Re: [core] Benjamin Kaduk's Discuss on draft-ietf-core-resource-directory-25: (with DISCUSS and COMMENT)
Barry Leiba <barryleiba@computer.org> Mon, 08 February 2021 14:08 UTC
Return-Path: <barryleiba@gmail.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDCB03A15AD; Mon, 8 Feb 2021 06:08:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.401
X-Spam-Level:
X-Spam-Status: No, score=-1.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RsfcfeP8yX50; Mon, 8 Feb 2021 06:08:49 -0800 (PST)
Received: from mail-lj1-f172.google.com (mail-lj1-f172.google.com [209.85.208.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D70333A15C4; Mon, 8 Feb 2021 06:08:48 -0800 (PST)
Received: by mail-lj1-f172.google.com with SMTP id a22so1392318ljp.10; Mon, 08 Feb 2021 06:08:48 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=ovmsf/uOBi/l3dTBSJgi0juCutJNc4yX/hl7OnfQbEI=; b=ivvXmNi/DnHY1I4HWCRZf/HfMVVketbSxqWRCk5xLCkmvySlItg/zhIl2cs1EtXv6h g4oBL+HPPOEbmAPKKh1FtVhR8zsgADhKhyaN1q7d6APhz08uipxfIXYacTQ1vUzn4qmJ xn/NpkBMtiikzCoKHgm6bqL77bRbiYtIJnoRXpQGVVJEwWnkWuf3nSrFeZlkNAD4VZkQ ztsMQjOSNtoZGVTszIO9gEn4qw3U65644UJRAVtYusf4d9puMq88pGcQG+frzT2LxjYG yEkzmu9lZCic3ocQ+iB40YwJ/F5GBugxkJwX3N077YxwlIvYs5inf39iWYXQu5Vg5AZw mOdQ==
X-Gm-Message-State: AOAM533mj05RmIAP3J/p9D8Xr/sa1d7s9P9rrI7V51RatSika/5/egnZ sLjKVRwPWBrt8cuZViZv1W9dxpXSaU8HQ6i25Z84ZOao5jo=
X-Google-Smtp-Source: ABdhPJy6SvLnWJcOh+ExWNk17KMOvC/eVoWXlnbtY69xvVJsEZQB6/2fbPxFnJTUkej9XJch+7yNP+/sTwED0cP0lxg=
X-Received: by 2002:a2e:93c7:: with SMTP id p7mr11125274ljh.75.1612793324899; Mon, 08 Feb 2021 06:08:44 -0800 (PST)
MIME-Version: 1.0
References: <159730632066.12379.5174560093789503034@ietfa.amsl.com> <20201103170958.GA45088@hephaistos.amsuess.com> <20201103172739.GE45088@hephaistos.amsuess.com> <CALaySJKZHtcnm1LRsLpcdoqdBEJRWbJbF6gpj6VsGJg8PiUV4w@mail.gmail.com>
In-Reply-To: <CALaySJKZHtcnm1LRsLpcdoqdBEJRWbJbF6gpj6VsGJg8PiUV4w@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
Date: Mon, 08 Feb 2021 09:08:33 -0500
Message-ID: <CALaySJKZ3e9S2w9oXL-OXfm+qNCDiii8Mas-+aSC48u_vuopuA@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>, Christian Amsüss <christian@amsuess.com>
Cc: draft-ietf-core-resource-directory@ietf.org, jaime.jimenez@ericsson.com, core-chairs@ietf.org, The IESG <iesg@ietf.org>, core WG <core@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/syJDl6wcoTTwQOWPD46zm5fImoE>
Subject: Re: [core] Benjamin Kaduk's Discuss on draft-ietf-core-resource-directory-25: (with DISCUSS and COMMENT)
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Feb 2021 14:08:53 -0000
Ping... On Fri, Jan 29, 2021 at 10:05 AM Barry Leiba <barryleiba@computer.org> wrote: > > Ben, can you check version -26 and see how much of your ballot is > addressed there? > > Christian, do you think you've addressed all of Ben's issues in -26? > > Barry > > On Tue, Nov 3, 2020 at 12:28 PM Christian Amsüss <christian@amsuess.com> wrote: > > > > (This is one of the point-to-point follow-up mails on the RD -25 > > reviews; for the preface, please see the preceding mail on "The various > > positions on draft-ietf-core-resource-directory-25" at > > <https://mailarchive.ietf.org/arch/msg/core/xWLomwwhovkU-CPGNxnvs40BhaM/>). > > > > As DISCUSS: > > > > > I agree with Roman that the authorization model seems under-developed. > > > While I recognize that there is need for flexibility across various > > > deployments, I think that we should be providing a default model (and > > > procedures for it) that will apply in many cases, and let > > > deployments specify alternate models if needed. This stuff is hard > > > enough to get right that we should have a secure option that people can > > > use if they don't need to have customized details. (To be clear, I > > > agree with the change of focus from -24 to -25 on the properties that a > > > security policy needs to provide and/or consider, as that is > > > fundamentally the important thing. I just want a fallback/default > > > option that "does something reasonable in most cases" in addition. > > > Doing that by reference to some other existing thing would be fine, if > > > such a thing exists.) > > > > response: > > > > There is no external policy we could reference, so a new section was created. > > The First-Come-First-Remembered policy implements one of the candidates that > > were considered for this role, and was picked because unlike its "endpoint name > > comes from the certificate" it is a mode which an implementation can use > > without any further configuration whatsoever. > > > > The related changes can be viewed in > > https://github.com/core-wg/resource-directory/issues/258. > > > > > In particular, the current text seems to rely on the authorization > > > model including: > > > > > > (1) the RD knowing how clients will be using it (and thus what > > > properties the RD needs to enforce), which in the general case cannot be > > > known (though for static networks it could be), yet I don't see any > > > discussion that indicates this as a prerequisite; and > > > > > > (2) the client either knowing out-of-band that an entity is authorized > > > to act as a RD or just blindly trusting any of the unauthenticated (*) > > > advertisement mechanisms. (* Yes, there may be some protection in the > > > network on subscribing to the relevant multicast address, DNS-SD, etc., > > > but the client cannot a priori know that such protections are in place.) > > > > > > Relatedly, the naming model and naming authority should