IETF Logo Mail Archive

Re: [art] Artart last call review of draft-ietf-core-coap-tcp-tls-07

Patrick McManus <pmcmanus@mozilla.com> Fri, 12 May 2017 21:17 UTC

Return-Path: <pmcmanus@mozilla.com>
X-Original-To: art@ietfa.amsl.com
Delivered-To: art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B7291314BB; Fri, 12 May 2017 14:17:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.734
X-Spam-Level:
X-Spam-Status: No, score=-0.734 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_SORBS_SPAM=0.5, SPF_HELO_PASS=-0.001, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hLr7m4rT1McK; Fri, 12 May 2017 14:17:01 -0700 (PDT)
Received: from linode64.ducksong.com (linode6only.ducksong.com [IPv6:2600:3c02::f03c:91ff:fe6e:e8da]) by ietfa.amsl.com (Postfix) with ESMTP id 0C359126DED; Fri, 12 May 2017 14:12:55 -0700 (PDT)
Received: from mail-qt0-f177.google.com (mail-qt0-f177.google.com [209.85.216.177]) by linode64.ducksong.com (Postfix) with ESMTPSA id 5AC0F3A0A2; Fri, 12 May 2017 17:12:53 -0400 (EDT)
Received: by mail-qt0-f177.google.com with SMTP id f55so9305115qta.3; Fri, 12 May 2017 14:12:53 -0700 (PDT)
X-Gm-Message-State: AODbwcBBxmndEuK8IDt6M4QYOtlV+mMbdjmctDRyNMnps/ZG8lbs8KYR kM+Atot/8MDE8wfBgeFzJbgFqLBcXA==
X-Received: by 10.200.40.193 with SMTP id j1mr6158200qtj.186.1494623573075; Fri, 12 May 2017 14:12:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.178.74 with HTTP; Fri, 12 May 2017 14:12:52 -0700 (PDT)
In-Reply-To: <2D57FF92-3A56-43BC-A815-27801E31F770@tzi.org>
References: <149179722452.3118.982908107963516290@ietfa.amsl.com> <5E5238DC-B835-4BDF-B50D-8D594A46C4D4@tzi.org> <767F913A-586B-42A2-B021-F9AC5C478702@mnot.net> <2D57FF92-3A56-43BC-A815-27801E31F770@tzi.org>
From: Patrick McManus <pmcmanus@mozilla.com>
Date: Fri, 12 May 2017 17:12:52 -0400
X-Gmail-Original-Message-ID: <CAOdDvNppxEj4NoTcE5_LvcnK80zxRdFjgwepCdNs0N2E+-00HQ@mail.gmail.com>
Message-ID: <CAOdDvNppxEj4NoTcE5_LvcnK80zxRdFjgwepCdNs0N2E+-00HQ@mail.gmail.com>
To: Carsten Bormann <cabo@tzi.org>
Cc: Mark Nottingham <mnot@mnot.net>, art@ietf.org, draft-ietf-core-coap-tcp-tls.all@ietf.org, IETF Discussion Mailing List <ietf@ietf.org>, core@ietf.org
Content-Type: multipart/alternative; boundary="001a11406bf6257010054f5a2b50"
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/rVt6KPKv_Y4sTsfcIH-I8a7adlk>
Subject: Re: [art] Artart last call review of draft-ietf-core-coap-tcp-tls-07
X-BeenThere: art@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/art>, <mailto:art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art/>
List-Post: <mailto:art@ietf.org>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/art>, <mailto:art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 May 2017 21:17:04 -0000

I have a few thoughts on this draft too.

6455-Websockets was a point in time solution for a problem that was solved
later and better by HTTP/2 (RFC 7540) with the introduction of parallelism,
multiplexing, and non 1:1 bi-directional message capabilities (which 6455
only solves 1/3 of).. 6455 is now considered historical and legacy cruft by
many. I don't know of anyone that would think that if 6455 did not exist it
should be introduced into today's ecosystem. (we would still want a
dev-facing interface doing some of the same things as websockets at a js
layer, but it would not be implemented on the wire 6455 style.)

If the motivation of the websockets-coap binding is to deal with
bi-directional problems better than HTTP/1, the answer to me seems to be to
use HTTP/2 (and maybe an extension of the existing http mapping) rather
than building a parallel system of gateways, proxies, and tunnels on top of
6455. It is unfortunate enough (perhaps unavoidable?) that we have a
parallel stack of constrained protocols without building a gatewaying
system between them rooted in legacy baggage.

The draft as much as acknowledges this with some not totally convincing
handwaving (that is not meant pejoratively - I've been known to hand wave
:))

Although HTTP/2 could also potentially address these requirements,
there would be
   additional costs and delays introduced by such a transition.
   Currently, there are also fewer HTTP/2 implementations available for
   constrained devices in comparison to CoAP.

The aspects of the proposed solution that would seem to pose the largest
challenges for constrained devices, (tcp and tls) are also present in
wss:// as well - which begs the question of whether this is designing a
nominally constrained-device ecosystem actually for
not-so-badly-constrained gateways and they should be using our primary
security, application, and transport standards directly. This parallel
stack has to end somewhere, right?

also, if you stay within the semantics of http, but require 7540 or its
successors for reasons of performance, you will pick up quic for free when
we get there - which is just a specific instance of the general argument
with forking standards.

lastly I think the security considerations (both in that section and
elsewhere) could use some work.

The purpose of websockets-6455 is to deploy a mechanism, consistent with
the web security model, for non-privileged javascript to be able to
communicate using communication patterns that do not fit into the HTTP/1
request/reply pattern well. To be consistent with that security model a
websockets end point needs to opt into doing websockets, potentially doing
a particular sub-protocol, and be expecting this request to have been
triggered by a particular Origin.

The net effect is to prohibit random javascript from the web from spraying
around arbitrary TCP streams behind every user agent's firewall, or
otherwise generating arbitrary botnets (beyond what is allowed by SOP
anyhow).

The coap-tcp-tls-websockets forward-proxy model builds an arbitrary gateway
from websockets to coap based on proxy-uri and would seem to run afoul of
the security model by spraying arbitrary coap around instead of arbitrary
tcp :).. Reverse proxy models, being locked down to particular origins,
work better.

(and as a final nit the websocket handshake examples do not have an Origin
request header as required by 6455 for browsers, and I think browsers are
in scope of this document - but thinking and talking about Origin is a key
part of when websockets is and is not appropriate.).

-Patrick



On Wed, May 10, 2017 at 12:31 AM, Carsten Bormann <cabo@tzi.org> wrote:

>
> > On May 9, 2017, at 23:30, Mark Nottingham <mnot@mnot.net> wrote:
> >
> > To close this loop -- the change in -08 isn't sufficiently prominent
> IME; while the general nature of the change is listed in the Abstract, the
> actual normative text is very hard to find.
>
> Certainly, let’s see what the IESG decides here.
>
> > Given that this is a pretty fundamental change in the operation of a URI
> scheme, I'd think it at least deserves its own section, if not a separate
> document.
>
> I don’t agree that this is such a fundamental change here — the
> /.well-known name space in the URI already was special (by the fact that ws
> URIs are mapped to http URIs, which do have /.well-known reserved already).
>
> But that doesn’t matter, we should find the best editorial way to document
> making the well-known URI concept available to WebSocket URIs.
>
> Grüße, Carsten
>
>

v2.23.0 | Report a Bug | By Email