f2f meeting, you need to show up early (forgoing any potentially valuable hallway conversations) and get a seat near an aisle. Keith
Re: Last Call: draft-nandakumar-rtcweb-stun-uri-05.txt (URI Scheme for Session Traversal Utilities for NAT (STUN) Protocol) to Proposed Standard
Hadriel, I think you are making a fair case that this URI is more than just an internal string for use in a single protocol, which is the impression I got from the registration draft. I think you're saying the URI schemes proposed provide ways for applications to be told about NAT-traversal resources they should use? I can see that even if their in-use deployment is limited, the benefits can be relevant to a wider audience. I think it would be useful if the URI scheme description could clarify that it is being used to identify a NAT traversal service (or something like that). #g -- On 15/08/2013 14:16, Hadriel Kaplan wrote: I agree with Harald. Both the STUN and TURN URIs really do represent what we traditionally use URIs for: they identify a physical resource, a protocol for accessing the resource, etc. Unlike a data URL, the STUN/TURN URI is not locally/directly self-contained data - it's a resource identifier, only meaningful when resolved and accessed using the scheme's protocol and host address, with whatever attributes are encoded in the URI. Today only W3C has an immediate need for it, for the Javascript API for WebRTC, but one can envision this might be used by others as well in the future: 1) SIP might use this in a UA-config profile to tell a SIP client what STUN/TURN resources to use, or even in a REGISTER response someday. 2) XMPP might use this someday to indicate to clients what STUN/TURN servers to use for Jingle/etc. Today it's done with a 'services' element I think, but it could be changed in the future. 3) BEHAVE WG might define a new DHCP option to tell DHCP clients a STUN/TURN server to use, in which case they could use this URI for that. (I don't know if BEHAVE's already done that, or decided not to do such a thing, but just sayin' it's another potential use-case) It's possible other protocols might use this as well someday, for example RTSP or H.323. I'm not saying any of them *will*, but it's possible. -hadriel On Aug 15, 2013, at 6:04 AM, Harald Alvestrand har...@alvestrand.no wrote: On 08/15/2013 11:04 AM, Graham Klyne wrote: Hi Harald, On 14/08/2013 19:49, Harald Alvestrand wrote: On 08/13/2013 12:14 AM, Graham Klyne wrote: [...] But, in a personal capacity, not as designated reviewer, I have to ask *why* this needs to be a URI. As far as I can tell, it is intended for use only in very constrained environments, where there seems to be little value in having an identifier that can appear in all the contexts where a URI may be recognized. The criteria for new URI schemes in http://tools.ietf.org/html/rfc4395 include: New URI schemes SHOULD have clear utility to the broad Internet community, beyond that available with already registered URI schemes. -- http://tools.ietf.org/html/rfc4395#section-2.1 This utility to the broader community is not clear to me, but I don't fully understand the intended scope of this protocol, so I could be missing something. So, in declaring consensus for this specification, I would request that this aspect at least be considered. I can only give my personal opinion 1) This is a format for a piece of data. This data cannot be expressed using any existing URI scheme - indeed, I don't think there exists another well-defined textual representation of this piece of data. 1) This is defining an identifier that will be used in W3C-defined APIs. W3C tends to use URIs every time they want a self-defining piece of data with a clearly defined structure. In the particular API where this is wanted, one wants to have STUN URIs, TURNS URIs and TURN URIs passed over the same interface. Thus, keeping with the W3C tradition of URIs seems reasonable. I think this answers the question about utility to the broader community to my satisfaction - your mileage may differ, of course. Some thoughts occur to me: 1. My reading was that this is a generic NAT traversal protocol, so the requirement here is not Web/W3C specific. But you do say used in W3C-defined APIs... Truth in advertising: One W3C-defined API. The specific reference: http://dev.w3.org/2011/webrtc/editor/webrtc.html#dictionary-rtciceserver-members 2. If this is being driven by W3C activities, this should probably be flagged with W3C TAG. I'll raise it there. 3. URIs are not generally used as *data* formats, but rather as identifiers for resources. Web architecture and REST principles tend to discourage information encoded in URIs in favour of data representation formats. Cf. http://www.w3.org/TR/webarch/#uri-opacity, http://www.w3.org/2001/tag/doc/metaDataInURI-31.html Well, it is. The data encoded is the identification of a STUN server, which is a resource. 4. If the purpose here is simply to encode data, then there does already exist a suitable URI scheme, viz data:. A new content type can be defined to actually encode the required data, and the whole be wrapped in a data: URI. This approach has the advantage that
RE: [karp] Gen-ART review of draft-ietf-karp-crypto-key-table-08
The key table is analogous to the SPD in 4301, but not the PAD. Close to SAD not SPD for some RPs as it have negotiation result including keys. But not definitely analogous to the PAD. -- Uma C.
Re: Charging remote participants
Keith, Fortunately sympathy is unidirectional, therefore I keep all my respect towards you while totally disagree with your opinion... On Fri, Aug 16, 2013 at 4:56 PM, Keith Moore mo...@network-heretics.comwrote: On 08/16/2013 09:38 AM, Janet P Gunn wrote: ...I want it from people who can't get approval for even a $100 expense, from people who are between jobs, people from academia, and even from just plain ordinary users rather than just vendors or big corps. I agree. The realities of internal politics/funding being what they are, it is sometimes going to be just as hard to get $100 remote fee approved as it as to get the whole f2f trip approved. As someone who just spent $3.5K out of pocket to show up in Berlin, I have a hard time being sympathetic to someone who won't participate because he has to spend $100 out of pocket. Keith
Re: Charging remote participants
In some parts of the world there are good engineers that get $100 for a week as salary. Charging remote participation will raise the bar even more for people that cannot travel and their only way to participate is in mailing lists and remotely. Providing good remote tools it expensive in capex and opex as stated before, but charging remote participants it is not the way forward, unless that payment were optional (I personally I would do it, but I know people -students, researchers in public universities, badly paid engineers whose employer is not convinced that the ietf is a good way to expend money, etc.- ) Regards, as On 8/16/13 11:56 AM, Keith Moore wrote: On 08/16/2013 09:38 AM, Janet P Gunn wrote: ...I want it from people who can't get approval for even a $100 expense, from people who are between jobs, people from academia, and even from just plain ordinary users rather than just vendors or big corps. I agree. The realities of internal politics/funding being what they are, it is sometimes going to be just as hard to get $100 remote fee approved as it as to get the whole f2f trip approved. As someone who just spent $3.5K out of pocket to show up in Berlin, I have a hard time being sympathetic to someone who won't participate because he has to spend $100 out of pocket. Keith
Re: Charging remote participants
On Aug 16, 2013, at 10:56 AM, Keith Moore mo...@network-heretics.com wrote: As someone who just spent $3.5K out of pocket to show up in Berlin, I have a hard time being sympathetic to someone who won't participate because he has to spend $100 out of pocket. This isn't about fairness or equal-pain-for-all. It's about getting work done and producing good output. Whether someone remote has to pay $0 or $1000 won't change your $3.5k out-of-pocket expense. If you don't feel the $3.5k was worth it for you to go physically, don't go. But let's say we go deploy some more tools for remote participants, and want to subsidize that additional cost. Because making f2f folks pay out-of-pocket to subsidize remote participants reduces the incentive for them to come physically, I suggested we have a 'Self-paying Rate' category or check-box in the registration form page that removes any new additional remote-participant subsidy from the reg-fee cost. Those of us who can expense the reg-fee won't select that, and can expense the new full amount.[1] Nothing on the badges or attendee list or whatever would show any difference... it's purely a registration form/receipt thing. [Fwiw, I think people still get their money's worth to go, though $3.5k is pushing it. I assume it was that high for you because you're in the US and it was quite expensive to fly there - I find US-based f2f meetings are far cheaper for US folks, but I assume they're more expensive for non-US folks so in that sense it's good we rotate meeting locations.] -hadriel [1] Sure some people may claim Self-Paying status even when expensing their fee, but that's ok so long as many people pay the full amount. Speaking just for myself, every employer I've worked at so far would have paid the full amount - it just can't be an opt-in to pay more, nor look like we're 'donating' or stuff like that. It's got to be a 'Regular Rate' or some such for our receipts, while the other type says 'Self-Paying Rate' or some such on their receipts. And it can't be like $1000 more, but $100 is reasonable.