have some > > > clearer discussion. We do mention in Section 7 the possibility for a > > > weak naming model where the RD is responsible for enforcing uniqueness > > > of names but otherwise link attributes are the primary authorization > > > criteria (vs. a traditional scheme with a naming authority and naming > > > hierarchy), but with naming as a fundamental prerequisite of any > > > authentication/authorization scheme, I think clearer discussion of how a > > > naming model is to be selected (and, perhaps more importantly, that it > > > must be fixed as part of a given deployment) for a given network is > > > needed. > > > > respond: > > > > The responsibilities are the other way around. The RD does not need to know the > > clients' expectations, the clients may only expect things they know to be true > > of the RD. > > > > See GENERIC-WHOPICKSMODEL. > > > > > If I understand correctly, we have some codepoint squatting going on in > > > the examples (e.g., for resource types). > > > > response: > > > > The rt=temperature-c, rt=light-lux and if=sensor are used where endpoints > > mimick the examples of RFC6690; it is a point here to have things look just > > like in direct discovery. > > > > The if=core.a and if=core.p use values from the expired and partially abandoned > > core-interfaces -- given its future is unclear, they've been replaced by > > examples with tag URIs, as has the et=oic.d.sensor (a value that's registered, > > but not to for et but for rt) and rt="light"; rt=sensor was dropped as it was > > not essential to the example. > > > > The individual changes are listed in > > https://github.com/core-wg/resource-directory/pull/266. > > > > > We should talk about the security properties of the various RD discovery > > > mechanisms that are defined. > > > > response: > > > > A section was added in the security considerations on this topic (see > > https://github.com/core-wg/resource-directory/pull/275 for text > > changes). It does not go into the properties of each mechanism, as the host > > discovery steps are generally unprotected; instead, it emphasizes the > > importance of checking the RD's authorization for any security properties the > > client would expect. In the context of the server authorization topic (see > > OPEN-SERVER), it was added that if the authorization is conditional on the > > resources being advertised with a particular resource type, that authorization > > already needs to be checked during the discovery phase (details in > > https://github.com/core-wg/resource-directory/pull/306). > > > > As COMMENT: > > > > > My apologies for where these comments diverge off into rambling > > > incoherency, or where I'm misunderstanding something that's clearly laid > > > out; this document had the misfortune of being the last one I got to > > > this week. > > > > > > Section 1 > > > > > > [RFC6690] only describes how to discover resources from the web > > > server that hosts them by querying "/.well-known/core". In many > > > constrained scenarios, direct discovery of resources is not practical > > > due to sleeping nodes, disperse networks, or networks where multicast > > > traffic is inefficient. These problems can be solved by employing an > > > entity called a Resource Directory (RD), which contains information > > > about resources held on other servers, allowing lookups to be > > > performed for those resources. > > > > > > nit(?): I'd consider specifying that the RD is "a trusted entity". > > > (Even when the resources themselves are authenticated, a hostile RD can > > > still deny existence of a given resource, so by choosing to use an RD > > > there is some level of trust involved.) > > > > response: > > > > Putting it in there as a trusted entity would give the reader a wrong > > impression of the general case. Any trust placed in the RD must be earned by a > > security policy backed by the RD's credentials. > > > > > Section 2 > > > > > > Resource Directory (RD) > > > A web entity that stores information about web resources and > > > implements the REST interfaces defined in this specification for > > > discovery, for the creation, the maintenance and the removal of > > > registrations, and for lookup of the registered resources. > > > > > > nit: the list structure is not parallel here. Maybe "for discovery, > > > creation, maintenance, and removal of registrations, and for lookup of > > > the registered resources"? > > > > response: > > > > The intended structure that's linearized into the sadly untreeish structure of > > written language was > > > > * discovery > > * of registrations > > - creation > > - maintenance > > - removal > > * lookup > > > > I think this is what the current text expresses, whereas the proposed one > > groups discovery with "of registrations", while it's more a top-level thing. > > > > > Commissioning Tool > > > Commissioning Tool (CT) is a device that assists during the > > > installation of the network by assigning values to parameters, > > > naming endpoints and groups, or adapting the installation to the > > > needs of the applications. > > > > > > Is "the installation of the network" a one-time event? (Might a CT be > > > involved when adding a new device to a network at a later time?) > > > > response: > > > > CTs can come back to help new devices into the network; the text has been > > clarified to that point in > > https://github.com/core-wg/resource-directory/pull/295. > > > > There are remaining questions