Re: [core] Benjamin Kaduk's Discuss on draft-ietf-core-resource-directory-25: (with DISCUSS and COMMENT)
Barry Leiba <barryleiba@computer.org> Fri, 29 January 2021 15:05 UTC
Return-Path: <barryleiba@gmail.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A47B33A1052; Fri, 29 Jan 2021 07:05:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.401
X-Spam-Level:
X-Spam-Status: No, score=-1.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w1M2IGe9SF6a; Fri, 29 Jan 2021 07:05:54 -0800 (PST)
Received: from mail-lj1-f175.google.com (mail-lj1-f175.google.com [209.85.208.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D100C3A1078; Fri, 29 Jan 2021 07:05:42 -0800 (PST)
Received: by mail-lj1-f175.google.com with SMTP id l12so10814405ljc.3; Fri, 29 Jan 2021 07:05:42 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=mrlzNbaPZzgZyJSwnN/vv7zmwMpCDhTbbRhDNLb+/lE=; b=pqMGeD2mBiez0guvTZG7DHVH1pqDztNIfbFXyvyuH6qKJfuCnQ8cMh2vj3aA19PJSr CJJcVm67o/nnBcY0XmSD5IcbwO9YTZwfrjjtjXx8pUWsQjd+7asUDV6Nyo/ca8vlqVYe JVniCvg2fMbs8Qd6pAI9+X9ZKkp+RbzFPpY8O2/Ci2+GOTM/iQoUcBjYUAD5fqDhz/e0 ONVsWN2UMZatNPsiUAGVS3u5mZ5ysC7upawYNTd4srD/2wFAHlAy8BftLp20hlmyi1v0 CGAW+kuDFG5QtUeekLrqb/T5rcVIIjzrdnE7kXmyzX8sEZIDOqxbAz1S9eBMw4os633B rwhQ==
X-Gm-Message-State: AOAM533Es3uXTQ0KhZ4LCNcRMlr16PYgd0JXbKoQn0Tm564ahaFpYmvx b8Ak/nFy7Hj7URBEuj5gruNSluOSXawhoDD42YM=
X-Google-Smtp-Source: ABdhPJxDxtvlzlBmgV22HDKbZBSEFyIyH6zMfQaXwQJdbYBJW/D62CKbXPj8qsAtPjYXjT6bc1K+B+dneUI79FHYq3I=
X-Received: by 2002:a2e:824b:: with SMTP id j11mr2641203ljh.473.1611932740178; Fri, 29 Jan 2021 07:05:40 -0800 (PST)
MIME-Version: 1.0
References: <159730632066.12379.5174560093789503034@ietfa.amsl.com> <20201103170958.GA45088@hephaistos.amsuess.com> <20201103172739.GE45088@hephaistos.amsuess.com>
In-Reply-To: <20201103172739.GE45088@hephaistos.amsuess.com>
From: Barry Leiba <barryleiba@computer.org>
Date: Fri, 29 Jan 2021 10:05:28 -0500
Message-ID: <CALaySJKZHtcnm1LRsLpcdoqdBEJRWbJbF6gpj6VsGJg8PiUV4w@mail.gmail.com>
To: Christian Amsüss <christian@amsuess.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, draft-ietf-core-resource-directory@ietf.org, jaime.jimenez@ericsson.com, core-chairs@ietf.org, The IESG <iesg@ietf.org>, core WG <core@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/MN-Bs3DDPTJKhgRjLdjC-7oiZtU>
Subject: Re: [core] Benjamin Kaduk's Discuss on draft-ietf-core-resource-directory-25: (with DISCUSS and COMMENT)
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jan 2021 15:05:59 -0000
Ben, can you check version -26 and see how much of your ballot is addressed there? Christian, do you think you've addressed all of Ben's issues in -26? Barry On Tue, Nov 3, 2020 at 12:28 PM Christian Amsüss <christian@amsuess.com> wrote: > > (This is one of the point-to-point follow-up mails on the RD -25 > reviews; for the preface, please see the preceding mail on "The various > positions on draft-ietf-core-resource-directory-25" at > <https://mailarchive.ietf.org/arch/msg/core/xWLomwwhovkU-CPGNxnvs40BhaM/>). > > As DISCUSS: > > > I agree with Roman that the authorization model seems under-developed. > > While I recognize that there is need for flexibility across various > > deployments, I think that we should be providing a default model (and > > procedures for it) that will apply in many cases, and let > > deployments specify alternate models if needed. This stuff is hard > > enough to get right that we should have a secure option that people can > > use if they don't need to have customized details. (To be clear, I > > agree with the change of focus from -24 to -25 on the properties that a > > security policy needs to provide and/or consider, as that is > > fundamentally the important thing. I just want a fallback/default > > option that "does something reasonable in most cases" in addition. > > Doing that by reference to some other existing thing would be fine, if > > such a thing exists.) > > response: > > There is no external policy we could reference, so a new section was created. > The First-Come-First-Remembered policy implements one of the candidates that > were considered for this role, and was picked because unlike its "endpoint name > comes from the certificate" it is a mode which an implementation can use > without any further configuration whatsoever. > > The related changes can be viewed in > https://github.com/core-wg/resource-directory/issues/258. > > > In particular, the current text seems to rely on the authorization > > model including: > > > > (1) the RD knowing how clients will be using it (and thus what > > properties the RD needs to enforce), which in the general case cannot be > > known (though for static networks it could be), yet I don't see any > > discussion that indicates this as a prerequisite; and > > > > (2) the client either knowing out-of-band that an entity is authorized > > to act as a RD or just blindly trusting any of the unauthenticated (*) > > advertisement mechanisms. (* Yes, there may be some protection in the > > network on subscribing to the relevant multicast address, DNS-SD, etc., > > but the client cannot a priori know that such protections are in place.) > > > > Relatedly, the naming model and naming authority should have some > > clearer