Re: sockets APIs extensions for Host Identity Protocol
Keith Moore <moore@cs.utk.edu> Wed, 09 May 2007 13:19 UTC
Return-path: <discuss-bounces@apps.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Hlm4i-0000bt-EW; Wed, 09 May 2007 09:19:24 -0400
Received: from discuss by megatron.ietf.org with local (Exim 4.43) id 1Hlm4h-0000bn-Sl for discuss-confirm+ok@megatron.ietf.org; Wed, 09 May 2007 09:19:23 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Hlm4h-0000be-JB for discuss@apps.ietf.org; Wed, 09 May 2007 09:19:23 -0400
Received: from shu.cs.utk.edu ([160.36.56.39]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Hlm4g-0004Gk-5B for discuss@apps.ietf.org; Wed, 09 May 2007 09:19:23 -0400
Received: from localhost (localhost [127.0.0.1]) by shu.cs.utk.edu (Postfix) with ESMTP id A8ECA1EE1A8; Wed, 9 May 2007 09:19:21 -0400 (EDT)
X-Virus-Scanned: by amavisd-new with ClamAV and SpamAssasin at cs.utk.edu
Received: from shu.cs.utk.edu ([127.0.0.1]) by localhost (shu.cs.utk.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ldCucsR0NapS; Wed, 9 May 2007 09:19:16 -0400 (EDT)
Received: from lust.indecency.org (user-119b1dm.biz.mindspring.com [66.149.133.182]) by shu.cs.utk.edu (Postfix) with ESMTP id 50AB81EE191; Wed, 9 May 2007 09:19:15 -0400 (EDT)
Message-ID: <4641CA52.70504@cs.utk.edu>
Date: Wed, 09 May 2007 09:19:14 -0400
From: Keith Moore <moore@cs.utk.edu>
User-Agent: Thunderbird 2.0.0.0 (Macintosh/20070326)
MIME-Version: 1.0
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Subject: Re: sockets APIs extensions for Host Identity Protocol
References: <Pine.SOL.4.64.0705041801060.14418@kekkonen.cs.hut.fi> <20070507082737.GB21759@nic.fr> <46413DD7.8020702@cs.utk.edu> <20070509121703.GA21070@nic.fr>
In-Reply-To: <20070509121703.GA21070@nic.fr>
X-Enigmail-Version: 0.95.0
OpenPGP: id=E1473978
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 2beba50d0fcdeee5f091c59f204d4365
Cc: discuss@apps.ietf.org
X-BeenThere: discuss@apps.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: general discussion of application-layer protocols <discuss.apps.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/discuss>, <mailto:discuss-request@apps.ietf.org?subject=unsubscribe>
List-Post: <mailto:discuss@apps.ietf.org>
List-Help: <mailto:discuss-request@apps.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/discuss>, <mailto:discuss-request@apps.ietf.org?subject=subscribe>
Errors-To: discuss-bounces@apps.ietf.org
>> In those cases, the programmers are also crippled and prevented from >> dealing effectively with various cases that are now increasingly >> common in the Intenet today: NATs, multiple addresses for source and >> destination (not all of which work equally well), IPv4 vs IPv6 (for >> which the default address selection rules are woefully inadequate), >> multi-faced DNS, LLMNR, etc. >> > > I strongly object to the idea of application programmers dealing with > NAT, IPv4 vs. IPv6 or source address selection for the eternity. The > wiring of level-3 details in the applications is precisely what makes > the transition to IPv6 so difficult. Applications should not have to > be "ported to IPv6". They should work the same with both level-3 > protocols (and, indeed, they do, in every language but C). > In a sense, I agree with you that we don't want most applications having to deal with these things, and we certainly don't want to saddle the application with having to deal with these problems forever. However, I do not reach the same conclusion about the API that you appear to reach, for a few reasons. First is that there will always be some applications (such as diagnostic tools) that need to know more about the network, so it is necessary to have an API that allows those applications to function. Second, I don't share the view that many seem to have that applications in general should be IP version agnostic. IPv4 with NAT is far too brain-damaged, and has such limited reach, so there is a strong case to be made that in some point in the future, many kinds of apps should operate only under IPv6. Similarly there is a case to be made for some legacy apps (e.g. apps that exist mostly to talk to obsolete hardware) to operate only under IPv4. Third, while it is well and good to talk about ideals, the notion that "applications should not have to" deal with these things ignores the fact that in the current network architecture, applications _do_ have to deal with these things. This