Re: [core] draft-groupcomm-proxy: reverse proxies & URI embedding
Christian Amsüss <christian@amsuess.com> Tue, 14 June 2022 13:38 UTC
Return-Path: <christian@amsuess.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66283C14F692 for <core@ietfa.amsl.com>; Tue, 14 Jun 2022 06:38:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Lir7IosN5cZ for <core@ietfa.amsl.com>; Tue, 14 Jun 2022 06:38:26 -0700 (PDT)
Received: from smtp.akis.at (smtp.akis.at [IPv6:2a02:b18:500:a515::f455]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65391C159484 for <core@ietf.org>; Tue, 14 Jun 2022 06:38:24 -0700 (PDT)
Received: from poseidon-mailhub.amsuess.com (095129206250.cust.akis.net [95.129.206.250]) by smtp.akis.at (8.17.1/8.17.1) with ESMTPS id 25EDcKdV090102 (version=TLSv1.2 cipher=ECDHE-ECDSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 14 Jun 2022 15:38:20 +0200 (CEST) (envelope-from christian@amsuess.com)
X-Authentication-Warning: smtp.akis.at: Host 095129206250.cust.akis.net [95.129.206.250] claimed to be poseidon-mailhub.amsuess.com
Received: from poseidon-mailbox.amsuess.com (hermes.amsuess.com [10.13.13.254]) by poseidon-mailhub.amsuess.com (Postfix) with ESMTP id 23A0E7C92; Tue, 14 Jun 2022 15:38:19 +0200 (CEST)
Received: from hephaistos.amsuess.com (unknown [IPv6:2a02:b18:c13b:8010:40cb:af72:4745:413a]) by poseidon-mailbox.amsuess.com (Postfix) with ESMTPSA id A8D4BBBED; Tue, 14 Jun 2022 15:38:18 +0200 (CEST)
Received: (nullmailer pid 108884 invoked by uid 1000); Tue, 14 Jun 2022 13:38:18 -0000
Date: Tue, 14 Jun 2022 15:38:18 +0200
From: Christian Amsüss <christian@amsuess.com>
To: Esko Dijk <esko.dijk@iotconsultancy.nl>
Cc: core <core@ietf.org>, Marco Tiloca <marco.tiloca@ri.se>
Message-ID: <YqiPSmE9oVGmM/3S@hephaistos.amsuess.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="26Uo8O58yE+N8fOu"
Content-Disposition: inline
In-Reply-To: <DU0P190MB1978DB0C5606C328D620EC38FDAA9@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM> <DU0P190MB19784C8ED1D37EDBF4E0E7E0FDDE9@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/BsYKAFtozgt00ndQHTquRlMSoxk>
Subject: Re: [core] draft-groupcomm-proxy: reverse proxies & URI embedding
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jun 2022 13:38:30 -0000
Hello Esko,
(going with the second mail first because that's quick to answer, and
may suffice):
> 1. Forward Proxy
> * Client MUST include Multicast-Timeout option in its CoAP request.
> * Client includes the usual CoAP options to construct the proxy URI, using Proxy-Uri or Proxy-Scheme etc.
> * Proxy constructs the group communication request URI based on above options.
> 2. Reverse Proxy
> * Client MUST include Multicast-Timeout option in its CoAP request.
> * By the above option it follows that the client is aware of accessing a proxy and that its code is prepared to correctly handle multiple CoAP responses to 1 request.
> * Client includes the usual CoAP option to access a resource on the server/proxy, i.e. Uri-Path, Uri-Query and in rare cases Uri-Host/Uri-Port.
> * The reverse proxy has its own, custom, logic of constructing the groupcomm request URI i.e. deciding which resource leads to which groupcomm request.
I agree with the proposal, noting that
* I understand "client is aware of accessing a proxy" to roughly mean
"is aware that this behaves like a multicast proxy request" (but
doesn't necessarily need to do anything else about this being a
proxy), and
* I understand the MUST as "MUST in order to gain multicast forwarding".