discussion. We do mention in Section 7 the possibility for a > > weak naming model where the RD is responsible for enforcing uniqueness > > of names but otherwise link attributes are the primary authorization > > criteria (vs. a traditional scheme with a naming authority and naming > > hierarchy), but with naming as a fundamental prerequisite of any > > authentication/authorization scheme, I think clearer discussion of how a > > naming model is to be selected (and, perhaps more importantly, that it > > must be fixed as part of a given deployment) for a given network is > > needed. > > respond: > > The responsibilities are the other way around. The RD does not need to know the > clients' expectations, the clients may only expect things they know to be true > of the RD. > > See GENERIC-WHOPICKSMODEL. > > > If I understand correctly, we have some codepoint squatting going on in > > the examples (e.g., for resource types). > > response: > > The rt=temperature-c, rt=light-lux and if=sensor are used where endpoints > mimick the examples of RFC6690; it is a point here to have things look just > like in direct discovery. > > The if=core.a and if=core.p use values from the expired and partially abandoned > core-interfaces -- given its future is unclear, they've been replaced by > examples with tag URIs, as has the et=oic.d.sensor (a value that's registered, > but not to for et but for rt) and rt="light"; rt=sensor was dropped as it was > not essential to the example. > > The individual changes are listed in > https://github.com/core-wg/resource-directory/pull/266. > > > We should talk about the security properties of the various RD discovery > > mechanisms that are defined. > > response: > > A section was added in the security considerations on this topic (see > https://github.com/core-wg/resource-directory/pull/275 for text > changes). It does not go into the properties of each mechanism, as the host > discovery steps are generally unprotected; instead, it emphasizes the > importance of checking the RD's authorization for any security properties the > client would expect. In the context of the server authorization topic (see > OPEN-SERVER), it was added that if the authorization is conditional on the > resources being advertised with a particular resource type, that authorization > already needs to be checked during the discovery phase (details in > https://github.com/core-wg/resource-directory/pull/306). > > As COMMENT: > > > My apologies for where these comments diverge off into rambling > > incoherency, or where I'm misunderstanding something that's clearly laid > > out; this document had the misfortune of being the last one I got to > > this week. > > > > Section 1 > > > > [RFC6690] only describes how to discover resources from the web > > server that hosts them by querying "/.well-known/core". In many > > constrained scenarios, direct discovery of resources is not practical > > due to sleeping nodes, disperse networks, or networks where multicast > > traffic is inefficient. These problems can be solved by employing an > > entity called a Resource Directory (RD), which contains information > > about resources held on other servers, allowing lookups to be > > performed for those resources. > > > > nit(?): I'd consider specifying that the RD is "a trusted entity". > > (Even when the resources themselves are authenticated, a hostile RD can > > still deny existence of a given resource, so by choosing to use an RD > > there is some level of trust involved.) > > response: > > Putting it in there as a trusted entity would give the reader a wrong > impression of the general case. Any trust placed in the RD must be earned by a > security policy backed by the RD's credentials. > > > Section 2 > > > > Resource Directory (RD) > > A web entity that stores information about web resources and > > implements the REST interfaces defined in this specification for > > discovery, for the creation, the maintenance and the removal of > > registrations, and for lookup of the registered resources. > > > > nit: the list structure is not parallel here. Maybe "for discovery, > > creation, maintenance, and removal of registrations, and for lookup of > > the registered resources"? > > response: > > The intended structure that's linearized into the sadly untreeish structure of > written language was > > * discovery > * of registrations > - creation > - maintenance > - removal > * lookup > > I think this is what the current text expresses, whereas the proposed one > groups discovery with "of registrations", while it's more a top-level thing. > > > Commissioning Tool > > Commissioning Tool (CT) is a device that assists during the > > installation of the network by assigning values to parameters, > > naming endpoints and groups, or adapting the installation to the > > needs of the applications. > > > > Is "the installation of the network" a one-time event? (Might a CT be > > involved when adding a new device to a network at a later time?) > > response: > > CTs can come back to help new devices into the network; the text has been > clarified to that point in > https://github.com/core-wg/resource-directory/pull/295. > > There are remaining questions about how