Re: Charging remote participants
On 8/16/2013 6:10 AM, Hadriel Kaplan wrote: Since the topic keeps getting raised... I think that charging remote participants any fee is a really terrible idea. One of the really great things about the IETF is its open and free (as in beer) participation policy. The real work is supposed to be done on mailing lists, and there's no charge or restriction on who can send emails. That policy is actually quite rare for standards bodies, and makes our output better not worse. The IETF has never been free. Actually, it's quite expensive. We've maintained the myth that it's free because we've had long-term funding support from the outside, originally dubbed daddy pays. First it was ARPA, then CNRI and now ISOC (and wealthy corporations). Having a wealthy benefactor is definitely pleasant, but it is also fragile. It does not take much for funding or political problems to develop. Currently, primary IETF funding comes from 3 sources: 1. ISOC 2. Face-to-face meeting attendees 3. Face-to-face sponsors Each of these represents a sizable pool, although the sponsors require significant, on-going effort to recruit (the formal term is cost of sales). ISOC is the main 'daddy' in the equation because it graciously and reliably gives the IETF whatever money is asked for. There's a large annual budget that gets approved, but ISOC readily adds to that when asked. And one certainly cannot fault ISOC for this, of course. Nevermind that supporting the IETF is one of ISOC's main reasons for existence; it's still darn nice of them, and darn lucky that they have such a reliable and large base of their own funding. Sponsors and the bulk of meeting attendee fees constitute another daddy, in this case an aggregate corporate daddy. Wealthy organizations. But the resulting financial model for the IETF isn't very business-like. We regularly make expenditure choices on a well-intentioned whim. We do it because, contrary to the real world, we don't suffer meaningful financial downsides for poor choices. Daddy will keep paying. Robust organizations make sure they have diverse revenue sources. In the case of the IETF, we need to balance between easy, inclusive access by the widest possible range of possible participants, versus diverse funding to ensure both financial and political robustness. But charging remote participants for better tools/experience isn't the answer. At least for me, whenever I'm discussing a draft mechanism I actually *want* input from remote participants. I don't want it to be only from folks who can afford to provide input. I want it from people who can't get approval for even a $100 expense, from people who are between jobs, people from academia, and even from just plain ordinary users rather than just vendors or big corps. At one time we worried that free remote participation would lead to too many random participants to get work done, but that hasn't become a problem afaict. Please don't whittle it down further to only those who can afford it. The diversity of participation /is/ a problem and always has been. However it also is a benefit, and always has been. So, yes, we want to continue to make highly diverse participation easy. But we still have bills to pay. So it's not reasonable to argue against one source of revenue in the absence of a compensating argument in favor of another. As remote participation tools get better, it is likely that we will have more remote attendees and fewer face-to-face ones. This likely means significant reduction in attendee fees but also could challenge sponsor fees, since the marketing benefit of sponsorship for the f2f will likely go down. The IETF already has a modest program for free or subsidized participation in the face-to-face meeting. Attention to the diverse access you cite would recommend extending it to remote participation, should fees be imposed. I would do anything whatsoever to avoid charging remote participants, even if it means raising the fee for f2f attendees to subsidize remote-participant tooling costs. So, you want to make the f2f meetings even more exclusionary than they already are? The meetings are already dominated by well-funded corporate attendees. Higher fees will screen out some additional percentage of the others who currently find a way to pay for attendance. In that vein, I think a lot of the f2f attendees get our reg-fee paid by our employer and another $50 or even $100 isn't going to make a bit of difference for us For you. For other well-funded corporate attendees. But each increment makes a difference for anyone on a tight budget. So yes: - for those whom it would make a difference, I'd create another category of f2f registration fee like 'Self-paying Attendee' or some such. Selecting the new category would drop your fee by the $50 or $100, but wouldn't change what gets displayed on your badge or anything. It would be purely
Re: Radical Solution for remote participants
Hi, +1 On Fri, Aug 16, 2013 at 1:59 AM, Joel M. Halpern j...@joelhalpern.com wrote: Maybe I am missing something. The reason we have face-to-face meetings is because there is value in such meetings that can not reasonably be achieved in other ways. I would like remote participation to be as good as possible. But if would could achieve the same as being there then we should seriously consider not meeting face-to-face. Being at the IETF for a week is never going to be the same experience as participating remotely at a computer for a couple 2 hour meetings. A lot of work gets done outside the official WG meetings because the right people can all be in the same room at the same time. IMO we should be using more virtual interim meetings, not trying to turn our f2f meetings into remote meetings. WGs should meet virtually at least once a month for 2 - 4 hours to make progress on issues same as via the WG mailing list. Everybody is a remote participant in a virtual interim so the problems with interfacing to a live meeting go away. Conversely, until the technology gets that good, we must not penalize the face-to-face meeting for failures of the technology. Yours, Joel Andy On 8/15/13 9:48 PM, Mark Nottingham wrote: On 13/08/2013, at 11:00 AM, Douglas Otis doug.mtv...@gmail.com wrote: 1) Ensure exact digital interfaces driving projectors are fully available remotely. That would be fantastic, if feasible. Much simpler than sharing through software. 2) Ensure Audio access requires an identified request via XMPP prior to enabling either a remote or local audio feed. Hm. 3) RFI tags could facilitate enabling local audio feed instead of an identified request via XMPP. Could be quite interesting; many conferences now provide attendees with RFID tags... 4) In the event of the local venue loosing Internet access, the device regulating A/V presentations must be able to operate in a virtual mode where only remote participants are permitted to continue the meeting proceedings. That seems… extreme. 5) Important participants should plan for alternative modes of Internet access to remain part of the proceedings. Not exactly practical. 6) Develop a simple syntax used on XMPP sessions to: 1) signify a request to speak on X 2) withdraw a request to speak on X 3) signify support of Y 4) signify non-support of Y 5) signal when a request has been granted or revoked. For local participants this could be in the form of a red or green light at their microphone. The W3C does much of this already with IRC bots, e.g.: http://www.w3.org/2001/12/zakim-irc-bot.html (also can pick a scribe, track an agenda, etc.) 7) Develop a control panel managed by chairs or their proxies that consolidate and sequence requests and log support and nonsupport indications and the granting of requests. See above (I think). 8) Chairs should be able to act as proxies for local participants lacking access to XMPP. Not practical, unless they delegate. 9) Chairs should have alternative Internet access independent of that of the venue's. Seems extreme. 10) Establish a reasonable fee to facilitate remote participants who receive credit for their participation equal to that of being local. 11) The device regulating A/V presentations must drive both the video and audio portions of the presentations. A web camera in a room is a very poor replacement. 12) All video information in the form of slides and text must be available from the Internet prior to the beginning of the meeting. Cheers, -- Mark Nottingham http://www.mnot.net/
Re: Charging remote participants
Hello, On 8/16/13 11:56 AM, Keith Moore wrote: As someone who just spent $3.5K out of pocket to show up in Berlin, I have a hard time being sympathetic to someone who won't participate because he has to spend $100 out of pocket. Funny reading that under the light of the IETF worried about increasing participation and diversity. There are places in the world where $100 is all the disposable income an engineer *might* have. For months. And, before the IETF would commit to take steps in that direction, it would be interesting to see some numbers about how much money needs to be invested in deploying and operating remote participation tools that would actually make people feel they are getting value back for a $100 remote attendance fee. I can already imagine the complain threads in the [XXattendees-remote] list. Oh, the humanity! ~Carlos
RE: [karp] IANA policy for draft-ietf-karp-crypto-key-table-08
Sam, Thanks for picking this up. Unlike my other two concerns with this draft, I think we have a longer discussion ahead of us on this one. Your summary of my concern is on the mark: David's main concern is that bad security will get registered. I understand the response to be two-fold: 1) It doesn't matter; the controlling registry for crypto algorithm usage is the protocol-specific registry, not the key table database registry. 2) The guidance for the Expert Reviewer will be very difficult to write. I'm not convinced by either of these, sorry. I'm concerned that the two-registry subtlety in 1) will be lost on implementers, especially because (as mentioned in the IESG thread), this key table database is likely to see use beyond routing protocols. Among other things, it's being proposed as a general mechanism for keying RSVP, not just RSVP-TE (I'm one of the co-chairs of the tsvwg WG that's responsible for RSVP). That key table databases registry is also likely to be a place that designers of new protocols look to figure out what to use for security. As for cleartext passwords: Also, some routing protocols are protected by cleartext passwords sent over the network. We want to be able to manage that, so we will be registering plaintext password in these registries. I don't think anyone will come up with anything worse than that. I read the first sentence in Section 2 of this draft as excluding cleartext passwords: The database is characterized as a table, where each row represents a single long-lived symmetric cryptographic key. If someone wants to argue that a cleartext password is a long-lived symmetric cryptographic key, I'll go break out the popcorn and watch w/amusement :-). Seriously, if the intention is to include cleartext passwords, then I think some more rewriting is in order, and I would suggest checking directly with the Security ADs before going there. As for 2), the fact that it will be difficult (with which I agree) doesn't imply that it isn't necessary or shouldn't be done. IMHO, we really should be setting a bar that says that this sort of IETF imprimatur of approval of a crypto algorithm actually means something. I appreciate that FCFS provides an easier path forward, however I'm reminded by analogy of something I learned from my grad school software engineering professor: I can make the code run arbitrarily fast ... ... if it doesn't have to be correct. I'm rather uncomfortable with this use of process expediency as a rationale for avoiding a technical concern. This may ultimately be an issue that the IESG needs to sort out, as the level of security for IETF protocols and concerns about vanity crypto extend well beyond the karp WG, but discussion ought to start here. Thanks, --David -Original Message- From: Sam Hartman [mailto:hartmans-ie...@mit.edu] Sent: Wednesday, August 14, 2013 3:19 PM To: Black, David Cc: hous...@vigilsec.com; tim.p...@nist.gov; Dacheng Zhang (zhangdach...@huawei.com); General Area Review Team (gen-...@ietf.org); k...@ietf.org; ietf@ietf.org Subject: Re: [karp] IANA policy for draft-ietf-karp-crypto-key-table-08 David, as we mentioned in the IESG thread, we seem to have dropped the response to your comments about IANA actions. WG: From the genart review: [9] I suggest Expert Review for the new IANA registries, not just First Come First Served, so that someone with a security clue can check that the proposed registrations are reasonable. Stephen has filed a related DISCUSS position. He's confused why we need a registry for KDFs or algorithms. He argues that the protocols should already have such a registry. He argues that it would be non-sensical to register a value in this registry but not the protocol registry. In a somewhat related discussion, multiple people have asked what the scope of this document is. Are we defining something for routing protocols? Any security protocol in the world? Something in-between? IU'm going to make two responses: 1) I think FCFS is not harmful for these registries. David's main concern is that bad security will get registered. I'll point out that these registries are not about what security you can use with a routing protocol, but about what security you can configure from a management standpoint. Registering rot13 or similarly questionable security here wouldn't mean I could use it with a routing protocol, only that I could ask a system to do so. If ROT13 was not actually in the security-specific registries for the protocols in question there'd be no way to send a rot13-transformed message. I think people wanting to use bad security in routing protocols will focus on specifying how to use the security for the protocols, and that's the appropriate place to do any gateway review. Yeah, I guess with FCFS it's possible someone could register here and then later realize they cannot get their md4
Re: Charging remote participants
On Fri, 16 Aug 2013, Keith Moore wrote: On 08/16/2013 09:38 AM, Janet P Gunn wrote: ...I want it from people who can't get approval for even a $100 expense, from people who are between jobs, people from academia, and even from just plain ordinary users rather than just vendors or big corps. I agree. The realities of internal politics/funding being what they are, it is sometimes going to be just as hard to get $100 remote fee approved as it as to get the whole f2f trip approved. As someone who just spent $3.5K out of pocket to show up in Berlin, I have a hard time being sympathetic to someone who won't participate because he has to spend $100 out of pocket. As someone who couldn't justify the $3k+ to attend the meeting, and for whom attending a meeting implies substantial lost revenue opportunities, the $100 (or more) fee for first class remote participation would be awesome.
RE: [karp] Gen-ART review of draft-ietf-karp-crypto-key-table-08
Sam, Thanks for taking another look at this. I think we're in good shape on the IPsec relationship concern, but I think key selection responsibility could use some more attention. [A] The new text on the IPsec relationship looks good - I'd suggest also adding a sentence to state that keys for IPsec pre-shared-key authentication are not appropriate for this key database. [C] The key selection responsibility was not clear to me from the draft - the intent/design stated in your message is fine (and having one key be returned is simpler, and probably more robust than handing multiple keys to different protocol implementations and hoping that they do something consistent): I think we've discussed key selection in the WG and come to a different conclusion. The key table selects the key. We expect peer, key ID, protocol and interface to identify a unique key for an inbound packet. My confusion stems from section 3 starting out by stating that the key database is consulted to find the key to use on an outgoing message followed by several sentences that indicate that the consultation may result in multiple keys. That leads to a suggestion and a question. Suggestion: Add a new paragraph at the start of Section 3 to make the functional responsibility clear: Key selection is the responsibility of the key database functionality; in all cases, the protocol requests a key, and the database returns one key or an indication that there is no matching key. When multiple keys match a protocol's request, the key database selects one as described further in this section. Question: What happens, when despite all the measures described in Section 3, multiple keys match a protocol's request? How does one ensure that the key databases at both ends of the security association return the same key? Thanks, --David -Original Message- From: Sam Hartman [mailto:hartmans-i...@mit.edu] Sent: Wednesday, August 14, 2013 3:32 PM To: Black, David Cc: hous...@vigilsec.com; tim.p...@nist.gov; Dacheng Zhang (zhangdach...@huawei.com); General Area Review Team (gen-...@ietf.org); k...@ietf.org; ietf@ietf.org Subject: Re: [karp] Gen-ART review of draft-ietf-karp-crypto-key-table-08 Black, == Black, David david.bl...@emc.com writes: Black, [A] Overall - I would like to see a paragraph added on how Black, this database conceptually relates to the IPsec Peer Black, Authorization Database (PAD) - see RFC 4301, section 4.4.3. It doesn't. not even a little bit. It's not IPsec; it's not about what key management peers to interact with. It's conceptually similar to the Security Association Database (SAD). In a discussion with Jari I agreed to propose text for a paragraph describing how this interacts with IPsec. If this conceptual database is used to manage to keys for a security protocol that uses IPsec [RFC4301] security services, then the interactions between this conceptual database and the IPsec databases needs to be described by the protocol specification. Typically such a protocol would insert entries into the Security Association Database (SAD) when rows are inserted into the key table and remove SAD entries when key table rows are removed. The protocol specification needs to describe how the SAD entries are constructed along with any other IPsec database entries that are needed, including a description of how these entries are ordered along with other IPsec database entries. The question of whether it is desirable to use this conceptual database to manage protocols that use IPsec security services is open and has not been evaluated. Black, [C] (Section 3) Where does key selection occur? I would Black, suggest that the database return all possible keys and let Black, the protocol figure out what to use. This is particularly Black, important for inbound traffic for obvious reasons. I think we've discussed key selection in the WG and come to a different conclusion. The key table selects the key. We expect peer, key ID, protocol and interface to identify a unique key for an inbound packet. So, I think the concern you raise is not a problem. While there was not a specific thread discussing key selection or this issue, there were multiple reviewers who provided comments on key selection over the development of the document, and making a major change at this point without a technical problem seems undesirable. If I'm missing something and the inbound packet issue is a problem then we need to discuss it.
