185 Matching Annotations
  1. Jul 2024
    1. encrypted by the TLS

      Check if east-west traffic is encrypted as well.

    2. Nydus Snapshotter to enhance the container launch speed

      Understand how Nydus might impact the threat model for the CRI.

    3. security of the data transmission by encrypting the data

      Understand how identity/tokens are established/rotated/stored.

      1. Are tokens short spanned by default?
      2. What is the blast radius of the token compromise?
      3. How are tokens/cred stored locally?
      4. What is the revocation logic that it is dependent on?
    4. download back-to-source

      What does this term mean?

  2. Mar 2023
  3. Feb 2023
  4. Nov 2022
  5. Jul 2022
    1. matchDirectories: - dir: /run/secrets/kubernetes.io/serviceaccount/ recursive: true action: Block # Denied in Global Context - dir: / # Allow every file in general, we need this because default posture is block due to presence of an allow policy but we still want to be less restrictive recursive: true - dir: / recursive: true fromSource: - path: /bin/cat

      This policy does not makes sense. It denies access to serviceaccount for all. For cat the access is enabled by allowing access to / recursively.

      What happens if we have two rules? 1. allow serviceaccount access to cat only 2. allow /etc/passwd access to more only

      With the given rule, cat and more will still have direct access to / recursively.

  6. Jun 2022
    1. contain multicast addresses in the RPL Target Option (RTO)

      It is not possible to hold multiple addresses in a single RTO. Do you mean multiple RTO each containing a multicast address?

    2. This means that a multicast address that needs to span a RPL DODAG MUST use a scope of Realm-Local whereas a multicast address that needs to span a RPL Instance MUST use a scope of Admin-Local as discussed in section 3 of "IPv6 Multicast Address Scopes" [RFC7346].

      This is not clear to me.

  7. Nov 2021
    1. From Neighbor Cache Entry: C delivers the packet to F.

      How can C deliver packet to F using Neighbor Cache Entry?

      Is it E delivers the packet to F?

    2. which

      where

    3. comprises provides

      comprises of

    4. new section

      section is a new term

    5. ensure that no packet is lost

      there is no way to ensure that no packet is lost.

    6. ignored by the receiver if the 'P'flag is set

      why to ignore the SenderRank if the 'P' flag is set?

    7. Projected-Route 'P':

      As I understand, this flag is only for additional information. This P flag is not used for processing in the RPI. Is this correct?

    8. Step of Rank

      What exactly is the Step of Rank? Is it:

      1. Difference between the rank of this node and the sibling?
      2. DAGRank() as computed in Section 3.5.1 in RFC 6550? This needs to be explained with an example.
    9. Figure 6: Projected DAO Base Object

      I got very much confused between Projected DAO Request and Projected DAO Object (Figure 6 and Figure 9).

      Projected DAO Request is sent from the node to the Root (Figure 9). Projected DAO message is sent from the root to the nodes to install P-routes (Figure 6) and this message is a updated DAO message with the P flag (thus updating 6550).

    10. C delivers packets to F or G.

      E delivers packets to F or G.

    11. In

      XInX

    12. C delivers packets to F or G

      E delivers packets to F or G.

    13. 3

      Section 2.4 "Domain Terms" states for Track Segment would typically be installed using Storing Mode P-DAO messages .. But in this example, P-DAO 3 is a NSM P-DAO.

      Why is it stated in Section 2.4 that, "With this specification, a Segment is typically installed by the Root of the main DODAG using Storing Mode P-DAO messages."

    14. what how

      XXwhatXX

    15. the excursion

      ??

    16. destination

      Destination

    17. need converge

      need to converge

    18. Segment used

      Segment is used

    19. namespace

      This is a new term! Does the line mean that the TrackID is local to the Track Ingress?

    20. ny the

      by the

    21. RAW

      Add this to terminology section above.

    22. anisotropic Distance Vector protocol

      Anisotropic?

  8. Aug 2021
  9. Jun 2021
  10. Jan 2021
    1. cilium_vxlan

      The example is all about non-tunnelled deployments but the tcpdump shows vxlan interface?

  11. Oct 2020
    1. IPv6 Node Requiements

      Requirements

    2. See [18] section 2.17 for discussion.

      This reference is broken. There is no section 2.17.

    3. A host MAY implement a "half-duplex" TCP close sequence, so that an application that has called CLOSE cannot continue to read data from the connection (MAY-1).

      "cannot continue to read data from the connection" ...

      shouldn't this be "can continue to read data from the connection"

    4. quiet time" specification

      Interesting to note.