long a network can operate autonomously > while the CT is absent and can thus not refresh registrations, but those exceed > the scope of the document. (Discussed at > https://github.com/core-wg/resource-directory/issues/290). > > > Section 3.1 > > > > Information SHOULD only be stored in the RD if it can be obtained by > > querying the described device's /.well-known/core resource directly. > > > > When might that not be the case? > > response: > > The prime example here is with devices that don't even have a copy of what they > might want to (but can't for resource constraints) express there; those use a > CT to do their work. > > The second example I can come up with is when devices have complex > confidentiality requirements on the links, but rely on the RD and thus publish > data to an authorized RD of which they don't even know who precisely might be > authorized to read them. > > > Section 3.2 > > > > The RD architecture is illustrated in Figure 1. An RD is used as a > > repository of registrations describing resources hosted on other web > > servers, also called endpoints (EP). An endpoint is a web server > > associated with a scheme, IP address and port. A physical node may > > > > (side note) hmm, I feel like in the HTTP world an endpoint is more > > likely to be associated with a DNS name than an IP address, in common > > usage. Also, we later go on to assert that the endpoint's name has > > primacy and that the IP address/port can be ephemeral. > > response: > > This is leading the reader from the CoAP definition of endpoints to the > endpoints as registrants as used in the RD. > > > An endpoint uses specific interfaces to register, update and remove a > > registration. It is also possible for an RD to fetch Web Links from > > endpoints and add their contents to its registrations. > > > > At the first registration of an endpoint, a "registration resource" > > is created, the location of which is returned to the registering > > endpoint. The registering endpoint uses this registration resource > > to manage the contents of registrations. > > > > Does the "RD fetches links unilaterally" case count as a "first > > registration of an endpoint"? I'm having a hard time seeing how these > > two statements are consistent with each other, and a naive reading > > admits the possibility that a given endpoint could be "locked out" of > > the ability to manage the contents of its registrations. > > response: > > The act of the endpoint triggering the RD to fetch links from it is the > creation. And the "locking out" is the correct reading -- a client that uses > simple client has no way of managing the contents. If it were capable enough to > do that, it'd go the regular registration route. > > > Section 4 > > > > REST clients (registrant-EPs and CTs during registration and > > maintenance, lookup clients, RD servers during simple registrations) > > MUST be prepared to receive any unsuccessful code and act upon it > > according to its definition, options and/or payload to the best of > > their capabilities, falling back to failing the operation if recovery > > is not possible. In particular, they should retry the request upon > > > > "MUST be prepared [...] to the best of their abilities" seems > > non-actionable. The stuff after "In particular", on the other hand, is > > actual concrete guidance that could be mandated using normative > > language. > > response: > > Right; fixed in https://github.com/core-wg/resource-directory/pull/276. > > > Section 4.1 > > > > 1. In a 6LoWPAN, just assume the Border Router (6LBR) can act as an > > RD (using the ABRO option to find that [RFC6775]). Confirmation > > can be obtained by sending a Unicast to "coap://[6LBR]/.well- > > known/core?rt=core.rd*". > > > > nit(?): I was unaware that "Unicast" was a proper noun. > > response: > > Addressed in https://github.com/core-wg/resource-directory/pull/277. > > > Section 4.3 > > > > "core.rd" in the query string. Likewise, a Resource Type parameter > > value of "core.rd-lookup*" is used to discover the URIs for RD Lookup > > operations, core.rd* is used to discover all URI paths for RD > > operations. [...] > > > > Is the distinction between URIs (for RD Lookup) and URI paths (for RD) > > important here? > > response: > > No, it isn't. Fixed in https://github.com/core-wg/resource-directory/pull/277. > > > While the link targets in this discovery step are often expressed in > > path-absolute form, this is not a requirement. Clients of the RD > > SHOULD therefore accept URIs of all schemes they support, both as > > URIs and relative references, and not limit the set of discovered > > URIs to those hosted at the address used for URI discovery. > > > > I'm not sure I see how the "not limit [...] to those hosted at the > > address used for URI discovery" follows from the non-requirement for > > expression of the link-targets from discovery in path-absolute form. > > (Given the ability to send the discovery query to a multicast address, > > the guidance seems okay; it's just the "therefore" that is puzzling me.) > > response: > > If it was a requirement on the server, the clients could rely on it and thus > implicitly limit the set by failing to parse the