Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-httpssvc-02.txt
Erik Nygren <erik+ietf@nygren.org> Tue, 10 March 2020 18:48 UTC
Return-Path: <nygren@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 289CF3A0854 for <dnsop@ietfa.amsl.com>; Tue, 10 Mar 2020 11:48:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.109
X-Spam-Level:
X-Spam-Status: No, score=-3.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-1.463, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, WEIRD_PORT=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a7WvGl187tBD for <dnsop@ietfa.amsl.com>; Tue, 10 Mar 2020 11:48:20 -0700 (PDT)
Received: from mail-wr1-f49.google.com (mail-wr1-f49.google.com [209.85.221.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6CD6C3A0850 for <dnsop@ietf.org>; Tue, 10 Mar 2020 11:48:20 -0700 (PDT)
Received: by mail-wr1-f49.google.com with SMTP id s14so3584926wrt.8 for <dnsop@ietf.org>; Tue, 10 Mar 2020 11:48:20 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uZJOzdH9tqG15anoqSm47jFrU3KWZVme7pXAMbvVNl0=; b=BfZ3UwPyOmJZDT1MVioMDumDVMUID8mMDyAABefVRXQFE/EIxYMK42REJK5RbWJmG4 I8yhX+CEb0YIBjGsL0dRnIq2U7WqxP62F7S0FB/eu7JHi8/+Kl19P1JSj4bDr40H3D4Z hyzj/vd+yvOXQn9x/ZUg+07K0Pv8KmKwlc3bo7jfuV+rcFofoHlwfQMtRdrT55EMtrOT uwp8NgesO8+oX3yyCd7VnD/iK0VEyY1fK78lqybUATTBTGenJGSygrKyo3GEOQTRgx12 138XtcdEMLC1SxaCiL5N5qS5jBESfC9KBr1xpPfYDut4WOWxtR2MHe0BXe8zQNK3C775 OzUw==
X-Gm-Message-State: ANhLgQ2tQnCkOKIwcFv/BlvKqjV8sbiBIaTAHMzu8I/GmESNT1Cc3Phd q+1qtPIEvpfOIYaTAErwinsFVGjyqQVTSvK1lGw37g==
X-Google-Smtp-Source: ADFU+vtDFEIMwOMnMufP0okl3jOrZuU+cAn4cjyYACHt/UVgyXsEbp3CAxKisgi6FPrPgl0Od+Lq9WsE2cWwths+3GM=
X-Received: by 2002:adf:fad0:: with SMTP id a16mr2174139wrs.119.1583866098651; Tue, 10 Mar 2020 11:48:18 -0700 (PDT)
MIME-Version: 1.0
References: <158378460735.5647.5593000704951647849@ietfa.amsl.com> <CAKC-DJgHvwxz_JwXA29mXa1b748gnb0GLmszbDwszhNuFPyWBw@mail.gmail.com> <CAOdDvNq27UPg9BtdC83CTMYf3tLdLeGaucVuDNrXvc9cALso-Q@mail.gmail.com> <3594000.kGsIIYqScg@linux-9daj> <CAOdDvNoWPeGfnfAnvYBrL+qQ_Ekmg2in3fTbY2Y509VOvy75cA@mail.gmail.com>
In-Reply-To: <CAOdDvNoWPeGfnfAnvYBrL+qQ_Ekmg2in3fTbY2Y509VOvy75cA@mail.gmail.com>
From: Erik Nygren <erik+ietf@nygren.org>
Date: Tue, 10 Mar 2020 14:48:07 -0400
Message-ID: <CAKC-DJgNSvE+gxjKGgqejpuiDGxN_n85zpKyHfMG5-1MKpM3+A@mail.gmail.com>
To: Patrick McManus <mcmanus@ducksong.com>
Cc: Paul Vixie <paul@redbarn.org>, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002e992405a08490df"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/H6WJv65EeVoM6M5-31bSqpcIsDg>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-httpssvc-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2020 18:48:22 -0000
We should also look at how and where we want to separate operational guidance from what mechanisms are available. Ideally we'd minimize foot-guns (hence the inclusion of a default transport, at least for the HTTPS use-cases) and we should have safe defaults, but I'm not sure to what degree we want to prohibit people from configuring things that may make sense in particular operational contexts. (I keep pondering if we need an "HTTPOPS" working group to provide guidance on topics like this, but I'm not sure we want to tackle that problem in this draft. ;-) Erik On Tue, Mar 10, 2020 at 2:26 PM Patrick McManus <mcmanus@ducksong.com> wrote: > alt-svc is quite robust to reachability failures of the alternative > origins should some client find itself on a network that filters full > transit. > > This process is already existing technology (rfc 7838). From that > perspective the DNS record is just a way to bootstrap it over DNS rather > than the default host/port for the URI. > > -Patrick > > > On Tue, Mar 10, 2020 at 12:24 PM Paul Vixie <paul@redbarn.org> wrote: > >> On Tuesday, 10 March 2020 13:30:53 UTC Patrick McManus wrote: >> > another positive feature of ports in this record is that it provides >> some >> > address space independent of the origin security model of the URI. By >> this >> > I mean that https://www.foo.com(implicit :443) and >> https://www.foo.com:555 >> > are different origins with different web security boundaries. While two >> > different httpssvc records for 443 and 555 (both for https:// >> www.foo.com) >> > are in the same origin.. this level of indirection can be used for A/B >> > testing or even for encoding load balancing information in a IP >> constrained >> > space. Just like the address is distinct from the URL, the port >> separates >> > the 'what' from the 'how' and that's good. >> >> your reply above precisely demonstrates the risk offered by allowing a >> service >> operator to select a non-default port. please read my down-thread >> response to >> erik nygren and consider the non-reachability impacts of such selection >> on far >> edge managed private networks, who will only build NAT, AGM, or firewall >> flow >> state for permitted (in-policy) flows. >> >> there's a separate problem on retermination, but i'll address that in >> quic-wg. >> >> -- >> Paul >> >> >>
- [DNSOP] I-D Action: draft-ietf-dnsop-svcb-httpssv… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Ben Schwartz
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Paul Vixie
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Erik Nygren
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Paul Vixie
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Patrick McManus
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Paul Vixie
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Patrick McManus
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Erik Nygren
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Paul Vixie
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Stephen Farrell
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Paul Vixie
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Patrick McManus
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Stephen Farrell
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-svcb-htt… Paul Vixie