Re: [Dots] AD review of draft-ietf-dots-server-discovery-10
Benjamin Kaduk <kaduk@mit.edu> Sun, 27 September 2020 19:53 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69FE63A0AF3 for <dots@ietfa.amsl.com>; Sun, 27 Sep 2020 12:53:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cwy-dND2QNTG for <dots@ietfa.amsl.com>; Sun, 27 Sep 2020 12:53:37 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8689A3A0141 for <dots@ietf.org>; Sun, 27 Sep 2020 12:53:37 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 08RJrX93010035 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 27 Sep 2020 15:53:35 -0400
Date: Sun, 27 Sep 2020 12:53:32 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Jon Shallow <supjps-ietf@jpshallow.com>
Cc: supjps-ietf-draft-ietf-dots-server-discovery.all@ietf.org, dots@ietf.org
Message-ID: <20200927195332.GE89563@kduck.mit.edu>
References: <20200918202211.GI89563@kduck.mit.edu> <0e5701d68ffc$c6365b70$52a31250$@jpshallow.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <0e5701d68ffc$c6365b70$52a31250$@jpshallow.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/LTE4CrjxGKvG48w6w5mjnKm9--o>
Subject: Re: [Dots] AD review of draft-ietf-dots-server-discovery-10
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Sep 2020 19:53:39 -0000
Hi Jon, Thanks for ths implementation insight (I reply to the original message that has the complete list of mechanisms you implemented, presumably in priority order). A few notes inline. On Mon, Sep 21, 2020 at 10:51:27AM +0100, Jon Shallow wrote: > Hi Ben, > > > -----Original Message----- > > From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of > > Benjamin Kaduk > > Sent: 18 September 2020 21:22 > > To: draft-ietf-dots-server-discovery.all@ietf.org > > Cc: dots@ietf.org > > Subject: [Dots] AD review of draft-ietf-dots-server-discovery-10 > > Thanks for this, > > I have implemented this (for both DOTS client r and Call Home DOTS server) > as > IP-Address > Domain > DHCP > S-NAPTR > DNS-SD > And one or more of these can be defined, so providing a search order. > > I will try to address the more technical comments that you raised as some of > these may have been triggered by doing the above work. For the sake of > brevity, I am skipping over the nits which can be addressed by the authors. > > > > > o Expiry of a lease associated with a discovered DOTS agent. > > > > Is this specifically a DHCP lease, or a more generic concept? > > Interesting question - DNS has a TTL - should we be enforcing a refresh here > as well? > - my implementation does not do this at present I see Med added mention of TTL in the staged changes, which helps clue in the reader. I don't know whether we specifically need to mandate a refresh, since that is probably covered by the core DNS specs (not that they are an easy read to digest...) > > Let's consider that the DOTS server is reachable at > > 2001:db8:122:300::1 while the Call Home DOTS client is reachable > > at 2001:db8:122:300::2. The DHCP server will then return one DOTS > > reference identifier and a list that includes both > > 2001:db8:122:300::1 and 2001:db8:122:300::2 to a requesting DHCP > > client. That list is passed to the DOTS client (or Call Home DOTS > > server) which will try to establish connections to the addresses > > of that list and destination port number TBD1 (or TBD2). As a > > result, the DOTS client (or Call Home DOTS server) will select > > 2001:db8:122:300::1 (or 2001:db8:122:300::2) as a DOTS server (or > > Call Home DOTS client). > > > > I mostly expect pushback from TSV-area reviewers about giving the > > allocated port numbers such importance in selecting the peer address to > > use. > > We do need a method for differentiation between whether the address is for a > DOTS server or Call Home Dots client. Definitely. They tend to try to push people to use a dynamic port-discovery mechanism and avoid assuming that a registered port is used for the registered use, but I don't have great insight into the specific considerations there, so we may have to wait and see. > > Section 5.1.3 > > > > are used to reach the peer DOTS agent. In other words, the name > > conveyed in OPTION_V6_DOTS_RI MUST NOT be passed to underlying > > resolution library in the presence of OPTION_V6_DOTS_ADDRESS in a > > response. > > > > I'm not sure how much of this needs to end up in the