Re: [Ecrit] planned-changes: two questions
Randall Gellens <rg+ietf@randy.pensive.org> Tue, 14 September 2021 18:57 UTC
Return-Path: <rg+ietf@randy.pensive.org>
X-Original-To: ecrit@ietfa.amsl.com
Delivered-To: ecrit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD2D33A291A for <ecrit@ietfa.amsl.com>; Tue, 14 Sep 2021 11:57:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.789
X-Spam-Level:
X-Spam-Status: No, score=-1.789 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_PASS=-0.001, T_FORGED_RELAY_MUA_TO_MX=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1mDSKKeWLEDR for <ecrit@ietfa.amsl.com>; Tue, 14 Sep 2021 11:57:33 -0700 (PDT)
Received: from turing.pensive.org (turing.pensive.org [99.111.97.161]) by ietfa.amsl.com (Postfix) with ESMTP id F0B5C3A2917 for <ecrit@ietf.org>; Tue, 14 Sep 2021 11:57:32 -0700 (PDT)
Received: from [99.111.97.181] (99.111.97.161) by turing.pensive.org with ESMTP (EIMS X 3.3.9); Tue, 14 Sep 2021 11:57:32 -0700
From: Randall Gellens <rg+ietf@randy.pensive.org>
To: Brian Rosen <br@brianrosen.net>
Cc: Jeff Martin <Jeff.Martin@comtechtel.com>, Dan Banks <dbanks=40ddti.net@dmarc.ietf.org>, ecrit@ietf.org
Date: Tue, 14 Sep 2021 11:57:31 -0700
X-Mailer: MailMate (1.13.2r5673)
Message-ID: <7C3C1133-9556-4865-AABB-A7C69242E738@randy.pensive.org>
In-Reply-To: <932C8052-7C92-474E-A6CA-F280B25837DC@brianrosen.net>
References: <A0FC259C-DF34-4496-9013-422006278DA6@randy.pensive.org> <FB2A33E8-E146-404B-B150-1496C40510EF@brianrosen.net> <5577e2e6daa4405bbe12ef61675e1f55@bell.ca> <DE195D79-5A01-48EE-95CA-6C4B82E0886D@brianrosen.net> <e6e17f501711441188119cdfbe384d3d@bell.ca> <3AD58DEC-1DC9-4BC0-B55C-4E782E4AAA74@brianrosen.net> <E20342E7-2EFB-4479-96C2-85B4B7E16989@randy.pensive.org> <A7D59E8E-A014-4CC8-A0FF-5F58E81C6D4A@brianrosen.net> <2b4abbef37be4131a87471af75b6e7da@bell.ca> <CF2E8EDC-B38D-4742-B317-F3CE3E831578@brianrosen.net> <f82108f590674341a22da9c2e4c649e0@bell.ca> <7C4F6B87-C480-4963-B582-7639A9A1B029@brianrosen.net> <89a34416a9224a3bbccb520408283373@bell.ca> <D3AA7F51-01F4-4ED6-BFC3-2B3BF5AB1536@brianrosen.net> <DA890A1B-E22F-4EBB-B312-53A6C5BCD7B9@randy.pensive.org> <3441984B-D273-48FC-BCF1-AACB4AFCA2BF@brianrosen.net> <E31A5619-0FC6-45FD-8541-644C269AE5EC@randy.pensive.org> <83D1AC98-BE13-4BB7-AAC0-D9D60719D0F6@brianrosen.net> <4aa79e0c61394f588c61badeb779de16@bell.ca> <CO6PR09MB8600D17E58AECCC9E80C20889FD59@CO6PR09MB8600.namprd09.prod.outlook.com> <DM5PR1701MB181841BF7E917A62D89BACD0A7D69@DM5PR1701MB1818.namprd17.prod.outlook.com> <9953AB0C-E4C8-4395-8014-9F8E7A5FD949@brianrosen.net> <CO6PR09MB860009C5324D1380484280719FD69@CO6PR09MB8600.namprd09.prod.outlook.com> <3F2B5D84-9B76-483B-A1FA-467CD26C5BA3@brianrosen.net> <ADFD1EA2-6114-40A1-A4A5-6B2F379B148D@randy.pensive.org> <8696CD3E-46AF-43C7-82E5-D71FEB073918@brianrosen.net> <AF1EFC94-0BAB-41B8-BC6D-D5923B450AC4@randy.pensive.org> <A892C21A-8D63-459A-A976-0FCC4E2A1198@brianrosen.net> <D9737F56-57F2-4AF3-A06A-50CBDC533D6D@randy.pensive.org> <932C8052-7C92-474E-A6CA-F280B25837DC@brianrosen.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_MailMate_4C2D44E0-7010-467A-9A1E-8DDAADB7A929_="
Embedded-HTML: [{"HTML":[495, 72468], "plain":[164, 24938], "uuid":"026B774D-ED5F-4409-869D-CA7C96B60D23"}]
Archived-At: <https://mailarchive.ietf.org/arch/msg/ecrit/aQ_bKwp40VZpqdUFrTtw_paZ8VE>
Subject: Re: [Ecrit] planned-changes: two questions
X-BeenThere: ecrit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Emergency Context Resolution with Internet Technologies <ecrit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ecrit>, <mailto:ecrit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ecrit/>
List-Post: <mailto:ecrit@ietf.org>
List-Help: <mailto:ecrit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ecrit>, <mailto:ecrit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Sep 2021 18:57:39 -0000
