IETF Logo Mail Archive

Re: [core] draft-groupcomm-proxy: reverse proxies & URI embedding

Esko Dijk <esko.dijk@iotconsultancy.nl> Tue, 14 June 2022 10:12 UTC

Return-Path: <esko.dijk@iotconsultancy.nl>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D66CEC1649FD for <core@ietfa.amsl.com>; Tue, 14 Jun 2022 03:12:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iotconsultancy.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xsnwVfOsGHo5 for <core@ietfa.amsl.com>; Tue, 14 Jun 2022 03:12:40 -0700 (PDT)
Received: from EUR03-DBA-obe.outbound.protection.outlook.com (mail-dbaeur03on20716.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe1a::716]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBAC5C1649FA for <core@ietf.org>; Tue, 14 Jun 2022 03:12:39 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Ko79k/3+7mZNz06t1kqkjuXaMDKLend683gOEwB/K+wgsGOKPDO3608HkdAvHyr4gT1wCFFKknkkHqd7+59PnjrR5pKn+ljwkJL6C0FmP3QR8gcFFU8UgAM9JJrmsjPYCo32CakMToIes1Dnppo2riphjcki5vuwzPkyF+SYBzcL6Ptw04o26/a+9OHr92A/QEeVwGUmGtD8hRlMxAc2ZeOqMx1Bg4Q2JgBTi/sFwXKRPNXSBHUmRlVEDN7PuMByCJgh4dshaX38Wk8MsMggeFCkcflywKtlUugpsj1o+VVYuhe/t+m8CeSZ9YMtedaEVL6vzk28lQPAw+Zb235daA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=vGja/fGGFbnAiovPU8K2P5+nTHg3vj3o2qh6fL959lQ=; b=T7wQx+6qcg5+WgOCyaJh9dUXz3fG8Yg3y5ygV5oiqybsYjyl6wvlB5QABf+eOSlnQNkAL/8z9lwl309+DqPBwjEYTM4qP/Knw7yWZTBXl4i1lO9831RcwwU3ITLKZ2hGUiOmpECCv6fGzXBDS3YhuhrjPmcBKUHZIAG8momBiHMwvW39N60KOPvgO6qyy2fUZMCesV/f0t2E5nTRU/FIuF7Y8eda/uVL1KPy0d0qolLtd3z5I0uciQXv4Hx/xWAIN3G7ypgvLMdJ/JBlRabknsuUz/0o/i0qMWhDU107BHP7mDpXEuAFQViYrjwaFJkHpPKc2CGAWVFpApQI5FeDxg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=iotconsultancy.nl; dmarc=pass action=none header.from=iotconsultancy.nl; dkim=pass header.d=iotconsultancy.nl; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iotconsultancy.nl; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vGja/fGGFbnAiovPU8K2P5+nTHg3vj3o2qh6fL959lQ=; b=HwZA8fKhBzfxPwGQ4yQ4ZAU/FHOIgDMs2F3q8yoIzpZ9M/t9QekOvxVCP6tU5pPbq4fMoIay0kuoeOeHUiOA9Va6mcrl8Mq1mozG2tDbDMWyr39mFF9Gas7EOeAQfHkA4IPqMxKn52RHTke4NwtzkcdMaeFgFrkWIPrnD3IVVq8=
Received: from DU0P190MB1978.EURP190.PROD.OUTLOOK.COM (2603:10a6:10:3b9::20) by PR3P190MB0889.EURP190.PROD.OUTLOOK.COM (2603:10a6:102:8f::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5332.14; Tue, 14 Jun 2022 10:12:32 +0000
Received: from DU0P190MB1978.EURP190.PROD.OUTLOOK.COM ([fe80::d19a:a24c:bd5c:95da]) by DU0P190MB1978.EURP190.PROD.OUTLOOK.COM ([fe80::d19a:a24c:bd5c:95da%8]) with mapi id 15.20.5332.020; Tue, 14 Jun 2022 10:12:32 +0000
