Thank you for the review and feedback. I can understand the confusion if
you're not familiar with the EPP protocol. I attempt to clarify things below.
The info command and the poll command are different commands, but where the
confusion lies is with the response. A poll response can be any EPP response,
since the information for a poll response is built into the general EPP
response with the <msgQ> element (section 2.6 of RFC 5730), so any EPP response
"has a" relationship with the poll queue information. A concrete EPP response,
which in this case is an info response, extends ("is a" relationship) the EPP
general response, so a concrete EPP response can be used in the response to an
EPP command or an EPP poll command. In the case of the
draft-ietf-regext-change-poll, it specifies the use of the info response of
other EPP objects (e.g., domain in RFC 5731, host in RFC 5732, or contact in
RFC 5733) with the Change Poll Extension that defines the server-side operation
meta-data of what, when, who, and why. A concrete example is the server adding
a server status on a domain name, as defined in RFC 5731, where it can insert
an EPP poll message in the form of a domain info response that includes the
added server status, with the poll message <msgQ> element populated, and with
the Change Poll Extension added. The responses of
draft-ietf-regext-change-poll are associated with poll responses, where the
concrete poll responses used are info responses with the Change Poll extension.
A client would request the poll message using the EPP RFC 5730 poll command
and would receive the poll message in the form of an info response, with the
poll queue information included, and with the Change Poll extension.
I hope this helps.
Thanks,
—
JG
James Gould
Distinguished Engineer
jgo...@verisign.com
703-948-3271
12061 Bluemont Way
Reston, VA 20190
Verisign.com <http://verisigninc.com/>
On 10/29/18, 9:36 AM, "Valery Smyslov" <val...@smyslov.net> wrote:
Reviewer: Valery Smyslov
Review result: Ready with Nits
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.
This draft defines an extension for an Extensible Provisioning Protocol
(EPP, RFC 5730)
that allows servers to notify clients about operations which were not
initiated by clients, but which modify state of client-sponsored objects.
The extension is defined using standard EPP mechanism for adding extensions,
so Security Considerations from RFC 5730 are applied and no new ones are
added.
Keeping long message queues consume server resources and can
potentially be a surface for DoS attack, however as far as I understand
unauthorized entities cannot cause server to perform actions resulted in
operations on other clients' objects, so it seems that it is not a security
issue here.
Nevertheless adding a few words that it is not a security issue would be
helpful.
General comment not related to security. It seems to me that the protocol
description
is inconsistent. The Introduction Section states, that this extension only
extends
the response to the EPP <poll> command. However, Section 3 of this
specification,
which describes the EPP Command Mapping, extends only the response
to the EPP <info> command with poll message, and the <poll> command is not
mentioned
there at all. I'm not familiar with the EPP protocol, but I believe that
<info> and <poll>
are different commands, so unless I've missed something, it seems that the
protocol
description is inconsistent (or incomplete). Since it is not related to
security,
I think the document is Ready (from security perspective), but this
inconsistency
must either be fixed or some clarification be provided.
_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