    5. sequency numbers

      sequence numbers

    6. This information is carried in IP headers and is transferred across the TCP/Network interface in the arguments or results of calls by the TCP implementation on the IP layer.

      Difficult to understand.

      Checksum is carried in IP headers and is transferred across the TCP/Network interface in the arguments or results of calls by the TCP implementation on the IP layer.

    7. large window sizes will appear like negative windows and TCP will now work (MUST-1).

      "now work" ... is it "not work"?

      Also what does MUST - 1 indicate?

    8. though there is some risk of instability due to changes of lower-layer forwarding behavior

      loved to see some references in the context.

    9. each TCP segment sent as an Internet Protocol (IP) datagram.

      Is it necessary that each TCP segment is sent as in IP datagram?

  12. Sep 2020
    1. form the

      from the

    2. current on

      current one

    3. Set to 0

      RPLInstanceID = 0 is a valid instance ID as per 6550. This draft uses value 0 as a special purpose ID to instantiate a new TrackID.

    4. of

      or

    1. LoRaWAN layer will respect the regulation if required

      Which regulation is to be respected?

    2. applicative uplink

      What does "applicative uplink" means?

    3. In that case the device is the fragmentation receiver, and the SCHC gateway the fragmentation transmitter.

      In this case the device is the fragments receiver, and the SCHC gateway is the fragments transmitter.

    4. Tile

      For details about what tile is please provide ref to specific section in RFC 8724.

    5. DTag

      Please provide reference to Section 8.2.4 in RFC 8724 for DTag.

    6. In that case the device is the fragmentation transmitter, and the SCHC gateway the fragmentation receiver.

      In this case the device is the fragment transmitter, and the SCHC gateway is the fragment receiver.

    7. trigger a LoRaWAN join

      IID collision can be detected only by the Network Gateway. How would the Network Gateway initiate a LoRaWAN join?

      Section 4.4 defines that only the end device can initiate a JoinRequest frame.

    8. It uses another FPort

      Turns out it is not possible to use the same FPort number for both uplink and downlink in order to facilitate fragmentation as described in Section 5.2. Thus it may be better to use MUST here for specifying the different FPortDown i.e., mandating the the sets of FPortUp and FPortDown are fully disjoint.

    9. interoperability RECOMMENDED

      interoperability, recommended

    10. LoRaWAN payload | + ------------------------ + | SCHC packet

      The diagram shows that the LoRaWAN payload is separate from the SCHC packet. How to determine the size of LoRaWAN payload?

    11. fragmentation

      I believe the term "fragmented datagram" should be used in place of "fragmentation datagram" in whole of this para.

    12. LoRaWAN technology supports unicast downlinks, but also multicast

      rephrase.

    13. send

      sent

    14. major network's settings

      What is "major network's settings"? Was it supposed to be "network's major settings"?

    15. message

      Section 4.3, 4.4 uses the term frames and messages interchangeably. It would be better to use a single term, ideally frame for all the purposes of section 4.3/4.4.

    16. The lower the downlink latency, the higher the power consumption.

      I dont think you meant downlink latency here. I think you meant downlink frequency or listen periodicity.

    17. Join

      Join Server is not explained in the list of entities in the architecture.

    18. F/R

      C/D rules is understood, but what are F/R rules?

    19. are

      is

  13. Jun 2020
    1. If the Root indicates the capability to proxy the EDAR/EDAC exchange to the 6LBR by setting the "P" flag, the 6LR refrains from sending an EDAR message; if the Root is separated from the 6LBR, the Root regenerates the EDAR message to the 6LBR upon a DAO message that signals the liveliness of the Address. The regenerated message is anonymous if and only if the DAO is a legacy message that does not carry a ROVR as specified in Section 8.

      Not clear about this. Revisit Later.

    2. Root sets the "P" flag in the DODAG Configuration Option

      If Root sets the "P" flag then the 6LR should refrain from doing EDAR directly. But in the general flows the 6LR is doing EDAR.

    3. recognizable by a zero ROVR field

      by an absence of ROVR field.

    4. Updated Target Option

      It is possible to send complete target address but only partial prefix before. But with the new format this is not possible. For e.g., lets say the 6LR has IPv6 address FD00::1234/128 and manages the prefix fd00::/64. It was possible to send complete address fd00::1234 but only mentioning the prefix length as 64. But now it is no more possible.

    5. Aligned to 4-byte boundary

      Why is alignment to 4Byte boundary needed? Alignment to octet should be enough and saves bytes for odd prefixes.