full URIs. > > (It could say "explicitly or implicitly limit", but only the "implicitly > limit" case justifies the "therefore".) > > > It would typically be stored in an implementation information link > > (as described in [I-D.bormann-t2trg-rel-impl]): > > > > Req: GET /.well-known/core?rel=impl-info > > > > This seems to be depicting a link-relation type that is not registered > > at https://www.iana.org/assignments/link-relations/link-relations.xhtml > > , i.e., codepoint squatting. Please put in a stronger disclaimer that > > this is an example link relation type, not just an example exchange. > > response: > > A note has been added that the type is just proposed in a WIP document (in > https://github.com/core-wg/resource-directory/pull/278). > > > Section 5 > > > > These first few paragraphs give the impression that this is > > first-come-first-served with minimal authentication or authorization > > checking. Mentioning that there are authorization checks, with a > > forward-reference, might be helpful. > > response: > > It's more a last-come-longest-remembered, but even the most minimal security > policies would ensure that the registration resources belong to the "same" > device (for whatever the policy defines as same). > > Clarified in https://github.com/core-wg/resource-directory/pull/292. > > > further parameters (see Section 9.3). The RD then creates a new > > registration resource in the RD and returns its location. The > > > > Is this returned "registration resource" expected to function as a > > "capability URL" (https://www.w3.org/TR/capability-urls/) that would > > need to contain an appropriate amount of entropy to be reasonably > > unguessable by parties other than the registrant-ep/CT responsible for > > it? > > response: > > No, it is not a capability URL -- it will be discoverable through the endpoint > lookup interface. > > Note that around ACE, bearer tokens (which capability URLs are) are generally > discouraged in favor of proof-of-possession tokens. > > > The registration request interface is specified as follows: > > > > Interaction: EP -> RD > > > > I thought that the CT could be a requestor as well as the EP. > > response: > > Yes it can be. The expression in the interaction tables is an artifact of the > CTs being a not-even-special case of EPs, but as we have both of them in the > rest of the text, so do we now in those lists. (Changes in > https://github.com/core-wg/resource-directory/pull/309). > > > well. The endpoint name and sector name are not set when one > > or both are set in an accompanying authorization token. > > > > What should the RD do if they are set but also present in the > > accompanying authorization token? > > response: > > The wording has been updated in > https://github.com/core-wg/resource-directory/pull/273; it now (by > construction, but also explicitly) explains conflict handling. > > > Req: POST coap://rd.example.com/rd?ep=node1 > > Content-Format: 40 > > Payload: > > </sensors/temp>;ct=41;rt="temperature-c";if="sensor", > > > > (side note) XML for the sensors, not SenML? With Carsten as an author, > > even? ;) > > response: > > This is clearly a mistake, and got removed in an emergency update in > https://github.com/core-wg/resource-directory/pull/279. > > More seriously, though, these examples are from RFC6690 (which does not have > ct= entries for reasons of chronology), and keeping them aligned is a good > thing. > > > An RD may optionally support HTTP. Here is an example of almost the > > same registration operation above, when done using HTTP. > > > > Req: > > POST /rd?ep=node1&base=http://[2001:db8:1::1] HTTP/1.1 > > Host: example.com > > > > Wouldn't "Host: rd.example.com" be closer to "almost the same > > registration"? > > response: > > Fixed in https://github.com/core-wg/resource-directory/pull/277. > > (I had brief qualms about introducing a protocol-negotiation situation here, > but performing "almost the same registration" over two protocols already > necessarily does that). > > > Section 5.1 > > > > I'm a little uneasy about specifying new behavior for POST to the > > existin /.well-known/core that was defined by RFC 6690 for other uses. > > What factors go into using the same well-known URI vs. defining a new > > one for this usage? > > response: > > It-always-having-been-that-way, primarily. As no large deployments are known, > this is fixed in https://github.com/core-wg/resource-directory/pull/259 > by switching to a standalone /.well-known/rd. > > > The sequence of fetching the registration content before sending a > > successful response was chosen to make responses reliable, and the > > caching item was chosen to still allow very constrained registrants. > > > > I'm not sure what "the caching item" is supposed to be (if it's not a > > typo/misordering of words). > > response: > > Now phrased as "the point about caching" (in > https://github.com/core-wg/resource-directory/pull/277) which should > be easier to read. A few lines up we recommend that the RD caches the .wk/c, > and this provides the rationale. > > > Section 5.3 > > > > queries concerning this endpoint. The RD SHOULD continue to provide > > access to the Registration Resource after a