Barry Leiba has entered the following ballot position for
draft-ietf-dnssd-prireq-05: Yes

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dnssd-prireq/

COMMENT:

It’s useful to have this analysis; thanks. Just some editorial comments below.
Please consider them; none needs any explicit response. Please take specific
note of the last one, about the references.

General: “i.e.” and “e.g.” always need a comma after them.

— Section 1 —

There are cases when nodes connected to a network want to provide or
consume services without exposing their identity to the other parties

Nit: “their identities” (or “a node… wants… its identity”)

Consider for example a traveler

Nit: “Consider, for example, a traveler”

Disclosing Information In this document "disclosing information" is
also focused on disclosure by data conveyed via messages on the
service discovery protocol layer.

Do you mean “disclosure of data” (not “by”)?

— Section 2 —

All these attackers can either be passive, i.e.
they just listen to network traffic they have access to, or active,
i.e. they additionally can craft and send (malicious) packets.

Style: You decide, of course, but I find this easier to read with parentheses,
rather than “i.e.”s:

SUGGEST
All these attackers can either be passive (they
just listen to network traffic they have access to) or active
(they additionally can craft and send malicious packets).
END

on-link An on-link attacker is on the same network link as victim
devices engaging in service discovery; thus, the external attacker
is in the same multicast domain.

The second line should say “on-link attacker”.

MITM A Man in the Middle (MITM) attacker either controls (parts of)
a network link or can trick two parties to send traffic via him;

Nit: “Man-in-the-Middle” needs hyphens when it modifies “attacker”.
Style: I know that “him” matches “Man”, so maybe we should leave it as is.
Still, it jarred me. I would say “via the attacker.”

— Section 3.1.1 —
I love the ASCII-art stick figures.

just for tracking people or as a preliminary to targeted attacks.

“preliminary” isn’t a noun. Maybe “preliminary step”, or maybe “preamble”? Or
you could remove “as a”, and it would work. Yes, I think the last is the best
fix here.

— Section 3.1.2 —

such as
for example an airport's lounge.

Nit: “for example” needs to be set off with commas before and after it.

— Section 3.1.3 —

to further attacks, from theft to device specific hacking.

Nit: hyphenate “device-specific”.

"fingerprint" of the person, allowing identification.

Style: I would say “facilitating identification”, or maybe “risking
identification”.

— Section 3.2 —

This is mainly relevant for unicast based discovery

Nit: hyphenate “unicast-based”.

— Section 3.2.4 —

o Some attributes like the paper size available in a printer,

Fruit flies like a banana? The attributes are not paticularly fond of
anything: “Some attributes, such as the paper size available in a printer,”

Combinations of attributes have more information power than specific
attributes

Style: I would say, “than individual attributes”

Information contained in TXT records does not only breach privacy

Nit: make it “…records not only breaches privacy”

Further, TXT records often contain version information about services
allowing potential attackers

You need a comma after “services” — otherwise, the meaning isn’t quite as you
want it.

— Section 3.2.5 —

An argument is sometimes made that devices providing services can be
identified by observing the local traffic, and that trying to hide
the presence of the service is futile. However,

Given what you say below this, I think it would help to emphasize the point
here, so may I suggest this?:

NEW
An argument is sometimes made that devices providing services can be
identified by observing the local traffic, and that trying to hide
the presence of the service is futile. However, there are good
reasons for the doscovery service layer to avoid unnecessary exposure:
END

— Section 3.2.6 —

services, such as for example some private messaging services.

“such as” already means “for example”, so you don’t need both. I would just
remove “for example”.

— Section 3.4.1 —

can perform, the proxy may have some way to wake the device, as
implied in RFC6762 [RFC6762]

6762 is 50 pages-ish; do you mind adding a section to the citation to help the
reader find the implication?

— Section 3.4.2 —

Further it may cause an unnecessary level
of power consumption which is particularly problematic

Nit: this needs a comma after “further” and another after “consumption”.

unauthorized observers, while also managing to do that efficiently.

You’re missing an antecedent to “that”. I think you need to say, “to do its
job efficiently,” or something like that.

— Section 3.4.3 —

establishment requires active participation of the user, such as
entering a password or PIN.

I submit that “clicking OK” is also active participation. Maybe “more
significant participation” is better?

— Section 4 —

lead to a solution that does not transmit privacy violating DNS-SD

Nit: hyphenate “privacy-violating”.

mechanisms should be used on deeper layer network protocols and on
how to actually connect to services in a privacy preserving way,

Nit: hyphenate “deeper-layer” and “privacy-preserving”.

— Section 4.2 —

4. Avoid disclosure of information about the services they offer to
   unauthorized clients.

This sounds like it’s talking about services that they offer to unauthorized
clients. I don’t actually think readers will misunderstand it, but they might
trip over it. Maybe move “to unauthorized clients” after “disclosure”? That
way, you can make the same change in bullet 3 and keep them parallel and clear.