From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: core <core@ietf.org>
CC: Christian Amsüss <christian@amsuess.com>
Thread-Topic: draft-groupcomm-proxy: reverse proxies & URI embedding
Thread-Index: Adh2X90cKroSyKpVR/SCpmaLj7oB5AJde46w
Date: Tue, 14 Jun 2022 10:12:32 +0000
Message-ID: <DU0P190MB1978DB0C5606C328D620EC38FDAA9@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
References: <DU0P190MB19784C8ED1D37EDBF4E0E7E0FDDE9@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
In-Reply-To: <DU0P190MB19784C8ED1D37EDBF4E0E7E0FDDE9@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=iotconsultancy.nl;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 47d0f24b-5a2d-44cc-6839-08da4dee6589
x-ms-traffictypediagnostic: PR3P190MB0889:EE_
x-microsoft-antispam-prvs: <PR3P190MB088918625849FB4820E46237FDAA9@PR3P190MB0889.EURP190.PROD.OUTLOOK.COM>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: XRYyRnz+leoj/3WRg0PHNoSrnu60L4tKI9OPoWys0t0rqz/kldO4pi5Rj/it6Mg7KUA8As3qIcd0mne17+sSWQ8vTfwJV5xI69z4NpZVbPGqGKFlZAfDhDpxh5ZtbR0aJ6+5QpSfgzlb6UqQMYcgbPTdB6b3uaXSn7u55jHv3ntqncIw2lSkh5Th4uF6eANT5oRhp3U7NY5xVpghBT+8GqDLg7qZLQoV2jCq717hlyY8TWQ9Xx1p/X417A//EbzQyMRIFEEN7AGTtG6RiBQRodR+Bxl36/brAQA6LLvRiBT1gosyjmBDHZp4G8y8L8ZxzkApG2u4hRj8vBb/9UPT042k6WOsW+gCIav7m/k1nWNgpsEal6YHhvZZ8BfEBW8KrHLvsz224fy0L/f9U9V4kO3KUoXMNyF34w+qbirTepSze4UTmgEWuSHJLP5Ev4CzPFXR9C6xw20psgFUJK7GNBfmYw3SwYsM/+eLe1dQk99ACmHrGpKGqd2zHb4FGZt/DZjAYPw7pDdCn2LXG8XcNJ7Qm78S0CHLKO2rqXV3TKLGUjef3D4ZhhcfOpEQxWk1J8pGYR87LSDNS/H2K6NJvJJGYQ6AjNboGMtIBdXV5D+FSIcj5kklqrLp+22JNBDzr1pZFD7U46w75Mtc/EkE1zw/jNzgQG7cuiudooLEpoA1TahnLgYSaMwgGqWNy3akAWo54HeNh7s74HOgOQRcOMWwQJ7KwXNpqhjehb54vp0ZogTofpYlQwab+lPI60Bmd85YKH42x02JRIoDzogy+rlGNxX7RURxHVfA4tsLm14=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DU0P190MB1978.EURP190.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230016)(136003)(346002)(396003)(39830400003)(366004)(41300700001)(86362001)(53546011)(66574015)(2906002)(66476007)(7696005)(166002)(64756008)(66556008)(316002)(8676002)(38100700002)(76116006)(6506007)(4326008)(38070700005)(66946007)(122000001)(6916009)(52536014)(44832011)(55016003)(71200400001)(186003)(9686003)(83380400001)(966005)(5660300002)(508600001)(8936002)(66446008)(33656002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 2