registration time-out > > occurs in order to enable the registering endpoint to eventually > > refresh the registration. The RD MAY eventually remove the > > registration resource for the purpose of garbage collection. If the > > Registration Resource is removed, the corresponding endpoint will > > need to be re-registered. > > > > (This MAY is actually a MUST for the simple registration case, per §5.1, > > right?) > > response: > > No, it's a choice there as well. One server may keep them around forever, and > when the simple client comes back it'll show with the same registration > resource in the resource lookup. Another server may GC it and assign a > different registration resource when it returns. > > > Section 5.3.1 > > > > An update MAY update the lifetime or the base URI registration > > parameters "lt", "base" as in Section 5. Parameters that are not > > > > What about the "extra-attrs"; are they inherently forbidden from > > updates? > > response: > > The introduction paragraph was overly specific and fixed in > https://github.com/core-wg/resource-directory/pull/294. > > > base := Base URI (optional). This > > parameter updates the Base URI established in the original > > registration to a new value. If the parameter is set in an > > update, it is stored by the RD as the new Base URI under which > > to interpret the relative links present in the payload of the > > original registration, following the same restrictions as in > > the registration. If the parameter is not set in the request > > > > nit: is it the interpretation of relative links that is following the > > same restrictions as in the registration, or the new value of the > > parameter being supplied in the update? > > response: > > The restrictions apply to the new value, and were moved up there in > https://github.com/core-wg/resource-directory/pull/294. > > > The following example shows how the registering endpoint updates its > > registration resource at an RD using this interface with the example > > location value: /rd/4521. > > > > The path component "4521" contains a worryingly small amount of > > unpredictableness; I would prefer examples that used longer random > > locations, as for capability URLs. (Throughout the document, of > > course.) See also draft-gont-numeric-ids-sec-considerations, that I'm > > AD sponsoring, though I do not see any clear issues on first glance. > > response: > > See comment on the original capability URL question -- they are not. > > > (Also, it might be worth another sentence that this update is serving > > just to reset the lifetime, making no other changes, since this might be > > expected to be a common usage.) > > response: > > Stating purpose rather than mechanism now (since > https://github.com/core-wg/resource-directory/pull/294). > > > Section 6 > > > > With "Resource Lookup" and "Endpoint Lookup" as (apparent) top-level > > siblings, would it make sense to put 6.2, or at least 6.3, as > > subsections under 6.1? > > response: > > It would from a hierarchical table-of-contents point of view, but given the > focus of lookup is on resource lookup, the existing sequence captures the > narrative of "With an RD, you can look up resources, here is how you use it, > here is what it looks like, and by the way if you really need it you can even > look at the registrations themselves". > > > Section 6.1 > > > > Resource lookup results in links that are semantically equivalent to > > the links submitted to the RD. The links and link parameters > > returned by the lookup are equal to the submitted ones, except that > > the target and anchor references are fully resolved. > > > > Are the "submitted ones" the submissions at registration time, or during > > the lookup query itself? (I assume registration-time, but being > > explicit costs little.) > > response: > > Some words added for clarity in > https://github.com/core-wg/resource-directory/pull/294. > > > If the base URI of a registration contains a link-local address, the > > RD MUST NOT show its links unless the lookup was made from the same > > link. The RD MUST NOT include zone identifiers in the resolved URIs. > > > > Same link as what? > > response: > > The link the endpoint sits on; clarified in > https://github.com/core-wg/resource-directory/pull/294. > > > Section 6.2 > > > > The page and count parameters are used to obtain lookup results in > > specified increments using pagination, where count specifies how many > > > > (We haven't introduced the page and count parameters yet.) > > response: > > Wording has been enhanced in > https://github.com/core-wg/resource-directory/pull/294. > > > operator as in Section 4.1 of [RFC6690]. Attributes that are defined > > as "link-type" match if the search value matches any of their values > > > > Where is it specified how an attribute might be "defined as > > 'link-type'"? This is the only instance of the string "link-type" in > > this document, and it does not appear in RFC 6690 at all... > > response: > > That should have said "relation-types"; it does now, and also refers to > the 6690 ABNF (since > https://github.com/core-wg/resource-directory/pull/294. > > > references) and are matched against a resolved link target. Queries > > for endpoints SHOULD be expressed in path-absolute form if possible > > and MUST be expressed in URI form otherwise; the RD SHOULD recognize > > either. The "anchor" attribute is usable for resource lookups, and, > > if queried, MUST be for in URI form as well. > > > > I don't see how it can be only a SHOULD to recognize either given these > > generation criteria. > > response: > > If the URI is on a different scheme/host, I assert things are clear. (Just to > ensure I didn't get your point wrong.) > > Otherwise, in practice there can happen mistakes where server and client > disagree about the default values of the Uri-Scheme, Uri-Host and Uri-Port > options -- as anyone who's ever tried to set up an HTTP reverse proxy for a > WebDAV server can attest to. We're trying to avoid creating these situations, > but when they do happen. We don't automatically declare the offending party > broken by putting a MUST here, but encourage the peer to assist it. The client > can help by providing the relative reference (for then, disagreement passses > unnoticed), and the server by recognizing the full URI (for the client may have > obtained it and not know that it'd match what the server thinks is its Uri-Host > name). > > (The "and MUST be expressed in URI form otherwise" sounds like a factual > necessity, but it is here to rule out the corner case of a client handing out > //hostname/path style references). > > > Section 6.3 > > > > The following example shows a client performing a lookup of all > > resources of all endpoints of a given endpoint type. It assumes that > > two endpoints (with endpoint names "sensor1" and "sensor2") have > > previously registered with their respective addresses > > "coap://sensor1.example.com" and "coap://sensor2.example.com", and > > posted the very payload of the 6th request of section 5 of [RFC6690]. > > > > Er, the 6th request is a GET; do we mean to say the response to the 6th > > request? > > response: > > Yes. Fixed in https://github.com/core-wg/resource-directory/pull/294. > > > Section 6.4 > > > > The endpoint lookup returns registration resources which can only be > > manipulated by the registering endpoint. > > > > This seems to leave it unclear whether the endpoint lookup is expected > > to return resources that the requestor will not have permission to > > manipulate (in addition to those it does have permission for). > > response: > > Clarified in https://github.com/core-wg/resource-directory/pull/294. > > > While Endpoint Lookup does expose the registration resources, the RD > > does not need to make them accessible to clients. Clients SHOULD NOT > > attempt to dereference or manipulate them. > > > > But why expose them at all if they're not going to be accessible? > > response: > > They serve as identifiers (think URI rather than URL), and may additionally be > used in implementation defined operations on the resource that could be allowed > for administrators. Last but not least, link-format (unlike the upcoming CoRAL) > does not have means of talking about something without naming it. > > (I do see the point, and if we started RD anew with the benefit of having > CoRAL, chances are this would look a bit different, and the names would not be > exposed to just any lookup client). > > The WG discussion of this did, however, lead to a point added to the security > considerations about the RD's choice of what to put in there (change in > https://github.com/core-wg/resource-directory/pull/267). > > > An RD can report endpoints in lookup that are not hosted at the same > > address. [...] > > > > The "same address" as what? > > response: > > Sharpened in https://github.com/core-wg/resource-directory/pull/294. > > > Section 7.1 > > > > Whenever an RD needs to provide trustworthy results to clients doing > > endpoint lookup, or resource lookup with filtering on the endpoint > > > > How will the RD know whether the client is expecting trustworthy > > results? (When would a client *not* expect trustworthy results?) > > response: > > It won't per-client, it is configured for one. See GENERIC-WHOPICKSMODEL. > > > name, the RD must ensure that the registrant is authorized to use the > > given endpoint name. This applies both to registration and later to > > operations on the registration resource. It is immaterial there > > whether the client is the registrant-ep itself or a CT is doing the > > registration: The RD can not tell the difference, and CTs may use > > > > I suppose there might be plausible authorization models where a > > return-routability check to a given address constitutes authorization to > > use that address as an endpoint name, in which case the RD can tell the > > difference between a registrant-ep and a CT attempting to act on its > > behalf. > > WGF-6 > response: > > The RD might do such checks, but then again the EP might just be using > different network interfaces simultaneously. At that point where the EP uses a > different (and usually dormant) network interface for registration, the line > between EP and the CT gets blurry; we tolerate that blurriness because the > distinction is not so much a technical one (the REST server does not care > whether the request originates