Re: [dnssd] Example Use Cases (was Re: Rechartering)
Tom Pusateri <pusateri@bangj.com> Fri, 20 July 2018 18:04 UTC
Return-Path: <pusateri@bangj.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7290E130E16 for <dnssd@ietfa.amsl.com>; Fri, 20 Jul 2018 11:04:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_QP_LONG_LINE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ym6JCRiYTNQt for <dnssd@ietfa.amsl.com>; Fri, 20 Jul 2018 11:03:59 -0700 (PDT)
Received: from oj.bangj.com (amt0.gin.ntt.net [129.250.11.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BEBE7130DE7 for <dnssd@ietf.org>; Fri, 20 Jul 2018 11:03:58 -0700 (PDT)
Received: from [31.133.159.116] (dhcp-9f74.meeting.ietf.org [31.133.159.116]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by oj.bangj.com (Postfix) with ESMTPSA id 3667B9A; Fri, 20 Jul 2018 14:02:00 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (1.0)
From: Tom Pusateri <pusateri@bangj.com>
X-Mailer: iPhone Mail (16A5327f)
In-Reply-To: <E7BC51A1-8E17-44B1-BE3A-066068757521@gmail.com>
Date: Fri, 20 Jul 2018 14:03:57 -0400
Cc: dnssd@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <D080A036-089D-4AF7-9717-0360070CDEBF@bangj.com>
References: <E7BC51A1-8E17-44B1-BE3A-066068757521@gmail.com>
To: "R. Atkinson" <rja.lists@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/4qLpwqvUDTQimkf8OyFEb18CyH8>
Subject: Re: [dnssd] Example Use Cases (was Re: Rechartering)
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jul 2018 18:04:03 -0000
Thanks Ran. I think this is important input for the reCharter. Tom > On Jul 20, 2018, at 12:44 PM, R. Atkinson <rja.lists@gmail.com> wrote: > > > I’d like to talk a little bit about use cases relating to both mDNS & DNS-SD. > > This is mostly prompted by the rechartering slides (which I read online, > although I have not been in Montreal for IETF this week). > > These are partly baked thoughts, written in haste, so are incomplete > and probably have typing/editing errors in places. > > 1. ZeroConf / No Infrastructure Case > > In my experience as a user and as a consultant, is that most (non-IETF :-) > residences and most small-businesses fundamentally want a zero > configuration network. The outer limit of what they might view as > acceptable infrastructure is enabling a DHCP server (facing to the interior) > on a (small) site border router that uplinks to some ISP. > > These sites have viewed the “magic” appearance of “it just works” > mDNS + DNS-SD as a huge win — a win that they really do not want > to lose. The main application benefit I see is printer discovery, but > there are other services that do get advertised and also get used > via the existing widely deployed mDNS + DNS-SD combination. > (Again, their preference is for a Zero Configuration network, even if > that means a less secure interior network deployment.) > > In this environments, the site border router typically just learns its IP address > and other configuration (e.g. ISP’s DNS resolvers) by running a DHCP/DHCPv6 > client on the exterior router interface and trusting the ISP’s DHCP reply. > The same router runs a DHCP/DHCPv6 server on the interior interface, > and the router’s DHCP replies carry along DNS resolver information learned > from the DHCP client on its exterior interface. The site does not itself > have a DNS server or even its own DNS resolver. > > In these environments, I rarely see any servers within a small business. > They might have a web site and email, but those often are outsourced > to someone other than their ISP. Email very often is really web-based email. > If they happen to have their own domain name (example.com), they > usually are NOT running the DNS name server for that and they are NOT > using that domain name on internal machines. Instead, their domain name > is advertised by their (outsourced) web site hosting company, which often > also is providing them with web-based email. > > Medical offices (in my neighborhood) seem to be migrating to “electronic > records”. In practice, this often means some deal with a local hospital. > The servers are run at the hospital IT department and client-server type > software is installed on the medical office computers (or a web application > is used instead), but the servers are all offsite and run by someone else. > Privacy laws/regulations on medical data are growing, even outside the EU, > and a common belief is that it is better to outsource