    6. The 6LN signals the termination of a registration with a 6LR using an NS(EARO) with a Registration Lifetime set to 0.

      Section 5 states that the 6LR should refrain from sending EDAR messages if the Root signals 'P' flag. Should the 6LR in that case directly originate the DAO to the Root even for first registration? There is no flow diagram depicting or detailed clarification regarding the signaling to do when 'P' flag is set.

    7. If it is successful, the 6LR creates an NCE and injects the Registered Address in RPL using DAO/DAO-ACK exchanges all the way to the RPL DODAG Root.

      This indicates DAO Storing MOP behaviour.

    1. DIS Base Object

      Rather than changing the DIS Base Object for a specific cause it may be better to update the Solicited Information Option.

    2. Modification

      Modified

    3. abbreviated version

      The abbreviated version can be sent only once the end to end path of the target is established.

    4. Protected options

      Rather than calling "Protected Options" we should call them "Elided Options"

    5. A child node maintains the freshest RCSS received from its parents in each of the RPL Instances that it participates to

      Here it is implied that RCSS is Instance-specific while above it was implied that it is DODAG specific.

    6. The Root SHOULD jump rapidly away from the straight part once the network has sufficiently settled by resetting the RCSS to 0,

      How can the node decide that the network has sufficiently settled? Any example ways?

    7. Abstract

      This draft updates 6550. The abstract needs to reflect that.

    8. The scope of an RCSS is one DODAG within one RPL Instance.

      The scope of the RCSS should be RPLInstance. Even if the node switches a DODAG in the same RPLInstance the RCSS should be applicable since all the options are still valid.

    9. Abbreviated Option Option (AOO)

      Not sure how AOO is used ?

      1. Is AOO used only in DIS messages?
    10. DODAGID

      It is better to clarify what all can be elided with A flag set.

      • DODAGID
      • Tgt Opt
      • TgtDesc
      • TIO
    11. e 'A' flag to indicate that the DAO

      The DAO options could be easily elided in NS MOP but in Storing MOP it is difficult to apply the same logic especially for 6LRs.

    12. GCO is requested

      better to calls this Cap option

    13. DAO is resent with the same DAOSequence

      6LRs do not keep DAO states... they maintain states based on targets. Using DAO + DAOSequence may not be helpful.

    14. Abbreviated Option Option

      AOO option full form is Abbr Option Option Option :-)

    15. RUL: RPL-Unaware Leaf

      unused term

    16. RPI: RPL Packet Information (an Option in the Hop-By_Hop Header) RAL: RPL-Aware Leaf RAN: RPL-Aware Node

      remove these terms

    17. This document uses the terms RPL Leaf, RPL Aware Leaf (RAL), RPL- Aware Node (RAN) and RPL-Unaware Leaf (RUL) as defined in section 2 of [USE_OF_RPL_INFO]. A RPL-Unaware Leaf (RUL) thus refers to a host that does not understand RPL but uses a RPL router (without necessarily knowing it) as default gateway and depends on that router to obtain reachability for its addresses inside the RPL domain. Conversely, the term RPL- Aware Node (RAN) is used to refer to a node that participates to RPL and advertises its addresses or prefixes by itself.

      These paras have no relevance to the drafts core content. I think these paras are simply copy-forwards from previous draft used as a template.

    18. DCO

      Calling DODAG Configuration Option as DCO may be confusing since the DCO is used for Destination Cleanup Object .. Can we call DODAG Configuration Option as CfgOpt instead?

    19. Destination Advertisement Object (DAO) messages

      How is DAO message options elided? RCSS is only controlled by Root and only applies for Root-related options.

    20. RPL Configuration State Sequence (RCSS)

      Can we call this Root-Configuration-State-Sequence (RCSS) in place of RPL-Configuration....

      I want to reuse the term in Caps as Node-Configuration-State-Sequence (NCSS) ..

    21. Last Synchronized RCSS

      What value should the DIS-sender send if the previous RCSS is not known?

  14. Apr 2020
    1. Done

      What is Done?

    2. Figure 8 for RPL

      Figure 8 does not show first time registration

    3. 6LR

      Shouldnt this be called RAN.

    4. RCO

      DCO

    5. whereby the it is possible

      syntax problem

    6. acknoledgement

      acknowledgement

    7. if

      of

    8. TIO by converting the Lifetime Units used in RPL into units of 60 seconds used in the 6LoWPAN ND messages

      The units of RPL may not be units of 60s (as for 6lo).