using IDs seems simpler and unambiguous. If using civic address elements, what are the matching rules? --Randall On 14 Sep 2021, at 11:23, Brian Rosen wrote: > Yeah, but if we were going from a push (notification) mechanism to a > pull (polling) mechanism, which I oppose, but if we were, then I think > what Dan did is pretty good, and better than having IDs the client has > to track and much better than just a TTL. > > Brian > >> On Sep 14, 2021, at 12:57 PM, Randall Gellens >> <rg+ietf@randy.pensive.org> wrote: >> >> I wasn't clear that Dan was making a specific proposal; I interpreted >> his description as what he implemented. As I understand, he uses a >> separate API (not LoST) that returns partial civic addresses. What I >> described is how I would fit what he did into what the draft does >> now, specifically, a new LoST query instead of a non-LoST API, and >> IDs. >> >> --Randall >> >> On 14 Sep 2021, at 5:28, Brian Rosen wrote: >> >> Dan’s proposal doesn’t use IDs. He returns partial civic >> addresses. >> >>> On Sep 13, 2021, at 6:12 PM, Randall Gellens >>> <rg+ietf@randy.pensive.org <mailto:rg+ietf@randy.pensive.org>> >>> wrote: >>> >>> Fitting his concept into the draft leads us to retain the concept of >>> the server returning an ID with a query result; the change is that >>> instead of a notification URI we have a new query. I suppose this >>> new query (e.g., "plannedChangesRequest") could either return a list >>> of all IDs potentially invalidated with an "asOf" date, or the query >>> could contain a set of IDs and the response can indicate the "asOf" >>> date for each queried ID. >>> >>> --Randall >>> >>> On 13 Sep 2021, at 14:45, Brian Rosen wrote: >>> >>> Well, since there is no planned changes, it’s suggested that LISs >>> revalidate periodically. I think 30 days is the suggested >>> frequency. >>> A user configured address is validated when they enter it. That >>> doesn’t work well now, but newer systems using LoST will make that >>> immediate. The systems usually don’t allow an invalid location to >>> be configured. I never thought that was a good idea, but that’s >>> what I’ve seen. They don’t initiate service, or keep the old >>> address until it’s validated. >>> >>> Yes. I think you have described Dan’s proposal correctly. He >>> didn’t have IDs, the system delivers addresses and AsOf dates. He >>> had the notion of a partial civic address, which may make the change >>> list much smaller. >>> >>> Brian >>> >>>> On Sep 13, 2021, at 5:27 PM, Randall Gellens >>>> <rg+ietf@randy.pensive.org <mailto:rg+ietf@randy.pensive.org>> >>>> wrote: >>>> >>>> Do LISs frequently revalidate addresses? An address that's user >>>> configured is likely to be wrong (not where the user is at the time >>>> of a call) but still valid. >>>> >>>> If I understand Dan's suggestion and how it would fit into the >>>> draft, the LoST server returns an ID in the response, as in the >>>> current draft, but instead of the client providing a URI which the >>>> server stores and later sends a POST to, we define a new LoST query >>>> (e.g., "plannedChangesRequest"), and in the response to that, the >>>> server includes sets of IDs and "asOf" dates. Is that it? >>>> >>>> --Randall >>>> >>>> On 13 Sep 2021, at 5:30, Brian Rosen wrote: >>>> >>>> The kind of thing I’ve seen many times is an annexation. It’s >>>> announced months, sometimes years in advance. While there are >>>> clear boundaries, they very often don’t match postal boundaries >>>> or the existing “unincorporated community name”, A4. It takes >>>> weeks to months of prep to figure out which entries will change and >>>> which stay the same. Of course a good reason it takes that long is >>>> that at present, there is nothing like LoST Planned Changes, so >>>> it’s got a whole lot of manual work. I am aware that sometimes, >>>> things really do change where you don’t find out more than 24 >>>> hours ahead. Usually, that’s poor planning, rather than an >>>> actual short fuse change, but it happens, and has to be dealt with. >>>> >>>> Just polling is a really poor answer