[6tisch] draft-ietf-6tisch-minimal-security: Error code and server state
Christian Amsüss <christian@amsuess.com> Wed, 27 March 2019 17:29 UTC
Return-Path: <christian@amsuess.com>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95E6412035D for <6tisch@ietfa.amsl.com>; Wed, 27 Mar 2019 10:29:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kw1BLpb0nReq for <6tisch@ietfa.amsl.com>; Wed, 27 Mar 2019 10:29:28 -0700 (PDT)
Received: from prometheus.amsuess.com (prometheus.amsuess.com [5.9.147.112]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F6A112027A for <6tisch@ietf.org>; Wed, 27 Mar 2019 10:29:28 -0700 (PDT)
Received: from poseidon-mailhub.amsuess.com (unknown [IPv6:2a02:b18:c13b:8010:a800:ff:fede:b1bd]) by prometheus.amsuess.com (Postfix) with ESMTPS id 122334380B; Wed, 27 Mar 2019 18:29:25 +0100 (CET)
Received: from poseidon-mailbox.amsuess.com (hermes.amsuess.com [10.13.13.254]) by poseidon-mailhub.amsuess.com (Postfix) with ESMTP id 1C7E536; Wed, 27 Mar 2019 18:29:24 +0100 (CET)
Received: from hephaistos.amsuess.com (unknown [IPv6:2001:67c:1232:144:53b4:478e:561d:3782]) by poseidon-mailbox.amsuess.com (Postfix) with ESMTPSA id BEED77A; Wed, 27 Mar 2019 18:29:23 +0100 (CET)
Received: (nullmailer pid 13231 invoked by uid 1000); Wed, 27 Mar 2019 17:29:23 -0000
Date: Wed, 27 Mar 2019 18:29:23 +0100
From: Christian Amsüss <christian@amsuess.com>
To: Mališa Vučinić <malisa.vucinic@inria.fr>, 6tisch@ietf.org
Message-ID: <20190327172921.GA9348@hephaistos.amsuess.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="7AUc2qLy4jB3hD7Z"
Content-Disposition: inline
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch/CEd8cKYT9eHwEYg_wdhyEZ4gxdE>
Subject: [6tisch] draft-ietf-6tisch-minimal-security: Error code and server state
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2019 17:29:32 -0000
Hello Mališa, we've just talked about server state and the error codes sent with subsequent join requests in [1], especially Sections 8.4.1 and Section 8.4.5. (Working group, please be aware that I have not read and understood the full document but am responding to a particular question here). My understanding is that the pledge POSTs its Join_Request to the server, initially without an Error, and receives a response. If it has trouble acting on the response, it sends another request that includes the original parameters plus an error object; the server may respond to that with a more final error ("Sorry, then I can't help you either") or by sending a different response ("OK, if you can't do X, here's a setup that works without that"). The question is as whether that agrees with the a RESTful design and to the stateless servers we aspire in CoRE. The error handling as currently described requires the server to keep around information about the previous request. That is not per se a violation of the side effect rules of CoAP (as the request is a POST and the server may change state as a result), but has non-idempotent POST requests which are discouraged in CoRE, and could be avoided easily. Suggestion: Chain errors in the requests ---------------------------------------- I suggest that only errors be sent in subsequent requests that are self-descriptive, and not so much indicate "what happened" but more "what the pledge can't do"; then the server does not need to remember the history of each pledge's requests. If that is to be played back-and-forth (and I understand there are up to four attempts), this requires that the pledge can indicate more than one thing that went wrong. As long as there is only one error field, if (say) the client tells the server after the first round-trip that it doesn't support option X and the server offers option Y instead, the client could only indicate with the response that it won't support option Y, and the server would happily give it X again. Making the error field in the Join_Request a list would ease that, and might even allow for fewer round-trips if the pledge can issue complaints about several options in the first round-trip. Having a list of errors does obviously increase complexity a little, and it requires the client to keep track of things that it dislikes about the server's previous responses. My impression is that pledges can probably afford that (it's state of size that's limited by the number of attempts it's willing to do, and is only kept during the joining process), freeing the serve of keeping around state of every pledge for some potentially-hard-to-tell time. Suggestion: Require errors to be self-descriptive ------------------------------------------------- With that alone, a stateless server can be constructed, though the conceptualization would be a bit convoluted (the precise rules of interpreting the error codes would be "Had I sent you this request with one less error, your response would trigger error X in me") -- stateless, but not particularly elegant to think about or easy to act on. If the error codes could be limited to statements that are valid truths irrespective of hypothetical answers, that would look cleaner but supports only error codes that state such valid truths. Conceptually, it would not so much be an "error" field but a "things I'm telling you in advance I can't do". Of the list in Table 4, I'd say that * 0 is not applicable (it's a server response) * 1 should not be expected to be recoverable, and in this model of thought becomes very fuzzy. ("Give me that, but I know I can't act on it...?") * 2 is fine as long as it relates to the number of the option it doesn't understand but not the value (The statement would be "I don't support option X" -- something the pledge could have even said in advance). * 3 is not good but can easily be fixed by indicating a key ID rather than an index in a list whose indices will change when the server tries to do better. * 4 is fine (that, like with 2, is something the pledge could even have said in advance). From the discussion before I take it that this is something that can easily be fixed; if you want me to look at the changes you'd make to accommodate this, I'd be happy to have a brief look. (Just please CC me, I'm not actively reading the 6tisch list). Have a good flight Christian [1]: https://tools.ietf.org/html/draft-ietf-6tisch-minimal-security-09 -- To use raw power is to make yourself infinitely vulnerable to greater powers. -- Bene Gesserit axiom
- Re: [6tisch] draft-ietf-6tisch-minimal-security: … Mališa Vučinić
- Re: [6tisch] draft-ietf-6tisch-minimal-security: … Christian Amsüss
- [6tisch] draft-ietf-6tisch-minimal-security: Erro… Christian Amsüss
- Re: [6tisch] draft-ietf-6tisch-minimal-security: … Mališa Vučinić
- Re: [6tisch] draft-ietf-6tisch-minimal-security: … Christian Amsüss
- Re: [6tisch] draft-ietf-6tisch-minimal-security: … Mališa Vučinić
- Re: [6tisch] draft-ietf-6tisch-minimal-security: … Christian Amsüss