the implementation > so that some other organization is responsible for privacy & security > compliance (e.g. HIPAA). > > These sites LOVE the existing mDNS + DNS-SD solution. Their only real > wish is that if they have 2 or 3 subnets, they could somehow have a single > operational mDNS environment (instead of having one mDNS environment > per subnet). At least some of my clients have enabled a non-standard mDNS > proxy that is available from a well-known IP router vendor. At their scale, > they are happy with that router vendor’s approach. I worry a bit that in a > larger network environment too much bandwidth would be consumed > (as happened historically with SLP) by that vendor’s implementation approach. > > As I have mentioned to Stuart at least once in the past, these folks really > want something that looks/feels/behaves like the old AppleTalk/EtherTalk > system — although most clients don’t use that terminology (because they > were not working age when those capabilities were widely deployed by sites > with Apple products). > > > 2. Larger Enterprise / Campus / Building-sized Case > > Larger businesses usually do have their own internal mail servers, file > servers, and DNS servers. Often their authoritative DNS servers are > different/separate from their DNS resolvers. These often have 2 logically > different WiFi networks, one for employees/internal-users and one for > guests. Sometimes the “guest” wireless is outside a corporate firewall > and only sees the public Internet. Other times the “guest” network is in > a kind of DMZ environment, so that guest’s can discover printers and > send out print jobs, but does NOT have unconstrained access to the > organization’s internal network. > > In this environment, often there is more concern about “security”, which > seems to mean some combination of “access control” (about what a > given node can see) and “authentication” (for DNS updates) relative to > DNS service advertisements. (In the extreme, I have a client who turns > on every possible security feature, including use of things like 802.1x. > This results in a more secure, if somewhat more brittle, deployment.) > > In this environment and for these users, there is MUCH more willingness > to have IT staff configure “infrastructure” (e.g., routers, switches, servers, proxies) > than in Case 1 at top of this email. This customer type also is MUCH more > interested in using access controls and/or cryptographic authentication for > any service advertisements and for any kind of DNS update. > > However, in my experience, these customers do NOT want to configure > the end-user devices — at least not beyond whatever DHCP (or DHCPv6 > + IPv6 ND) can provide by way of automatic configuration. > > Note that users in this category often want to see services for their > (logical) organization, regardless of where they are within the campus > (or which campus for multi-campus organizations). Someone who works > in “engineering” wants to see all of the “engineering” groups services > plus whatever printers are geographically near the person’s current > location. In old AppleTalk this flexibility was pretty easily deployed and > also pretty easily used. > > > Postulate: > > My postulate, again based on my own non-scientific sample, is that there > are at least 2 distinct use cases for DNS-SD (and mDNS). One case is > small scale, so scalability of solution is not as important. The other case > requires scalability. The small sites are not usually very security conscious, > while the larger sites usually are very security conscious. > > So it is conceivable that some potential products of this WG might apply > to one use case, but not to the other use case. I think we need to all keep > both use cases in mind as the WG ponders current/future work in this WG. > > Yours, > > Ran > > > > > _______________________________________________ > dnssd mailing list > dnssd@ietf.org > https://www.ietf.org/mailman/listinfo/dnssd
- [dnssd] Example Use Cases (was Re: Rechartering) R. Atkinson
- Re: [dnssd] Example Use Cases (was Re: Recharteri… Tom Pusateri
- Re: [dnssd] Example Use Cases (was Re: Recharteri… Michael Richardson
- Re: [dnssd] Example Use Cases (was Re: Recharteri… R. Atkinson
- Re: [dnssd] Example Use Cases (was Re: Recharteri… Ted Lemon
- Re: [dnssd] Example Use Cases (was Re: Recharteri… R. Atkinson
- Re: [dnssd] Example Use Cases (was Re: Recharteri… Ted Lemon