about how long a network can operate autonomously > > while the CT is absent and can thus not refresh registrations, but those exceed > > the scope of the document. (Discussed at > > https://github.com/core-wg/resource-directory/issues/290). > > > > > Section 3.1 > > > > > > Information SHOULD only be stored in the RD if it can be obtained by > > > querying the described device's /.well-known/core resource directly. > > > > > > When might that not be the case? > > > > response: > > > > The prime example here is with devices that don't even have a copy of what they > > might want to (but can't for resource constraints) express there; those use a > > CT to do their work. > > > > The second example I can come up with is when devices have complex > > confidentiality requirements on the links, but rely on the RD and thus publish > > data to an authorized RD of which they don't even know who precisely might be > > authorized to read them. > > > > > Section 3.2 > > > > > > The RD architecture is illustrated in Figure 1. An RD is used as a > > > repository of registrations describing resources hosted on other web > > > servers, also called endpoints (EP). An endpoint is a web server > > > associated with a scheme, IP address and port. A physical node may > > > > > > (side note) hmm, I feel like in the HTTP world an endpoint is more > > > likely to be associated with a DNS name than an IP address, in common > > > usage. Also, we later go on to assert that the endpoint's name has > > > primacy and that the IP address/port can be ephemeral. > > > > response: > > > > This is leading the reader from the CoAP definition of endpoints to the > > endpoints as registrants as used in the RD. > > > > > An endpoint uses specific interfaces to register, update and remove a > > > registration. It is also possible for an RD to fetch Web Links from > > > endpoints and add their contents to its registrations. > > > > > > At the first registration of an endpoint, a "registration resource" > > > is created, the location of which is returned to the registering > > > endpoint. The registering endpoint uses this registration resource > > > to manage the contents of registrations. > > > > > > Does the "RD fetches links unilaterally" case count as a "first > > > registration of an endpoint"? I'm having a hard time seeing how these > > > two statements are consistent with each other, and a naive reading > > > admits the possibility that a given endpoint could be "locked out" of > > > the ability to manage the contents of its registrations. > > > > response: > > > > The act of the endpoint triggering the RD to fetch links from it is the > > creation. And the "locking out" is the correct reading -- a client that uses > > simple client has no way of managing the contents. If it were capable enough to > > do that, it'd go the regular registration route. > > > > > Section 4 > > > > > > REST clients (registrant-EPs and CTs during registration and > > > maintenance, lookup clients, RD servers during simple registrations) > > > MUST be prepared to receive any unsuccessful code and act upon it > > > according to its definition, options and/or payload to the best of > > > their capabilities, falling back to failing the operation if recovery > > > is not possible. In particular, they should retry the request upon > > > > > > "MUST be prepared [...] to the best of their abilities" seems > > > non-actionable. The stuff after "In particular", on the other hand, is > > > actual concrete guidance that could be mandated using normative > > > language. > > > > response: > > > > Right; fixed in https://github.com/core-wg/resource-directory/pull/276. > > > > > Section 4.1 > > > > > > 1. In a 6LoWPAN, just assume the Border Router (6LBR) can act as an > > > RD (using the ABRO option to find that [RFC6775]). Confirmation > > > can be obtained by sending a Unicast to "coap://[6LBR]/.well- > > > known/core?rt=core.rd*". > > > > > > nit(?): I was unaware that "Unicast" was a proper noun. > > > > response: > > > > Addressed in https://github.com/core-wg/resource-directory/pull/277. > > > > > Section 4.3 > > > > > > "core.rd" in the query string. Likewise, a Resource Type parameter > > > value of "core.rd-lookup*" is used to discover the URIs for RD Lookup > > > operations, core.rd* is used to discover all URI paths for RD > > > operations. [...] > > > > > > Is the distinction between URIs (for RD Lookup) and URI paths (for RD) > > > important here? > > > > response: > > > > No, it isn't. Fixed in https://github.com/core-wg/resource-directory/pull/277. > > > > > While the link targets in this discovery step are often expressed in > > > path-absolute form, this is not a requirement. Clients of the RD > > > SHOULD therefore accept URIs of all schemes they support, both as > > > URIs and relative references, and not limit the set of discovered > > > URIs to those hosted at the address used for URI discovery. > > > > > > I'm not sure I see how the "not limit [...] to those hosted at the > > > address used for URI discovery" follows from the non-requirement for > > > expression of the link-targets from discovery in path-absolute form. > > > (Given the ability to send the discovery query to a multicast address, > > > the guidance seems okay; it's just the "therefore" that is puzzling me.) > > > > response: > > > > If it was a requirement on the server, the clients could rely on it and thus > > implicitly limit the set by failing to parse the