IETF Logo Mail Archive

Re: [Dots] AD review of draft-ietf-dots-server-discovery-10

Benjamin Kaduk <kaduk@mit.edu> Sun, 27 September 2020 19:53 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69FE63A0AF3 for <dots@ietfa.amsl.com>; Sun, 27 Sep 2020 12:53:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cwy-dND2QNTG for <dots@ietfa.amsl.com>; Sun, 27 Sep 2020 12:53:37 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8689A3A0141 for <dots@ietf.org>; Sun, 27 Sep 2020 12:53:37 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 08RJrX93010035 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 27 Sep 2020 15:53:35 -0400
Date: Sun, 27 Sep 2020 12:53:32 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Jon Shallow <supjps-ietf@jpshallow.com>
Cc: supjps-ietf-draft-ietf-dots-server-discovery.all@ietf.org, dots@ietf.org
Message-ID: <20200927195332.GE89563@kduck.mit.edu>
References: <20200918202211.GI89563@kduck.mit.edu> <0e5701d68ffc$c6365b70$52a31250$@jpshallow.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <0e5701d68ffc$c6365b70$52a31250$@jpshallow.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/LTE4CrjxGKvG48w6w5mjnKm9--o>
Subject: Re: [Dots] AD review of draft-ietf-dots-server-discovery-10
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Sep 2020 19:53:39 -0000

Hi Jon,

Thanks for ths implementation insight (I reply to the original message that
has the complete list of mechanisms you implemented, presumably in priority
order).

A few notes inline.

On Mon, Sep 21, 2020 at 10:51:27AM +0100, Jon Shallow wrote:
> Hi Ben,
> 
> > -----Original Message-----
> > From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of
> > Benjamin Kaduk
> > Sent: 18 September 2020 21:22
> > To: draft-ietf-dots-server-discovery.all@ietf.org
> > Cc: dots@ietf.org
> > Subject: [Dots] AD review of draft-ietf-dots-server-discovery-10
> 
> Thanks for this,
> 
> I have implemented this (for both DOTS client r and Call Home DOTS server)
> as
> IP-Address
> Domain
> DHCP
> S-NAPTR
> DNS-SD
> And one or more of these can be defined, so providing a search order.
> 
> I will try to address the more technical comments that you raised as some of
> these may have been triggered by doing the above work.  For the sake of
> brevity, I am skipping over the nits which can be addressed by the authors.
> 
> > 
> >    o  Expiry of a lease associated with a discovered DOTS agent.
> > 
> > Is this specifically a DHCP lease, or a more generic concept?
> 
> Interesting question - DNS has a TTL - should we be enforcing a refresh here
> as well?
> - my implementation does not do this at present

I see Med added mention of TTL in the staged changes, which helps clue in
the reader.  I don't know whether we specifically need to mandate a
refresh, since that is probably covered by the core DNS specs (not that
they are an easy read to digest...)

> >       Let's consider that the DOTS server is reachable at
> >       2001:db8:122:300::1 while the Call Home DOTS client is reachable
> >       at 2001:db8:122:300::2.  The DHCP server will then return one DOTS
> >       reference identifier and a list that includes both
> >       2001:db8:122:300::1 and 2001:db8:122:300::2 to a requesting DHCP
> >       client.  That list is passed to the DOTS client (or Call Home DOTS
> >       server) which will try to establish connections to the addresses
> >       of that list and destination port number TBD1 (or TBD2).  As a
> >       result, the DOTS client (or Call Home DOTS server) will select
> >       2001:db8:122:300::1 (or 2001:db8:122:300::2) as a DOTS server (or
> >       Call Home DOTS client).
> > 
> > I mostly expect pushback from TSV-area reviewers about giving the
> > allocated port numbers such importance in selecting the peer address to
> > use.
> 
> We do need a method for differentiation between whether the address is for a
> DOTS server or Call Home Dots client.

Definitely.  They tend to try to push people to use a dynamic
port-discovery mechanism and avoid assuming that a registered port is used
for the registered use, but I don't have great insight into the specific
considerations there, so we may have to wait and see.

