IETF Logo Mail Archive

Re: [DNSOP] Cache utilization review and suggestion for EDNS client-subnet

Mukund Sivaraman <muks@isc.org> Thu, 04 February 2016 15:26 UTC

Return-Path: <muks@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 580821B3165 for <dnsop@ietfa.amsl.com>; Thu, 4 Feb 2016 07:26:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TUGW6ktiOLeI for <dnsop@ietfa.amsl.com>; Thu, 4 Feb 2016 07:26:02 -0800 (PST)
Received: from mail.banu.com (mail.banu.com [46.4.129.225]) by ietfa.amsl.com (Postfix) with ESMTP id 4F3091B316C for <dnsop@ietf.org>; Thu, 4 Feb 2016 07:26:02 -0800 (PST)
Received: from jurassic.l0.malgudi.org (unknown [115.118.209.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.banu.com (Postfix) with ESMTPSA id 950BF2FA028A; Thu, 4 Feb 2016 15:25:58 +0000 (GMT)
Date: Thu, 04 Feb 2016 20:55:55 +0530
From: Mukund Sivaraman <muks@isc.org>
To: Yuri Schaeffer <yuri@nlnetlabs.nl>
Message-ID: <20160204152554.GA1383@jurassic.l0.malgudi.org>
References: <20151228022914.GA11204@jurassic.l0.malgudi.org> <56B32D33.5020203@nlnetlabs.nl> <20160204111710.GA8514@jurassic.l0.malgudi.org> <56B33CC0.8070102@nlnetlabs.nl> <20160204124621.GA28915@jurassic.l0.malgudi.org> <56B35738.2050600@nlnetlabs.nl> <20160204144339.GA32208@jurassic.l0.malgudi.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="CE+1k2dSO48ffgeK"
Content-Disposition: inline
In-Reply-To: <20160204144339.GA32208@jurassic.l0.malgudi.org>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/cWr2LNYEUfkQgwDymyyCnFm9ZVE>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Cache utilization review and suggestion for EDNS client-subnet
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Feb 2016 15:26:03 -0000

On Thu, Feb 04, 2016 at 08:13:39PM +0530, Mukund Sivaraman wrote:
> Hi Yuri
> 
> On Thu, Feb 04, 2016 at 02:50:48PM +0100, Yuri Schaeffer wrote:
> > > I don't follow. Are you saying you are saving the SOURCE
> > > PREFIX-LENGTH from the original query (responsible for the cache
> > > entry) alongside the cache entry?
> > 
> > Yes.
> > 
> > > If so, I don't follow why this is required. Can you explain?
> > 
> > Certainly!
> > 
> > Suppose I query for 128.0.0.0/4 and get the response is 128.0.0.0/4/8.
> > And suppose I would cache it like:
> > 
> > A)	128.0.0.0/?/8
> > 
> > That is, discard the SOURCE PREFIX-LENGTH.
> > 
> > Maybe I also ask for 129.0.0.0/8 for which the authority replies with
> > the same SCOPE. My cache now contains:
> > 
> > A)	128.0.0.0/?/8
> > B)	129.0.0.0/?/8
> > 
> > Suppose again I want to have an answer for 128.0.0.0/4. Which cache
> > entry would be correct - if any? Do I need to requery the authority?
> > Do I need to consider the bits from the client address that where
> > masked? Or would I pretend the mask bits are 0? I can't decide, but I
> > sure like to use my cache rather than asking the authority!
> > 
> > If I had saved this in my cache:
> > 
> > A)	128.0.0.0/4/8
> > B)	129.0.0.0/8/8
> > 
> > The answer should be obvious: "A". The server wants to receive 8 bits
> > information but this is the answer I would have got when I would
> > provide just 4.
> 
> Is this example for considering that a 128.0.0.0/4/8 answer is different
> from a 128.0.0.0/4/4 answer when both are available answers to be
> returned by an auth for a 128.0.0.0/4/0 query? Other than that, I don't
> see what saving SOURCE PREFIX-LENGTH seperately alongside
> <address,address-prefix-length> would provide. If both answers were
> treated identically, it can be cached at 128.0.0.0/4.
> 
> If any one of these two different answers is found in cache, from the
> description above, you'd use it and not fetch from authority (where you
> might get the other answer for a 128.0.0.0/4 query). I.e., this is no
> different from caching at /SOURCE when SCOPE > SOURCE.

I thought of one case where saving a longer *SCOPE* separately apart
from the caching address prefix length can be useful.  This is in case
the resolver is a ECS option forwarder (intermediate) and wants to
provide the same syntax response /SOURCE/(>SOURCE) in its reply message
to the downstream resolver.

In practice, a resolver implementation wouldn't use a longer prefix when
it has a shorter source prefix configured as policy. This is why there's
the question of why the spec even talks about sending SCOPE > SOURCE
assuming the answer section is for ADDRESS/SOURCE/SOURCE.

>  It would seem that in proper ECS operation, SCOPE need never be
>  greater than SOURCE. Why have this specified at all? The description
>  in the draft is short.

		Mukund

v2.23.0 | Report a Bug | By Email