full URIs. > > > > (It could say "explicitly or implicitly limit", but only the "implicitly > > limit" case justifies the "therefore".) > > > > > It would typically be stored in an implementation information link > > > (as described in [I-D.bormann-t2trg-rel-impl]): > > > > > > Req: GET /.well-known/core?rel=impl-info > > > > > > This seems to be depicting a link-relation type that is not registered > > > at https://www.iana.org/assignments/link-relations/link-relations.xhtml > > > , i.e., codepoint squatting. Please put in a stronger disclaimer that > > > this is an example link relation type, not just an example exchange. > > > > response: > > > > A note has been added that the type is just proposed in a WIP document (in > > https://github.com/core-wg/resource-directory/pull/278). > > > > > Section 5 > > > > > > These first few paragraphs give the impression that this is > > > first-come-first-served with minimal authentication or authorization > > > checking. Mentioning that there are authorization checks, with a > > > forward-reference, might be helpful. > > > > response: > > > > It's more a last-come-longest-remembered, but even the most minimal security > > policies would ensure that the registration resources belong to the "same" > > device (for whatever the policy defines as same). > > > > Clarified in https://github.com/core-wg/resource-directory/pull/292. > > > > > further parameters (see Section 9.3). The RD then creates a new > > > registration resource in the RD and returns its location. The > > > > > > Is this returned "registration resource" expected to function as a > > > "capability URL" (https://www.w3.org/TR/capability-urls/) that would > > > need to contain an appropriate amount of entropy to be reasonably > > > unguessable by parties other than the registrant-ep/CT responsible for > > > it? > > > > response: > > > > No, it is not a capability URL -- it will be discoverable through the endpoint > > lookup interface. > > > > Note that around ACE, bearer tokens (which capability URLs are) are generally > > discouraged in favor of proof-of-possession tokens. > > > > > The registration request interface is specified as follows: > > > > > > Interaction: EP -> RD > > > > > > I thought that the CT could be a requestor as well as the EP. > > > > response: > > > > Yes it can be. The expression in the interaction tables is an artifact of the > > CTs being a not-even-special case of EPs, but as we have both of them in the > > rest of the text, so do we now in those lists. (Changes in > > https://github.com/core-wg/resource-directory/pull/309). > > > > > well. The endpoint name and sector name are not set when one > > > or both are set in an accompanying authorization token. > > > > > > What should the RD do if they are set but also present in the > > > accompanying authorization token? > > > > response: > > > > The wording has been updated in > > https://github.com/core-wg/resource-directory/pull/273; it now (by > > construction, but also explicitly) explains conflict handling. > > > > > Req: POST coap://rd.example.com/rd?ep=node1 > > > Content-Format: 40 > > > Payload: > > > </sensors/temp>;ct=41;rt="temperature-c";if="sensor", > > > > > > (side note) XML for the sensors, not SenML? With Carsten as an author, > > > even? ;) > > > > response: > > > > This is clearly a mistake, and got removed in an emergency update in > > https://github.com/core-wg/resource-directory/pull/279. > > > > More seriously, though, these examples are from RFC6690 (which does not have > > ct= entries for reasons of chronology), and keeping them aligned is a good > > thing. > > > > > An RD may optionally support HTTP. Here is an example of almost the > > > same registration operation above, when done using HTTP. > > > > > > Req: > > > POST /rd?ep=node1&base=http://[2001:db8:1::1] HTTP/1.1 > > > Host: example.com > > > > > > Wouldn't "Host: rd.example.com" be closer to "almost the same > > > registration"? > > > > response: > > > > Fixed in https://github.com/core-wg/resource-directory/pull/277. > > > > (I had brief qualms about introducing a protocol-negotiation situation here, > > but performing "almost the same registration" over two protocols already > > necessarily does that). > > > > > Section 5.1 > > > > > > I'm a little uneasy about specifying new behavior for POST to the > > > existin /.well-known/core that was defined by RFC 6690 for other uses. > > > What factors go into using the same well-known URI vs. defining a new > > > one for this usage? > > > > response: > > > > It-always-having-been-that-way, primarily. As no large deployments are known, > > this is fixed in https://github.com/core-wg/resource-directory/pull/259 > > by switching to a standalone /.well-known/rd. > > > > > The sequence of fetching the registration content before sending a > > > successful response was chosen to make responses reliable, and the > > > caching item was chosen to still allow very constrained registrants. > > > > > > I'm not sure what "the caching item" is supposed to be (if it's not a > > > typo/misordering of words). > > > > response: > > > > Now phrased as "the point about caching" (in > > https://github.com/core-wg/resource-directory/pull/277) which should > > be easier to read. A few lines up we recommend that the RD caches the .wk/c, > > and this provides the rationale. > > > > > Section 5.3 > > > > > > queries concerning this endpoint. The RD SHOULD continue to provide > > > access to the