x-ms-exchange-antispam-messagedata-0: VdITHFwsyIY2bHzSKAutu2YS7xd4uQP2mAiguo1jh0/FnyqupABlJFI04E9SEQ7pMCZ7sweBnhhj4duhWck04EyEiPuJFf99sRxsjKlmjFbPPD9Y0IBdl5DFU243nlj01vTjRUUCxjsj8KCRQdFEikSv0B/cJITgOqY7ok3f37CrkudsQY7oWd1+WW/yrFl4u7/a4zuGNDtvrX+967S8BMsCuRCidQPH17g7m4UjKT+S/ZGSePI4/YGKtO5En1bpI39QFutRASE28UCgtHQj3Yced0ZU45ksa8rHOZR569L43+evh0Oe9Z048mmu71BdGaalwzsY2G8N8AWAG5BSmWeShQxEvcQmnjx5F+6SVMBSVwxCPeQ120pBEhxWevHixhMPDURxbiW5WPxeNmrRoMDp8ffOjbD5G/QrBZMwPE/RvY+y78k/dv9A303/hj3t0hJjGge9lthyfmGjeZPPIptzRzp5X8zkA0Nv2uRhaOjpk6pYLHH//h95cs8v69UewQnaeB5gdBDaw/sOFKtcE0Bhz0qvuH6AWhMmeWUiMANXfu8/OgGXihqGQT2KDEX8OgXQ0a8jk3/4dHCv+wYNUHrQOmPJf2GrAzPGCRi0E87azfP+xCeARK9X0bkes/h6PyWltnH77JQFxMJRe0h3vbzJRb27OsXRgHeZ38+11ZxCoAzkJmzem8Do2RvXxSRymGB5rq1p/HEc1fUximGOZk2y6rKcHLO1R7HWq2X+iorZFLt+RsKbdAU1sDpycsm4nT8XHjrTVFhuIPVnS9XtNNO9DkfDk89XPbR9+qEu83QcI1vb7Ml/tRmtqpoOeiQ+Z1eEbApHC6VEfWq/knn7AAAdQJPfW9uPLEht4Mi/zskwUWbspk2Fi1O+jiI9HTO66X/LSPE3Uf9xycUsNjJVFY6PtcHbAH5Z50UyikWRywUibA/8CrqSZid8IyEbf/3LxllswJVB9EjVNQ1VcUaBrb0MhnPGqXXEUkMdJiZgzav0hNldI82NNX6a4AFxsDRJYGmkngYHevqggP0goDf7bopZNeElXSy0ISK1UaXVYTNhRXEIOEAO8DvzhtxOqiz5QDk565Tu9Tsv9YiTl/npQOCrWZk6eaaL/krTzvsddA/W7Pz+XiZbhdbWE7Ofh3YdWLhCoiqzsSUoG1AH0A4m/gLRawysHmXggvP/G7zrdaN3kurPXT6fB3iB78j6WqZRcMfYMWaKPiZ1sthYV/9BoFS5yC6dyBz2nh5tR12iLAfLudREdaW0m46RgXxXIEaBhCZa/esINq07G6JmvyDQ/34DJMWO0SqXjjjP4YoucYgYV6XlB/hqAVnq+C0e07l2SEmQOl2lhGnaF/otj7w0SEH5de2H7ZLA7feWrD6fEU80MeyfDC/i/BXwMJVn5qhhwAIcnRaR7d7aKPfGlY5fxjWTgFQsP84lFiK4eM7MoGEc331+XAEshiySOlZiCf/EBZJLDMaiWzqddG/JM1q5A7VjsSwLNus5NdG9Irq7rhEgxs7kpb1/RV2AsE2yMh92BypQZZpXvDx15EWrJxM5uFUMnYDS3vni0cQOxmzo/JeS4b2egH+7BQ5lpUnFLLGo2NnoyOJpo7nggCdH+QRfp+cWZj+PTu2bMZiKjsA5BdgVwdxRYzYxZtZrUUtqkG602JBtoqFFsggE61OLGP05ji/5YPijSyq4XyRTxZd91yLz725cMQXaI7u2wNCexL0vPiicF82cqlfI+tFo5NcYGMBK8HBMh9Eu4DWvZwm6p71oI2OxZYWozwdONsvXxHWdSAQvlkJs
x-ms-exchange-antispam-messagedata-1: KLm7hgfF7HUg+VLM0HeS/hMAhBVV6HjugxM=
Content-Type: multipart/alternative; boundary="_000_DU0P190MB1978DB0C5606C328D620EC38FDAA9DU0P190MB1978EURP_"
MIME-Version: 1.0
X-OriginatorOrg: iotconsultancy.nl
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DU0P190MB1978.EURP190.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 47d0f24b-5a2d-44cc-6839-08da4dee6589
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Jun 2022 10:12:32.7093 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 58bbf628-15d2-46bc-820b-863b6774d44b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: bM6zIzQsb0FVG1cfGUtUVctuEAHCMsCPDG50yMPfTmBPSkKFNH3D+TlB6lhpB+mD7ouAeCi/fFRq204aBlQ/3Kc3vN43Bm/9j0Ww2PF6+x4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PR3P190MB0889
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/iS-NVnx77UaR5NM-Bgkl5pSIhJA>
Subject: Re: [core] draft-groupcomm-proxy: reverse proxies & URI embedding
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jun 2022 10:12:44 -0000