IMO, because you have to >>>> revalidate the entire dataset to find the entries that changed. >>>> I’ve built many systems with TTL where the TTL was gradually >>>> reduced around a change so that the entries that changed had short >>>> TTLs and the entries that didn’t had longer ones. That only >>>> works if you know far enough in advance that a change is coming. >>>> That’s generally true for the events that planned-changes is >>>> designed for, but not always. If your norm is 90 day TTL, and >>>> something comes up where you find out 30 or 60 days in advance, >>>> then that idea won’t work. >>>> >>>> Dan’s system fixes that, by having a poll for changes. He >>>> publishes a list of entries that will change. That can be polled >>>> frequently, because it’s small. If I understand the “partial >>>> civic” idea, it can often be very small. >>>> >>>> I still prefer push, because it actually fits the problem: the >>>> server wants to tell the client that something is changing. But >>>> I’m willing to do what Dan suggests. It’s not my favorite, but >>>> it will work. Just using TTL won’t, in my opinion. Either you >>>> have to do way too frequent full revalidations, or you miss events. >>>> >>>> I’ve never liked the fact that LoST servers have 99.99% of >>>> transactions that are mostly worthless - revalidations of things >>>> that didn’t change. >>>> >>>> But as editor, I will write up whatever the work group consensus >>>> is. >>>> >>>> Brian >>>> >>>>> On Sep 10, 2021, at 4:11 PM, Jeff Martin >>>>> <Jeff.Martin@comtechtel.com <mailto:Jeff.Martin@comtechtel.com>> >>>>> wrote: >>>>> >>>>> Brian wrote: >>>>>> [the client] not knowing well in advance [of a server change] is, >>>>>> I think, unacceptable >>>>> >>>>> In my outlined suggestion, I ended with: >>>>> The data in the [server] issued set could be further extended to >>>>> convey upcoming potential impacts to ids that have not yet been >>>>> impacted. >>>>> >>>>> The server's issued set(s) could contain 'invalidAsOf' indicators >>>>> with the locationIds, similar to the draft's server-pushed >>>>> <locationInvalidated invalidAsOf="..." ...>. So if a server >>>>> knows "well in advance", say 24 hours, as long as the clients pull >>>>> within 24 hours the clients would also know well in advance. My >>>>> outlined suggestion also includes server-provided TTL in server >>>>> responses to give hints to clients about polling frequency. >>>>> >>>>> Balancing the tradeoffs of polling vs uri+push requires answering >>>>> this question: What will be the typical and/or exceptional >>>>> lead-times for servers operators to know about upcoming changes? >>>>> >>>>> If it's common that server operators themselves often identify >>>>> changes with less than one-hour notice, then the complexity of >>>>> client-registered-uri with server-push is more justified. >>>>> >>>>> But if it's common that server operators usually identify changes >>>>> with one day or more notice, and one-hour notice is very uncommon, >>>>> then the simplicity of polling is more justified. >>>>> >>>>> IMO based on experience at my company, days of lead time (not >>>>> hours) is typical for server operators dealing with "planned >>>>> changes" that affect validity. So the simplicity of polling with >>>>> responses that include 'invalidAsOf' is better than the >>>>> complexity of uri+push, whose benefits would rarely be realized in >>>>> an environment dominated by days of lead time. >>>>> >>>>> /Jeff/ >>>>> >>>>> >>>>> From: Brian Rosen <br@brianrosen.net <mailto:br@brianrosen.net>> >>>>> Sent: Friday, September 10, 2021 10:30 AM >>>>> To: Dan Banks <dbanks=40ddti.net@dmarc.ietf.org >>>>> <mailto:dbanks=40ddti.net@dmarc.ietf.org>> >>>>> Cc: Jeff Martin <jeff.martin@comtechtel.com >>>>> <mailto:jeff.martin@comtechtel.com>>; ecrit@ietf.org >>>>> <mailto:ecrit@ietf.org> >>>>> Subject: Re: [Ecrit] planned-changes: two questions >>>>> >>>>> >>>>> Minutes? >>>>> >>>>> So the clients of this service