Re: [core] [Dots] Large asynchronous notifications under DDoS: New BLOCK Option?

Carsten Bormann <cabo@tzi.org> Thu, 09 April 2020 09:26 UTC

From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <787AE7BB302AE849A7480A190F8B9330314921C3@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Date: Thu, 09 Apr 2020 11:26:35 +0200
Cc: Achim Kraus <achimkraus@gmx.net>, Jon Shallow <supjps-ietf@jpshallow.com>, "dots@ietf.org" <dots@ietf.org>, "core@ietf.org" <core@ietf.org>
Message-Id: <9B3883A4-9662-4E04-8FC3-00864928E801@tzi.org>
To: mohamed.boucadair@orange.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/rqp3ZxT_VpXZYtDdAFu0w7Nm4kc>
Subject: Re: [core] [Dots] Large asynchronous notifications under DDoS: New BLOCK Option?

Hi Med,

thank you for updating me on this information!

On 2020-04-09, at 09:56, <mohamed.boucadair@orange.com> <mohamed.boucadair@orange.com> wrote:
> 
>> (b) the semantics of observe is that a notification is the whole new
>> state of the resource.  Proxies will implement it that way.  Of course
>> block2 modifies this semantics a bit, so nonblock2 might do that too.
>> Still, I think we need to consider what proxies (or client caches)
>> will make out of the mechanism we devise.
> 
> [Med] Agree for the generic CoAP case. 
> 
> For the particular case of DOTS, sessions are established hop-by-hop when a proxy (we called it a gateway) is involved. We have the full visibility on what happens.

So you have application-aware proxies (which may not even be CoAP proxies).

But that doesn’t mean other proxies aren’t involved; there is also the matter of client caches, which have similar properties (caching, but no multiplexing).  So far, we have tried to keep the proxy/client-caching concept valid with extensions on CoAP; this would be the first one where we would have to say “no CoAP proxies can be used”.  I was wondering whether we can avoid this situation (can = don’t make the solution too complex).

Grüße, Carsten