Hi Roman,

thanks a lot for your review. Please find my comments inline.

Il 04/09/2020 23:13, Roman Danyliw via Datatracker ha scritto:
Roman Danyliw has entered the following ballot position for
draft-ietf-regext-rdap-partial-response-13: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-regext-rdap-partial-response/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

** Section 2.1.  Can a server return multiple entries in the availableFieldSets
area with default=TRUE?  Probably not.  Should something be said to that effect?

[ML] Obviously not. I don't think something further should be said in this case. I simply consider it a server failure.


** Section 4.  Per ‘Fields included in the "brief" and "full" field set
responses MUST take into account the user's access and authorization levels’,
would there be circumstances where the “id” field set should also take into
account the user’s access and authorization level?  Section 8 noted that “RDAP
operators can vary the information returned in RDAP responses based on a
client's access and authorization levels.”  My thinking is that if a given
client’s access level would result in particular fields being removed, then
perhaps they shouldn’t have been listed in the “id” field list to
begin with.

[ML] Removing an object identifier from the "id" field set seems to me something deeply disagreeing with the purpose of that field set.

An RDAP provider may evaluate to provide more side information (more links, more notices, more remarks) according to the user access level, but not less relevant information.

Besides, removing the object identifier but keeping the self link is nonsense because it means providing the same information as the object identifier but more difficult to process for an RDAP client.

** Section 8.

    A search query typically requires more server resources (such as
    memory, CPU cycles, and network bandwidth) when compared to a lookup
    query.  This increases the risk of server resource exhaustion and
    subsequent denial of service due to abuse.  This risk can be
    mitigated by supporting the return of partial responses combined with
    other strategies ...

I do not follow how partial responses provide denial of service mitigation when
the attack is intentional.  Wouldn’t the attacker continue to request full
queries given the choice between loading the server with a subset vs. full
query?  Or is this text saying that because of the use of partial responses the
server would have more capacity and this would enable it to better resist a
denial of service?

[ML] Obviously, the second one, but I agree with you that the sentence needs to be rearranged. Could removing "due to abuse" be enough?

** Editorial:
-- Section 1.  Editorial.  s/fewer data/less data/

[ML] A native speaker suggested that I replace "less data" with "fewer data" before WGLC. After a further check on the web, it seems that "less" fits better for massive data.

Therefore, I'll revert that change in the next version.

Looking forward to your answers to my comments.

Best,

Mario.




--
Dr. Mario Loffredo
Systems and Technological Development Unit
Institute of Informatics and Telematics (IIT)
National Research Council (CNR)
via G. Moruzzi 1, I-56124 PISA, Italy
Phone: +39.0503153497
Mobile: +39.3462122240
Web: http://www.iit.cnr.it/mario.loffredo

_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
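The "multiple default field sets" case discussed above is something an RDAP client can detect on its own rather than trusting the server. The following is an added example (not code from the draft or from the thread's authors); it assumes the subsetting metadata layout of the draft, i.e. an object with "currentFieldSet" and an "availableFieldSets" array whose entries carry "name", "description" and "default" (the sample values are constructed).

```python
import json

# Constructed sample of an RDAP subsetting metadata object (assumed layout
# from draft-ietf-regext-rdap-partial-response): two entries claim to be the
# default, which the thread treats as a server failure.
SAMPLE_METADATA = json.loads("""
{
  "currentFieldSet": "brief",
  "availableFieldSets": [
    {"name": "id",    "description": "Object identifier and self link", "default": false},
    {"name": "brief", "description": "Most relevant fields",            "default": true},
    {"name": "full",  "description": "All fields",                      "default": true}
  ]
}
""")


def check_field_sets(metadata):
    """Return a list of consistency problems found in subsetting metadata.

    An empty list means: availableFieldSets is present and non-empty, every
    entry has a unique non-empty name, at most one entry is marked default,
    and currentFieldSet (if given) names one of the advertised field sets.
    """
    problems = []
    sets = metadata.get("availableFieldSets") or []
    if not sets:
        problems.append("availableFieldSets is missing or empty")
    names = [fs.get("name") for fs in sets]
    if any(not isinstance(n, str) or not n for n in names):
        problems.append("field set without a valid name")
    duplicates = sorted({n for n in names if names.count(n) > 1})
    if duplicates:
        problems.append("duplicate field set names: %s" % duplicates)
    # The server may advertise at most one default field set.
    defaults = [fs.get("name") for fs in sets if fs.get("default") is True]
    if len(defaults) > 1:
        problems.append("more than one default field set: %s" % defaults)
    current = metadata.get("currentFieldSet")
    if current is not None and current not in names:
        problems.append("currentFieldSet %r is not an advertised field set" % current)
    return problems


if __name__ == "__main__":
    for problem in check_field_sets(SAMPLE_METADATA):
        print("problem:", problem)
```

A client that runs this check can treat any reported problem as a malformed response instead of picking a default field set at random.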