Registration Resource after a registration time-out > > > occurs in order to enable the registering endpoint to eventually > > > refresh the registration. The RD MAY eventually remove the > > > registration resource for the purpose of garbage collection. If the > > > Registration Resource is removed, the corresponding endpoint will > > > need to be re-registered. > > > > > > (This MAY is actually a MUST for the simple registration case, per §5.1, > > > right?) > > > > response: > > > > No, it's a choice there as well. One server may keep them around forever, and > > when the simple client comes back it'll show with the same registration > > resource in the resource lookup. Another server may GC it and assign a > > different registration resource when it returns. > > > > > Section 5.3.1 > > > > > > An update MAY update the lifetime or the base URI registration > > > parameters "lt", "base" as in Section 5. Parameters that are not > > > > > > What about the "extra-attrs"; are they inherently forbidden from > > > updates? > > > > response: > > > > The introduction paragraph was overly specific and fixed in > > https://github.com/core-wg/resource-directory/pull/294. > > > > > base := Base URI (optional). This > > > parameter updates the Base URI established in the original > > > registration to a new value. If the parameter is set in an > > > update, it is stored by the RD as the new Base URI under which > > > to interpret the relative links present in the payload of the > > > original registration, following the same restrictions as in > > > the registration. If the parameter is not set in the request > > > > > > nit: is it the interpretation of relative links that is following the > > > same restrictions as in the registration, or the new value of the > > > parameter being supplied in the update? > > > > response: > > > > The restrictions apply to the new value, and were moved up there in > > https://github.com/core-wg/resource-directory/pull/294. > > > > > The following example shows how the registering endpoint updates its > > > registration resource at an RD using this interface with the example > > > location value: /rd/4521. > > > > > > The path component "4521" contains a worryingly small amount of > > > unpredictableness; I would prefer examples that used longer random > > > locations, as for capability URLs. (Throughout the document, of > > > course.) See also draft-gont-numeric-ids-sec-considerations, that I'm > > > AD sponsoring, though I do not see any clear issues on first glance. > > > > response: > > > > See comment on the original capability URL question -- they are not. > > > > > (Also, it might be worth another sentence that this update is serving > > > just to reset the lifetime, making no other changes, since this might be > > > expected to be a common usage.) > > > > response: > > > > Stating purpose rather than mechanism now (since > > https://github.com/core-wg/resource-directory/pull/294). > > > > > Section 6 > > > > > > With "Resource Lookup" and "Endpoint Lookup" as (apparent) top-level > > > siblings, would it make sense to put 6.2, or at least 6.3, as > > > subsections under 6.1? > > > > response: > > > > It would from a hierarchical table-of-contents point of view, but given the > > focus of lookup is on resource lookup, the existing sequence captures the > > narrative of "With an RD, you can look up resources, here is how you use it, > > here is what it looks like, and by the way if you really need it you can even > > look at the registrations themselves". > > > > > Section 6.1 > > > > > > Resource lookup results in links that are semantically equivalent to > > > the links submitted to the RD. The links and link parameters > > > returned by the lookup are equal to the submitted ones, except that > > > the target and anchor references are fully resolved. > > > > > > Are the "submitted ones" the submissions at registration time, or during > > > the lookup query itself? (I assume registration-time, but being > > > explicit costs little.) > > > > response: > > > > Some words added for clarity in > > https://github.com/core-wg/resource-directory/pull/294. > > > > > If the base URI of a registration contains a link-local address, the > > > RD MUST NOT show its links unless the lookup was made from the same > > > link. The RD MUST NOT include zone identifiers in the resolved URIs. > > > > > > Same link as what? > > > > response: > > > > The link the endpoint sits on; clarified in > > https://github.com/core-wg/resource-directory/pull/294. > > > > > Section 6.2 > > > > > > The page and count parameters are used to obtain lookup results in > > > specified increments using pagination, where count specifies how many > > > > > > (We haven't introduced the page and count parameters yet.) > > > > response: > > > > Wording has been enhanced in > > https://github.com/core-wg/resource-directory/pull/294. > > > > > operator as in Section 4.1 of [RFC6690]. Attributes that are defined > > > as "link-type" match if the search value matches any of their values > > > > > > Where is it specified how an attribute might be "defined as > > > 'link-type'"? This is the only instance of the string "link-type" in > > > this document, and it does not appear in RFC 6690 at all... > > > > response: > > > > That should have said "relation-types"; it does now, and also refers to > > the 6690 ABNF (since > > https://github.com/core-wg/resource-directory/pull/294. > > > > > references) and are