isn't just a consequence of NATs, but also of the IPv6 architecture which insists that (for a variety of reasons) hosts shall have multiple addresses, but fails to provide hosts (and host stacks) with an effective mechanism for selecting among those addresses on behalf of applications. Such selection needs to take a variety of factors into account, including the communications topology of the application (is it multiparty or point-to-point?) the application's need for bandwidth, the likely duration of the application's association with peers, the ability of the application to tolerate and recover from changes in IP address, the way that the different address prefixes are used by the network (ELIAs can be used differently than globals, and link-locals are certainly used differently than globals), and so forth. Fourth, for a variety of reasons, DNS names are not and have never been adequate as general purpose endpoint identifiers, and this situation is getting worse rather than better. One reason is that DNS names are not equivalent to host names, and emphatically not equivalent to distinguished host names, and haven't been so at least since the web came into existence. A given DNS name might be bound to a single host, multiple hosts having more-or-less equivalent function, a service, a community of users, or whatever; the binding might be stable or ephemeral; and the name might or might not be suitable as a distinguished name (one chosen preferentially over others for use in indicating that host, group of hosts, service, whatever). There's no way to tell. Another reason is that DNS is often slow and unreliable and/or out of sync with reality - one of many factors making DNS names less suitable for referrals between hosts. Another reason is that multi-faced DNS limits the visibility of DNS names even when applications are expected to work across the boundary. Another reason is that DNS is increasingly polluted. For instance, my ISP's default DNS servers lie about DNS results for domains that have no A records, even if there are other records in that domain, in order to redirect HTTP requests for misspelled DNS names to a web server that will "helpfully" offer links to alternatives (and also display advertisements). So however noble it might be to try to present apps with a simple interface based on DNS names, what this really does is to cripple apps' ability to cope with the mess that is DNS. Fifth, trying to overload so many functions in a single API inevitably masks error conditions that often need to be distinguished, and treated differently, by the application. As for the notion that applications work the same for both v4 and v6 in every language but C: This goes a long way toward explaining why network applications continue to be written in C. And that in turn goes a long way toward explaining why network applications are notoriously insecure. I know that every time I've considered writing a network application in a new language, I take a look at the network API and conclude that it's inadequate. (granted, I tend to write more esoteric applications) > If the IPv6 problems are to be useful, it is in showing that there is > ZERO probability of splitting the identifier and the locator if we > have to change the applications. > Despite the oft-cited ideal of splitting the identifier and the locator, nobody has ever to my knowledge provided a complete and convincing example of how it can be made to work well. Actually providing those identifiers, along with a scalable, reliable, fast, and secure service that maintains identifier-to-locator bindings is a nontrivial problem that tends to be overlooked. > I also really doubt that the typical application programmer is able to > do a better job than the kernel / libraries to, choose the source > address or other level-3 features. Plus, IMHO, if someone must > influence this selection, it should be the system and network > administrator, not the application programmer. > Partially disagree, because the selection is heavily dependent on the type of application and how it uses the network. I do think that the network admin has a role in explaining to the application or API how particular addresses are to be used, but I don't think it flies to expect every application to use those addresses in exactly the same way. There's a big difference in how you want to handle address selection for a mounted remote file system than in