Hi all,

Since I did not see any views on this matter, I’ll just propose a way forward for groupcomm-proxy :-)

We can define then the 2 types of proxy:


  1.  Forward Proxy
     *   Client MUST include Multicast-Timeout option in its CoAP request.
     *   Client includes the usual CoAP options to construct the proxy URI, using Proxy-Uri or Proxy-Scheme etc.
     *   Proxy constructs the group communication request URI based on above options.
  2.  Reverse Proxy
     *   Client MUST include Multicast-Timeout option in its CoAP request.
     *   By the above option it follows that the client is aware of accessing a proxy and that its code is prepared to correctly handle multiple CoAP responses to 1 request.
     *   Client includes the usual CoAP option to access a resource on the server/proxy, i.e. Uri-Path, Uri-Query and in rare cases Uri-Host/Uri-Port.
     *   The reverse proxy has its own, custom, logic of constructing the groupcomm request URI i.e. deciding which resource leads to which groupcomm request.

Regards
Esko

From: core <core-bounces@ietf.org> On Behalf Of Esko Dijk
Sent: Thursday, June 2, 2022 11:26
To: core <core@ietf.org>
Cc: Christian Amsüss <christian@amsuess.com>
Subject: [core] draft-groupcomm-proxy: reverse proxies & URI embedding

Hi all,

During last interim we discussed some potential issues in the use of a reverse proxy for group communications, see https://datatracker.ietf.org/doc/html/draft-tiloca-core-groupcomm-proxy-06#appendix-A.1 . This example is based on URI mapping as used for RFC 8075 for a HTTP client that wants to access a CoAP resource.

Just to clarify, there are at least these 2 categories of ‘reverse proxy usage’ cases possible:


  1.  Client’s application process is well aware that it is using a reverse-proxy. Client’s HTTP/TC/IP stack is not aware that it is accessing a reverse proxy: for its purposes, it looks just like an origin HTTP server.  The HTTP stack may just be some default or off-the-shelf component, e.g. a Javascript library, or a HTTP stack embedded in a Wi-Fi module.
  2.  Client’s application process is not aware of any reverse-proxy functionality. It just received a URI to resolve from some external input (e.g., a user typing or scanning a QR code) and it tries to perform the request as usual thinking it will get only HTTP response. Similarly, the HTTP stack is not aware that it’s accessing any proxy. The application process just receives the (single) HTTP response and stores it or may send it to the user, or another external process.

What many people think about when they hear “reverse proxy” is case 2; however case 1 also has some practical usefulness. Now for the HTTP client case of RFC 8075 both cases could be supported, if I remember correctly.

Suppose now the HTTP client becomes a CoAP client as in the Appendix A.1 example. Then the feedback in the interim meeting was if I recall correctly, that the CoAP client wouldn’t work correctly. In both cases 1/2, the application process would only receive the very first response (out of multiple) and use it, ignoring the rest. And considering the transaction as closed, freeing the token value that was used. That means the client might re-use the token for a next request even while for the first request the proxy is still sending back responses to the client. (Client then associates responses to the wrong request, potentially – bad!)

So I recall from the discussion that necessarily the client has to be aware that it is talking to a ‘group communication’ proxy , to apply the right token processing and expiry. And the best way to guarantee that is by requiring the client to include the Multicast-Timeout option. Is that correct?

Now the next question is, if this CoAP client is aware of the proxy and must anyhow include the Multicast-Timeout option so it already has dedicated code to do that, why doesn’t this client then use the standard Forward Proxy functionality of CoAP?  There’s no need anymore to embed for example the CoAP URI into the URI path as in the example A.1 , because the client could just use a Proxy-URI option which would make the proxy a “Forward Proxy” instead of a reverse proxy. Any views on this?  If this argument holds then we could just remove any reverse proxy examples and say the client has to invoke the standard CoAP proxy methods in its request.

Best regards
Esko

v2.23.0 | Report a Bug | By Email