at its network peer, is proxied through there or > sent from there on behalf of someone completely different) as long as the > credentials are good. > > Frankly, I'm personally not too happy with distinguishing CTs in the first > place; it is more reflective of what I understand to be an industry practice > than a distinction in this CoAP application. > > > When certificates are used as authorization credentials, the > > sector(s) and endpoint name(s) can be transported in the subject. In > > an ACE context, those are typically transported in a scope claim. > > > > As Russ noted in the Gen-ART review, "transported in the subject" is > > sufficiently vague to not really be actionable. It might be better to > > say that the holder of the private key corresponding to the public key > > certified in the certificate is generally considered authorized to act > > on behalf of any identities (including endpoint names) contained in the > > certificate's subject name. > > response: > > See GENERIC-SUBJECT. > > > Section 7.1.1 > > > > Conversely, in applications where the RD does not check the endpoint > > name, the authorized registering endpoint can generate a random > > number (or string) that identifies the endpoint. The RD should then > > > > How much entropy/randomness in the random name? Does a CSPRNG need to > > be used? (I do see the follow-up about doubling the length in case of > > failure or starting with a UUID if that's not possible, but some > > guidance on where to start still seems appropriate.) > > respond: > > There is no requirement here as collisions only result in retries. > > For those cases where the client implementer thinks they can get away with not > implementing retry, UUID URNs are pointed to, which themselves cover the topic. > > > Section 7.2 > > > > When lookup clients expect that certain types of links can only > > originate from certain endpoints, then the RD needs to apply > > filtering to the links an endpoint may register. > > > > As before, how will the RD know what behavior clients are relying on? > > response: > > It will not. It may, however, advertise it explicitly. If, for example, an > application like LwM2M always ensures trusted endpoint names, the RD may > advertise as rt="core.rd-lokup-ep example.lwm2m", and then clients that trust > that metadatum (which they'll want to verify from some claim) know they can > trust the RD to have checked ep names. > > See also GENERIC-WHOPICKSMODEL > > > An RD may also require that only links are registered on whose anchor > > (or even target) the RD recognizes as authoritative of. One way to > > > > I don't think I can parse this sentence (especially "the RD recognizes > > as authoritative of"). > > response: > > Rephrased to "require that links are only registered if the registrant is > authorized to publish information about the anchor [...] of the link." in > https://github.com/core-wg/resource-directory/pull/294. > > > Section 8 > > > > In contexts where we discuss DTLS and TLS as being generally comparable, > > we typically will state that DTLS replay protection is required in order > > to provide equivalent levels of protection. > > response: > > This item rippled quite a bit beyond the original response of "Huh? CoAP > doesn't already do this? Well, here we need it". > > As things stand, requiring replay protection make it harder to exploit the > issue described at OPEN-REPLAY-FRESHNESS, but once that is addressed for good, > replay protection should not be necessary any more for the RD, as all its > operations are becoming long-term idempotent. > > > We might also want to reiterate or refer back to the previous discussion > > of the potential for attributes or resource/endpoint names, link > > relations, etc. that may need to be confidential, the relevant access > > control/filtering, and the avenues by which disclosure of resource names > > can occur even when access to those resources will not be permitted. (I > > think some of this overlaps with 8288 and 6690, but don't mind repeating > > it.) > > response: > > There is a pointer back saying that the necessary access control depends on the > protection objectives set in the policies (since > https://github.com/core-wg/resource-directory/pull/250). > > > Section 8.1 > > > > It's probably worth reiterating that all name comparisons must be done > > at sector scope (since failing to do so can lead to attacks). > > response: > > It is; fixed since https://github.com/core-wg/resource-directory/pull/296. > > > Endpoint authentication needs to be checked independently of whether > > there are configured requirements on the credentials for a given > > endpoint name (Section 7.1) or whether arbitrary names are accepted > > (Section 7.1.1). > > > > I think this is more properly authorization than authentication. > > response: > > Yes; fixed in https://github.com/core-wg/resource-directory/pull/271. > > > Section 8.3 > > > > attacks. There is also a danger that NTP Servers could become > > implicated in denial-of-service (DoS) attacks since they run on > > unprotected UDP, there is no return routability check, and they can > > have a large amplification factor. The responses from the NTP server > > were found to be 19 times larger than the request. An RD which > > > > (It's not clear to me why the specific discussion of NTP numbers is > > relevant here, since RD is not NTP.) > > response: > > The section has been shortened in > https://github.com/core-wg/resource-directory/pull/249. > > > Section 9.3 > > > > Should we also include "rt" in the initial entries? I see it is used as > > a query parameter for resource lookup in the examples in Section 6.3. > > response: > > It's used as is any other link attribute. There's no registry for them, and > while there's been talk over ond over that it would be nice, I don't think > there will be any until linkformat-CoRAL conversion is defined (and even then > it may not be comprehensive). Selectively picking some distinguished common > link attributes into this registry won't make things less messy. > > The prime line of defense against this getting messy is the expert guidance > that for some types of parameters their short names should be checked against > "commonly used target attributes". > > > > * indication of whether it can be passed as a query parameter at > > registration of endpoints, as a query parameter in lookups, or be > > expressed as a target attribute, > > > > (Since this text does not clarify about lookup of endpoints vs. > > resources... > > > > Review" as described in [RFC8126]. The evaluation should consider > > formal criteria, duplication of functionality (Is the new entry > > redundant with an existing one?), topical suitability (E.g. is the > > described property actually a property of the endpoint and not a > > property of a particular resource, in which case it should go into > > the payload of the registration and need not be registered?), and the > > > > ... and this text suggests that query parameters for *resource* lookups > > need not be registered.) > > > > potential for conflict with commonly used target attributes (For > > example, "if" could be used as a parameter for conditional > > registration if it were not to be used in lookup or attributes, but > > would make a bad parameter for lookup, because a resource lookup with > > an "if" query parameter could ambiguously filter by the registered > > endpoint property or the [RFC6690] target attribute). > > > > Then why do we use it as an example of lookup filtering in Section 6.2? > > response: > > The text suggests that target attributes for registered resources need not be > registered. These unregistered wild-west attribute names can be used both with > resource lookups (matching only resources which), and in endpoint lookups > (matching endpoints that contain any resource which). > > If `if` were to be put in for use in an RD parameter used with lookup, that > would not per se create ambiguous queries (the rules would still say "matches > either"), but the results would be prone to causing confusion. > > > Section 10.1.2 > > > > Should we really be using unregistered resource types (i.e., codepoint > > squatting) in the examples? > > response: > > Addressed together with the earlier code squatting comments in > https://github.com/core-wg/resource-directory/pull/266. > > > After the filling of the RD by the CT, the application in the > > luminaries can learn to which groups they belong, and enable their > > interface for the multicast address. > > > > Just to check: the luminaries are learning their own group membership by > > querying the resource directory? > > response: > > Not directly. They (in this very particular example that seems to be based on > industry process but which I'd not necessarily recommend for imitation) use a > heuristic to find any multicast URI they might possibly provide, and join that > group. > > > Section 10.2.2 > > > > Please expand MSISDN. > > response: > > Taking a step back from this and other comments led to a drastical shortening > of the example. > > See also GENERIC-ODDEXAMPLES > > > Section 13.2 > > > > I think RFC 7252 should probably be normative. > > > > Likewise for RFC 8288 ("the query parameter MUST be [...] a token as > > used in [RFC8288]"). > > response: > > RFC7252 (CoAP) and RFC7230 (HTTP) were promoted to a normative reference. > (RFC7641 (CoAP observe) wasc left as informative because while they are > optional components, RD is not so much specified using them but more happens to > combine with them). > > RFC8288 was also promoted, but not due to the quoted line (that's not > implementation relevant but merely setting out rules for the registry > operation), but because we explicitly pull it in in terminology and the > information model. > > (Changes in https://github.com/core-wg/resource-directory/pull/307).
- [core] Benjamin Kaduk's Discuss on draft-ietf-cor… Benjamin Kaduk via Datatracker
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Barry Leiba
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Christian M. Amsüss
- Re: [core] The various positions on draft-ietf-co… Christian Amsüss
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Christian Amsüss
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Barry Leiba
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Barry Leiba
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk