Re: [art] Artart last call review of draft-ietf-core-coap-tcp-tls-07
Patrick McManus <pmcmanus@mozilla.com> Fri, 12 May 2017 21:17 UTC
Return-Path: <pmcmanus@mozilla.com>
X-Original-To: art@ietfa.amsl.com
Delivered-To: art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B7291314BB; Fri, 12 May 2017 14:17:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.734
X-Spam-Level:
X-Spam-Status: No, score=-0.734 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_SORBS_SPAM=0.5, SPF_HELO_PASS=-0.001, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hLr7m4rT1McK; Fri, 12 May 2017 14:17:01 -0700 (PDT)
Received: from linode64.ducksong.com (linode6only.ducksong.com [IPv6:2600:3c02::f03c:91ff:fe6e:e8da]) by ietfa.amsl.com (Postfix) with ESMTP id 0C359126DED; Fri, 12 May 2017 14:12:55 -0700 (PDT)
Received: from mail-qt0-f177.google.com (mail-qt0-f177.google.com [209.85.216.177]) by linode64.ducksong.com (Postfix) with ESMTPSA id 5AC0F3A0A2; Fri, 12 May 2017 17:12:53 -0400 (EDT)
Received: by mail-qt0-f177.google.com with SMTP id f55so9305115qta.3; Fri, 12 May 2017 14:12:53 -0700 (PDT)
X-Gm-Message-State: AODbwcBBxmndEuK8IDt6M4QYOtlV+mMbdjmctDRyNMnps/ZG8lbs8KYR kM+Atot/8MDE8wfBgeFzJbgFqLBcXA==
X-Received: by 10.200.40.193 with SMTP id j1mr6158200qtj.186.1494623573075; Fri, 12 May 2017 14:12:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.178.74 with HTTP; Fri, 12 May 2017 14:12:52 -0700 (PDT)
In-Reply-To: <2D57FF92-3A56-43BC-A815-27801E31F770@tzi.org>
References: <149179722452.3118.982908107963516290@ietfa.amsl.com> <5E5238DC-B835-4BDF-B50D-8D594A46C4D4@tzi.org> <767F913A-586B-42A2-B021-F9AC5C478702@mnot.net> <2D57FF92-3A56-43BC-A815-27801E31F770@tzi.org>
From: Patrick McManus <pmcmanus@mozilla.com>
Date: Fri, 12 May 2017 17:12:52 -0400
X-Gmail-Original-Message-ID: <CAOdDvNppxEj4NoTcE5_LvcnK80zxRdFjgwepCdNs0N2E+-00HQ@mail.gmail.com>
Message-ID: <CAOdDvNppxEj4NoTcE5_LvcnK80zxRdFjgwepCdNs0N2E+-00HQ@mail.gmail.com>
To: Carsten Bormann <cabo@tzi.org>
Cc: Mark Nottingham <mnot@mnot.net>, art@ietf.org, draft-ietf-core-coap-tcp-tls.all@ietf.org, IETF Discussion Mailing List <ietf@ietf.org>, core@ietf.org
Content-Type: multipart/alternative; boundary="001a11406bf6257010054f5a2b50"
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/rVt6KPKv_Y4sTsfcIH-I8a7adlk>
Subject: Re: [art] Artart last call review of draft-ietf-core-coap-tcp-tls-07
X-BeenThere: art@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/art>, <mailto:art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art/>
List-Post: <mailto:art@ietf.org>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/art>, <mailto:art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 May 2017 21:17:04 -0000
I have a few thoughts on this draft too. 6455-Websockets was a point in time solution for a problem that was solved later and better by HTTP/2 (RFC 7540) with the introduction of parallelism, multiplexing, and non 1:1 bi-directional message capabilities (which 6455 only solves 1/3 of).. 6455 is now considered historical and legacy cruft by many. I don't know of anyone that would think that if 6455 did not exist it should be introduced into today's ecosystem. (we would still want a dev-facing interface doing some of the same things as websockets at a js layer, but it would not be implemented on the wire 6455 style.) If the motivation of the websockets-coap binding is to deal with bi-directional problems better than HTTP/1, the answer to me seems to be to use HTTP/2 (and maybe an extension of the existing http mapping) rather than building a parallel system of gateways, proxies, and tunnels on top of 6455. It is unfortunate enough (perhaps unavoidable?) that we have a parallel stack of constrained protocols without building a gatewaying system between them rooted in legacy baggage. The draft as much as acknowledges this with some not totally convincing handwaving (that is not meant pejoratively - I've been known to hand wave :)) Although HTTP/2 could also potentially address these requirements, there would be additional costs and delays introduced by such a transition. Currently, there are also fewer HTTP/2 implementations available for constrained devices in comparison to CoAP. The aspects of the proposed solution that would seem to pose the largest challenges for constrained devices, (tcp and tls) are also present in wss:// as well - which begs the question of whether this is designing a nominally constrained-device ecosystem actually for not-so-badly-constrained gateways and they should be using our primary security, application, and transport standards directly. This parallel stack has to end somewhere, right? also, if you stay within the semantics of http, but require 7540 or its successors for reasons of performance, you will pick up quic for free when we get there - which is just a specific instance of the general argument with forking standards. lastly I think the security considerations (both in that section and elsewhere) could use some work. The purpose of websockets-6455 is to deploy a mechanism, consistent with the web security model, for non-privileged javascript to be able to communicate using communication patterns that do not fit into the HTTP/1 request/reply pattern well. To be consistent with that security model a websockets end point needs to opt into doing websockets, potentially doing a particular sub-protocol, and be expecting this request to have been triggered by a particular Origin. The net effect is to prohibit random javascript from the web from spraying around arbitrary TCP streams behind every user agent's firewall, or otherwise generating arbitrary botnets (beyond what is allowed by SOP anyhow). The coap-tcp-tls-websockets forward-proxy model builds an arbitrary gateway from websockets to coap based on proxy-uri and would seem to run afoul of the security model by spraying arbitrary coap around instead of arbitrary tcp :).. Reverse proxy models, being locked down to particular origins, work better. (and as a final nit the websocket handshake examples do not have an Origin request header as required by 6455 for browsers, and I think browsers are in scope of this document - but thinking and talking about Origin is a key part of when websockets is and is not appropriate.). -Patrick On Wed, May 10, 2017 at 12:31 AM, Carsten Bormann <cabo@tzi.org> wrote: > > > On May 9, 2017, at 23:30, Mark Nottingham <mnot@mnot.net> wrote: > > > > To close this loop -- the change in -08 isn't sufficiently prominent > IME; while the general nature of the change is listed in the Abstract, the > actual normative text is very hard to find. > > Certainly, let’s see what the IESG decides here. > > > Given that this is a pretty fundamental change in the operation of a URI > scheme, I'd think it at least deserves its own section, if not a separate > document. > > I don’t agree that this is such a fundamental change here — the > /.well-known name space in the URI already was special (by the fact that ws > URIs are mapped to http URIs, which do have /.well-known reserved already). > > But that doesn’t matter, we should find the best editorial way to document > making the well-known URI concept available to WebSocket URIs. > > Grüße, Carsten > >
- [art] Artart last call review of draft-ietf-core-… Mark Nottingham
- Re: [art] Artart last call review of draft-ietf-c… Carsten Bormann
- Re: [art] Artart last call review of draft-ietf-c… Mark Nottingham
- Re: [art] [core] Artart last call review of draft… Carsten Bormann
- Re: [art] [core] Artart last call review of draft… weigengyu
- Re: [art] [core] Artart last call review of draft… Mark Nottingham
- Re: [art] [core] Artart last call review of draft… Bill Silverajan
- Re: [art] [core] Artart last call review of draft… Kovatsch Matthias
- Re: [art] [core] Artart last call review of draft… Mark Nottingham
- Re: [art] [core] Artart last call review of draft… Alexey Melnikov
- Re: [art] [core] Artart last call review of draft… Kovatsch Matthias
- Re: [art] [core] Artart last call review of draft… Jaime Jiménez
- Re: [art] Artart last call review of draft-ietf-c… Brian Raymor
- Re: [art] [core] Artart last call review of draft… Kovatsch, Matthias
- Re: [art] [core] Artart last call review of draft… Carsten Bormann
- Re: [art] Artart last call review of draft-ietf-c… Carsten Bormann
- Re: [art] [core] Artart last call review of draft… Carsten Bormann
- Re: [art] Artart last call review of draft-ietf-c… Mark Nottingham
- Re: [art] Artart last call review of draft-ietf-c… Carsten Bormann
- Re: [art] Artart last call review of draft-ietf-c… Patrick McManus