If the option is absent, the proxy may exhibit a configured unicast
behavior, or refuse proxying, eg. with 4.00 Bad Request,
Content-Format: application/consise-problem-details+cbor, payload
{'multicast-resource': 10} indicating a realistic timeout value)
That probably suffices; the rest is merely arguing for why I see it that
way.
On Thu, Jun 02, 2022 at 09:26:10AM +0000, Esko Dijk wrote:
> During last interim we discussed some potential issues in the use of a
> reverse proxy for group communications, see
> https://datatracker.ietf.org/doc/html/draft-tiloca-core-groupcomm-proxy-06#appendix-A.1
> . This example is based on URI mapping as used for RFC 8075 for a HTTP
> client that wants to access a CoAP resource.
I think that's only appropriate for an HC proxy: HTTP clients generally
don't accept non-HTTP URIs even if they could just forward them into an
HTTP proxy whose `request-line` ABNF formally accepts non-HTTP URIs.
CoAP was specifically designed not to have that limitation, and thus
doesn't need that workaround.
> So I recall from the discussion that necessarily the client has to be
> aware that it is talking to a ‘group communication’ proxy , to apply
> the right token processing and expiry. And the best way to guarantee
> that is by requiring the client to include the Multicast-Timeout
> option. Is that correct?
Yes.
I recommend taking a mindset in which this is not about "proxy" but
about the address having the "is a multicast destination" property
(which is implicit in IP when using a multicast address in UDP, and
explicitly indicated in basically-unicast situations by
Multicast-Timeout) -- but given that the main user of this option is
proxies, it might be easier writing to just talk of proxies.
An example of using this in a non-proxy environment is when there is
name based virtual hosting, and a server could respond to `GET
coap://ip-address/.well-known/core Multicast-Timeout:1` with the WKCs of
all its virtual hosting servers, each with a Response-Forwarding option
indicating the adequate host name -- I doubt anyone would want to
implement it that way, but if you like to have a mental example of how a
multicast requests works in a non-proxy situation, there it is.
> Now the next question is, if this CoAP client is aware of the proxy
> and must anyhow include the Multicast-Timeout option so it already has
> dedicated code to do that, why doesn’t this client then use the
> standard Forward Proxy functionality of CoAP? There’s no need anymore
> to embed for example the CoAP URI into the URI path as in the example
> A.1 , because the client could just use a Proxy-URI option which would
> make the proxy a “Forward Proxy” instead of a reverse proxy. Any views
> on this?
I think that's because both
* a URI is easier to transport (say, in a QR code) than a URI with the
information about which proxy to use (even if it's only a bit of
information that says to send it to wherever the name resolves), and
* the forward proxy a client uses is more a matter of system
configuration, whereas the URI to go to is user guided. An application
may allow "untrusted sources" to set the URI to derefernce, but not to
set the proxy to use.
Note that due to the Multicast-Timeout property being elective, a client
can just be prepared to receive multicast addresses without any further
indication. An application could thus have an input field "entry points"
that accepts any number of URIs, some of which may be multicast, and
just send a Multicast-Timeout if there is doubt anywhere that something
could maybe respond thusly.
> If this argument holds then we could just remove any reverse
> proxy examples and say the client has to invoke the standard CoAP
> proxy methods in its request.
I'd welcome the examples going away -- after all, this is a corner case.
If the text manages to describe all relevant properties of the options
in a sufficiently generic way, a two-line statement about the options
working the same way when the client expects that multicast-like
responses can be returned from a request that does not carry a proxy
option.
BR
c
--
To use raw power is to make yourself infinitely vulnerable to greater powers.
-- Bene Gesserit axiom
- [core] draft-groupcomm-proxy: reverse proxies & U… Esko Dijk
- Re: [core] draft-groupcomm-proxy: reverse proxies… Esko Dijk
- Re: [core] draft-groupcomm-proxy: reverse proxies… Christian Amsüss
- Re: [core] draft-groupcomm-proxy: reverse proxies… Esko Dijk