Re: Charging remote participants
I expect _I_ would pay $100 out of my own pocket, if it came to that. But not all remote participants would be able to. Janet ietf-boun...@ietf.org wrote on 08/16/2013 10:56:27 AM: From: Keith Moore mo...@network-heretics.com On 08/16/2013 09:38 AM, Janet P Gunn wrote: ...I want it from people who can't get approval for even a $100 expense, from people who are between jobs, people from academia, and even from just plain ordinary users rather than just vendors or big corps. I agree. The realities of internal politics/funding being what they are, it is sometimes going to be just as hard to get $100 remote fee approved as it as to get the whole f2f trip approved. As someone who just spent $3.5K out of pocket to show up in Berlin, I have a hard time being sympathetic to someone who won't participate because he has to spend $100 out of pocket. Keith
Re: TCPMUX (RFC 1078) status
On 8/15/2013 10:19 PM, Martin Sustrik wrote: On 15/08/13 22:18, Joe Touch wrote: Does anyone have any idea how widely is TCPMUX (RFC 1078) protocol used? Is it the case that there are inetd daemons in TCPMUX mode running everywhere, or can it be rather considered a dead protocol? Specifically, if I implement a new TCPMUX daemon how likely I am to clash with an existing TCPMUX daemon listening on port 1? It's in the FreeBSD inetd, among others, but to to my knowledge, nobody actually turns it on. There are probably security issues. There are semantics issues to; see draft-touch-tcp-portnames-00 for information (this is being revised for resubmission shortly, FWIW). Nice, however, it requires changes to TCP stack, so even if it succeeds it won't be a practical option for at least few years to come. There have been other stack changes that have been deployed fairly quickly. However, that's not relevant to the reason I cited the doc; the doc has a discussion of TCPMUX and its problems. Joe
Re: Charging remote participants
--On Friday, August 16, 2013 13:07 -0300 Carlos M. Martinez carlosm3...@gmail.com wrote: ... And, before the IETF would commit to take steps in that direction, it would be interesting to see some numbers about how much money needs to be invested in deploying and operating remote participation tools that would actually make people feel they are getting value back for a $100 remote attendance fee. Please Dave Crocker's note before my comment below -- I agree with mose of it don't want to repeat what he has already said well. As someone who favors charging remote participants, who has paid most or all of the travel and associated costs for every meeting I've attended in the last ten plus years, and who doesn't share in a view of if I can, everyone can, let me make a few observations. (1) As Dave points out, this activity has never been free. The question is only about who pays. If any participants have to pay (or convince their companies to pay) and others, as a matter of categories, do not, that ultimately weakens the process even if, most of the time, those who pay don't expect or get favored treatment. Having some participants get a free ride that really comes at the expense of other participants (and potentially competing organizations) is just not a healthy idea. (2) Trying to figure out exactly what remote participation (equipment, staffing, etc.) will cost the IETF and then trying to assess those costs to the remote participants would be madness for multiple reasons. Not least of those is the fact that, if new equipment or procedures are needed, there will be significant startup costs with the base of remote participants arriving only later. One could try to offset that effect with some accounting assumptions that would be either rather complex, rather naive, or both, but, as a community, we aren't good at those sorts of calculations nor at accepting them when the IAOC does them in a way that doesn't feel transparent. (3) Trying to establish a more or less elaborate system of categories of participants with category-specific fees or to scale the current system of subsidies and waivers to accommodate the full range of potential in-person and remote participants is almost equally insane. While we might make such arrangements work and keeping categories and status off badges helps, it gets us entangled with requiring that the Secretariat and/or IAD and/or some IAOC or other leadership members be privy to information that is at least private and that might be formally confidential. We don't want to go there if we can help it. (4) The current registration fee covers both some proportion of meeting-specific expenses and some proportion of overhead expenses that are not specific to the meetings or to meeting attendance. Breaking those proportions down specifically also would require some accounting magic, especially given the differences between meetings with greater or lesser degrees of sponsorship. But I believe that, if we can trust the IAOC to set meeting registration fees for in-person attendees, we can trust them to set target (see below) meeting registration fees for remote participants. Note that such a fee involves some reasonable contribution to overhead expenses (including remote participation costs, secretariat site visits, and the like) just as the fee for in-person participants does -- it is not based on the costs of facilities for remote participation. So, to suggest this again in a different context: Remote participants then pay between 0 and 100% of that target fee, based on their consciences, resources, and whatever other considerations apply. No one asks how given remote participants or their organizations arrive at the numbers they pick. No one is asked to put themselves into a category or explain their personal finances. The IETF does not need to offer promises about the confidentiality of information that it doesn't collect. Any Euro we collect is one Euro more than we are collecting now and, if a Euro or two is what a participant from a developing area feels is equitable for him or her to pay, then that is fine. That voluntary fee model would be a terrible one except that I think we can actually trust the vast majority of the community to be reasonable. Certainly some people will not be, but they would probably figure out how to game a category system or any more complex system we came up with. Just as the price of running a truly open standards process including tolerating a certain number of non-constructive participants (and other subspecies of trolls), it may require tolerating a certain number of people who won't want to pay their fair share (or whose judgments of fair might be at variance with what other people with the same information would conclude). Absent clear indications that more complex process, or one that relied more on leadership judgments about individual requests, would produce more than enough additional revenue to compensate
Re: [IAB] Call for Review of draft-rfced-rfcxx00-retired, List of Internet Official Protocol Standards: Replaced by an Online Database
SM: This is a call for review of List of Internet Official Protocol Standards: Replaced by an Online Database prior to potential approval as an IAB stream RFC. The document is available for inspection here: https://datatracker.ietf.org/doc/draft-rfced-rfcxx00-retired/ From Section 2.1 of RFC 2026: 'The status of Internet protocol and service specifications is summarized periodically in an RFC entitled Internet Official Protocol Standards.' My guess is that draft-rfced-rfcxx00-retired cannot update RFC 2026. Does the IAB have any objection if I do something about that? This seems to require coordination with the General Area Director. I suggest that you ask Jari. From Section 3: This document formally retires STD 1. Identifier STD 1 will not be re-used unless there is a future need to publish periodic snapshots of the Standards Track documents (i.e., unless the documentation is resumed). The document argues that STD 1 is historic as there is an online list now. The above reserves an option to restart periodic snapshots if there is a future need. I suggest removing that option as I presume that the IAB has thought carefully about the long term evolution of the Series before taking the decision to retire STD 1. I tend to agree. I think the point is that STD 1 will not take on another meaning. Russ
Re: [karp] IANA policy for draft-ietf-karp-crypto-key-table-08
Black, == Black, David david.bl...@emc.com writes: Black, done. IMHO, we really should be setting a bar that says Black, that this sort of IETF imprimatur of approval of a crypto Black, algorithm actually means something. Something got manged there. I agree that publishing a standards-track document should endorce the algorithm in question. I'm somewhat uncomfortable with that sort of bar for IANA registries in general, although I have supported it from time to time. (My discomfort with this has grown significantly since my time as an AD). I do not support that sort of bar for this registry. I think we understand each other, but disagree. The question now is whether you can gain sufficient support to show rough consensus for a change in the document or to show that while there was rough consensus behind the document in the KARP WG, there's a lack of consensus on handling this issue between KARP and some other significant segment of the IETF like the security area.
Re: [karp] IANA policy for draft-ietf-karp-crypto-key-table-08
Black, == Black, David david.bl...@emc.com writes: Black, done. IMHO, we really should be setting a bar that says Black, that this sort of IETF imprimatur of approval of a crypto Black, algorithm actually means something. Something got manged there. I agree that publishing a standards-track document should endorce the algorithm in question. I'm somewhat uncomfortable with that sort of bar for IANA registries in general, although I have supported it from time to time. (My discomfort with this has grown significantly since my time as an AD). I do not support that sort of bar for this registry. I think we understand each other, but disagree. The question now is whether you can gain sufficient support to show rough consensus for a change in the document or to show that while there was rough consensus behind the document in the KARP WG, there's a lack of consensus on handling this issue between KARP and some other significant segment of the IETF like the security area.