    9. then it MUST stop injecting the address

      Can the NCE be purged?

    10. if

      If

    11. sends

      sent

    12. Extended DAR

      Why EDAR is directly invoked by the 6LR in NS MOP case for first registration? Isnt the implementation simpler if the root does it for all the cases? The 6LR can just initiate the DAO in all cases and root takes care of sending anonEDAR to 6LBR.

    13. imbeds

      embeds

    14. The RUL MUST register to all the 6LRs from which it desires routing services

      How will we deal with enrollment draft once it kicks in? Enrollment priority won't be honored by the RULs.

    15. Follows the RPI-6LoRH and then the IP-in-IP 6LoRH

      Sentence seemed to be cutoff.

  15. Mar 2020
  16. Jan 2020
    1. on

      ON

    2. operate as ships-in-the-night

      What is ships-in-the-night? Didn't find any explaination in the given ref.

    3. uncompresses

      uncompressed

    4. when it

      When it

    5. joins

      join

    6. But the node is also free to refrain from joining an Instance when a parameter is not suitable.

      Refrain from joining an instance is not same as "join as leaf". A node which joins as leaf, still is joining the instance.

    7. It results whether a parent supports RFC 8138 is not known by the child with the current level of specifications, and a child cannot favor a parent based on a particular support.

      Not clear.

    8. implicitely

      spelling mistake

  17. Dec 2019
    1. PS

      We need a way to compress parent set because we are dealing with DIOs here.

    2. IANA Considerations

      A new register for the NSA TLV type has to be created.

    3. PS IPv6 address

      Should the parent node send PS IPv6 addresses in the order of preference? i.e. preferrend parent first and so on ... The parent preference needs to be known for the child node to define the policy to use.

    4. TLV

      RFC 6551 does not define the TLV structure. This document should first define the TLV structure and then specify the PS TLV.

    5. A|O|

      Make it clear how these A|O bits should be handled with PS.

    6. For example, using different methods can be used to vary the transmission reliability in each hop.

      This statement is out of order

    7. Common Ancestor Objective Functions

      CA Strict/Medium/Relaxed policies should be explained before the CA OF is defined. CAOF often references those and thus the reader needs to know the policies before understanding CAOF.

  18. Nov 2019
    1. Parent Selection Algorithm

      What additional state is expected to be stored by RPL for handling this? Set of APs?

    2. To allow hysteresis, AP selection maintains a variable, cur_ap_min_path_cost, which is the path cost of the current AP

      This needs to be elaborated. What is cur_ap_min_path_cost?

    3. MAX_PATH_COST

      What is MAX_PATH_COST? Where is it defined?

    4. AP node

      Multiple AP nodes could be selected.

    1. both Node

      better to call it host as per RFC 4861

      Also provide ref to RFC 4861 for the roles.

      BLE IPSP defines Node role and Router role. Is that what is referenced here? Regardless, it is better to add a ref.

    2. A Bluetooth LE host MUST register its non-link-local addresses with its routers by sending a Neighbor Solicitation (NS) message with the Extended Address Registration Option (EARO) and process the Neighbor Advertisement (NA) accordingly.

      Contradicts with a SHOULD below.

    3. A 6LN SHOULD register its non-link-local address with EARO in the next-hop router.

      Contradicts with a MUST above.

    1. A typical storing node will use one Transit Information option with no parent field and will send the DAO message thus formed, with additional adjustments, to Path Control as detailed later, to one or multiple parents.

      Can the Path Control bits be used in context to Storing MOP?

  19. Jun 2019
    1. A sender MUST ignore any MAX_STREAM_DATA or MAX_DATA frames that do not increase flow control limits.

      This is not correct. It should be "frames that do not increase MAX_STREAM_DATA offset limit" .. it is not same as flow control limits.

    2. SCID

      what is SCID? Source Connection ID?

  20. Apr 2019
    1. target option

      This should be Transit Information Option.

    2. RPL Target Descriptor

      How can these descriptors/tags be used subsequently? Would be best if RPL could give some sample use-cases.

    3. RPL Target option MAY be present in DAO messages

      Is it possible to have a DAO message without a target in RPL ? what are the use-cases ?

    4. The Transit Information option MAY be present in DAO messages

      Transit Information is a MAY .. Transit information contains PathSeq/Lifetime which seems mandatory. Also Parent Address is mandatory with NS-MOP, isnt it?

      When sending NPDAO, one has to insert Transit Info Option to signal lifetime of zero.

    5. A typical non-storing node will use multiple Transit Information options, and it will send the DAO message thus formed directly to the root.