matched against a resolved link target. Queries > > > for endpoints SHOULD be expressed in path-absolute form if possible > > > and MUST be expressed in URI form otherwise; the RD SHOULD recognize > > > either. The "anchor" attribute is usable for resource lookups, and, > > > if queried, MUST be for in URI form as well. > > > > > > I don't see how it can be only a SHOULD to recognize either given these > > > generation criteria. > > > > response: > > > > If the URI is on a different scheme/host, I assert things are clear. (Just to > > ensure I didn't get your point wrong.) > > > > Otherwise, in practice there can happen mistakes where server and client > > disagree about the default values of the Uri-Scheme, Uri-Host and Uri-Port > > options -- as anyone who's ever tried to set up an HTTP reverse proxy for a > > WebDAV server can attest to. We're trying to avoid creating these situations, > > but when they do happen. We don't automatically declare the offending party > > broken by putting a MUST here, but encourage the peer to assist it. The client > > can help by providing the relative reference (for then, disagreement passses > > unnoticed), and the server by recognizing the full URI (for the client may have > > obtained it and not know that it'd match what the server thinks is its Uri-Host > > name). > > > > (The "and MUST be expressed in URI form otherwise" sounds like a factual > > necessity, but it is here to rule out the corner case of a client handing out > > //hostname/path style references). > > > > > Section 6.3 > > > > > > The following example shows a client performing a lookup of all > > > resources of all endpoints of a given endpoint type. It assumes that > > > two endpoints (with endpoint names "sensor1" and "sensor2") have > > > previously registered with their respective addresses > > > "coap://sensor1.example.com" and "coap://sensor2.example.com", and > > > posted the very payload of the 6th request of section 5 of [RFC6690]. > > > > > > Er, the 6th request is a GET; do we mean to say the response to the 6th > > > request? > > > > response: > > > > Yes. Fixed in https://github.com/core-wg/resource-directory/pull/294. > > > > > Section 6.4 > > > > > > The endpoint lookup returns registration resources which can only be > > > manipulated by the registering endpoint. > > > > > > This seems to leave it unclear whether the endpoint lookup is expected > > > to return resources that the requestor will not have permission to > > > manipulate (in addition to those it does have permission for). > > > > response: > > > > Clarified in https://github.com/core-wg/resource-directory/pull/294. > > > > > While Endpoint Lookup does expose the registration resources, the RD > > > does not need to make them accessible to clients. Clients SHOULD NOT > > > attempt to dereference or manipulate them. > > > > > > But why expose them at all if they're not going to be accessible? > > > > response: > > > > They serve as identifiers (think URI rather than URL), and may additionally be > > used in implementation defined operations on the resource that could be allowed > > for administrators. Last but not least, link-format (unlike the upcoming CoRAL) > > does not have means of talking about something without naming it. > > > > (I do see the point, and if we started RD anew with the benefit of having > > CoRAL, chances are this would look a bit different, and the names would not be > > exposed to just any lookup client). > > > > The WG discussion of this did, however, lead to a point added to the security > > considerations about the RD's choice of what to put in there (change in > > https://github.com/core-wg/resource-directory/pull/267). > > > > > An RD can report endpoints in lookup that are not hosted at the same > > > address. [...] > > > > > > The "same address" as what? > > > > response: > > > > Sharpened in https://github.com/core-wg/resource-directory/pull/294. > > > > > Section 7.1 > > > > > > Whenever an RD needs to provide trustworthy results to clients doing > > > endpoint lookup, or resource lookup with filtering on the endpoint > > > > > > How will the RD know whether the client is expecting trustworthy > > > results? (When would a client *not* expect trustworthy results?) > > > > response: > > > > It won't per-client, it is configured for one. See GENERIC-WHOPICKSMODEL. > > > > > name, the RD must ensure that the registrant is authorized to use the > > > given endpoint name. This applies both to registration and later to > > > operations on the registration resource. It is immaterial there > > > whether the client is the registrant-ep itself or a CT is doing the > > > registration: The RD can not tell the difference, and CTs may use > > > > > > I suppose there might be plausible authorization models where a > > > return-routability check to a given address constitutes authorization to > > > use that address as an endpoint name, in which case the RD can tell the > > > difference between a registrant-ep and a CT attempting to act on its > > > behalf. > > > > WGF-6 > > response: > > > > The RD might do such checks, but then again the EP might just be using > > different network interfaces simultaneously. At that point where the EP uses a > > different (and usually dormant) network interface for registration, the line > > between EP and the CT gets blurry; we tolerate that blurriness because the > > distinction is not so much a technical one (the REST server does not care > > whether