
Re: [perpass] comments and questions for the group on draft-farrell-perpass-attack-02

2013-12-09 10:03:43

Hi Eliot,

On 12/09/2013 02:53 PM, Eliot Lear wrote:
> Hi Stephen,
>
> I'm not comfortable with having this discussion just in perpass, since
> the impact of what you are proposing is quite broad, as is my concern.
> This is an IETF last call comment.  The IESG directed those comments to
> go to the IETF list.

WFM. I agree sticking to ietf@ietf.org for this is right.


> On 12/9/13 2:23 PM, Stephen Farrell wrote:
>
>> The chair you mean is Mark
>> Nottingham in this [1] mail to the httpbis list.
>>
>>    [1] http://lists.w3.org/Archives/Public/ietf-http-wg/2013OctDec/1453.html
>>
>> I definitely did not read him the way you appear to have and
>> that distinction matters. If you are the only one to take him
>> as saying that then I guess you'd agree that your changes
>> would be based on a fallacy. Maybe Mark can clarify but I think
>> it's already crystal clear that he was not saying "ignore
>> everything else" - I'd be stunned if that was what he meant.
>
> The point was and is that I wanted to respond to him to clarify that one
> should not ignore everything else,

So, nothing in the draft says "ignore everything else" and it'd
be wrong if it did. Pervasive monitoring is an attack and like
the draft says:

   The IETF also has consensus to, where possible, work to mitigate the
   technical parts of the pervasive monitoring attack, in just the same
   way as we continually do for these and any other protocol
   vulnerability.

I think that's quite clear - we handle it the same as for "any
other protocol vulnerability."

> when in fact I found the opposite:
> since you laid out explicitly only network management considerations,

But the above already says that this is just another threat.
An important one? Sure. Overrides everything else? Of course not.

But yes we called out one significant area where there's an obvious
tension caused by mitigating this threat but where there's also
an obvious need for some forms of monitoring in order to ensure
that networks can be managed.

> the implication is that all other considerations are excluded.

I don't read the draft that way at all fwiw. If everyone did,
that'd be something to fix though, I agree.

> The
> purpose of my change is to remove that implied exclusion, and leave this
> to working groups to wrestle with.

Working groups will have to wrestle with this BCP yes. In some
cases that'll be easy. In other cases, hard.

> I'm happy with Robin's wording as
> well, and I don't mind you proposing other wording further to your
> liking, so long as we recognize that there are other considerations.

As I read it, that's there already in the text quoted above.
I don't think we want to try to list every possible other
consideration, or we'll never get this done.

> If you can show me where in your text it allows for those other
> considerations as I believe I've done in the reverse, I'll be happy to
> stand corrected.

My reluctance to extend a get-out-of-jail card here should be
fairly obvious, but I think it's important that we recognise that
there will be people who from time to time will want to work around
the IETF consensus on this topic.

If your argument was "why just call out network management" that's
a good question, but to be honest the alternative wordings I've seen
so far do seem to offer a broad get-out-of-jail card and I don't
believe that represents the overwhelming consensus we had in the
room in Vancouver, which is what this draft attempts to document.

Cheers,
S.


> Eliot