how you want to handle address selection in an email MTA. >> only if you want to limit the deployability and/or efficiency of >> your application. >> > > As an user, I would be very afraid of an application which tries to > play tricks with NAT... I guess you wouldn't use Skype then, preferring to spend lots of money on international phone calls. In my experience users tend to prefer applications that work reliably over applications that don't work reliably. Given two apps, one that copes with NAT and another that doesn't, users will use the one that copes and blame the one that doesn't - even though arguably the failure of the latter app is the fault of the network. Keith
- sockets APIs extensions for Host Identity Protocol Miika Komu
- Re: sockets APIs extensions for Host Identity Pro… Stephane Bortzmeyer
- Re: sockets APIs extensions for Host Identity Pro… Chris Newman
- Re: sockets APIs extensions for Host Identity Pro… der Mouse
- Re: sockets APIs extensions for Host Identity Pro… Keith Moore
- Re: sockets APIs extensions for Host Identity Pro… Keith Moore
- Re: sockets APIs extensions for Host Identity Pro… Keith Moore
- Re: sockets APIs extensions for Host Identity Pro… Stephane Bortzmeyer
- Re: sockets APIs extensions for Host Identity Pro… Keith Moore
- Re: sockets APIs extensions for Host Identity Pro… Keith Moore
- Re: sockets APIs extensions for Host Identity Pro… der Mouse
- Re: sockets APIs extensions for Host Identity Pro… Stephane Bortzmeyer
- Re: sockets APIs extensions for Host Identity Pro… Stephane Bortzmeyer
- Re: sockets APIs extensions for Host Identity Pro… Keith Moore
- Re: sockets APIs extensions for Host Identity Pro… Miika Komu
- RE: sockets APIs extensions for Host Identity Pro… Henderson, Thomas R
- Re: sockets APIs extensions for Host Identity Pro… Miika Komu
- Re: sockets APIs extensions for Host Identity Pro… Miika Komu
- Re: sockets APIs extensions for Host Identity Pro… Miika Komu
- Re: sockets APIs extensions for Host Identity Pro… Tony Finch
- Re: sockets APIs extensions for Host Identity Pro… Keith Moore
- Re: sockets APIs extensions for Host Identity Pro… Miika Komu
- Re: sockets APIs extensions for Host Identity Pro… Keith Moore
- Re: sockets APIs extensions for Host Identity Pro… Miika Komu
- Re: sockets APIs extensions for Host Identity Pro… Keith Moore
- Re: sockets APIs extensions for Host Identity Pro… der Mouse
- Re: sockets APIs extensions for Host Identity Pro… Miika Komu
- Re: sockets APIs extensions for Host Identity Pro… Keith Moore
- Re: sockets APIs extensions for Host Identity Pro… Keith Moore
- Re: sockets APIs extensions for Host Identity Pro… Miika Komu
- Re: sockets APIs extensions for Host Identity Pro… der Mouse
- Re: sockets APIs extensions for Host Identity Pro… Keith Moore
- Re: sockets APIs extensions for Host Identity Pro… Miika Komu
- Re: sockets APIs extensions for Host Identity Pro… Miika Komu
- Re: sockets APIs extensions for Host Identity Pro… Keith Moore
- Re: sockets APIs extensions for Host Identity Pro… Keith Moore
- Re: sockets APIs extensions for Host Identity Pro… Keith Moore
- Re: sockets APIs extensions for Host Identity Pro… Miika Komu
- Re: sockets APIs extensions for Host Identity Pro… Keith Moore
- RE: sockets APIs extensions for Host Identity Pro… Chris Newman
- Re: sockets APIs extensions for Host Identity Pro… Chris Newman
- Re: sockets APIs extensions for Host Identity Pro… Chris Newman
- Re: sockets APIs extensions for Host Identity Pro… Miika Komu
- Re: sockets APIs extensions for Host Identity Pro… der Mouse
- Re: sockets APIs extensions for Host Identity Pro… der Mouse
- Re: sockets APIs extensions for Host Identity Pro… der Mouse
- Re: sockets APIs extensions for Host Identity Pro… Miika Komu
- Re: sockets APIs extensions for Host Identity Pro… der Mouse
- Re: sockets APIs extensions for Host Identity Pro… Miika Komu
- Re: sockets APIs extensions for Host Identity Pro… Keith Moore
- Re: sockets APIs extensions for Host Identity Pro… Tony Finch
- Re: sockets APIs extensions for Host Identity Pro… der Mouse
- Re: sockets APIs extensions for Host Identity Pro… Keith Moore
- Re: sockets APIs extensions for Host Identity Pro… Miika Komu
- Re: sockets APIs extensions for Host Identity Pro… der Mouse
- Re: sockets APIs extensions for Host Identity Pro… Tony Finch
- Re: sockets APIs extensions for Host Identity Pro… der Mouse
- Re: sockets APIs extensions for Host Identity Pro… Miika Komu