Re: [Arcing] A bit more on the problem statement

Mark Nottingham <mnot@mnot.net> Thu, 04 February 2016 02:55 UTC

Return-Path: <mnot@mnot.net>
X-Original-To: arcing@ietfa.amsl.com
Delivered-To: arcing@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 677221B381B for <arcing@ietfa.amsl.com>; Wed, 3 Feb 2016 18:55:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level:
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JVLTXcvfCype for <arcing@ietfa.amsl.com>; Wed, 3 Feb 2016 18:55:44 -0800 (PST)
Received: from mxout-07.mxes.net (mxout-07.mxes.net [216.86.168.182]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B8861B319A for <arcing@ietf.org>; Wed, 3 Feb 2016 18:55:44 -0800 (PST)
Received: from [192.168.1.101] (unknown [120.149.194.112]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id EACFE22E200; Wed, 3 Feb 2016 21:55:39 -0500 (EST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <CA+9kkMDBPHYg3ENofdZ2jQxh=Wjv3KZXK+gw=5nYT0B=VL87Qg@mail.gmail.com>
Date: Thu, 4 Feb 2016 13:55:36 +1100
Content-Transfer-Encoding: quoted-printable
Message-Id: <524E4EBB-DB02-4091-9F5D-14F103A81178@mnot.net>
References: <CA+9kkMDBPHYg3ENofdZ2jQxh=Wjv3KZXK+gw=5nYT0B=VL87Qg@mail.gmail.com>
To: Ted Hardie <ted.ietf@gmail.com>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/arcing/42OIcJqd8_lRoLtFN9Pli7qn29I>
Cc: arcing@ietf.org
Subject: Re: [Arcing] A bit more on the problem statement
X-BeenThere: arcing@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: This list will discuss different architectural approaches to signalling alternative resolution contexts for Internet names <arcing.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/arcing>, <mailto:arcing-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/arcing/>
List-Post: <mailto:arcing@ietf.org>
List-Help: <mailto:arcing-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/arcing>, <mailto:arcing-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Feb 2016 02:55:47 -0000

Hi Ted,

Trying to work through this, please be patient with my potentially limited understanding / context.


> On 4 Feb 2016, at 5:56 am, Ted Hardie <ted.ietf@gmail.com> wrote:
> 
> In the draft I posted on resolution contexts, I called the overarching set of names "Internet names", following RFC 891.  Clearly things have moved on from then no little, but I wanted to get back to that terminology because I wanted to stress the internetworking aspect of the problem.  
> 
> For names or identifiers to be meaningful in multiple contexts (like different networks or administrative domains), those contexts have to see them as part of the same namespace.  That doesn't mean that there must be one unitary namespace for every use, but it does mean that each context that uses a name must share the same idea of what the namespace context is.  
> 
> You can resolve that problem by having all names in a single namespace context.  You can also resolve that by having context markers.  
> 
> The issue with the first approach is that it is trivial for people to mint new names.  If those are presumed to be within a single context, that also means that it is trivial for those new names to conflict either with each other or established names.  The only available point of control we have at the moment is in resolution using a specific set of resolution protocols.
> 
> That is, a policy body may decline to allow a particular name to be resolved with the DNS, but anything that doesn't use that set of resolution protocols can still conflict.  I don't personally see any way to create a point of control on the minting of the names themselves without a complete architectural re-write of the entire Internet, so I don't think we can change the point of control.  That leaves this approach with a pretty big gap--any name that doesn't use the DNS as a resolution protocol is subject to squatting, collision, or confusion.
> 
> The second approach, using context markers, is approximately where we are today, but we are using an implicit set of context marker rather than an explicit one.  But we're not using it particularly well.  As it stands, the context marker (pseudo-gTLDs) requires a priori knowledge to establish resolution context

If applications don't (somewhere) have the ability to perform resolution in that context, they're not going to work anyway, and if they do, they have the a priori knowledge necessary. 

So, I think the problem here is largely what we saw with .onion -- if your application / resolver / etc. don't recognise it as a special name, it falls back to DNS resolution, and that may have various undesirable side effects (besides not working). 

Arguably the downsides of those side effects for .onion -- given its use cases -- are pretty extreme, and so it's very interesting to me that despite that limitation, its very privacy- and security-sensitive community still decided to go in that direction.


> *and it doesn't allow you to mark namespaces that don't share the syntax of the DNS*.

How big of a problem is this? There are issues with i18n and DNS names, of course, but I don't hear people in this space saying that a big driver for them is "names that don't look like hostnames." There's a LOT of shared understanding behind DNS-style names.


> If what we want is a single Internet namespace, with a marker for which resolution protocol is meant, this could be refined a bit to work.

Are you thinking of something like a DNS record on the root zone of these domains, so that resolvers can check to see if it's meant for them?


> But every single name delegation in any of the resolution contexts will remain a source of potential collision, squatting or confusion, because we still won't control the ability to mint names.

I'm not sure how you got here, or why our (the IETF's?) control over the ability to mint names is important here. Each resolution context is going to need to control its own destiny (assuming it has a distinct name space of its own, a la .onion .home etc.)...


> If we shift to an explicit set of markers, we get the following advantages:  we can use syntax different from the syntax of the DNS; we can avoid collision at the level of the tuple of namespace, name; we can avoid conflating resolution context and namespace.  (Note that resolution context is not a one-to-one mapping with protocol.  As David Conrad has been pointing out for years, having a cryptographically signed DNS root (or other zone) means the distribution channel for the information can change; the resolution context does not).
> 
> The disadvantage is that every protocol that works across namespaces must now be updated to recognize both the explicit markers and the namespaces themselves.  That's a lot of work and, as IPv6 taught us, the network effects run against you the whole way.  It may, however, be something that is significantly easier to deploy incrementally than the core IP layer is.

I'm not really sure what direction you're thinking of going here, but I am reminded somewhat of previous discussions to define how to transport DNSSEC-signed records inside HTTP/2 frames, thereby establishing an independent (albeit syntactically and semantically very similar) resolution protocol for the same context. That hasn't gone anywhere, but it's still lurking out there as a possibility, AIUI.


> My first question to this group is:  do folks agree with this characterization?  If not, what's wrong?
> 
> If they do agree with the characterization of the problem, does this sketch of solution spaces look right?
> 
> And, most importantly, which level of the problem do we think we can solve:  the multiple namespaces one or the unitary namespace/multiple resolution contexts one?
> 
> regards,
> 
> Ted

Cheers,

--
Mark Nottingham   https://www.mnot.net/