the request originates at its network peer, is proxied through there or > > sent from there on behalf of someone completely different) as long as the > > credentials are good. > > > > Frankly, I'm personally not too happy with distinguishing CTs in the first > > place; it is more reflective of what I understand to be an industry practice > > than a distinction in this CoAP application. > > > > > When certificates are used as authorization credentials, the > > > sector(s) and endpoint name(s) can be transported in the subject. In > > > an ACE context, those are typically transported in a scope claim. > > > > > > As Russ noted in the Gen-ART review, "transported in the subject" is > > > sufficiently vague to not really be actionable. It might be better to > > > say that the holder of the private key corresponding to the public key > > > certified in the certificate is generally considered authorized to act > > > on behalf of any identities (including endpoint names) contained in the > > > certificate's subject name. > > > > response: > > > > See GENERIC-SUBJECT. > > > > > Section 7.1.1 > > > > > > Conversely, in applications where the RD does not check the endpoint > > > name, the authorized registering endpoint can generate a random > > > number (or string) that identifies the endpoint. The RD should then > > > > > > How much entropy/randomness in the random name? Does a CSPRNG need to > > > be used? (I do see the follow-up about doubling the length in case of > > > failure or starting with a UUID if that's not possible, but some > > > guidance on where to start still seems appropriate.) > > > > respond: > > > > There is no requirement here as collisions only result in retries. > > > > For those cases where the client implementer thinks they can get away with not > > implementing retry, UUID URNs are pointed to, which themselves cover the topic. > > > > > Section 7.2 > > > > > > When lookup clients expect that certain types of links can only > > > originate from certain endpoints, then the RD needs to apply > > > filtering to the links an endpoint may register. > > > > > > As before, how will the RD know what behavior clients are relying on? > > > > response: > > > > It will not. It may, however, advertise it explicitly. If, for example, an > > application like LwM2M always ensures trusted endpoint names, the RD may > > advertise as rt="core.rd-lokup-ep example.lwm2m", and then clients that trust > > that metadatum (which they'll want to verify from some claim) know they can > > trust the RD to have checked ep names. > > > > See also GENERIC-WHOPICKSMODEL > > > > > An RD may also require that only links are registered on whose anchor > > > (or even target) the RD recognizes as authoritative of. One way to > > > > > > I don't think I can parse this sentence (especially "the RD recognizes > > > as authoritative of"). > > > > response: > > > > Rephrased to "require that links are only registered if the registrant is > > authorized to publish information about the anchor [...] of the link." in > > https://github.com/core-wg/resource-directory/pull/294. > > > > > Section 8 > > > > > > In contexts where we discuss DTLS and TLS as being generally comparable, > > > we typically will state that DTLS replay protection is required in order > > > to provide equivalent levels of protection. > > > > response: > > > > This item rippled quite a bit beyond the original response of "Huh? CoAP > > doesn't already do this? Well, here we need it". > > > > As things stand, requiring replay protection make it harder to exploit the > > issue described at OPEN-REPLAY-FRESHNESS, but once that is addressed for good, > > replay protection should not be necessary any more for the RD, as all its > > operations are becoming long-term idempotent. > > > > > We might also want to reiterate or refer back to the previous discussion > > > of the potential for attributes or resource/endpoint names, link > > > relations, etc. that may need to be confidential, the relevant access > > > control/filtering, and the avenues by which disclosure of resource names > > > can occur even when access to those resources will not be permitted. (I > > > think some of this overlaps with 8288 and 6690, but don't mind repeating > > > it.) > > > > response: > > > > There is a pointer back saying that the necessary access control depends on the > > protection objectives set in the policies (since > > https://github.com/core-wg/resource-directory/pull/250). > > > > > Section 8.1 > > > > > > It's probably worth reiterating that all name comparisons must be done > > > at sector scope (since failing to do so can lead to attacks). > > > > response: > > > > It is; fixed since https://github.com/core-wg/resource-directory/pull/296. > > > > > Endpoint authentication needs to be checked independently of whether > > > there are configured requirements on the credentials for a given > > > endpoint name (Section 7.1) or whether arbitrary names are accepted > > > (Section 7.1.1). > > > > > > I think this is more properly authorization than authentication. > > > > response: > > > > Yes; fixed in https://github.com/core-wg/resource-directory/pull/271. > > > > > Section 8.3 > > > > > > attacks. There is also a danger that NTP Servers could become > > > implicated in denial-of-service (DoS) attacks since they run on > > > unprotected UDP, there is no return routability check, and they can > > > have a large amplification factor. The responses from