Re: TCPMUX (RFC 1078) status
On 8/15/2013 10:38 PM, Martin Sustrik wrote: On 16/08/13 03:23, Wesley Eddy wrote: There are semantics issues to; see draft-touch-tcp-portnames-00 for information (this is being revised for resubmission shortly, FWIW). I totally agree. In fact, in the update to the TCP roadmap [1], we added TCPMUX to the section on Historic and Undeployed Extensions, though it definitely bears further discussion than is currently in the roadmap. I think we should add a reference to your portnames doc to explain why this should be Historic plus check a bit more to see if the code that's out there is really being used or whether it's just hanging out like a vestigal limb in the various inetd packages. If it's fair to ask Martin ... I'm kind of curious why you might want to be using it or think it sounds useful? I think a lot of admins would be concerned that it could be used to get around port-based firewall rules, etc. Ok, let me explain. I am coming from enterprise messaging world (think of IBM MQ series, JMS, ActiveMQ, RabbitMQ et c.) Once I was participating on AMQP protocol development (now at OASIS). So, what AMQP and other enterprise messaging products do is exposing a message broker on a single TCP port, which then forwards messages to any connected services. As can be seen, single open firewall port can be used to access any internal service. I don't understand that statement. Services are currently indicated by the destination port. If there is only one destination port available, there is only one service provided - because very few services can be identified solely by in-band information. That being obviously the *wrong* way to do things, I've written ZeroMQ later which takes the strict approach: If you want to expose a new service, you have to use a separate TCP port number. Since then it turned out that this as a limitation that people are most complaining about. It would be useful if you could be more specific about the problem you are trying to solve. So far I hear people want one port that serves multiple services. I'd like a pony ;-) I.e., just because they want it, doesn't mean it either makes sense or should get it. Now, the reason seems to be that ZeroMQ requires you to use different TCP connections for doing different kinds of stuff to avoid head-of-line blocking et c. (think of SCTP channels simulated via TCP) Different connections don't have anything to do with the use of a single port. A single port can serve multiple connections, and yes - that's a useful way to avoid HOL blocking. What that means is that you have a lot of fine-grained services and as the development of your application proceeds you add more of them, remove them and so on. That in turn requires admins (and the corporate approval process!) to get into the deployment cycle and open the TCP ports as appropriate. The result is that the development basically grinds to halt. That sounds a lot like the desires of admins is in conflict with the desires of your users. I.e., an admin that wants to block anything they don't explicitly allow WANTS to block this sort of mechanism too. The solution IMO is to preserve the port-based services functionality for those that truly care about security and -- optionally -- support some kind of multiplexer such as TCPMUX for those that care more about short deployment cycle. TCPMUX won't do what you're asking - if you're asking to block based on the service type. If it did, then the sysadmin would just block TCPMUX connections to services they didn't know, and you'd be right back where you are now (i.e., without TCPMUX). Again, what is the goal? (note: the goal of the portnames approach is NOT to provide a single multiplexing port; it's to decouple the dest port's two uses - demux info and service identifier. the primary reason for portnames is to allow more than 65K concurrent/timewait connections to a single service; FWIW, I cited it because of its description of the limitations of TCPMUX, not because the approach there was relevant here). That being said, IIRC, there's such functionality in WebSockets as well. Open a connection to fixed pot (80) and particular URL (string), then after the initial negotiation, switch to raw TCP mode and hand the connection to whatever application is suppose to handle it. The reason I don't like that solution is that you have to have web server installed to work as a multiplexer, which is kind of strange. If you want a multiplexer to serve different connections from a single service port, you need a multiplexer server (tcpmux daemon, websockets, whatever you want to call it). Joe
Re: Charging remote participants
On Aug 16, 2013, at 11:55 AM, Dave Crocker d...@dcrocker.net wrote: On 8/16/2013 6:10 AM, Hadriel Kaplan wrote: Since the topic keeps getting raised... I think that charging remote participants any fee is a really terrible idea. One of the really great things about the IETF is its open and free (as in beer) participation policy. The real work is supposed to be done on mailing lists, and there's no charge or restriction on who can send emails. That policy is actually quite rare for standards bodies, and makes our output better not worse. The IETF has never been free. Actually, it's quite expensive. We've maintained the myth that it's free because we've had long-term funding support from the outside, originally dubbed daddy pays. First it was ARPA, then CNRI and now ISOC (and wealthy corporations). I didn't say it didn't cost someone money to run it - I said it's free to participate, and I like that policy and think we're better for it. *Of course* someone has to pay something, and we could have a long debate about a better funding model for the IETF in general. But that's not a problem I'm trying to fix. Some people on the list have expressed a desire to have better remote participation. I don't know if that's necessary or not, but I suggested a possible solution for that (i.e., audio input). The solution will cost some money. Not a lot, hopefully, but more than currently being spent. The people who run the meetings will have to tell us how much more, per meeting. Assuming it costs more than some trivial amount, we have to figure out a source of revenue for that. We don't have to re-do the whole IETF funding model - just figure out where to get the money for this new thing. So if that costs real money, I propose that instead of charging remote participants the cost, we charge f2f participants by burying it in the reg-fee, but discounting the reg-fee for those who can't expense the reg-fee. That sounds whacky, I know. It sounds radical too. It's not a new idea though, and some other places do the same but using different words (like Corporate Attendee vs. Individual Attendee, but those don't make sense here). The good thing is it's something we can test and measure, without impacting attendee rates. We can't measure how impactful a fee to remote participants is - the number who join rises and falls due to various reasons; and even if they don't join due to the fee we won't know it - they won't say so, and won't join remotely, and we won't know it. Thus it's self-limiting and self-fulfilling. We can't measure how impactful a mandatory increase across-the-board for f2f meeting reg-fee is either - the number of f2f attendees rises/falls based on too many factors, and again it's self-limiting and self-fulfilling. With a selectable registration form check-box, and no laying of guilt or stigma on those who do/don't choose 'Self-Paying Rate' vs. 'Full Rate' and no external indicator of it, we can figure out if we get more money and how much, without directly impacting our f2f attendance rate. We can even do it *before* we go and pay for anything. We could, for example, have the check-box for the Vancouver IETF meeting form, with textual explanation of why to check it. We could do the same for remote participants too, just to see how much we'd get that way instead. As remote participation tools get better, it is likely that we will have more remote attendees and fewer face-to-face ones. This likely means significant reduction in attendee fees but also could challenge sponsor fees, since the marketing benefit of sponsorship for the f2f will likely go down. I have a hard time believing that. If anyone thinks they get as much out of remote participation as they do with f2f, then I think they're crazy... but you're right they shouldn't come. If it turns out a lot of people stop coming, then maybe we really don't need f2f meetings or as many of them. Or maybe it means we need to make cost the highest priority factor in meeting locations, instead of one among many must-have requirements. Or maybe it means we need to restructure how we spend and get funding. Regardless, the goal of the IETF isn't to have f2f meetings - it's a means to an end, not an end in itself. I think it's super-valuable, for both physical attendees and the output the IETF produces; and I think it's worth having it 3 times year. I *want* people to go physically. But if it's not valuable to many people, don't have them; or not as frequently. -hadriel
Re: Call for Review of draft-rfced-rfcxx00-retired, List of Internet Official Protocol Standards: Replaced by an Online Database
--On Thursday, August 15, 2013 12:06 -0700 SM s...@resistor.net wrote: At 11:48 14-08-2013, IAB Chair wrote: This is a call for review of List of Internet Official Protocol Standards: Replaced by an Online Database prior to potential approval as an IAB stream RFC. The document is available for inspection here: https://datatracker.ietf.org/doc/draft-rfced-rfcxx00-retired/ From Section 2.1 of RFC 2026: 'The status of Internet protocol and service specifications is summarized periodically in an RFC entitled Internet Official Protocol Standards.' My guess is that draft-rfced-rfcxx00-retired cannot update RFC 2026. Does the IAB have any objection if I do something about that? SM, You have just identified another aspect of why I find this document troubling. I note that requirement of RFC 2026 has not been satisfied for years unless one interprets periodically as consistent with whenever we get around to it, which, in today's age, is likely to be never. I note that the last version of STD 1 was RFC 5000, published in May 2008 and that its predecessor was RFC 3700 in July 2004, i.e., there was a four year interval followed by at least a seven year one. That is well outside most normal interpretations of periodic. I don't personally think it is worth it (or, more specifically, think the resources could be better spent in other ways) but, if one believed the keep anything that might turn out to be historically important theme of the IETF 86 History BOF, then there is value in maintaining the sort of comprehensive status snapshot that STD 1 was supposed to provide (once its [other] original purpose of being part of a report to the sponsor became irrelevant) even if that snapshot is taken only once every few years. That aside, I think this document is almost completely unnecessary. RFC 5000 already points to the HTML version of the RFC index as the authority for contemporary information. There has, as far as I know, never been a requirement that STD 1 be issued as RFCs numbered NN00, nor that all such numbers be reserved for that purpose, outside the internal conventions of the RFC Editor function. At the same time, if the IAB and RSE believe that assembling and publishing this statement formally and in the RFC Series is a good use of their time and that of the community, I think it is basically harmless, _unless_ it becomes an opportunity to nit-pick such questions as its relationship to requirements or statements in 2026 or elsewhere. From Section 3: This document formally retires STD 1. Identifier STD 1 will not be re-used unless there is a future need to publish periodic snapshots of the Standards Track documents (i.e., unless the documentation is resumed). The document argues that STD 1 is historic as there is an online list now. The above reserves an option to restart periodic snapshots if there is a future need. I suggest removing that option as I presume that the IAB has thought carefully about the long term evolution of the Series before taking the decision to retire STD 1. This is another form of the nit-picking (if there were protocols involved, the historical term would involve the phrase protocol lawyer) that concerns me. I don't remember where it is written down (if at all), but the RFC Editor has had a firm rule ever since I can remember that STD numbers are never reused for a different topic. Violating that prohibition against reuse would be a really stupid move on the part of the RFC Editor and/or the IAB. If they were to be that stupid, we have much more serious other problems. If they are going to continue to avoid that sort of stupidity, then that part of the statement above is completely unnecessary - but still harmless. As far as removing the option is concerned, I think doing so would be pointless if the rest of the statement remains. For better or worse, anything that is written into one RFC by the IAB (or, under different circumstances, the IETF) can be amended out of it by another RFC. While I think it unlikely, I can imagine at least one scenario, tied to the historical concern above, under which we would resume publishing a snapshot. Whether the IAB has considered it or not and whatever promises this document does or does not make are irrelevant to whether or not that would happen. Summary: I think the RFC Series Editor should just make whatever announcement she feels it is appropriate to make, recognizing that we stopped regularly updating STD 1 long ago and have no present intention of restarting. I think this document and the process and associated work it imposes on the IAB and the community are a waste of time that could be better used in other ways.However, if they feel some desire to publish it in some form, let's encourage them to just get it done and move on rather than consuming even more time on issues that will make no difference in the long term. best, john
Re: Community Input Sought on SOWs for RFC Production Center and RFC Publisher
All; Are there any more comments on the SOWs? This item will be on the IAOC agenda for its call on 22 August. Ray On Aug 12, 2013, at 5:54 PM, IETF Administrative Director wrote: The RFC Series Editor (RSE) is proposing changes to the Statements of Work (SOW) for the RFC Production Center (RPC) and the RFC Publisher. The IAOC wants to receive community input prior to negotiating the proposed changes with the contractor. Community input will be discussed with the RSE prior to negotiations and reviewed by the IAOC. In forwarding the proposed Statements of Work the RSE said: The changes seek to make the SoWs more current [implementing RFC 6635] and specific, correcting the issues of multiple masters directing the RPC and Publisher, as well as preparing the way for a more significant revision to the SoWs when the RFC Format changes are operationalized. The SoWs have also been reviewed and supported by the RSOC [RFC Series Oversight Committee]. We consider the changes within the SoWs critical to the clear function of the RPC and Publisher, but suggest that the changes do not imply a significant change in responsibility for the RPC or Publisher. The proposed SOWs, the current SOWs and a diff file for each can be found here under Community Review: http://iaoc.ietf.org/rfps.html We appreciate the community's input and look forward to hearing from you. Thanks Ray Pelletier IAD
Re: Charging remote participants
On 8/16/13 9:53 AM, John C Klensin wrote: As someone who favors charging remote participants, who has paid most or all of the travel and associated costs for every meeting I've attended in the last ten plus years, and who doesn't share in a view of if I can, everyone can, let me make a few observations. I think these are good points, and I'd like to add: the extent to which there's now an expectation that someone must participate in a meeting in order to contribute to work is the extent to which there's been a gradual shift in working methods in the organization, and effectively reflect a loss (to whatever extent) of openness. We can stay free and open if mailing lists remain the locus of the IETF's work. The costs associated with remote participation have to be borne by someone; the marginal cost of someone joining an existing mailing list is effectively zero. Melinda
Re: Charging remote participants
On 08/16/2013 11:36 AM, Hadriel Kaplan wrote: On Aug 16, 2013, at 10:56 AM, Keith Moore mo...@network-heretics.com wrote: As someone who just spent $3.5K out of pocket to show up in Berlin, I have a hard time being sympathetic to someone who won't participate because he has to spend $100 out of pocket. This isn't about fairness or equal-pain-for-all. It's about getting work done and producing good output. Whether someone remote has to pay $0 or $1000 won't change your $3.5k out-of-pocket expense. If you don't feel the $3.5k was worth it for you to go physically, don't go. I'm all about having IETF get work done and produce good output. May I suggest that we start by trying to reduce IETF's longstanding bias in favor of large companies with large travel budgets that pay disproportionate attention to narrow and/or short-term interests, and against academics and others who take a wider and/or longer view? The Internet has suffered tremendously due to a lack of a long-term view in IETF. To that end, I'd like to see IETF do what it can to reduce meeting costs for those who attend face-to-face, rather than increase those costs even more in order to subsidize remote participation. I have reached the difficult (i.e. expensive) conclusion that the only way to participate effectively in IETF (except perhaps in a narrow focus area) is to regularly attend face-to-face meetings. There are several reasons for this, just a few of which (off the top of my head) are: (1) It's really hard to understand where people are coming from unless/until you've met them in person. I had been participating in IETF for about a year before I showed up at my first meeting, and I still remember how (2) It's much easier to get a sense of how a group of people react to a proposal in person, than over email. (3) For several reasons, people seem to react to ideas more favorably when discussed face-to-face. (4) It's easier to get along well with people whom you see face-to-face on at least an occasional basis, so people whom you've met face-to-face are more likely to appreciate constructive suggestions and to interpret technical criticism as helpful input rather than personal attacks. (5) Among the many things that hallway conversations are good for are quickly settling misunderstandings and resolving disputes. I realize that a better remote participation experience might help with some or all of these, but I think we're decades away from being able to realize that quality of experience via remote participation, at least without developing new technology and spending a lot more money on equipment. If someone wants to fund development of that technology and purchase of that equipment separately from the normal IETF revenue stream, more power to them. But I do suspect that at some point it will cost money to maintain that technology and equipment, and again, I suspect it shouldn't primarily come from people who are paying to be there in person. Or if we're really about trying to make IETF as open as possible, then we should be willing to publicly declare that people can participate in face-to-face meetings without paying the registration fee. [*] But I don't think that IETF's current funding model can support that. So maybe IAOC should give serious thought to changing the model, but offhand I don't know what a better model would be. Should IETF become a membership organization, and let some of the administrative costs be borne by membership fees, so that meeting costs can more accurately reflect the cost of hosting meetings? How would the organization provide benefits to paying members without excluding participation from others? I don't expect that there are any obviously right answers to questions like those - everything involves compromise - but it might be that there are far better answers to those questions than those that have been assumed for the past 20 years or so. [*] I do realize that some people have, on occasion, shown up as tourists for the benefit of hallway and bar conversations, and avoided paying the meeting fee.