— Section 4.3 —

   Further, it would
   increase power consumption which is critical for IoT devices.

Increased power consumption isn’t what’s critical; just the opposite. Maybe
“which is damaging to IoT devices.”

— Section 7 —
Do with this comment what you will: I’m one who believes that Informational
documents do have Normative References. Those are the references that are
critical to the understanding of the document. Clearly, the DNSSD and mDNS
documents are in that category, and I think there are others. You needn’t
reply on this, and you needn’t do it if you disagree, but I think it would be
best to identify the key documents that readers of this need to be familiar
with, and move them into Normative References.

MDNS and DNS-SD are specified sing DNS packet formats. This had lots of operational advantages, but it constrains the solutions a lot. We should discuss whether to keep that, or go for unconstrained format. And get consensus from the WG.

Adam Roach has entered the following ballot position for
draft-ietf-dnssd-prireq-05: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dnssd-prireq/

COMMENT:

Section 3.2:

Information conveyed via multicast messages can be
obtained by an on-link attacker, while unicast messages are only
available to MITM attackers.

I don’t think this is accurate. Given that many of the environments under
consideration (e.g., airport WiFi) use unencrypted wireless transmission
combined with a captive portal. In these cases, an eavesdropper on the same
channel can snoop on even unicast traffic without mounting an MITM attack.

General:

The document speaks of randomization of identifiers, including those commonly
used by users to identify which services they want to connect to. While the
current state of affairs may list a directory such as:

• Adam’s iPhone
• David’s Google Pixel 3
• Alice’s Laptop

(allowing me to select something based on its published name)

This document seems to propose a future state where such directories are
instead presented as:

• {da566203-0320-4604-aa14-f58ae7bea00c}
• {6c0952a5-a573-4d92-9d4a-a4bc111a35d8}
• {785bed6b-1355-4e7e-ad57-b5ce27e83e56}

I find it a bit surprising that this document doesn’t include at least a
cursory mention of the difficulty users may have in device rendezvous under
such a scheme and potential solutions to such issues (e.g., using RFID or QR
codes to provide pairing information).

Roman Danyliw has entered the following ballot position for
draft-ietf-dnssd-prireq-05: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dnssd-prireq/

COMMENT:

Thanks for this document. Kuddos on the amazing ASCII art.

** Section 3.1.1. Per “Identifying devices leads to identifying people, either
just for tracking people or as a preliminary to targeted attacks.”, this didn’t
parse for me and the intent of the “just for tracking people” wasn’t clear. Is
the following the intent:

“Identifying devices can lead to identifying people, either for surveillance of
these individuals in the physical world or as a preliminary step for a targeted
cyber attack.”

** Section 3.1.2. Per “The requirement in that scenario is that the discovery
activity should not disclose the identify of either the client or the server”,
is something stronger more desirable? For example, is there any desire to
thwart the discovery of the “business and social interactions” between the
device owners?

** Section 3.1.3 It seems as if all of the same challenges of Section 3.1.1
“identifying people” and using the information for a “targeted attack” apply
here too (but it’s said in a different way). Is it worth link the same issues
across scenarios?

** Section 3.2. Per “Information conveyed via multicast messages can be
obtained by an on-link attacker, while unicast messages are only available to
MITM attackers.”, please clarify why a passive on-link attacker can’t see the
unicast messages?

** Section 3.2.5. Per “This combination of services and attributes will often
be sufficient to identify the version of the software running on a device”,
makes sense. Is it worth adding that with this information and traffic
analysis, you might also be able to get identity (track people).

Benjamin Kaduk has entered the following ballot position for
draft-ietf-dnssd-prireq-05: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dnssd-prireq/

COMMENT:

Section 1

connected to the same network. Consider for example a traveler
wanting to upload pictures from a phone to a laptop when connected to
the Wi-Fi network of an Internet cafe, or two travelers who want to

[both devices are on the same Wi-Fi, right?]

Disclosing Information In this document "disclosing information" is
also focused on disclosure by data conveyed via messages on the
service discovery protocol layer.

This is generic non-identity but still potentially sensitive data,
right?

Section 3.2

kinds of means for making DNS-SD resource records available. These
means comprise but are not limited to mDNS [RFC6762], DNS servers
([RFC1033] [RFC1034], [RFC1035]), e.g. using SRP
[I-D.ietf-dnssd-srp], and multi-link [RFC7558] networks.

nit: this "e.g." seems out of place.

Section 3.2.2

There is, of course, also no authentication requirement to claim a
particular instance name, so an active attacker can provide resources
that claim to be Alice's but are not.

Section 3.3.2

This sort of problem frequently ends up with a third-party "trusted
introducer", though it's not clear that mentioning this in the document
will add value.

3.4.2

I'm given to understand that for many radio technologies, multicast is
both effectively broadcast and has specific spectrum
requirements/properties that make it especially scarce, compared to
unicast spectrum.