IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-httpssvc-02.txt

Patrick McManus <mcmanus@ducksong.com> Tue, 10 March 2020 13:31 UTC

Return-Path: <mcmanus@ducksong.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FC8A3A1343 for <dnsop@ietfa.amsl.com>; Tue, 10 Mar 2020 06:31:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, WEIRD_PORT=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ducksong.com header.b=ZrIQEFwC; dkim=pass (2048-bit key) header.d=outbound.mailhop.org header.b=UoMoPYG9
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U6RsIp55qLVA for <dnsop@ietfa.amsl.com>; Tue, 10 Mar 2020 06:31:08 -0700 (PDT)
Received: from outbound1b.ore.mailhop.org (outbound1b.ore.mailhop.org [54.200.247.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74C533A1327 for <dnsop@ietf.org>; Tue, 10 Mar 2020 06:31:08 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1583847067; cv=none; d=outbound.mailhop.org; s=arc-outbound20181012; b=rjX+BBJqj8XYSZZMAAVw6QI3MAkUaV6NnLOG1lx7fWOK93+H0RroCeS4waUgCEk6xXSeOL4iFk6GM t9+EpsMF626O57PGGeLgJc0EYjZJ4mkXA3LdBX2ghYeZlMkxJuvAmIs+Rw9VMO7KaAm9Yt5TTfZRTx YQ94tFU06Y6w8lPZx4puCEDj/HfQTjHhVQhh/LWMj1OsnODODSnahZdzSyXFdbYPX0Cwlx5abL5uY+ lJc6R+hSNJWBS58677ycZXe6CgTQcRukH9mZqxgoeIFhDKyH8QuXBw4CI4T2lTzZLj8MRMoL2pDYQS LVrxXNWZ7z3iNl2TnUgA2a2D97+y01g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=outbound.mailhop.org; s=arc-outbound20181012; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:dkim-signature:dkim-signature:from; bh=4W5MjhkvIkPP4dNtm+QbafWUIbmFBbpnHIHttABk1v0=; b=txA0CFMV8V9Coy9c9mrq8jdbPX8NJkrllnBVe7nHCzxHpW3XMnvQDFCJFRtmStVDYZjPKMsQHBNpc5429ZzMtMWJs9r7i4Rmo9JS8S9wua/HjWeFw6qHPVZmMNFeTaWNiMUhJtzi7Wn07WB8FRF5iHprBRq LLUsT54/gtomXe11RH6WyRIMvyPvGeDJ7pMmOFL73AYWy0vhPgV2x7kIZYbAESjhyT0DUb9fenIn4e Ous+Q5fyVXcLJjZ42Lp7HiP/8sSvorB8mdT4bXoI0vcVpkX7aYkxu5XRbeEUBXe2b+xsmOssIk+CDf f37dT9r3iPiKYVZ3jMC4AN+mC6zbgsg==
ARC-Authentication-Results: i=1; outbound3.ore.mailhop.org; spf=pass smtp.mailfrom=ducksong.com smtp.remote-ip=209.85.210.50; dmarc=none header.from=ducksong.com; arc=none header.oldest-pass=0;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ducksong.com; s=duo-1537391512170-ea99bbb3; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:from; bh=4W5MjhkvIkPP4dNtm+QbafWUIbmFBbpnHIHttABk1v0=; b=ZrIQEFwCffmTjdKzNMok9wuCU4HblZLs31udpfGPGsl32kpqve1VHFQ/4Xq9HQCCUB2N20fFSN16y DOFEqYF/qOQVGzq7zZf+fs5r1fKzkXF8NgTGlalAoWL+kDhzm/uOKQC9hsz7R4vAMNJl4PoC4zKNGg 24LLLRnswGHkddQs=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outbound.mailhop.org; s=dkim-high; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:from; bh=4W5MjhkvIkPP4dNtm+QbafWUIbmFBbpnHIHttABk1v0=; b=UoMoPYG9hvBiabWdlu6MaxBwvIoZEIZw/OU8rSc4zMz8GUG5S88S4Ruhc1r7Ti4dwQsvOm383wcRP qaMYhanPCho8c+o1DazxLlR6wSJCzE1fDn0ruECiBkTmTp0Ti9bTtlWZPZjL8p+3jzwH4fYk+aw7AU qDpamwRWcneUXQ5BqulJHFaOjBaVvi1U0ccg5qUd5Nuut6L7iijDbwgC6h8CQTwsC9n4hdhASXgENl sVazGhgd8rnCg1rhXGULpssNcGsveDhjfYqoEIv10DHgDRh/1cVDq9cTWvojqsX2D73u8bCQHimvrO XEwONZtrzAAy1GjWLoql6DPTeUpATIg==
X-MHO-RoutePath: bWNtYW51cw==
X-MHO-User: 648c1ceb-62d3-11ea-b80e-052b4a66b6b2
X-Report-Abuse-To: https://support.duocircle.com/support/solutions/articles/5000540958-duocircle-standard-smtp-abuse-information
X-Originating-IP: 209.85.210.50
X-Mail-Handler: DuoCircle Outbound SMTP
Received: from mail-ot1-f50.google.com (unknown [209.85.210.50]) by outbound3.ore.mailhop.org (Halon) with ESMTPSA id 648c1ceb-62d3-11ea-b80e-052b4a66b6b2; Tue, 10 Mar 2020 13:31:06 +0000 (UTC)
Received: by mail-ot1-f50.google.com with SMTP id f21so13075008otp.12 for <dnsop@ietf.org>; Tue, 10 Mar 2020 06:31:05 -0700 (PDT)
X-Gm-Message-State: ANhLgQ0Jvnpl9QwnBm15weECqNVvlDB9Q7MZyfXjduvxc2dbWiIQB4qw d6algqZZNqyvW6D2bwyAOSudWtIapXgzvD+d9rc=
X-Google-Smtp-Source: ADFU+vvQMys80paXswgzMgTx9MFE4LWQKbg9BbAtEyjotK7lQJhUMddAW8GzOach/6tPSw3X7Kfg4bD/droDI/iBVG4=
X-Received: by 2002:a9d:4508:: with SMTP id w8mr17926091ote.154.1583847064898; Tue, 10 Mar 2020 06:31:04 -0700 (PDT)
MIME-Version: 1.0
References: <158378460735.5647.5593000704951647849@ietfa.amsl.com> <CAHbrMsD4w7+gx7LhM5YSyBK3cRp4D7qNXOj27pZXns34LMRvZA@mail.gmail.com> <2163206.Wd1G8mu5uQ@linux-9daj> <CAKC-DJgHvwxz_JwXA29mXa1b748gnb0GLmszbDwszhNuFPyWBw@mail.gmail.com>
In-Reply-To: <CAKC-DJgHvwxz_JwXA29mXa1b748gnb0GLmszbDwszhNuFPyWBw@mail.gmail.com>
From: Patrick McManus <mcmanus@ducksong.com>
Date: Tue, 10 Mar 2020 09:30:53 -0400
X-Gmail-Original-Message-ID: <CAOdDvNq27UPg9BtdC83CTMYf3tLdLeGaucVuDNrXvc9cALso-Q@mail.gmail.com>
Message-ID: <CAOdDvNq27UPg9BtdC83CTMYf3tLdLeGaucVuDNrXvc9cALso-Q@mail.gmail.com>
To: Erik Nygren <erik+ietf@nygren.org>
Cc: Paul Vixie <paul@redbarn.org>, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ae8ff905a08021e4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/57Xv7rt4jByrPGqwzxCV71oQRg8>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-httpssvc-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2020 13:31:18 -0000