Re: Call for Review of draft-rfced-rfcxx00-retired, List of Internet Official Protocol Standards: Replaced by an Online Database
I think that if we worried about every minor deviation from RFC 2026, we would be here for a long time and wasting most of it. I have no particular objection to publishing the draft. Regards Brian Carpenter (who tried and failed - see draft-carpenter-rfc2026-critique, draft-carpenter-rfc2026-practice, draft-carpenter-rfc2026-changes) On 17/08/2013 06:44, John C Klensin wrote: --On Thursday, August 15, 2013 12:06 -0700 SM s...@resistor.net wrote: At 11:48 14-08-2013, IAB Chair wrote: This is a call for review of List of Internet Official Protocol Standards: Replaced by an Online Database prior to potential approval as an IAB stream RFC. The document is available for inspection here: https://datatracker.ietf.org/doc/draft-rfced-rfcxx00-retired/ From Section 2.1 of RFC 2026: 'The status of Internet protocol and service specifications is summarized periodically in an RFC entitled Internet Official Protocol Standards.' My guess is that draft-rfced-rfcxx00-retired cannot update RFC 2026. Does the IAB have any objection if I do something about that? SM, You have just identified another aspect of why I find this document troubling. I note that requirement of RFC 2026 has not been satisfied for years unless one interprets periodically as consistent with whenever we get around to it, which, in today's age, is likely to be never. I note that the last version of STD 1 was RFC 5000, published in May 2008 and that its predecessor was RFC 3700 in July 2004, i.e., there was a four year interval followed by at least a seven year one. That is well outside most normal interpretations of periodic. I don't personally think it is worth it (or, more specifically, think the resources could be better spent in other ways) but, if one believed the keep anything that might turn out to be historically important theme of the IETF 86 History BOF, then there is value in maintaining the sort of comprehensive status snapshot that STD 1 was supposed to provide (once its [other] original purpose of being part of a report to the sponsor became irrelevant) even if that snapshot is taken only once every few years. That aside, I think this document is almost completely unnecessary. RFC 5000 already points to the HTML version of the RFC index as the authority for contemporary information. There has, as far as I know, never been a requirement that STD 1 be issued as RFCs numbered NN00, nor that all such numbers be reserved for that purpose, outside the internal conventions of the RFC Editor function. At the same time, if the IAB and RSE believe that assembling and publishing this statement formally and in the RFC Series is a good use of their time and that of the community, I think it is basically harmless, _unless_ it becomes an opportunity to nit-pick such questions as its relationship to requirements or statements in 2026 or elsewhere. From Section 3: This document formally retires STD 1. Identifier STD 1 will not be re-used unless there is a future need to publish periodic snapshots of the Standards Track documents (i.e., unless the documentation is resumed). The document argues that STD 1 is historic as there is an online list now. The above reserves an option to restart periodic snapshots if there is a future need. I suggest removing that option as I presume that the IAB has thought carefully about the long term evolution of the Series before taking the decision to retire STD 1. This is another form of the nit-picking (if there were protocols involved, the historical term would involve the phrase protocol lawyer) that concerns me. I don't remember where it is written down (if at all), but the RFC Editor has had a firm rule ever since I can remember that STD numbers are never reused for a different topic. Violating that prohibition against reuse would be a really stupid move on the part of the RFC Editor and/or the IAB. If they were to be that stupid, we have much more serious other problems. If they are going to continue to avoid that sort of stupidity, then that part of the statement above is completely unnecessary - but still harmless. As far as removing the option is concerned, I think doing so would be pointless if the rest of the statement remains. For better or worse, anything that is written into one RFC by the IAB (or, under different circumstances, the IETF) can be amended out of it by another RFC. While I think it unlikely, I can imagine at least one scenario, tied to the historical concern above, under which we would resume publishing a snapshot. Whether the IAB has considered it or not and whatever promises this document does or does not make are irrelevant to whether or not that would happen. Summary: I think the RFC Series Editor should just make whatever announcement she feels it is appropriate to make, recognizing that we stopped regularly updating
Re: Charging remote participants
I may be misunderstanding you, but I'm proposing we charge large corporations with large travel budgets slightly *more* than others.[1] I'm not suggesting an overhaul of the system. I'm not proposing they get more attention, or more weight, or any such thing. Of course they *do* have more impact in subtle ways, because they can afford to send people and hire IETF insiders and pay salaries for people to be ADs and WG chairs and so on. That's a separate issue, which we've long fretted about but can't truly address, nor am I proposing to fix it nor make it worse. I'm just trying to fix the problem at hand. (well... it would only be a problem if people think we need better remote participation tools) -hadriel [1] Large corporations don't actually equate to large travel budgets; big corps have travel freezes all the time. But if you can get expense approval for $695 reg-fee, you can likely get approval for $795; and the reg-fee is only a portion of the overall travel expense. If you *can't* get approval for the $100 difference, that's ok - just select the Self-Paying Rate. There's no stigma associated with doing that. (at least that's the goal anyway) On Aug 16, 2013, at 3:10 PM, Keith Moore mo...@network-heretics.com wrote: On 08/16/2013 11:36 AM, Hadriel Kaplan wrote: On Aug 16, 2013, at 10:56 AM, Keith Moore mo...@network-heretics.com wrote: As someone who just spent $3.5K out of pocket to show up in Berlin, I have a hard time being sympathetic to someone who won't participate because he has to spend $100 out of pocket. This isn't about fairness or equal-pain-for-all. It's about getting work done and producing good output. Whether someone remote has to pay $0 or $1000 won't change your $3.5k out-of-pocket expense. If you don't feel the $3.5k was worth it for you to go physically, don't go. I'm all about having IETF get work done and produce good output. May I suggest that we start by trying to reduce IETF's longstanding bias in favor of large companies with large travel budgets that pay disproportionate attention to narrow and/or short-term interests, and against academics and others who take a wider and/or longer view? The Internet has suffered tremendously due to a lack of a long-term view in IETF. To that end, I'd like to see IETF do what it can to reduce meeting costs for those who attend face-to-face, rather than increase those costs even more in order to subsidize remote participation. I have reached the difficult (i.e. expensive) conclusion that the only way to participate effectively in IETF (except perhaps in a narrow focus area) is to regularly attend face-to-face meetings. There are several reasons for this, just a few of which (off the top of my head) are: (1) It's really hard to understand where people are coming from unless/until you've met them in person. I had been participating in IETF for about a year before I showed up at my first meeting, and I still remember how (2) It's much easier to get a sense of how a group of people react to a proposal in person, than over email. (3) For several reasons, people seem to react to ideas more favorably when discussed face-to-face. (4) It's easier to get along well with people whom you see face-to-face on at least an occasional basis, so people whom you've met face-to-face are more likely to appreciate constructive suggestions and to interpret technical criticism as helpful input rather than personal attacks. (5) Among the many things that hallway conversations are good for are quickly settling misunderstandings and resolving disputes. I realize that a better remote participation experience might help with some or all of these, but I think we're decades away from being able to realize that quality of experience via remote participation, at least without developing new technology and spending a lot more money on equipment. If someone wants to fund development of that technology and purchase of that equipment separately from the normal IETF revenue stream, more power to them. But I do suspect that at some point it will cost money to maintain that technology and equipment, and again, I suspect it shouldn't primarily come from people who are paying to be there in person. Or if we're really about trying to make IETF as open as possible, then we should be willing to publicly declare that people can participate in face-to-face meetings without paying the registration fee. [*] But I don't think that IETF's current funding model can support that. So maybe IAOC should give serious thought to changing the model, but offhand I don't know what a better model would be. Should IETF become a membership organization, and let some of the administrative costs be borne by membership fees, so that meeting costs can more accurately reflect the cost of hosting meetings? How would the organization provide benefits to paying
Re: Charging remote participants
On Aug 16, 2013, at 1:53 PM, John C Klensin john-i...@jck.com wrote: (1) As Dave points out, this activity has never been free. The question is only about who pays. If any participants have to pay (or convince their companies to pay) and others, as a matter of categories, do not, that ultimately weakens the process even if, most of the time, those who pay don't expect or get favored treatment. Having some participants get a free ride that really comes at the expense of other participants (and potentially competing organizations) is just not a healthy idea. Baloney. People physically present still have an advantage over those remote, no matter how much technology we throw at this. That's why corporations are willing to pay their employees to travel to these meetings. And it's why people are willing to pay out-of-pocket for it too, ultimately. It's why people want a day-pass type thing for only attending one meeting, instead of sitting at home attending remote. Being there is important, and corporations and people know it. An audio input model (ie, conference call model) still provides plenty of advantage to physical attendees, while also providing remote participants a chance to have their say in a more emphatic and real-time format. We're not talking about building a telepresence system for all remote participants, or using robots as avatars. (2) Trying to figure out exactly what remote participation (equipment, staffing, etc.) will cost the IETF and then trying to assess those costs to the remote participants would be madness for multiple reasons. [...snip...] Yet you're proposing charging remote participants to bear the costs. I'm confused. (3) Trying to establish a more or less elaborate system of categories of participants with category-specific fees or to scale the current system of subsidies and waivers to accommodate the full range of potential in-person and remote participants is almost equally insane. While we might make such arrangements work and keeping categories and status off badges helps, it gets us entangled with requiring that the Secretariat and/or IAD and/or some IAOC or other leadership members be privy to information that is at least private and that might be formally confidential. We don't want to go there if we can help it. I'm not talking about posting this info on web, nor a full range of potential. We already have multiple reg-fee categories; I'm talking about adding *one* more. I don't know who in the leadership can see a list of what rates people paid - if we need to constrain that, that's a solvable problem. It's not the sky falling. Regardless, the same argument can be made for charging remote participants to donate 0-100% or whatever. -hadriel
Re: Community Input Sought on SOWs for RFC Production Center and RFC Publisher