> > Section 5.1.3
> > 
> >    are used to reach the peer DOTS agent.  In other words, the name
> >    conveyed in OPTION_V6_DOTS_RI MUST NOT be passed to underlying
> >    resolution library in the presence of OPTION_V6_DOTS_ADDRESS in a
> >    response.
> > 
> > I'm not sure how much of this needs to end up in the document itself,
> > but can we walk through the scenarios here, especially when the
> > DNS-resolution addresses for the name in question differ from the
> > addresses in OPTION_V6_DOTS_ADDRESS?  I don't understand yet why/how
> > this scheme ends up being safe, and am hoping that you have a head start
> > over me on doing the analysis :)
> 
> I don't immediately recall the rational for this, but if both are returned
> there needs to be a preference for one of them and  think that
> OPTION_V6_DOTS_ADDRESS is the priority.  It is conceivable that the
> OPTION_V6_DOTS_RI, when resolved, may point to an address that is not in the
> local domain (i.e. traffic needs to go via a DOTS gateway rather than direct
> to a DOTS server).
> 
> >    If the DHCP client receives OPTION_V6_DOTS_RI only, but
> >    OPTION_V6_DOTS_RI option contains more than one name, as
> >    distinguished by the presence of multiple root labels, the DHCP
> >    client MUST use only the first name.  Once the name is validated
> > 
> > Is there a reason to make this "use the first one" vs. "ignore the whole
> > thing as malformed?
> 
> 5.1.1. implies that that there can only be a singular dots-agent-name, so I
> would go for "ignore the whole thing as malformed" (but raise an alert that
> there is a misconfiguration).

Med noted that rejecting it would prevent receiving the requested service.
This is hopefully an exceptional case, so presumably would not matter too
much, and is just a tradeoff on strict compliance vs runtime resiliance
(roughly speaking, the Postel principle).

> > 
> > Section 5.2.3
> > 
> >    To discover a peer DOTS agent, the DHCPv4 client MUST include both
> >    OPTION_V4_DOTS_RI and OPTION_V4_DOTS_ADDRESS in a Parameter
> > Request
> >    List Option [RFC2132].
> > 
> > Why is the v4 case a MUST but the v6 case was only MAY?
> 
> I think that this was down to NAT being more likely in V4, and so the IP
> addresses take preference over the domain name returned.  That said, I guess
> V6 could be a MUST as well.
> 
> I do recall that I had issues with the DHCP client (Centos) for V4 - where I
> could not just ask for these options and get back a sensible response -
> there was an inherent assumption that it would normally be used for getting
> the DHCP IP/Name etc for the requesting interface, not for just requesting
> the information of some remote object.  This was not an issue for V6.  It
> maybe that I had to provide both options for it to work - I need to go back
> and test this out at some point.
> 
> > 
> > Section 6
> > 
> >    1.  A DNS domain name is retrieved for each combination of interface
> >        and address family.  A DOTS agent has to determine the domain in
> >        which it is located relying on dynamic means such as DHCP
> >        (Section 5) . [...]
> > 
> > Hmm, this may be worth a closer look.  If I understand correctly, if the
> > procedures in Section 5 only give you a name, you're supposed to use DNS
> > to get IP addresses to talk to, from that name.  So is this procedure
> > only applicable when the A/AAAA lookup fails?  Otherwise I'm not sure
> > how you would get only a name but not full contact information, from the
> > section 5 procedure.  Or, if the intent of "the name is passed to a name
> > resolution library" in Section 5 is to induce the S-NAPTR lookups
> > defined here, Section 5 should be more clear about that.
> 
> My understanding was that we need to start with a seed domain that needs to
> be 'acquired' from somewhere.  The standard domain that is allocated to a
> device may not be the same domain that handles the DOTS S-NAPTR - hence
> OPTION_V(4|6)_DOTS_RI responses can be used to get the DOTS relevant domain.
> 
> > 
> >    a.example.net.
> >    IN AAAA  2001:db8::1
> > 
> > I'm sure my INT-area colleagues will appreciate the IPv6 examples :)
> 
> I firmed up on the final version of this after many failing attempts to get
> things right and working!

Thanks again,

Ben

v2.23.0 | Report a Bug | By Email