Re: [DNSOP] I-D Action: draft-ietf-dnsop-session-signal-03.txt

Petr Špaček <petr.spacek@nic.cz> Tue, 11 July 2017 07:18 UTC

Return-Path: <petr.spacek@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D46641319B6 for <dnsop@ietfa.amsl.com>; Tue, 11 Jul 2017 00:18:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7
X-Spam-Level:
X-Spam-Status: No, score=-7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O2QjPOXmPeea for <dnsop@ietfa.amsl.com>; Tue, 11 Jul 2017 00:18:10 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2D021319B4 for <dnsop@ietf.org>; Tue, 11 Jul 2017 00:18:09 -0700 (PDT)
Received: from [192.168.3.103] (unknown [95.82.146.6]) by mail.nic.cz (Postfix) with ESMTPSA id DDB346091C; Tue, 11 Jul 2017 09:18:07 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1499757488; bh=LdxOZrRWe1m0RjX8EH5+S2+E/aA7DsjFeByu12qLGew=; h=To:From:Date; b=AfWSDIbOvltWUIR6T2miIDt3P9JOqvFd507l7rB7/9424bZGyGfWZ0z4voouleN6q ZL7PqHT5VGgekKxuetISQYngM3C7LKfUF/VJv+dm6uw3y5aRj7kJcoqqEFKlMNJ7Qg BSrkCx2M/oKrsLRV63HuUSbHzd/JNVeY8ObK64cg=
To: dnsop@ietf.org
References: <149912520399.16222.12738253224617069728@ietfa.amsl.com>
From: =?UTF-8?B?UGV0ciDFoHBhxI1law==?= <petr.spacek@nic.cz>
Organization: CZ.NIC
Cc: =?UTF-8?B?T25kxZllaiBTdXLDvQ==?= <ondrej@sury.org>
Message-ID: <89e8d29c-1692-732c-df3b-8b7915415629@nic.cz>
Date: Tue, 11 Jul 2017 09:17:57 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <149912520399.16222.12738253224617069728@ietfa.amsl.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kE7KzQUFobjPsxzW3dFQ8jhq99w>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-session-signal-03.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jul 2017 07:18:13 -0000

Hello dnsop,

reading throught the latest version, I object to the proposed TLV format.

I feel that implications from switch to non-RR format are underestimated
and following e-mail attempts to explain why I believe it is a bad idea.
Please accept my apology for such long e-mail.


Overview
--------
1. Parsing the new format itself is not the hard because it is similar
to other rdata, even though not very same (see below).

2. The hard part is integration into rest of the program and "wider
ecosystem" including all the bells and whistles.

This includes:
- from_wire/to_wire conversion
- from_string/to_string conversion
- ability to log and process those logs
- support in traffic analysis tools
- support in data formats used for storing DNS messages

It is *very important* to consider that there is plenty of software
which do not need to understand DNS semantics but just DNS message
format (message collectors, statistic tools etc.).

3. We need to keep in mind that introducing very new format (instead of
using <owner,class,TTL,rrtype,rdata> structure) change affects not only
servers and resolvers but everything in DNS ecosystem, *including data
formats* used to store messages.

Can we represent messages with the new format in dnstap, C-DNS, and all
the DNS_in_JSON flavors? If not, how should we handle this problem?


Why it is harder to implement it everywhere that it seems
---------------------------------------------------------
The main reason is that every DNS software already has its own set of
utility functions for operating on RR format. Switching over to a TLV
format gets more complicated when we start speaking about
logging/filtering and other integration aspects because will have to
include new conditions in all code paths as well.

Why is this so different from adding new RR type? New RR type and new
TLV format surely need new code for en/decoding, but again, this is the
easy part.

The main problem integration with everything else. Normal RR processing
already has all the abstraction and APIs ready, including all sorts of
utility functions.

I.e. existing message matching code will have to be extended with
if (opcode == SESSION_SIGNALING) {
    // comparison function for SS
} else {
    // comparison function for normal data
}

Similarly when it comes to logging, it is not just calling log_rr()
anymore. It is now
if (opcode == SESSION_SIGNALING) {
    // log function for SS
} else {
    // log function for normal data
}


I will try to describe an example with python-dns library (because it is
small and easy to read, it would be the very same for e.g. Knot resolver):

If we used normal RR format, it is just matter of dropping one file
(e.g. rdtypes/class/SS.py) with methods for en/decoding. The existing
infrastructure of the library would take care of all the message parsing
(incl. handling of malformed/truncated messages etc.), printing,
comparison, logging etc. and all this "integration" is "for free"
because the libraries already have it for everything in RR format.

[In fact, when we talk about normal RR format, we might not even need to
write the en/decoders! Right now we are working on an prototype
implementation of https://tools.ietf.org/html/draft-levine-dnsextlang-07
which generates en/decoders "for free".]

By diverting from RR format we will lose all this.


For example in CZ.NIC we are maintaining several tools which do not need
to "understand" semantics of DNS messages but have to parse them. All
these would have to be modified. RR-based format will "just work" with
these because support for uknown RR types is already there.

Of course, there needs to be code to do the actual session logic, but
re-use of existing infrastructure allows developers to focus on the
session logic and not on re-inventing the integration.



Why TLV format is not effective as fool-proof measure
-----------------------------------------------------
DNS servers should already be returning NOTIMP for unknown opcodes
already so it should be sufficient counter-measure to avoid getting
records into caches etc.

In any case, the new TLV format does not prevent people from doing
mistakes (or attacks) and sending SS data along with non-SS data, i.e.
there has to be code to handle these error cases regardless of format.

If we can agree on the previous point, i.e. necessity to handle bad
messages anyway, we are left with problems related to caching/AXFR. This
gets us to the very same situation as with OPT RR which has similar
semantics and definitelly should not get into cache/AXFR, etc. I.e.
similar measures can be re-used insted of inventing new ones.


Conclusion
----------
If we consider that there is plenty of software reading DNS traffic,
e.g. for doing statistics, testing software which read/generate DNS
messages etc., the new TLV format is unnecessairly hard to implement in
rest of the DNS ecosystem. Sticking to standard
<owner,class,TTL,rrtype,rdata> format would solve this particular problem.


Thank you for your time and attention.

Petr Špaček  @  CZ.NIC

On 4.7.2017 01:40, internet-drafts@ietf.org wrote:
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Domain Name System Operations of the IETF.
> 
>         Title           : DNS Session Signaling
>         Authors         : Ray Bellis
>                           Stuart Cheshire
>                           John Dickinson
>                           Sara Dickinson
>                           Allison Mankin
>                           Tom Pusateri
> 	Filename        : draft-ietf-dnsop-session-signal-03.txt
> 	Pages           : 27
> 	Date            : 2017-07-03
> 
> Abstract:
>    This document defines a new Session Signaling OPCODE used to
>    communicate persistent "per-session" operations, expressed using
>    type-length-value (TLV) syntax, and defines an initial set of TLVs
>    used to manage session timeouts and termination.  This mechanism is
>    intended to reduce the overhead of existing "per-packet" signaling
>    mechanisms with "per-message" semantics as well as defining new
>    signaling operations not defined in EDNS(0).
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-session-signal/
> 
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-dnsop-session-signal-03
> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-session-signal-03
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-session-signal-03
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/