Re: OWAMP review (Was: Re: Please review documents on IESG agenda for June 9, 2005)
- To: aaa-doctors@ops.ietf.org
- Subject: Re: OWAMP review (Was: Re: Please review documents on IESG agenda for June 9, 2005)
- From: stanislav shalunov <shalunov@internet2.edu>
- Date: Thu, 9 Jun 2005 16:29:13 -0700
- User-agent: Mutt/1.4.1i
- User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3
Jari,
I have made some changes to the specification based on your comments
and our discussion. A unidiff of the changes is attached below my
signature. Let me know if this addresses your concerns and adequately
captures our intent.
Jari Arkko <jari.arkko@piuha.net> writes:
> The thing is, I'm not sure I have a good size to recommend.
> If you have a user@domain type of a name typically used over
> AAA, then according to current standards it should be at least
> 72 bytes though in practice less would suffice. But I wouldn't want
> to add a 64 or even 32 fixed size field to a protocol, it would look
> a bit silly. So that's why I said changing it is probably not what
> we want. With 16 bytes you'll still fit in all usernames, but not
> domain parts. But I guess this is not the application that you'd
> be using roaming with anyway :-)
I haven't made any changes here. It'd be perfectly OK, as far as the
authors are concerned, to change 16 to 80 or 64 here. Let us know if
that's what we should do.
> >>>7. IANA Considerations
> >>>
> >>> IANA is requested to allocate a well-known TCP port number for the
> >>> OWAMP-Control part of the OWAMP protocol.
> >>>
> >>How about Accept values? Might make sense to have a rule about adding
> >>those. Say, Standards Action.
> >>
> >
> >No objection (assuming the IESG is OK with burdening the IANA with
> >maintaining the registry).
> >
> Ok.
I haven't heard any preference from any IESG members. Should we set
up an extra registry?
Pros:
- neatly encapsulates more mutable part
Cons:
- extra work for IANA;
- would not be shared by multiple documents, so, arguably, should
remain in the OWAMP spec;
- no easier to change, if standards action is required, than simply to
amend the OWAMP specification.
What should be done here? (I'll not do any changes unless I am told
of a preference by someone.)
--
Stanislav Shalunov http://www.internet2.edu/~shalunov/
This message is designed to be viewed with 0.06479891g of NaCl.
Index: draft-ietf-ippm-owdp.nroff
===================================================================
RCS file: /home/cvs/engdev/owdp-id/draft-ietf-ippm-owdp.nroff,v
retrieving revision 1.119
retrieving revision 1.121
diff -u -r1.119 -r1.121
--- draft-ietf-ippm-owdp.nroff 20 Dec 2004 05:01:10 -0000 1.119
+++ draft-ietf-ippm-owdp.nroff 9 Jun 2005 19:58:47 -0000 1.121
@@ -351,7 +351,7 @@
ATM segmentation and reassembly (SAR). Consequently, OWAMP has been
designed to allow for small test packets that would fit inside the
payload of a single ATM cell (this is only achieved in unauthenticated
-and encrypted modes).
+mode).
.Pa
Protocol Overview
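Review bot: the narrowed claim in the new line "mode)." drops encrypted mode from the set of modes whose test packets fit a single ATM cell payload, but gives no reason, and the previous revision stated the opposite; a reader comparing revisions is left to infer that the authenticated and encrypted test-packet formats now exceed the cell payload. Suggest adding a short clause stating why encrypted mode no longer qualifies, and making the same statement where the test-packet sizes and padding are specified, so the two places cannot drift apart.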
@@ -486,7 +486,8 @@
In unauthenticated mode, Username, Token, and Client-IV are unused.
-Otherwise, Username is a 16-octet indicator that tells the server
+Otherwise, Username is a UTF-8 string, up to 16 octets in length (if
+the string is shorter, it is padded with zero octets), that tells the server
which shared secret
the client wishes to use to authenticate or encrypt, while Token is the
concatenation of a 16-octet challenge and a 16-octet Session-key,
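Review bot: the new Username definition ("a UTF-8 string, up to 16 octets in length", zero-padded if shorter) leaves the parsing rule ambiguous: it does not say whether a zero octet terminates the string, whether a Username MAY itself contain zero octets, or that a Username of exactly 16 octets carries no padding at all. Suggest adding "Username MUST NOT contain zero octets" and stating that the server selects the shared secret after removing trailing zero octets, so the same name always selects the same secret regardless of padding. Two further points worth a sentence each: 16 octets limits the encoded length, not the character count, so a multi-byte UTF-8 sequence MUST NOT be split at the boundary and a field that is not valid UTF-8 should be rejected rather than guessed at; and the comparison should be stated as octet-wise with no Unicode normalization (or the normalization named), otherwise client and server may disagree on which secret a given name selects.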
@@ -1889,6 +1890,22 @@
SHOULD limit receivers to hosts they control or to the OWAMP-Control
client.
+Unless otherwise configured, the default behavior of servers MUST be
+to decline requests where the Receiver Address field is not equal to
+the address that the control connection was initiated from or an
+address of the server (or an address of a host it controls). Given
+the TCP handshake procedure and sequence numbers in the control
+connection, this ensures that the hosts that make such requests are
+actually those hosts themselves, or at least on the path towards them.
+If either this test or the handshake procedure were omitted, it would
+become possible for attackers anywhere in the Internet to request
+large amounts of test packets be directed against victim nodes
+somewhere else.
+
+In any case, OWAMP-Test packets with a given source address MUST only
+be sent from the node that has been assigned that address (i.e.,
+address spoofing is not permitted).
+
.Pb
Covert Information Channels
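Review bot: the default check "decline requests where the Receiver Address field is not equal to the address that the control connection was initiated from or an address of the server (or an address of a host it controls)" does not define "a host it controls" for an implementer, and says nothing about clients behind a NAT: the server sees the translator's address, so such a client cannot name its own address as the receiver, while any other host behind the same translator would pass the check. Suggest tying "a host it controls" to the receiver list the preceding SHOULD already asks operators to configure, and noting the NAT limitation explicitly. The justification "Given the TCP handshake procedure and sequence numbers in the control connection" would read more precisely as: a completed handshake shows that the requester can receive packets sent to the address it connected from (or is on the path to it); the sequence numbers are part of that handshake rather than a separate argument. In the last paragraph, "OWAMP-Test packets with a given source address MUST only be sent from the node that has been assigned that address" is the right requirement, but the text should say who enforces it, since a server cannot verify a source address the client chooses for its own test packets; at minimum a server should apply the same address-equality rule to any source address it is asked to send to or accept from.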
@@ -2135,7 +2152,9 @@
.Pa
Internationalization Considerations
-The protocol does not carry any information in a natural language.
+The protocol does not carry any information in a natural language,
+with the possible exception of the Username in OWAMP-Control, which is
+encoded in UTF-8.
.Pa
Appendix A: Sample C Code for Exponential Deviates
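Review bot: "with the possible exception of the Username in OWAMP-Control" hedges on something the specification itself decides; state plainly that Username is a UTF-8 string that may contain natural-language text, and point to the 16-octet (not 16-character) limit and the zero-padding rule from the Username definition so this section and the field definition cannot drift apart. If no Unicode normalization is performed before Username comparison, record that here as well, since this is the section a reader will consult for it.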