      Why NS-MOP needs multiple Transit Information options while storing-MOP doesn't need one?

  21. Feb 2019
    1. I am wondering if it is possible to attach a field "such as min-priority" field which is a derivative of the metric calculation in context to every parent in the parent-set. This greatly helps the child nodes in deciding the CA policy to use.

    2. I think a section on reparenting is needed here. During reparenting, the parent might send its updated DIO with its new parent set. The implications of use CA strict policy in this case might result in child choosing a different AP which certainly is not desirable if the parent still has connectivity to its old parent and the reparenting is done based on metric changes.

    3. SHOULD be compressed

      How would the receiver node knows whether the addresses are compressed using 6lorh or not? Should there be a flag depicting this as part of PS TLV?

    4. selection based on common ancestors (CA), named Common Ancestor

      As i understand, the node should ideally use strict mode. If the clauses of strict mode are not satisfied by the parent set then it should go for CA medium and relaxed mode respectively ? Different nodes can choose different modes in the same network.

    5. How would the PRE be applied only to a subset of the traffic ?

    6. 6TiSCH

      Most of the text is catered to 6TiSCH usage. But I believe the PRE technique can as well be used in non-6tisch context. Is that right ?

  22. Nov 2018
    1. In general, it makes sense realize aliveness checks at the highest protocol layer possible that is meaningful to the application, in order to maximize the depth of the aliveness check.

      Some problem with this text!

    2. CCNs

      what is CCN?

    3. lwIP has a total code size of ~14 kB to ~22 kB (which comprises memory management, checksumming, network interfaces, IP, ICMP and TCP), and a TCP code size of ~9 kB to ~14 kB

      These numbers are no longer true. The total code size of LWIP ver 2.1 exceeds 70KB for Cortex-M3 MCU.

    4. 8- and 16-bit microcontrollers

      LWIP is widely used on 32 bit MCUs.

    5. Recently there has been little further work on the stack.

      Editorial

    6. The application programmer does not need to know anything about the TCP internals, therefore GNRC TCP can be seen as a user-friendly uIP TCP implementation.

      This statement does not make sense!

    1. P|C|O|R| A

      It is better you clarify the bits in RT context. I am specifically interested in understanding in how to handle this metric at multiple hops. How to do additive RT metric?

    2. DIO may need to carry OF configuration parameters .. i.e. all the nodes need to agree on the unit of the traffic measurement for e.g. THROUGHPUT_PERIOD defined in the draft. It is necessary that all the nodes agree on the time unit. Secondly if we use hysteresis, we need thresholds to be carried as well.

    3. During ROLL session, Pascal mentioned that parent oscillations should be avoided and suggested use of multiple parents while the transition is in progress. Other way to handle this is to involve hysteresis right in this draft and give guidelines/recommendations for configuring thresholds.

    4. Enrollment

      I dont understand why enrollment aspect was brought in here .. The relay chosen during enrollment and preferred parent chosen during routing protocol operaion could be different. Enrollment can choose a different set of metrics from routing metrics .. Enrollment of nodes happens few times during the lifetime of the device. The metrics enrollment could consider could be completely different from routing metrics.

    5. Certain deployments have roughly similar data stream generated from all nodes .. for e.g. metering solutions .. Current draft requires throughtput measurement on 6LRs .. Now in all cases this throughput calc may not be required .. But there is still a case to balance the network nonetheless .. Is it possible to consider balancing based on the sub-dodag size rooted at 6lr (naturally works only for storing MOP) ? In this sense, the work qasem-load-balancing was trying to do was similar considering nodes have similar traffic patterns.

  23. Jul 2018
  24. Apr 2018
    1. Then this RPLInstanceID SHOULD be shifted into another integer and shifted back to the original one at the OrigNode. In RREP option, the SHIFT field indicates the how many the original RPLInstanceID is shifted. When the new InstanceID after shifting exceeds 63, it will come back counting from 0.

      How would intermediate 6LR nodes react to these shiftings? Is there any way to quickly recover the routing adjacencies previously estalished with old instance IDs ? I think for symmetric routes this can still be handled (by 6LRs checking the shifted instance ID in RREP_DIO). But for asymmetric its not clear on how to handle. I think this handling warrants a separate section!

  25. mailarchive.ietf.org mailarchive.ietf.org
    1. corner case

      I think it is fairly reasonable for this situation to occur in real networks. The instance id size is 7 bits and good chances multiple nodes might end using the same local instance id.

  26. Mar 2018