another positive feature of ports in this record is that it provides some
address space independent of the origin security model of the URI. By this
I mean that https://www.foo.com(implicit :443) and https://www.foo.com:555
are different origins with different web security boundaries. While two
different httpssvc records for 443 and 555 (both for  https:// www.foo.com)
are in the same origin.. this level of indirection can be used for A/B
testing or even for encoding load balancing information in a IP constrained
space. Just like the address is distinct from the URL, the port separates
the 'what' from the 'how' and that's good.

On Mon, Mar 9, 2020 at 10:42 PM Erik Nygren <erik+ietf@nygren.org> wrote:

> On Mon, Mar 9, 2020 at 10:32 PM Paul Vixie <paul@redbarn.org> wrote:
>
>> On Monday, 9 March 2020 20:56:39 UTC Ben Schwartz wrote:
>> > It occurs to me that I hit "publish" on this draft without updating the
>> > release notes, so I'll mention some of the many changes since -01 here
>> > instead:
>> >
>> >  ...
>> >
>> > As always, please review and send comments.  We also expect to do a
>> > presentation on this draft (remotely) in the DNSOP session.
>>
>> i propose that section 6.2 for "port", and all references to same, be
>> removed.
>>
>
> We discussed this some on one of our authors' calls following
> my seeing you allude to this a few weeks ago.
>
> The rationale for keeping port is that HTTPS is not just about the "web"
> use-case.
> While for Web use-cases it is common for most things to always tcp/443,
> there
> are plenty of non-"Web" use-cases (such as API calls in data centers,
> service meshes, etc.)
> where non-standard ports are commonly used.  I know that Tim keeps
> highlighting
> a desire to make sure we consider these use-cases.
>
> There's a default when port is left out (perhaps that should be clarified
> better?)
> but there are cases when being able to switch to an alternate port has
> value.
> Another case where this applies is QUIC/UDP where udp/443 is commonly
> used but where operators may wish to situationally use different ports.
>
> Adding a warning that the use of non-default ports could have
> operational challenges might be warranted.  (There are also
> some confused deputy risks around non-default ports for servers
> that don't validate the port in the Host header, but others convinced
> me that that's a problem for another day.)
>
> A closely related issue is this one:
>
> https://github.com/MikeBishop/dns-alt-svc/issues/111
>
> (regarding clarifying the default port.)
>
> Does this help address the concern?
> It's helpful to know the historical context.
>
>        Erik
>
>
>
>
>
>
>> this is:
>>
>> ---
>>
>> 6.2.  "port"
>>
>>    The "port" SvcParamKey defines the TCP or UDP port that should be
>>    used to contact this alternative service.
>>
>>    The presentation format of the SvcParamValue is a numeric value
>>    between 0 and 65535 inclusive.  Any other values (e.g. the empty
>>    value) are syntax errors.
>>
>>    The wire format of the SvcParamValue is the corresponding 2 octet
>>    numeric value in network byte order.
>>
>> ===
>>
>> in the SRV RR (from RFC 2782) we specified a port number as part of the
>> RData
>> because a client would otherwise have to have an up-to-date /etc/services
>> file
>> (or local equivalent) to know what (TCP) port number a listener would
>> listen
>> on, and this seemed archaic.
>>
>> for HTTPSSVC and SVCB, the service is a constant (HTTPS) and its
>> transport
>> layer port number (443) is known. inviting listener operators to specify
>> a
>> different port number will result in unpredictable (other than
>> wide-spread)
>> failures for those accessors behind NAT, firewalls, or ALG's.
>>
>> please leave out this legacy from DNS SRV as you go forward with HTTPSSVC.
>>
>> --
>> Paul
>>
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

v2.23.0 | Report a Bug | By Email