the NTP server > > > were found to be 19 times larger than the request. An RD which > > > > > > (It's not clear to me why the specific discussion of NTP numbers is > > > relevant here, since RD is not NTP.) > > > > response: > > > > The section has been shortened in > > https://github.com/core-wg/resource-directory/pull/249. > > > > > Section 9.3 > > > > > > Should we also include "rt" in the initial entries? I see it is used as > > > a query parameter for resource lookup in the examples in Section 6.3. > > > > response: > > > > It's used as is any other link attribute. There's no registry for them, and > > while there's been talk over ond over that it would be nice, I don't think > > there will be any until linkformat-CoRAL conversion is defined (and even then > > it may not be comprehensive). Selectively picking some distinguished common > > link attributes into this registry won't make things less messy. > > > > The prime line of defense against this getting messy is the expert guidance > > that for some types of parameters their short names should be checked against > > "commonly used target attributes". > > > > > > > * indication of whether it can be passed as a query parameter at > > > registration of endpoints, as a query parameter in lookups, or be > > > expressed as a target attribute, > > > > > > (Since this text does not clarify about lookup of endpoints vs. > > > resources... > > > > > > Review" as described in [RFC8126]. The evaluation should consider > > > formal criteria, duplication of functionality (Is the new entry > > > redundant with an existing one?), topical suitability (E.g. is the > > > described property actually a property of the endpoint and not a > > > property of a particular resource, in which case it should go into > > > the payload of the registration and need not be registered?), and the > > > > > > ... and this text suggests that query parameters for *resource* lookups > > > need not be registered.) > > > > > > potential for conflict with commonly used target attributes (For > > > example, "if" could be used as a parameter for conditional > > > registration if it were not to be used in lookup or attributes, but > > > would make a bad parameter for lookup, because a resource lookup with > > > an "if" query parameter could ambiguously filter by the registered > > > endpoint property or the [RFC6690] target attribute). > > > > > > Then why do we use it as an example of lookup filtering in Section 6.2? > > > > response: > > > > The text suggests that target attributes for registered resources need not be > > registered. These unregistered wild-west attribute names can be used both with > > resource lookups (matching only resources which), and in endpoint lookups > > (matching endpoints that contain any resource which). > > > > If `if` were to be put in for use in an RD parameter used with lookup, that > > would not per se create ambiguous queries (the rules would still say "matches > > either"), but the results would be prone to causing confusion. > > > > > Section 10.1.2 > > > > > > Should we really be using unregistered resource types (i.e., codepoint > > > squatting) in the examples? > > > > response: > > > > Addressed together with the earlier code squatting comments in > > https://github.com/core-wg/resource-directory/pull/266. > > > > > After the filling of the RD by the CT, the application in the > > > luminaries can learn to which groups they belong, and enable their > > > interface for the multicast address. > > > > > > Just to check: the luminaries are learning their own group membership by > > > querying the resource directory? > > > > response: > > > > Not directly. They (in this very particular example that seems to be based on > > industry process but which I'd not necessarily recommend for imitation) use a > > heuristic to find any multicast URI they might possibly provide, and join that > > group. > > > > > Section 10.2.2 > > > > > > Please expand MSISDN. > > > > response: > > > > Taking a step back from this and other comments led to a drastical shortening > > of the example. > > > > See also GENERIC-ODDEXAMPLES > > > > > Section 13.2 > > > > > > I think RFC 7252 should probably be normative. > > > > > > Likewise for RFC 8288 ("the query parameter MUST be [...] a token as > > > used in [RFC8288]"). > > > > response: > > > > RFC7252 (CoAP) and RFC7230 (HTTP) were promoted to a normative reference. > > (RFC7641 (CoAP observe) wasc left as informative because while they are > > optional components, RD is not so much specified using them but more happens to > > combine with them). > > > > RFC8288 was also promoted, but not due to the quoted line (that's not > > implementation relevant but merely setting out rules for the registry > > operation), but because we explicitly pull it in in terminology and the > > information model. > > > > (Changes in https://github.com/core-wg/resource-directory/pull/307).
- [core] Benjamin Kaduk's Discuss on draft-ietf-cor… Benjamin Kaduk via Datatracker
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Barry Leiba
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Christian M. Amsüss
- Re: [core] The various positions on draft-ietf-co… Christian Amsüss
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Christian Amsüss
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Barry Leiba
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Barry Leiba
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk