On 17-12-2020 at 08:37, Éric Vyncke via Datatracker wrote:
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------

Thank you for your feedback Éric,

> -- Section 3 --
> I like that a Client cookie must be changed upon local IP address change but I
> am afraid that there is no way to detect that a provider Carrier Grade NAT
> (CGN) is using round robin among a pool of public address; this still allows
> for client tracking as the client cookie is unchanged even if the public IP
> address has changed. Should there be some text around this issue or in the
> security section ?

Agree, I have a soon-to-be-submitted revised document that has a
paragraph on tracking of the public IP of NAT devices being beyond the
scope of the document. See:

https://github.com/NLnetLabs/draft-sury-toorop-dns-cookies-algorithms/pull/23/commits/83155e4bfed1afb08611723a13f9ebc045179e63

> -- Section 4.4 --
> Should there be a recommended minimum length of the shared secret (or entropy
> level)?

With SipHash-2-4, the secret is fixed length: 128 bits.

> -- Section 6 --
> In "This document REQUIRES compliant DNS Server to use SipHash-2.4 as a
> mandatory and default algorithm for DNS Cookies", I wonder whether "a mandatory
> and default" is required as only one algorithm is specified and there is a
> "REQUIRES".

Well, there could be more algorithms in the future, but in that case
this one will be the default one.


Your other comments and nits are addressed in the revised document.
Except for the suggestion for a different title, which we're still
discussing.

Cheers,
-- Willem

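As an added illustration of the two points above (the fixed 128-bit SipHash-2-4 secret, and a server cookie that is bound to the client's public address while the client cookie is not), here is a small, self-contained SipHash-2-4 plus server-cookie construction. This is example code, not the draft's or any implementation's own; the cookie layout (Version, Reserved, Timestamp, Hash) follows the published form of this draft, RFC 9018, and the byte order of the 64-bit hash is assumed to be the little-endian output of the SipHash reference implementation.

```python
import struct

MASK64 = (1 << 64) - 1

def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK64

def siphash24(key: bytes, msg: bytes) -> int:
    """SipHash-2-4: 2 compression rounds per block, 4 finalization rounds.
    The key is fixed at 16 bytes (128 bits); there is no other valid length."""
    if len(key) != 16:
        raise ValueError("SipHash-2-4 key must be exactly 128 bits")
    k0, k1 = struct.unpack('<QQ', key)
    v = [k0 ^ 0x736f6d6570736575, k1 ^ 0x646f72616e646f6d,
         k0 ^ 0x6c7967656e657261, k1 ^ 0x7465646279746573]

    def sipround():
        v[0] = (v[0] + v[1]) & MASK64; v[1] = _rotl(v[1], 13); v[1] ^= v[0]; v[0] = _rotl(v[0], 32)
        v[2] = (v[2] + v[3]) & MASK64; v[3] = _rotl(v[3], 16); v[3] ^= v[2]
        v[0] = (v[0] + v[3]) & MASK64; v[3] = _rotl(v[3], 21); v[3] ^= v[0]
        v[2] = (v[2] + v[1]) & MASK64; v[1] = _rotl(v[1], 17); v[1] ^= v[2]; v[2] = _rotl(v[2], 32)

    # Pad to a multiple of 8 bytes; the last byte of the final block is len(msg) mod 256.
    padded = msg + b'\x00' * (7 - len(msg) % 8) + bytes([len(msg) & 0xff])
    for i in range(0, len(padded), 8):
        m, = struct.unpack('<Q', padded[i:i + 8])
        v[3] ^= m
        sipround(); sipround()
        v[0] ^= m
    v[2] ^= 0xff
    for _ in range(4):
        sipround()
    return v[0] ^ v[1] ^ v[2] ^ v[3]

def server_cookie(secret: bytes, client_cookie: bytes, client_ip: bytes, timestamp: int) -> bytes:
    """Server Cookie = Version(1)=1 | Reserved(3)=0 | Timestamp(4) | Hash(8), where
    Hash = SipHash-2-4(Client Cookie | Version | Reserved | Timestamp | Client IP, secret)."""
    if len(client_cookie) != 8:
        raise ValueError("client cookie is 8 bytes")
    prefix = b'\x01' + b'\x00' * 3 + struct.pack('>I', timestamp)
    h = siphash24(secret, client_cookie + prefix + client_ip)
    return prefix + struct.pack('<Q', h)   # hash bytes in reference little-endian order (assumed)

# Constructed sample values: a 128-bit server secret, one client cookie, two public IPv4s.
SECRET = bytes(range(16))
CLIENT_COOKIE = b'\x10\x11\x12\x13\x14\x15\x16\x17'
IP_A, IP_B = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
```

Because the client address is part of the hashed input, a client whose CGN-assigned public address changes from IP_A to IP_B is issued a fresh server cookie, while its unchanged client cookie is exactly what Éric's comment identifies as the tracking signal.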
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