Greetings, Since the publication of RFC 5620, the RFC Editor has been working to implement the RPC and Publisher split. Based on our attempts to create two separable entities per RFC 5620 and later RFC 6635, our understanding of the motivations for splitting the RPC and Publisher into distinct functions, and our discussions with the RSE, the RSE has created a figure http://www.rfc-editor.org/rse/wiki/lib/exe/detail.php?id=rfcpublishermedia=rfc-publisher-split-c.jpg to describe where the split resides in practice. We believe the figure accurately reflects the most practical split in terms of work allocation and portability. The split described in the figure eliminates the need for the Publisher to have staff with detailed RFC-specific knowledge by placing the majority of staff-related responsibilities with the RPC. Our understanding is that it is important for the SoWs to be aligned with the split described in the figure, so many of our comments below are an attempt to align these documents. We provide our comments below for consideration. Thank you, Sandy Ginoza (for the RPC and Publisher) Notes: -- Current refers to text as provided in the Proposed SoWs: http://iaoc.ietf.org/documents/RPC-Proposed-SoW-2013-final.pdf http://iaoc.ietf.org/documents/PUB-Proposed-SoW-2013-final_000.pdf Figure refers to the figure available at http://www.rfc-editor.org/rse/wiki/lib/exe/detail.php?id=rfcpublishermedia=rfc-publisher-split-c.jpg RFC Production Center - 1) In the following, we suggest changing reference IETF documents (RFCs and Internet Drafts) to referenced documents (RFCs and Internet Drafts) because not all RFCs/I-Ds are IETF-stream documents. Current: 1.2. Validation of references Ensure that references within specifications are available and that referenced IETF documents (RFCs and Internet Drafts) are latest versions available. Also, match citations and references for consistency. In the IETF standards stream, specific rules on the suitability and availability of references apply, as documented in RFC 2026 and successors, as interpreted by the IESG. Editing of documents may be delayed waiting for normative references to become available. 2) In the following, we suggest that ASN.1 (and particularly MIBs and MIB-related details) be updated to reflect MIBs. Although MIB modules are written using a subset of ASN.1, the RPC does not check all ASN.1, we only check MIBs. This change will reflect what is done in practice. If the intent is to actually require the RPC to check all ASN.1, please let us know and we will discuss checking tools with the RSE and IAD. Current: 1.3. Validation of formal languages The RPC should validate the syntax of sections of documents containing formal languages. In particular ASN.1 (and particularly MIBs and MIB-related details), YANG, ABNF, and XML should be verified using one or more tools as approved by the RSE. 3) Publication takes place in the Electronic Signing Announcements box within the figure. The following text does not seem to align with the figure: Current: 2. Documents forwarded to RFC Publisher 2.1. The RPC will edit the documents from all streams consistent with the RFC Style Manual, the RFC Series, and the intent of the Authors. Documents so edited will be placed in the ready-to-publish state and forwarded to the RFC Publisher. In the figure, the publication-related actions occur on the RPC side because the RPC is responsible for posting RFCs in the public archive, sending out the RFC announcements, updating the various indexes, and digitally signing the RFCs. This makes it possible for the RPC to respond to requests for legal verification of RFCs. Therefore, we suggest the following update: 2. Documents forwarded to RFC Publisher 2.1. The RPC will edit the documents from all streams consistent with the RFC Style Manual, the RFC Series, and the intent of the Authors. Documents so edited will be published on the RFC Editor website. Alternately, Section 2.1 could be removed, as the documents will not be forwarded to the Publisher for publication and because how docs will be edited is discussed in Section 1.1.1. For consistency with the above update, we suggest that item 2.2 be updated as follows: Current: 2.2. Additionally, the RPC will forward records of all interaction and edits relative to the document, including dialogue with the document authors and stream representatives, to the RFC Publisher for archiving. Suggested: 2.2. The RPC will post all relevant documents, including the related RFC files, records of all interaction and edits relative to the document, dialogue with the document authors and stream representatives, on the RFC Publisher server for archiving. 4) Because the Publisher is responsible for the website, webmas...@rfc-editor.org is a Publisher address (and the address in mentioned in the Publisher SoW).
Re: Community Input Sought on SOWs for RFC Production Center and RFC Publisher
Hi Sandy, I'm not sure how or if it plays into the SoW but your diagram shows errata handling in the publisher part. Many people find the current errata process not that great, but we've collectively not gotten around to figuring out something better. I think the possible consequence is that it might be good to have some flexibility in terms of how errata are processed in future, e.g. if we all do get around to figuring out something better it might be good for that not to be precluded by this SOW being overly prescriptive in that respect. (I don't know that the SOW is prescriptive about this btw, I did read it a few days ago but didn't consider this aspect and am about to head out for the evening... and going out wins:-) As I said, I'm not sure if that might result in some change here, but be good if the folks thinking about this SOW keep that in mind. Ta, S. On 08/16/2013 09:16 PM, Sandy Ginoza wrote: Greetings, Since the publication of RFC 5620, the RFC Editor has been working to implement the RPC and Publisher split. Based on our attempts to create two separable entities per RFC 5620 and later RFC 6635, our understanding of the motivations for splitting the RPC and Publisher into distinct functions, and our discussions with the RSE, the RSE has created a figure http://www.rfc-editor.org/rse/wiki/lib/exe/detail.php?id=rfcpublishermedia=rfc-publisher-split-c.jpg to describe where the split resides in practice. We believe the figure accurately reflects the most practical split in terms of work allocation and portability. The split described in the figure eliminates the need for the Publisher to have staff with detailed RFC-specific knowledge by placing the majority of staff-related responsibilities with the RPC. Our understanding is that it is important for the SoWs to be aligned with the split described in the figure, so many of our comments below are an attempt to align these documents. We provide our comments below for consideration. Thank you, Sandy Ginoza (for the RPC and Publisher) Notes: -- Current refers to text as provided in the Proposed SoWs: http://iaoc.ietf.org/documents/RPC-Proposed-SoW-2013-final.pdf http://iaoc.ietf.org/documents/PUB-Proposed-SoW-2013-final_000.pdf Figure refers to the figure available at http://www.rfc-editor.org/rse/wiki/lib/exe/detail.php?id=rfcpublishermedia=rfc-publisher-split-c.jpg RFC Production Center - 1) In the following, we suggest changing reference IETF documents (RFCs and Internet Drafts) to referenced documents (RFCs and Internet Drafts) because not all RFCs/I-Ds are IETF-stream documents. Current: 1.2. Validation of references Ensure that references within specifications are available and that referenced IETF documents (RFCs and Internet Drafts) are latest versions available. Also, match citations and references for consistency. In the IETF standards stream, specific rules on the suitability and availability of references apply, as documented in RFC 2026 and successors, as interpreted by the IESG. Editing of documents may be delayed waiting for normative references to become available. 2) In the following, we suggest that ASN.1 (and particularly MIBs and MIB-related details) be updated to reflect MIBs. Although MIB modules are written using a subset of ASN.1, the RPC does not check all ASN.1, we only check MIBs. This change will reflect what is done in practice. If the intent is to actually require the RPC to check all ASN.1, please let us know and we will discuss checking tools with the RSE and IAD. Current: 1.3. Validation of formal languages The RPC should validate the syntax of sections of documents containing formal languages. In particular ASN.1 (and particularly MIBs and MIB-related details), YANG, ABNF, and XML should be verified using one or more tools as approved by the RSE. 3) Publication takes place in the Electronic Signing Announcements box within the figure. The following text does not seem to align with the figure: Current: 2. Documents forwarded to RFC Publisher 2.1. The RPC will edit the documents from all streams consistent with the RFC Style Manual, the RFC Series, and the intent of the Authors. Documents so edited will be placed in the ready-to-publish state and forwarded to the RFC Publisher. In the figure, the publication-related actions occur on the RPC side because the RPC is responsible for posting RFCs in the public archive, sending out the RFC announcements, updating the various indexes, and digitally signing the RFCs. This makes it possible for the RPC to respond to requests for legal verification of RFCs. Therefore, we suggest the following update: 2. Documents forwarded to RFC Publisher 2.1. The RPC will edit the documents from all streams consistent with the RFC Style Manual, the RFC Series, and the
Re: Charging remote participants
We already have a version of self-pay, namely the very low student rate. For that rate, you are supposed to show student ID (not sure how and whether this is enforced), so it's not quite the same, but it's a means-based test, as well as an attempt to increase the diversity of participants. Nearly every scientific conference has versions of differentiated pricing - special rates for authors, attendees from low-income countries, students, society members (i.e., likely repeat attendees), ... In those venues, the general rule of thumb for organizers is that even the lowest priced category pays for the variable costs, and the fixed costs are borne by those more able to pay. We also have the early-registration rate - thus, late and on-site registrations subsidize the early bird moochers. We presumably want to encourage building a community, and that includes making it possible for people to attend who might not otherwise be able to. Our objective is not one-time revenue optimization. Many individuals switch back-and-forth between traveling on their own dime and on corporate tabs, and we want to encourage continued engagement, if only to increase our supply of Nomcom-eligibles. Thus, I think this is worth exploring, as an experiment, just like we started the day-pass experiment a number of years ago. Henning I'm not talking about posting this info on web, nor a full range of potential. We already have multiple reg-fee categories; I'm talking about adding *one* more. I don't know who in the leadership can see a list of what rates people paid - if we need to constrain that, that's a solvable problem. It's not the sky falling. Regardless, the same argument can be made for charging remote participants to donate 0-100% or whatever. -hadriel
Gen-ART LC Review of draft-ietf-karp-ops-model-07
I am the assigned Gen-ART reviewer for this draft. For background on Gen-ART, please see the FAQ at http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq. Please resolve these comments along with any other Last Call comments you may receive. Document: draft-ietf-karp-ops-model-07.txt Reviewer: Ben Campbell Review Date: 2013-08-16 IETF LC End Date: 2013-08-18 IESG Telechat date: Summary: This draft is almost ready for publication as an informational RFC. I have a few clarity related comments that might be worth considering prior to publication. Major issues: None. Minor issues: -- This abstract claims that this draft is a discussion of issues. From that perspective, I don't think the use of 2119 language is appropriate. There are some specific areas (mentioned below) where 2119 language is used in imprecise ways, and may do harm to the reader's understanding. There are other uses that may be more reasonable. But I think the draft would be better off dispensing with 2119 language altogether. -- Section 3, paragraph 4: This seems like a place where descriptive language would be better than 2119 language. In particular, and so on leaves things too open ended and imprecise. Also, the use of 2119 language in an example seems a bit off. -- section 3.1, last paragraph: I'm not sure what guidance is intended in this paragraph. It offers an example, then refutes it. Are there better examples to offer? Is the point that one shouldn't make such checks? -- section 3.2, paragraph 2: What distinguishes SHOULD from desirable in this context? That is, why use 2119 language for one and not the other? -- section 3.2, last paragraph: Implementations SHOULD permit a configuration in which if no unexpired key is available, existing security associations continue using the expired key with which they were established. This may need further guidance. For example, it seems risky to do this silently. -- section 3.3, last paragraph: ... then there is complexity in key management protocols. Can you elaborate? Too much complexity? Are there key management systems that are not complex? -- section 4, 2nd to last paragraph: Seems like other disadvantages are worth mentioning. For example, the potential impact of a compromised CA. -- 4.1: I understand why one might choose not to include a real-world example here, but is there something that can be referenced? -- 4.4, 2nd paragraph: ... it will be critical to make sure that they are not required during routine operation or a cold-start of a network. Can you elaborate on why? Nits/editorial comments: Abstract: Might be worth mentioning KARP and how this draft fits with others. -- Section 1, paragraph 1: Please expand KARP on first mention. -- Section 1, paragraph 3: Missing punctuation. -- section 3: The text seems to rather abruptly start talking about key considered actions with little background. A quick summary of how these keys re used would be helpful. -- section 3, paragraph 2: Each OSPF link needs to use the same authentication configuration, ... Same configuration as what? The sentence appears to say keys must be the same among links but can be different. -- section 3.2, first 2 paragraphs: I'm not sure how a configuration management system and a configuration interface differ for the purposes of this discussion. -- 4.1, paragraph 4: Preshared keys that are used via automatic key management have not been specified for KARP. I'm not sure what's intended here--if they are not specified why does the paragraph go on to talk about them? -- 4.4, 1st paragraph: ... like RADIUS or directories. Is there a word missing? -- 5, bullet list of management objects: There may be management objects implied by the second and third bullets, but they are not mentioned as such. Can you explicitly state them? For example, in bullet 2 is the peer the object being discussed? Or is it the name or key. In bullet 3, is group the managed object, rather than routing protocol? -- 5, paragraphs 7 and 8: s/what/which (two occurrences)
Anyone having trouble submitting I-Ds?