document itself, > > but can we walk through the scenarios here, especially when the > > DNS-resolution addresses for the name in question differ from the > > addresses in OPTION_V6_DOTS_ADDRESS? I don't understand yet why/how > > this scheme ends up being safe, and am hoping that you have a head start > > over me on doing the analysis :) > > I don't immediately recall the rational for this, but if both are returned > there needs to be a preference for one of them and think that > OPTION_V6_DOTS_ADDRESS is the priority. It is conceivable that the > OPTION_V6_DOTS_RI, when resolved, may point to an address that is not in the > local domain (i.e. traffic needs to go via a DOTS gateway rather than direct > to a DOTS server). > > > If the DHCP client receives OPTION_V6_DOTS_RI only, but > > OPTION_V6_DOTS_RI option contains more than one name, as > > distinguished by the presence of multiple root labels, the DHCP > > client MUST use only the first name. Once the name is validated > > > > Is there a reason to make this "use the first one" vs. "ignore the whole > > thing as malformed? > > 5.1.1. implies that that there can only be a singular dots-agent-name, so I > would go for "ignore the whole thing as malformed" (but raise an alert that > there is a misconfiguration). Med noted that rejecting it would prevent receiving the requested service. This is hopefully an exceptional case, so presumably would not matter too much, and is just a tradeoff on strict compliance vs runtime resiliance (roughly speaking, the Postel principle). > > > > Section 5.2.3 > > > > To discover a peer DOTS agent, the DHCPv4 client MUST include both > > OPTION_V4_DOTS_RI and OPTION_V4_DOTS_ADDRESS in a Parameter > > Request > > List Option [RFC2132]. > > > > Why is the v4 case a MUST but the v6 case was only MAY? > > I think that this was down to NAT being more likely in V4, and so the IP > addresses take preference over the domain name returned. That said, I guess > V6 could be a MUST as well. > > I do recall that I had issues with the DHCP client (Centos) for V4 - where I > could not just ask for these options and get back a sensible response - > there was an inherent assumption that it would normally be used for getting > the DHCP IP/Name etc for the requesting interface, not for just requesting > the information of some remote object. This was not an issue for V6. It > maybe that I had to provide both options for it to work - I need to go back > and test this out at some point. > > > > > Section 6 > > > > 1. A DNS domain name is retrieved for each combination of interface > > and address family. A DOTS agent has to determine the domain in > > which it is located relying on dynamic means such as DHCP > > (Section 5) . [...] > > > > Hmm, this may be worth a closer look. If I understand correctly, if the > > procedures in Section 5 only give you a name, you're supposed to use DNS > > to get IP addresses to talk to, from that name. So is this procedure > > only applicable when the A/AAAA lookup fails? Otherwise I'm not sure > > how you would get only a name but not full contact information, from the > > section 5 procedure. Or, if the intent of "the name is passed to a name > > resolution library" in Section 5 is to induce the S-NAPTR lookups > > defined here, Section 5 should be more clear about that. > > My understanding was that we need to start with a seed domain that needs to > be 'acquired' from somewhere. The standard domain that is allocated to a > device may not be the same domain that handles the DOTS S-NAPTR - hence > OPTION_V(4|6)_DOTS_RI responses can be used to get the DOTS relevant domain. > > > > > a.example.net. > > IN AAAA 2001:db8::1 > > > > I'm sure my INT-area colleagues will appreciate the IPv6 examples :) > > I firmed up on the final version of this after many failing attempts to get > things right and working! Thanks again, Ben
- [Dots] AD review of draft-ietf-dots-server-discov… Benjamin Kaduk
- Re: [Dots] AD review of draft-ietf-dots-server-di… Jon Shallow
- Re: [Dots] AD review of draft-ietf-dots-server-di… mohamed.boucadair
- Re: [Dots] AD review of draft-ietf-dots-server-di… mohamed.boucadair
- Re: [Dots] AD review of draft-ietf-dots-server-di… Benjamin Kaduk
- Re: [Dots] AD review of draft-ietf-dots-server-di… Benjamin Kaduk
- Re: [Dots] AD review of draft-ietf-dots-server-di… mohamed.boucadair