Session Date/Time: 13 May 2025 18:00
TOOLS
Summary
The TOOLS working group received updates on ongoing infrastructure modernization efforts, including the RFC Production Center's systems, the Data Tracker, and the mail system. Significant progress was reported on migrating production services to Azure, and the ID Nits rewrite is nearing beta. Key announcements included the upcoming enforcement of password strength requirements for Data Tracker users and the selection of a firm for cybersecurity services.
Key Discussion Points
- Big Picture Overview: A new recurring section was introduced to provide context on ongoing projects and overall focus areas. Current priorities include:
  - RFC Production Center Modernization: Developing the Workflow Management System (Purple), the RFC Editor Website Rewrite (Red), and the Draft Forge editor. This work is prioritized to complete before RFC 10K.
  - Data Tracker Improvements: Moving to blob storage for artifacts (drafts, RFCs, conflict reviews) to enhance resiliency and performance, and improve mitigation against denial-of-service from heavy bot traffic.
  - Production Services Migration: Transitioning services into Azure for more performant hardware and greater control over system updates.
  - Mail System Stabilization: Work on cleaning up delivery issues and preparing the system for a more modern operating system and potential architectural changes.
  - Small Project Completion: Wrapping up projects such as the ID Nits rewrite.
  - Delayed Projects: Resuming work on IESG-requested issues and the IAB liaison management tool.
- Mail Processing Changes:
  - An incident in April where TLSA records and certificates became desynchronized was resolved, and automation has since been put in place to monitor for such discrepancies. This monitoring project has garnered external interest.
  - Planned changes to certificate deployment automation will ensure TLSA records are correctly configured before certificates are deployed.
  - Dane Foster presented on the development of Ansible code to reproduce the mail system architecture, which enables reproducible testing and configuration modeling for future architectural changes. The skeleton of this Ansible code is intended for public release.
- Data Tracker Security Enhancements:
  - Password Strength Enforcement: Jennifer announced plans to enforce password strength requirements for Data Tracker users. Users with insecure passwords will be prompted to perform a password reset upon their next login. Communication efforts will precede this change to minimize user surprise. The requirements are being finalized, aiming for user-friendliness and alignment with NIST recommendations (e.g., avoiding frequent forced resets). Users who have not logged in for several years will also be required to reset their passwords, as some older passwords use the now-insecure crypt library.
  - Two-Factor Authentication (2FA): 2FA and YubiKey support are on the roadmap. There are plans later in the year to split authentication out of the Data Tracker and integrate with an open-source identity provider like Authentic, which will support these advanced authentication modes. The current password enforcement is a preparatory step for this transition.
- Production Infrastructure Moves:
  - Nick reported that all applications not dependent on the shared NFS system have been successfully migrated to a new Azure cluster. An updated diagram is available.
  - CloudNativePG has been selected for self-hosting PostgreSQL databases over managed services, offering improved performance and cost savings. All new databases for Azure-migrated applications are now using this setup, and staging environments will follow suit.
  - The remaining applications that are tied to the shared file system are targeted for migration immediately after IETF 123 (Madrid), during a period of anticipated low IETF activity, to mitigate potential downtime.
- Zulip Update:
  - Zulip has been upgraded to version 9.4, resulting in UI changes such as "Streams" being renamed to "Channels."
  - Coordination is underway to further upgrade Zulip to the 10 or 11 series.
- ID Nits Rewrite (ID Nits 3):
  - ID Nits 3 is nearing beta release, with the core checker functionality complete.
  - Further work is planned to improve the human readability of command-line interface results.
  - A web interface is deployed at author tools, though some features (e.g., checking reference versions from the Data Tracker) are still to be implemented.
  - The community is encouraged to use the web interface and report issues, especially following a formal beta release announcement in the coming weeks.
  - Plans include removing anachronistic checks carried over from ID Nits 2. A participant commented that non-ASCII character checks should ideally be warnings, not errors, as these can be introduced accidentally (e.g., smart quotes). The new implementation, built with test-driven development, will make such changes easier.
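
The ordering described under Mail Processing Changes (TLSA records in place before a certificate is deployed) can be enforced as a pre-deployment gate. The sketch below is an added example, not the working group's automation: the function names are hypothetical, only DANE-EE (usage 3) records are evaluated, and the sample certificates are constructed DER skeletons rather than real certificates.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate."""
    _, pos, _ = read_tlv(cert, 0)            # Certificate
    _, pos, _ = read_tlv(cert, pos)          # tbsCertificate
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                          # optional explicit version
        pos = end
    for _ in range(5):   # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    return cert[pos:read_tlv(cert, pos)[2]]

def tlsa_matches(rdata, cert):
    """True if TLSA rdata (presentation format) pins cert as DANE-EE."""
    usage, selector, mtype, *hexdata = rdata.split()
    if usage != "3" or selector not in ("0", "1") or mtype not in ("0", "1", "2"):
        return False                         # other usages need chain building
    selected = cert if selector == "0" else extract_spki(cert)
    if mtype != "0":
        algo = hashlib.sha256 if mtype == "1" else hashlib.sha512
        selected = algo(selected).digest()
    return selected == bytes.fromhex("".join(hexdata))

def safe_to_deploy(new_cert, published_tlsa):
    """Deployment gate: a published TLSA record must already match new_cert."""
    return any(tlsa_matches(r, new_cert) for r in published_tlsa)

# Constructed sample data: minimal DER skeletons, not real certificates.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body    # short-form lengths only

def toy_cert(key_bits):
    spki = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + key_bits))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + tlv(0x30, b"") * 4 + spki)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00")), spki

OLD_CERT, OLD_SPKI = toy_cert(b"\xaa" * 8)
NEW_CERT, NEW_SPKI = toy_cert(b"\xbb" * 8)
PUBLISHED = ["3 1 1 " + hashlib.sha256(OLD_SPKI).hexdigest()]  # DNS pins old key only
```

With only the old key pinned, `safe_to_deploy(NEW_CERT, PUBLISHED)` is false; it becomes true once a record for the new key is published alongside the old one, which is the rollover order the planned automation is meant to guarantee.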
Decisions and Action Items
- Cybersecurity Services RFP: The selection process is complete, and the contract work has been finalized. An official announcement is pending. The work, which includes assessing Data Tracker posture and cloud infrastructure security, is expected to commence after IETF 123 (Madrid).
- Data Tracker Password Policy: A decision has been made to enforce stronger password requirements for Data Tracker users. The specific requirements and implementation timeline will be communicated proactively.
Next Steps
- ID Nits 3 Beta: A formal request for beta testing and feedback on ID Nits 3 will be distributed in the next couple of weeks.
- Production Migrations: The migration of remaining NFS-dependent applications to Azure is scheduled for after IETF 123.
- Zulip Upgrade: Continue coordination for further Zulip upgrades to the 10 or 11 series.
- Future Meetings: Scheduling for upcoming TOOLS calls through IETF 123 will be posted, with a review for any potential date conflicts. Suggestions for improving call effectiveness are welcome.