My web submission told me Your submission is pending email authentication. An email has been sent you with instructions. more than an hour ago, but I haven't seen such a mail. I sent a note to internet-drafts@ mentioning my experience, but wanted to check if anyone else was seeing this behavior. -Ben Kaduk MIT Kerberos Consortium
RE: Community Input Sought on SOWs for RFC Production Center and RFC Publisher
Hi Ray, Thanks for the reminder. Meta-nit The document seems unsure whether to say Internet Draft or Internet-Draft. --- Nits: Para 2 The RPC is one of the distinct components of the RFC Editor. The primary responsibility for the RPC is to edit approved Internet Drafts to a consistent high level of quality as described by the RFC Style Manual. 1. I don't believe the RPC edits Internet Drafts. The purpose, it seems to me, is to edit the text of Internet Drafts to create RFCs. It would be correct to say edits RFCs, but I can see people's toes curling. So say exit the text of approved Internet Drafts. 2. s/consistent/consistently/ --- Nit: 1.1.1 What is formal grammar and how does it differ from grammar? --- 1.1.1 Editing shall be accomplished in accordance with the current 'RFC Style Manual' maintained by the RSE . The Style Manual specification now in use will be used by the RPC until replaced. I can see what is being attempted here, but it hasn't achieved it! I think you want The RSE maintains the 'RFC Style Manual'. The RPC shall edit in accordance with the version of the RFC Style Manual current at the time of editing. --- 1.1.2 Maintain a tracking system for edits, and ensure that changes are signed off by all authors and that any technical changes are approved by an authorized stream representative, except when exceptions are requested by the relevant stream and approved by the RSE. except where exceptions is clumsy, but there is a bigger problem in that there is an implication in the way that this is written that technical changes can be made without sign-off by a representative of the stream if somehow requested by the stream. I think that what was being attempted was the ability to handle absent authors (e.g. during AUTH-48). I suggest... Maintain a tracking system for edits, and ensure that changes are signed-off by all authors except when the need for sign-off is waived by an authorized representative of the relevant stream and approved by the RSE. Also ensure that that any technical changes are approved by an authorized representative of the relevant stream. --- 1.2 What is the IETF standards stream? Text should maybe read: For standards track documents in the IETF stream --- Nits 1.3 The RPC should validate the syntax of sections of documents containing formal languages. In particular ASN.1 (and particularly MIBs and MIB-related details), s/languages/language/ s/particular/particular,/ s/MIBs/MIB modules/ --- 1.5 While it is much tidier, the text the relevant individuals provides no clear guidance to the RPC. How is the RPC supposed to know who constitutes a relevant individual in order to allow or disallow their requested change? --- 1.10 I can see why At the discretion of the RSE would apply to 1.10.2. It seems a bit harsh to apply it to 1.10.1. Can the RSE really tell the RPC to not participate in these discussions? --- Isn't 6.1.1 now in the Style Guide and covered by 9.3? --- Nit 9.1 appears to have too many when requested --- 9.2 when requested and regular seem to be in conflict. --- 9.3.1 Do you mean RFC Publisher web site or RFC Editor website cf. section 5 and 10.3 --- Nit authors appears in 10.4.1.2 and 10.4.1.3 --- 10.5.1 continuously or continually? --- 10.6 IANAL This text appears to say that the RPC must take direction from the IAOC if it receives a subpoena. I am surprised that this can be placed in a SOW that will form the basis of a contract. --- Cheers, Adrian -Original Message- From: iesg-boun...@ietf.org [mailto:iesg-boun...@ietf.org] On Behalf Of Ray Pelletier Sent: 16 August 2013 19:48 To: ietf@ietf.org Cc: wgcha...@ietf.org; i...@ietf.org; rfc-inter...@rfc-editor.org; i...@iab.org; i...@ietf.org; IETF Announcement List Subject: Re: Community Input Sought on SOWs for RFC Production Center and RFC Publisher All; Are there any more comments on the SOWs? This item will be on the IAOC agenda for its call on 22 August. Ray On Aug 12, 2013, at 5:54 PM, IETF Administrative Director wrote: The RFC Series Editor (RSE) is proposing changes to the Statements of Work (SOW) for the RFC Production Center (RPC) and the RFC Publisher. The IAOC wants to receive community input prior to negotiating the proposed changes with the contractor. Community input will be discussed with the RSE prior to negotiations and reviewed by the IAOC. In forwarding the proposed Statements of Work the RSE said: The changes seek to make the SoWs more current [implementing RFC 6635] and specific, correcting the issues of multiple masters directing the RPC and Publisher, as well as preparing the way for a more significant revision to the SoWs when the RFC Format changes are operationalized. The SoWs have also been reviewed and supported by the RSOC [RFC Series Oversight Committee]. We consider the changes within the SoWs critical to the clear function of the RPC and Publisher, but
Re: Charging remote participants
On Aug 16, 2013, at 1:42 PM, Henning Schulzrinne h...@cs.columbia.edu wrote: We already have a version of self-pay, namely the very low student rate. For that rate, you are supposed to show student ID (not sure how and whether this is enforced), so it's not quite the same, but it's a means-based test, as well as an attempt to increase the diversity of participants. Nearly every scientific conference has versions of differentiated pricing - special rates for authors, attendees from low-income countries, students, society members (i.e., likely repeat attendees), ... In those venues, the general rule of thumb for organizers is that even the lowest priced category pays for the variable costs, and the fixed costs are borne by those more able to pay. We also have the early-registration rate - thus, late and on-site registrations subsidize the early bird moochers. We presumably want to encourage building a community, and that includes making it possible for people to attend who might not otherwise be able to. Our objective is not one-time revenue optimization. Many individuals switch back-and-forth between traveling on their own dime and on corporate tabs, and we want to encourage continued engagement, if only to increase our supply of Nomcom-eligibles. Thus, I think this is worth exploring, as an experiment, just like we started the day-pass experiment a number of years ago. I don't know what this refers to in the above sentence, but I agree with everything else in your note. Mark Henning I'm not talking about posting this info on web, nor a full range of potential. We already have multiple reg-fee categories; I'm talking about adding *one* more. I don't know who in the leadership can see a list of what rates people paid - if we need to constrain that, that's a solvable problem. It's not the sky falling. Regardless, the same argument can be made for charging remote participants to donate 0-100% or whatever. -hadriel
Re: Last Call: draft-bormann-cbor-04.txt (Concise Binary Object Representation (CBOR)) to Proposed Standard
On 8/15/13 1:26 PM, Yaron Sheffer yaronf.i...@gmail.com wrote:
One of the reasons why I like the CBOR tag applied to a byte stream is
that
it can be used to skip parsing on entire sections (no matter their
underlying types) in processors that don't need to understand that
section.
I suppose you mean you don't understand the section at a semantic level
(e.g. you don't understand the map section-7) but you do need to parse
every last data item in the section before you know its byte length. So
at a syntactic level you don't skip anything.
Example:
{to: you, from: me, content: 24(h'a26161016162820203')}
If I'm just routing this based on the to address, I don't need to parse
the
content value. If I'm the end recipient, I can either put my parser
into a
mode that parses into CBOR (tag 24) blocks, or I can feed the byte string
I
get for content from a generic parser back into that same parser.
Either
way, I find out that the content is:
{a: 1, b: [2, 3]}
--
Joe Hildebrand
Re: Community Input Sought on SOWs for RFC Production Center and RFC Publisher
Hi, A few nits regrading MIB module checking... On 8/16/13 4:16 PM, Sandy Ginoza sgin...@amsl.com wrote: 2) In the following, we suggest that ASN.1 (and particularly MIBs and MIB-related details) be updated to reflect MIBs. Although MIB modules are written using a subset of ASN.1, the RPC does not check all ASN.1, we only check MIBs. This change will reflect what is done in practice. If the intent is to actually require the RPC to check all ASN.1, please let us know and we will discuss checking tools with the RSE and IAD. Current: 1.3. Validation of formal languages The RPC should validate the syntax of sections of documents containing formal languages. In particular ASN.1 (and particularly MIBs and MIB-related details), YANG, ABNF, and XML should be verified using one or more tools as approved by the RSE. S/MIBs/MIB modules/ MIB Modules are written using version 2 of the SMI standard, a formal language which is an IETF-standardized adapted subset of ASN.1-1988. So MIB validation might be more accurately called SMI validation or SMIv2 validation (but SMIv3 could be done at some future date.) So s/ASN.1/SMI/ or s/ASN.1/SMIv2/ ASN.1 has moved on since the 1988 subset used for SMI. There are tools to validate against the more current ASN.1 standard. I'm not sure how much current ASN.1 is used in IETF documents, but if it is, then you might want to validate it. I think there is very little current ASN.1 usage in IETF documents. -- David Harrington ietf...@comcast.net +1-603-828-1401
Re: Charging remote participants
--On Friday, August 16, 2013 15:46 -0400 Hadriel Kaplan hadriel.kap...@oracle.com wrote: On Aug 16, 2013, at 1:53 PM, John C Klensin john-i...@jck.com wrote: (1) As Dave points out, this activity has never been free. The question is only about who pays. If any participants have to pay (or convince their companies to pay) and others, as a matter of categories, do not, that ultimately weakens the process even if, most of the time, those who pay don't expect or get favored treatment. Having some participants get a free ride that really comes at the expense of other participants (and potentially competing organizations) is just not a healthy idea. Baloney. People physically present still have an advantage over those remote, no matter how much technology we throw at this. That's why corporations are willing to pay their employees to travel to these meetings. And it's why people are willing to pay out-of-pocket for it too, ultimately. It's why people want a day-pass type thing for only attending one meeting, instead of sitting at home attending remote. Being there is important, and corporations and people know it. Sure. And it is an entirely separate issue, one which I don't know how to solve (if it can be solved at all). It is unsolvable in part because corporations --especially the larger and more successful ones-- make their decisions about what to participate in, at what levels, and with whatever choices of people, for whatever presumably-good business reasons they do so. I can, for example, remember one such corporation refusing to participate in a standards committee that was working on something that many of us thought was key to their primary product. None us knew, then or now, why they made that decision although their was wide speculation at the time that they intended to deliberately violate the standard that emerged and wanted plausible deniability about participation. Lots of reasons; lots of circumstances. An audio input model (ie, conference call model) still provides plenty of advantage to physical attendees, while also providing remote participants a chance to have their say in a more emphatic and real-time format. We're not talking about building a telepresence system for all remote participants, or using robots as avatars. IIR, we've tried audio input. It works really well for conference-sized meetings (e.g., a dozen or two dozen people around a table) with a few remote participants. It works really well for a larger group (50 or 100 or more) and one or two remote participants. I've even co-chaired IETF WG meetings remotely that way (with a lot of help and sympathy from the other co-chair or someone else taking an in-room leadership role). But, try it for several remote participants and a large room full of people, allow for audio delays in both directions, and about the last thing one needs is a bunch of disembodied voices coming out of the in-room audio system at times that are not really coordinated with what is going on in the room. Now it can all certainly be made to work: it takes a bit of coordination on a chat (or equivalent) channel, requests to get in or out of the queue that are monitored from within the room, and someone managing those queues along with the mic lines. But, by that point, many of the disadvantage of audio input relative to someone reading from Jabber have disappeared and the other potential problems with audio input -- noise, level setting, people who are hard to understand even if they are in the room, and so on-- start to dominate. Would I prefer audio input to typing into Jabber under the right conditions? Sure, in part because, while I type faster than average it still isn't fast enough to compensate for the various delays. But it really isn't a panacea for any of the significant problems. (2) Trying to figure out exactly what remote participation (equipment, staffing, etc.) will cost the IETF and then trying to assess those costs to the remote participants would be madness for multiple reasons. [...snip...] Yet you're proposing charging remote participants to bear the costs. I'm confused. I am proposing charging remote participants a portion of the overhead costs of operating the IETF, _not_ a fee based on the costs of supporting remote participation. And, again, I want them to have the option of deciding how much of it they can reasonably afford to pay. ... best, john
