IETF Logo Mail Archive

[APPS-REVIEW] Review of draft-ietf-btns-abstract-api-01

"Vijay K. Gurbani" <vkg@alcatel-lucent.com> Mon, 07 April 2008 19:45 UTC

Return-Path: <apps-review-bounces@ietf.org>
X-Original-To: apps-review-archive@optimus.ietf.org
Delivered-To: ietfarch-apps-review-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6334B28C39B; Mon, 7 Apr 2008 12:45:39 -0700 (PDT)
X-Original-To: apps-review@core3.amsl.com
Delivered-To: apps-review@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 020CC28C21E for <apps-review@core3.amsl.com>; Mon, 7 Apr 2008 12:45:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_64=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eQxMw-BRP3am for <apps-review@core3.amsl.com>; Mon, 7 Apr 2008 12:45:32 -0700 (PDT)
Received: from ihemail2.lucent.com (ihemail2.lucent.com [135.245.0.35]) by core3.amsl.com (Postfix) with ESMTP id 9712C28C1A5 for <APPS-REVIEW@ietf.org>; Mon, 7 Apr 2008 12:45:30 -0700 (PDT)
Received: from ihmail.ih.lucent.com (h135-1-218-70.lucent.com [135.1.218.70]) by ihemail2.lucent.com (8.13.8/IER-o) with ESMTP id m37JjIca019728; Mon, 7 Apr 2008 14:45:18 -0500 (CDT)
Received: from [135.185.244.90] (il0015vkg1.ih.lucent.com [135.185.244.90]) by ihmail.ih.lucent.com (8.11.7p1+Sun/8.12.11) with ESMTP id m37JjFA28441; Mon, 7 Apr 2008 14:45:16 -0500 (CDT)
Message-ID: <47FA79CB.7080905@alcatel-lucent.com>
Date: Mon, 07 Apr 2008 14:45:15 -0500
From: "Vijay K. Gurbani" <vkg@alcatel-lucent.com>
Organization: Bell Labs Security Technology Research Group
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: mcr@sandelman.ottawa.on.ca
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.35
Cc: APPS-REVIEW@ietf.org, tim.polk@nist.gov, lha@stacken.kth.se, julien.ietf@laposte.net
Subject: [APPS-REVIEW] Review of draft-ietf-btns-abstract-api-01
X-BeenThere: apps-review@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Applications Review List <apps-review.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/apps-review>, <mailto:apps-review-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/apps-review>
List-Post: <mailto:apps-review@ietf.org>
List-Help: <mailto:apps-review-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-review>, <mailto:apps-review-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: apps-review-bounces@ietf.org
Errors-To: apps-review-bounces@ietf.org

Dr. Richardson: I was asked by the Applications area to review
draft-ietf-btns-abstract-api-01 and draft-ietf-btns-c-api.  Here is
a review of draft-ietf-btns-abstract-api-01; I will send out a review
of draft-ietf-btns-c-api by the end of this week or early next week.

draft-ietf-btns-abstract-api-01
-------------------------------
This is a valuable document to have for the exact reasons that the
author mentions in S2.  Having dispensed with why such a document
is important, here are more focused comments on the contents of
the draft.  Designing a good and intuitive API is actually very
hard (if you are interested, I can dig up some published literature
on how to do a good enough job in designing one.)

- S3, opening paragraph: s/major kinds of objects/major objects

- S3, opening paragraph: objects are not "abstracted into unique
  opaque tokens" as much as they are *represented* by such constructs.
  I would suggest a rewrite as follows:
   OLD:
      Here we use the term "opaque token" to mean much what "object"
      means in a typical object-oriented programming language, but
      with no public fields (only methods or generic functions).
   NEW:
      The objects are represented by opaque tokens that can be used
      through the public accessor and mutator methods associated with
      the object.

- S3: It is written that, "The API provides a mechanism to query
  the value of attributes of the token."  Do you also provide
  a mechanism to change (or mutate) the state of the object?  Or
  are all operations on the object read-only?  I ask this because
  the Abstract promises that an application may "specify that IPsec
  should be used."  If that is the case, then the application may
  have to use mutators to set the state of the object appropriately.
  And if that is the case, you may want to list the mutators in
  a separate section much as you intend to list accessors in a
  separate section (S9, which is currently empty).

- S3.1: Is the pToken per socket?  In other words, within a process,
  there may be many different sockets.  Does each socket has a unique
  pToken?  It seems from S3.1 that the answer is no; the pToken is
  per process.  However, S5 says in its first paragraph that, "[an
  application] needs to get a protection token that is associated with
  the socket."  Thus, it seems that each socket has a unique pToken.
  You may want to elaborate on this some more to set up the model
  correctly.

- S3.1 says that "It SHOULD always be possible to obtain a current
  protection token for an established connection (whether for a
  connection-oriented transport protocol or for a "connected" UDP
  socket). that is equivalent to any previous protection token
  that was obtained."  A few comments on this.

  First, note the spurious "." after the closing brace; please remove.

