Re: [dnssd] The DNSSD WG has placed draft-sctl-service-registration in state "Call For Adoption By WG Issued"

Ted Lemon <mellon@fugue.com> Thu, 12 July 2018 04:10 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70580130EC6 for <dnssd@ietfa.amsl.com>; Wed, 11 Jul 2018 21:10:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OUxpWA1wIy0v for <dnssd@ietfa.amsl.com>; Wed, 11 Jul 2018 21:10:49 -0700 (PDT)
Received: from mail-it0-x22a.google.com (mail-it0-x22a.google.com [IPv6:2607:f8b0:4001:c0b::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 711CA130DE8 for <dnssd@ietf.org>; Wed, 11 Jul 2018 21:10:49 -0700 (PDT)
Received: by mail-it0-x22a.google.com with SMTP id p185-v6so5146129itp.4 for <dnssd@ietf.org>; Wed, 11 Jul 2018 21:10:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=xjSdUI+4Jv9dVQU7zpq3v9c/p/E6iK1yDSu5RmgViAI=; b=FVccYQNJNv2wIMMUyo9ZCJmjR9BuyNX99jG8IzIuu/xydYWRsqYkQiO7TLIiftY6m6 llVpHPxu3KKui6oD0D2C/JVFs/DTzXMq/PXwqMiW4KrJhH/QwmCc7PTMw7xZ09NS4b7E g8uzPMF1Wm03PgdoSU6LezDLdNv6y0bfghZ+hHgcWmQPcVakjuRB5mC42eVuHIBLwCDF I42EgyHlIRx13jcmIJ7o8E9ulYccZwqs0W51Sz4/byysTpCUS1jVT7Mqpt2IF5/FmLq+ JHLgxL8kQQtvx0XMLL7zEsnib1jhDMh2sPyvhjcRof8YW4to+1leOH7x7RJIVG/1A6ik NJdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=xjSdUI+4Jv9dVQU7zpq3v9c/p/E6iK1yDSu5RmgViAI=; b=sIis3aoXBeHA8LTGkn8XfejxMFPwm7/dLx5oCX4QIXVR7KDMXjsjQMACTnCdUpORiY 7xQ7GVtelD4tyTp36OiadAEGyC2azMc4A2xqnTdlZlKrwqOwGDerKh+0fozP1DmY/AlW neo+OU7TMHBjZHdISlBP2XaYRrzu2XvJsCpRdqaLnKqk/zCndkRgYQzFDDDCAf+Hy9pB i5BdEn75GM+Qu8F7vAqOYcaJIwTezCb2/kelOnu6zafwrmbjrXcE8i7O95sReY35NVl0 RyT0+cz8TlT310Saehv/qNUOMdKTe3/jXoUbMfDJ/tBEjjjX/Yd2sBImq3hrh1ir887J HtpA==
X-Gm-Message-State: AOUpUlHzW9N8ihtRDinylsnRPFA3Aidih42YOPYmO8BznQ9IONZVhuA7 v2I09umap68fZhGMdDYUBIWTegOrIoyxXKknpC2zWQ==
X-Google-Smtp-Source: AAOMgpcv3vqAxMByxfdit9wlhQySyrrx3ETUdZR+COkjNQ7JYHVwHRBZUYRL1HNY9mXZJk56306pOvdVgAMGQQJO8vg=
X-Received: by 2002:a24:4dd3:: with SMTP id l202-v6mr188970itb.144.1531368648695; Wed, 11 Jul 2018 21:10:48 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a4f:5f86:0:0:0:0:0 with HTTP; Wed, 11 Jul 2018 21:10:08 -0700 (PDT)
In-Reply-To: <87r2kbcl3h.fsf@toke.dk>
References: <153064569308.5111.7449468818446130425.idtracker@ietfa.amsl.com> <EB70166C-B64B-4509-909D-76978CA00A36@apple.com> <87lgare65v.fsf@toke.dk> <AC270951-0AA4-45D0-9F1A-83067489BF27@fugue.com> <87in5td3ar.fsf@toke.dk> <A667C059-FEBB-4159-A053-0B7AFE35F5FD@fugue.com> <87r2kbcl3h.fsf@toke.dk>
From: Ted Lemon <mellon@fugue.com>
Date: Thu, 12 Jul 2018 00:10:08 -0400
Message-ID: <CAPt1N1=kNRiNLMEkSjMmcG+U5Bg6OACkQTAkO6t1b-rzYnza0w@mail.gmail.com>
To: =?UTF-8?B?VG9rZSBIw7hpbGFuZC1Kw7hyZ2Vuc2Vu?= <toke@toke.dk>
Cc: David Schinazi <dschinazi@apple.com>, dnssd <dnssd@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005381710570c58c94"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/makmD7wQ5HhT9fPIQlU63MhxzTc>
Subject: Re: [dnssd] The DNSSD WG has placed draft-sctl-service-registration in state "Call For Adoption By WG Issued"
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jul 2018 04:10:54 -0000

I just did a somewhat larger-than-expected update to the document to
capture Toke's comments thus far.   I also got a surprise guest review from
a friend of mine, Tamara Kemper, who revealed a few opportunities to make
the document clearer and better scoped.  In the process of doing these two
things I noticed that I'd fairly significantly misstated how SRV records
work and left out some important details.   The new document fixes all of
these things (I hope).   Sorry for adding so much text during an adoption
call, but I didn't want to leave it for later because it would have made
reading the document kind of unpleasant for Stuart, who I hope will review
it this weekend, and if I hadn't done it now it would have taken at least
twice as long later.  The good news is that I'm pretty chuffed about the
quality of the document now.

You can see the diffs here:
https://github.com/StuartCheshire/draft-sctl-service-registration/commit/51b7cb54300fea7e44e8e7dee49c17e9f598b3ba
The text of the document is here:
https://github.com/StuartCheshire/draft-sctl-service-registration/blob/master/draft-sctl-service-registration.txt

I don't think this substantially changes what we'll discuss in Montreal,
but attendees who want to give technical feedback at the mic should
probably read this version.

On Tue, Jul 10, 2018 at 8:48 AM, Toke Høiland-Jørgensen <toke@toke.dk>
wrote:

> Ted Lemon <mellon@fugue.com> writes:
>
> >>>> So another way to ensure this source verification is needed, I think.
> >>>> The way I implemented it is to have the registration server only speak
> >>>> TCP; that way, source address spoofing is not possible (as that would
> >>>> make the handshake fail), and the server can simply implement a
> >>>> straight-forward ACL policy.
> >>>
> >>> This could also work, or we could use DNS cookies, but it breaks the
> >>> LLN use case.
> >>
> >> Wouldn't it be possible to specify both?
> >
> > I'm coming around to thinking this might be a good idea for some
> > cases, but I also think that the anycast use case needs to be
> > preserved, and that ought to be a simple two-message exchange in the
> > success case. The problem is deciding when TCP makes sense.
>
> Couldn't that just be left up to the client? I.e., the network SHOULD
> provide both, clients MUST support both and if the network only supports
> one use that; but if the network supports both, the client is free to
> pick whatever makes the most sense for its use case.
>
> I'm a little worried that this would lead to too many permutations to
> test interoperability, and/or just lead to cherry-picking. But it's
> definitely easier to specify than coming up for rules for when to do
> what... :)
>
> >>>> - It is not quite clear to me whether the sleep proxy described in
> >>>> section 4 is an optional feature or if its meant to be mandatory.
> >>>> Stuart explained its usefulness for devices that power off when not in
> >>>> use, requiring this function will mean that registration servers will
> >>>> need to be on the local link, which is somewhat limiting. Also, the
> >>>> implementation complexity goes way up (I certainly don't plan to
> >>>> implement this feature :)). So I think having a way for the server to
> >>>> signal "no, I can't perform sleep proxying" to the client would be
> >>>> good to allow things to fail in a graceful way.
> >>>
> >>> Sleep proxy is advertised as a service, so devices that don't
> >>> implement it can not advertise it.
> >>
> >> Ah, great. As long as its in spec to not advertise that service, that's
> >> good enough for me.
> >>
> >>> However, this breaks the LLN single-exchange use case, so I think
> >>> there's an argument that it should be required on LLNs.
> >>
> >> Hmm, I'm not sure I quite understand what you mean by single-exchange
> >> use case, then?
> >
> > An LLN device should be able to register with a sleep proxy without
> > first discovering a specific sleep proxy with which to register. It
> > should IOW be able to send a single DNS Update packet to an anycast
> > address and get back a response of "yes, we have set up a sleep proxy
> > for you."
>
> Right. And how is it supposed to discover which anycast address to use?
> Or is that going to be a special address assigned as part of the
> standard?
>
> >> What I mean is that to do sleep proxying (as I read the spec) requires
> >> raw sockets, or some other way to answer neighbour requests on the
> >> sleeping device's behalf. Which generally tends to be a privileged
> >> operation, and raises the complexity from "just answer DNS requests".
> >> And of course it requires link-local presence, which means it either
> >> requires automation (such as in homenet), or lots of manual
> >> configuration.
> >
> > Right. This is actually a really key point that we'd utterly missed.
> > Since we are supporting multiple subnets, the current sleep proxy
> > paradigm doesn't work. That doesn't mean it _can't_ work, but it is
> > different than what we'd had in mind, and is in fact more work than
> > we'd been assuming. Thanks for poking a hole in this blind spot!
>
> Haha, you're welcome ;)
>
> > I'm not sure what the answer is here—on a homenet it's not too hard to
> > imagine a solution; on an LLN I think it's not a problem, but it's
> > definitely a problem for the campus use case. I don't think this is an
> > impediment to adoption, because the registration protocol is useful
> > whether it supports the sleep proxy use case or not.
>
> Agreed.
>
> > But we need to figure out how to address this.
>
> Hmm, only thing that comes to mind is doing the proxying at layer 3
> instead; i.e., advertise the proxy's address in DNS and forward packets
> to the sleeping device using encapsulation or (*shudder*) two-way NAT.
> That would require the proxy to stay in the loop for everything to be
> transparent, though, so not sure if it's a good solution...
>
> >> I think it's not important enough to put in the effort to implement it,
> >> basically.
> >>
> >> Note that this is for my use case; I can totally agree that requiring it
> >> for homenet makes sense; but service registration can be useful in other
> >> contexts as well...
> >
> > I'm curious if I've listed the contexts that you care about, or if I
> > missed some. What contexts do you have in mind?
>
> I think my use case is covered by the campus use case, more or less.
> I.e., a managed network where devices should be able to register
> themselves automatically in (global) DNS with a minimum of
> configuration.
>
> I use it to find devices on my network; if I just configure devices to
> run the registration daemon, and put the right discovery PTR records in
> the network-local recursive resolver, I will be able to find them by
> hostname on the local link, and the registration server can be
> configured to (selectively) put things into global DNS as well. Since
> I run this on different networks, I run registration proxy in the cloud,
> where it services several networks (with different domain names). So
> anything that requires link-local presence is a hassle to support...
>
> -Toke
>