Re: Charging remote participants
On Friday, August 16, 2013 18:39:04 John C Klensin wrote: --On Friday, August 16, 2013 15:46 -0400 Hadriel Kaplan hadriel.kap...@oracle.com wrote: On Aug 16, 2013, at 1:53 PM, John C Klensin john-i...@jck.com wrote: (1) As Dave points out, this activity has never been free. The question is only about who pays. If any participants have to pay (or convince their companies to pay) and others, as a matter of categories, do not, that ultimately weakens the process even if, most of the time, those who pay don't expect or get favored treatment. Having some participants get a free ride that really comes at the expense of other participants (and potentially competing organizations) is just not a healthy idea. Baloney. People physically present still have an advantage over those remote, no matter how much technology we throw at this. That's why corporations are willing to pay their employees to travel to these meetings. And it's why people are willing to pay out-of-pocket for it too, ultimately. It's why people want a day-pass type thing for only attending one meeting, instead of sitting at home attending remote. Being there is important, and corporations and people know it. Sure. And it is an entirely separate issue, one which I don't know how to solve (if it can be solved at all). It is unsolvable in part because corporations --especially the larger and more successful ones-- make their decisions about what to participate in, at what levels, and with whatever choices of people, for whatever presumably-good business reasons they do so. I can, for example, remember one such corporation refusing to participate in a standards committee that was working on something that many of us thought was key to their primary product. None us knew, then or now, why they made that decision although their was wide speculation at the time that they intended to deliberately violate the standard that emerged and wanted plausible deniability about participation. Lots of reasons; lots of circumstances. An audio input model (ie, conference call model) still provides plenty of advantage to physical attendees, while also providing remote participants a chance to have their say in a more emphatic and real-time format. We're not talking about building a telepresence system for all remote participants, or using robots as avatars. IIR, we've tried audio input. It works really well for conference-sized meetings (e.g., a dozen or two dozen people around a table) with a few remote participants. It works really well for a larger group (50 or 100 or more) and one or two remote participants. I've even co-chaired IETF WG meetings remotely that way (with a lot of help and sympathy from the other co-chair or someone else taking an in-room leadership role). But, try it for several remote participants and a large room full of people, allow for audio delays in both directions, and about the last thing one needs is a bunch of disembodied voices coming out of the in-room audio system at times that are not really coordinated with what is going on in the room. Now it can all certainly be made to work: it takes a bit of coordination on a chat (or equivalent) channel, requests to get in or out of the queue that are monitored from within the room, and someone managing those queues along with the mic lines. But, by that point, many of the disadvantage of audio input relative to someone reading from Jabber have disappeared and the other potential problems with audio input -- noise, level setting, people who are hard to understand even if they are in the room, and so on-- start to dominate. Would I prefer audio input to typing into Jabber under the right conditions? Sure, in part because, while I type faster than average it still isn't fast enough to compensate for the various delays. But it really isn't a panacea for any of the significant problems. (2) Trying to figure out exactly what remote participation (equipment, staffing, etc.) will cost the IETF and then trying to assess those costs to the remote participants would be madness for multiple reasons. [...snip...] Yet you're proposing charging remote participants to bear the costs. I'm confused. I am proposing charging remote participants a portion of the overhead costs of operating the IETF, _not_ a fee based on the costs of supporting remote participation. And, again, I want them to have the option of deciding how much of it they can reasonably afford to pay. Maybe the IETF should charge for mailing list subscriptions too? Scott K
Re: Anyone having trouble submitting I-Ds?
On Fri, 16 Aug 2013, Benjamin Kaduk wrote: My web submission told me Your submission is pending email authentication. An email has been sent you with instructions. more than an hour ago, but I haven't seen such a mail. I sent a note to internet-drafts@ mentioning my experience, but wanted to check if anyone else was seeing this behavior. It turns out this was user error -- I was not listed as an author on the previous version of the document, even though I did the actual upload for that version. The anti-hijacking feature causes the confirmation email to only go to the authors listed on the previous version of the document, so mail was not sent to me and things are working as expected. -Ben
Re: Charging remote participants
On Aug 16, 2013, at 6:39 PM, John C Klensin john-i...@jck.com wrote: IIR, we've tried audio input. It works really well for conference-sized meetings (e.g., a dozen or two dozen people around a table) with a few remote participants. It works really well for a larger group (50 or 100 or more) and one or two remote participants. I've even co-chaired IETF WG meetings remotely that way (with a lot of help and sympathy from the other co-chair or someone else taking an in-room leadership role). But, try it for several remote participants and a large room full of people, allow for audio delays in both directions, and about the last thing one needs is a bunch of disembodied voices coming out of the in-room audio system at times that are not really coordinated with what is going on in the room. Now it can all certainly be made to work: it takes a bit of coordination on a chat (or equivalent) channel, requests to get in or out of the queue that are monitored from within the room, and someone managing those queues along with the mic lines. Yup, it definitely takes those things. Been there, done that, got the IETF t-shirt. :) I think we might be able to do it, using the jabber scribes for those coordination actions. Maybe. It depends on the number of remote active participants and quality of scribes. The jabber scribes would have to act like the operator-assisting person in big conferences with remote participants. (the old we've got a question from Jane Doe, go ahead Jane type thing) For the WGs I go to (RAI area mostly), we have good scribes and not a large number of remote people who actually participate (as opposed to monitor). We've had some exceptions, but my impression is the things the remote people wanted to say in those cases were usually said by someone locally anyway so they're more of a +1 thing. I.e., if there are lots of local attendees, you usually get someone saying what you were going to say anyway. Not that someone remote shouldn't say it as well, because it does matter if you hear the same thing being repeated. But at least it's not so much interaction needed for hearing that. But yes if there are a dozen remote active participants, and a 100 people locally in the room, it's chaos. It's not chaos because the remote participants don't get mic time - it's chaos because they *do* get mic time. The delay in letting them know it's their turn at the mic, delay in real-time interaction, the mental switch to remote mode for local participants, etc., all cause the meeting to slow down... a lot. It's like multiple processes running on one CPU - context switching is painful. We can try to pile up the remote participants to go all at once, so that there're fewer context switches. That's what folks do in big conferences: the remote participants are queued up until the local ones have finished, and then the remote ones go all at once. Unfortunately that turns it into a QA type thing at the end, and not a discussion, but with that big an active audience that's probably all it could be anyway. But, by that point, many of the disadvantage of audio input relative to someone reading from Jabber have disappeared and the other potential problems with audio input -- noise, level setting, people who are hard to understand even if they are in the room, and so on-- start to dominate. Yes, audio quality and volume control and a bunch of related things are very important for this to work. IANAE on that - there are professionals who do that stuff for a living. Would I prefer audio input to typing into Jabber under the right conditions? Sure, in part because, while I type faster than average it still isn't fast enough to compensate for the various delays. But it really isn't a panacea for any of the significant problems. OK, so what are the significant problems? What have the WGs you've been participating in not been doing, that makes you feel like you don't get to participate remotely? -hadriel
IAOC Chair
I was recently elected as the chair of the Internet Society Board of Trustees. While I plan to complete my current term on the IAOC, I am stepping down as its chair. I have served on the IAOC since 2007 and was chair since 2009. I am pleased to report that the IAOC has elected Chris Griffiths as the new IAOC chair. I think Chris will be an excellent chair and that he has my complete support. Congratulations to Chris! The change in IAOC chairs is effective with this email. Bob Hinden
Re: Charging remote participants
Thus, I think this is worth exploring, as an experiment, just like we started the day-pass experiment a number of years ago. I don't know what this refers to in the above sentence, but I agree with everything else in your note. Offer a self-pay rate, as suggested by Hadriel. See how many people take it and ask them whether that made a difference in their attendance. Henning
Re: Last Call: draft-bormann-cbor-04.txt (Concise Binary Object Representation (CBOR)) to Proposed Standard
On Aug 15, 2013, at 3:11 PM, Yaron Sheffer yaronf.i...@gmail.com wrote:
- A parser that looks for duplicates must be able to detect that {{a:1,
b:2}:4, {b:2, a:1}:5} does in fact have a duplicate key, because the
two internal maps (used as keys) are identical. So in general, parsers need
to canonicalize maps to any depth in order to detect duplicates. This is
complex by any definition of the word.
It does not need to canonicalize, but it does need to reify (or some word that
means know what each name means). This is not additional code: the decoder
already has that in the semantic processor. It is only additional runtime
during decoding, and only in protocols/applications that use maps as keys.
We could say you cannot use maps as keys in maps because it is too hard, but
then the question is where do we draw the line on too hard. Is it too hard
to use arrays? They might be arrays with arrays in them; is that too hard?
Instead of the CBOR spec saying this is too hard for you to do, we at some
point have to trust the protocol/application developer to understand the
tradeoffs.
- Even for an unloved diagnostic notation, you want people to read it without
resorting to little pieces of paper. So a symbolic representation (TAG_URI)
is definitely better than numbers.
You keep trying to elevate the diagnostic notation; we keep resisting.
- I don't understand your reply re: tags when applied to arrays. Is it up to
the application to decide whether the tag applies to all elements, to the
first one, to the last 14?
My reply may have been unclear, but the text in -05 should be clearer:
A tag always applies to the item that is directly followed by it. Thus, if tag
A is followed by tag B which is followed by data item C, tag A applies to the
result of applying tag B on data item C. That is, a tagged item is a data item
consisting of a tag and a value. The content of the tagged item is the data
item (the value) that is being tagged.
- Regarding error handling and security, I am slightly happier with -05, but
not by much. For some reason you avoid using 2119 language in places where I
would expect: parsers SHOULD include a strict mode. A strict mode parser
MUST fail when the syntax is broken (sec. 3.3, 3.4, and also 3.5). And so
forth.
This feels like creep to me, but Carsten wants to add more about strict mode in
the -06.
- Unknown tags: you specifically allow decoders (Sec. 3.5) to not implement
any tags they don't like, and then you specify the behavior of the decoder as
do whatever you feel like (and this is in -05). So a sender cannot rely on
*any* tag being implemented by the receiver, and cannot expect deterministic
behavior if any are not. This is a security issue IMO, but also an
interoperability thing.
In his new wording for strict mode, the decoder will not be able to ignore any
tag.
--Paul Hoffman
