[6tisch] draft-ietf-6tisch-minimal-security: Error code and server state
Christian Amsüss <christian@amsuess.com> Wed, 27 March 2019 17:29 UTC
Return-Path: <christian@amsuess.com>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95E6412035D for <6tisch@ietfa.amsl.com>; Wed, 27 Mar 2019 10:29:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kw1BLpb0nReq for <6tisch@ietfa.amsl.com>; Wed, 27 Mar 2019 10:29:28 -0700 (PDT)
Received: from prometheus.amsuess.com (prometheus.amsuess.com [5.9.147.112]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F6A112027A for <6tisch@ietf.org>; Wed, 27 Mar 2019 10:29:28 -0700 (PDT)
Received: from poseidon-mailhub.amsuess.com (unknown [IPv6:2a02:b18:c13b:8010:a800:ff:fede:b1bd]) by prometheus.amsuess.com (Postfix) with ESMTPS id 122334380B; Wed, 27 Mar 2019 18:29:25 +0100 (CET)
Received: from poseidon-mailbox.amsuess.com (hermes.amsuess.com [10.13.13.254]) by poseidon-mailhub.amsuess.com (Postfix) with ESMTP id 1C7E536; Wed, 27 Mar 2019 18:29:24 +0100 (CET)
Received: from hephaistos.amsuess.com (unknown [IPv6:2001:67c:1232:144:53b4:478e:561d:3782]) by poseidon-mailbox.amsuess.com (Postfix) with ESMTPSA id BEED77A; Wed, 27 Mar 2019 18:29:23 +0100 (CET)
Received: (nullmailer pid 13231 invoked by uid 1000); Wed, 27 Mar 2019 17:29:23 -0000
Date: Wed, 27 Mar 2019 18:29:23 +0100
From: Christian Amsüss <christian@amsuess.com>
To: Mališa Vučinić <malisa.vucinic@inria.fr>, 6tisch@ietf.org
Message-ID: <20190327172921.GA9348@hephaistos.amsuess.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="7AUc2qLy4jB3hD7Z"
Content-Disposition: inline
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch/CEd8cKYT9eHwEYg_wdhyEZ4gxdE>
Subject: [6tisch] draft-ietf-6tisch-minimal-security: Error code and server state
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2019 17:29:32 -0000
Hello Mališa,
we've just talked about server state and the error codes sent with
subsequent join requests in [1], especially Sections 8.4.1 and Section
8.4.5. (Working group, please be aware that I have not read and
understood the full document but am responding to a particular question
here).
My understanding is that the pledge POSTs its Join_Request to the
server, initially without an Error, and receives a response. If it has
trouble acting on the response, it sends another request that includes
the original parameters plus an error object; the server may respond to
that with a more final error ("Sorry, then I can't help you either") or
by sending a different response ("OK, if you can't do X, here's a setup
that works without that"). The question is as whether that agrees with
the a RESTful design and to the stateless servers we aspire in CoRE.
The error handling as currently described requires the server to keep
around information about the previous request. That is not per se a
violation of the side effect rules of CoAP (as the request is a POST and
the server may change state as a result), but has non-idempotent POST
requests which are discouraged in CoRE, and could be avoided easily.
Suggestion: Chain errors in the requests
----------------------------------------
I suggest that only errors be sent in subsequent requests that are
self-descriptive, and not so much indicate "what happened" but more
"what the pledge can't do"; then the server does not need to remember
the history of each pledge's requests.
If that is to be played back-and-forth (and I understand there are up to
four attempts), this requires that the pledge can indicate more than one
thing that went wrong. As long as there is only one error field, if
(say) the client tells the server after the first round-trip that it
doesn't support option X and the server offers option Y instead, the
client could only indicate with the response that it won't support
option Y, and the server would happily give it X again. Making the error
field in the Join_Request a list would ease that, and might even allow
for fewer round-trips if the pledge can issue complaints about several
options in the first round-trip.
Having a list of errors does obviously increase complexity a little, and
it requires the client to keep track of things that it dislikes about
the server's previous responses. My impression is that pledges can
probably afford that (it's state of size that's limited by the number of
attempts it's willing to do, and is only kept during the joining
process), freeing the serve of keeping around state of every pledge for
some potentially-hard-to-tell time.
Suggestion: Require errors to be self-descriptive
-------------------------------------------------
With that alone, a stateless server can be constructed, though the
conceptualization would be a bit convoluted (the precise rules of
interpreting the error codes would be "Had I sent you this request with
one less error, your response would trigger error X in me") --
stateless, but not particularly elegant to think about or easy to act
on.
If the error codes could be limited to statements that are valid truths
irrespective of hypothetical answers, that would look cleaner but
supports only error codes that state such valid truths. Conceptually, it
would not so much be an "error" field but a "things I'm telling you in
advance I can't do".
Of the list in Table 4, I'd say that
* 0 is not applicable (it's a server response)
* 1 should not be expected to be recoverable, and in this model of
thought becomes very fuzzy. ("Give me that, but I know I can't act on
it...?")
* 2 is fine as long as it relates to the number of the option it doesn't
understand but not the value (The statement would be "I don't support
option X" -- something the pledge could have even said in advance).
* 3 is not good but can easily be fixed by indicating a key ID rather
than an index in a list whose indices will change when the server
tries to do better.
* 4 is fine (that, like with 2, is something the pledge could even have
said in advance).
From the discussion before I take it that this is something that can
easily be fixed; if you want me to look at the changes you'd make to
accommodate this, I'd be happy to have a brief look. (Just please CC me,
I'm not actively reading the 6tisch list).
Have a good flight
Christian
[1]: https://tools.ietf.org/html/draft-ietf-6tisch-minimal-security-09
--
To use raw power is to make yourself infinitely vulnerable to greater powers.
-- Bene Gesserit axiom
- Re: [6tisch] draft-ietf-6tisch-minimal-security: … Mališa Vučinić
- Re: [6tisch] draft-ietf-6tisch-minimal-security: … Christian Amsüss
- [6tisch] draft-ietf-6tisch-minimal-security: Erro… Christian Amsüss
- Re: [6tisch] draft-ietf-6tisch-minimal-security: … Mališa Vučinić
- Re: [6tisch] draft-ietf-6tisch-minimal-security: … Christian Amsüss
- Re: [6tisch] draft-ietf-6tisch-minimal-security: … Mališa Vučinić
- Re: [6tisch] draft-ietf-6tisch-minimal-security: … Christian Amsüss