  Second, and this goes back to establishing the model of a pToken,
  is the pToken a singleton?  That is, when an application gets the
  current pToken object, does that pToken object correspond to
  the one-and-only pToken object established in that process's space?
  Or is that pToken object a *clone* of the one-and-only pToken
  object (i.e., contents of the objects are the same, but they are
  distinct objects.  Deleting one has no bearing on the other.)

  In software engineering terms, there is the concept of a singleton
  pattern that states that objects with this property are created
  only once within the system.  Whenever an application wants to
  access a singleton object, the system passes a handle to the
  existing one-and-only singleton object to the caller.

  ISTM that a pToken is a singleton object, but then S5 confuses me
  because that seems to lend credence to the fact that there can
  be many pToken objects in a process, each corresponding to a
  socket created by the application.

- S3.3 says that "It is permitted for one protection token to be
  replaced with another (equivalent) protection token due to a node
  moving, suspending and resuming, ..."  This is perplexing, and
  points to the pToken NOT being a singleton object.

  If a node moves, why would the pToken be replaced?  Some
  characteristics -- like the attachment point and network
  identifiers -- may change, but the pToken should remain the same
  object, right?  Likewise, if the node is suspended, then presumably
  the state of the process is saved.  The pToken, as any other
  variable in the system, will be saved and subsequently resurrected
  when the system resumes.  So why is this a special case?  I
  do not understand.

- S4: "All symbols (functions, macros, etc.) defined by this API are
  prefixed with "ipsec_". "  The draft does not specify any APIs
  as such.  So this is probably a place-holder for the future.  If so,
  okay.

- S4: "Specific rules for capitalizations should be driven by the
  specific language binding."  I don't think any modern languages
  mandates capitalization in naming objects, or methods; it is
  purely a syntactic sugar.  You probably want to say instead:

   Specific rules for capitalizations for the identifiers following
   the prefix "ipsec_" should follow the local programming
   conventions.  This draft does not mandate the convention to name
   objects or methods in any way beyond requiring the "ipsec_" prefix.

- S5 says that: As the pToken will not change during the connection.
  (see notes about rekeying).  A simple function is provided to return
  a pToken from a file descriptor.  Many implementions are likely to
  implement this using getsockopt(2), but an interface in those terms
  is not specified in order to keep it more abstract, and therefore
  more portable.

  Some comments on this.

  First, note the gratuitous periods in the first 3 sentences.

  Second, and of more importance, is how do we design such an API?
  One way is to use the getsockopt(2) API that is mentioned and
  its disadvantages.  If a decision is made not to go through this
  route, then something like

      pToken *ipsec_get_ptoken(const int sock);

  could be considered.  The advantage is that this is close enough
  to the Unix system call

      int fileno(FILE *stream);

  that transforms a FILE * object into a file descriptor that the
  legions of *nix programmers would be happy.  For non-*nix
  programmers ... well, they should move to *nix ;-)  Just kidding.
  But seriously, the fileno() function has been in existence for
  so long that it is not tied to *nix platform only.

- S5, fourth paragraph:
  s/received may be received may arrive/received may arrive

- S5, fourth and fifth paragraphs: I am not sure I understand what
  is going on here.  Is it the case that when a peer gets a datagram, it
  also gets some additional data -- the sending peer's pToken --
  as ancillary data?  If so, why would a peer send its pToken, which
  is presumably something to keep secret, to another peer?  I am
  sure you had some reason to put this text in, it is just not
  apparent to the casual reader.

- S6: s/do-not-care values./defaulted accordingly.

- S7: Are these the properties of pToken objects or a pToken object
  template?  The discussion involves default values, which leads
  me to think that they are template values.

- S7, tunnelMode discussion.  Since you have tunnelMode, do you
  also need transportMode?

- S8: Are these the properties of iToken objects or a iToken object
  template?  The discussion involves default values, which leads
  me to think that they are template values.

- S8: s/LEAFOFFAITH/LEAPOFFAITH
  or better yet, LEAP_OF_FAITH; much more readable that way.

- S9, 10, and 11 appear to be place-holders.

- S11: Some things you may want to mention here is what do applications
  do when the IPSec characteristics set by one application are not
  acceptable to others?  Unlike TLS, each application cannot choose
  the specific properties it wants applied to the channel.

  Also, if one application sets the IPSec characteristics, is it a
  problem if another one queries them and sends them to someone else?
  For instance, if the IPSec instance is using a group pre-shared
  key, what happens if one application surreptitiously sends the
  key to a malicious party?  ISTM on a cursory reading that
  certain characteristics of the IPSec connection should not be
  made available to applications even on a read-only basis.

Hope that helps!

- vijay
-- 
Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
2701 Lucent Lane, Rm. 9F-546, Lisle, Illinois 60532 (USA)
Email: vkg@{alcatel-lucent.com,bell-labs.com,acm.org}
WWW:   http://www.alcatel-lucent.com/bell-labs
_______________________________________________
APPS-REVIEW mailing list
APPS-REVIEW@ietf.org
https://www.ietf.org/mailman/listinfo/apps-review

v2.23.0 | Report a Bug | By Email