poll for changes every few minutes? >>>>> >>>>> What is a “partial civic address”? Example? Something like >>>>> an A1/A2/A4 but no street name/number, meaning any address in this >>>>> unincorporated community name? >>>>> >>>>> ISTM that a planned change quite often can’t be fixed in a way >>>>> that code could do it. So, we still need to advertise the change >>>>> well in advance of the change, and have the ability to do the AsOf >>>>> validation. Changing the way the client discovers that a change >>>>> is coming is one thing, not knowing well in advance is, I think, >>>>> unacceptable. >>>>> >>>>> Brian >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> ___________________________________________________________________ >>>>> On Sep 10, 2021, at 12:13 PM, Dan Banks >>>>> <dbanks=40ddti.net@dmarc.ietf.org >>>>> <mailto:dbanks=40ddti.net@dmarc.ietf.org>> wrote: >>>>> >>>>> I am opposed to asking LoST servers to store URIs as well. I >>>>> believe it significantly overcomplicates the solution and is the >>>>> biggest reason why I have not supported the planned changes draft. >>>>> >>>>> Several years ago we implemented a mechanism to allow a LIS to >>>>> know that it needs to revalidate. Roughly described, that >>>>> mechanism consists of a web API that can be queried for changes >>>>> after a particular time. The response is a summary of changes in >>>>> terms of partial civic addresses that allow the LIS to identify >>>>> records that are likely to be affected, or possibly that there >>>>> have been so many changes that a full revalidation is recommended. >>>>> We’ve made the API discoverable via U-NAPTR using the same app >>>>> string as a given LoST server. >>>>> >>>>> Yes, the LIS has to poll the various LoST servers and ask if there >>>>> have been any changes. That is a cheap operation to implement, >>>>> and the practical difference between knowing the very instant a >>>>> change is published versus finding out within a few minutes is not >>>>> significant in any way. >>>>> >>>>> Dan >>>>> >>>>> From: Ecrit <ecrit-bounces@ietf.org >>>>> <mailto:ecrit-bounces@ietf.org>> On Behalf Of Jeff Martin >>>>> Sent: Thursday, September 9, 2021 4:09 PM >>>>> To: ecrit@ietf.org <mailto:ecrit@ietf.org> >>>>> Subject: Re: [Ecrit] planned-changes: two questions >>>>> >>>>> Asking a server to store and later user a client-provided uri >>>>> opens the door for abuse by malicious actors. Which got me to >>>>> thinking, what if we removed the client-provided uri entirely? If >>>>> no uris then no risk of abuse. >>>>> >>>>> Keep the new optional <plannedChange asOf="..."> but without 'uri' >>>>> in the client's <findServiceRequest>. Keep the new optional <ttl> >>>>> in the server's <findServiceResponse> as a hint to clients that >>>>> may want to initiate revalidation from the client side. Keep the >>>>> new optional server "unique location ID" in the server response as >>>>> discussed on this list (but not yet in published draft), which the >>>>> client could choose to associate with the client's internal >>>>> records. >>>>> >>>>> The server periodically (server policy) issues a set of >>>>> "potentially impacted" ids, where "potentially impacted" has >>>>> already been discussed on this list. Each set includes: the ids >>>>> that have been "potentially impacted" since the previous set was >>>>> issued; the time-range covered; and a TTL hint on how long until >>>>> the server is likely to issue the next list. The server keeps the >>>>> sets going back some interval defined by server policy. >>>>> >>>>> Client sends a "discovery" query to server, where server response >>>>> is: the url(s) of the most recent and past set(s); and a TTL hint >>>>> on how long until next list likely to be released. Client then >>>>> queries any of these urls, and server responds with the set that >>>>> includes: the ids that have been "potentially impacted" since the >>>>> previous set was issued; the time-range covered; and a TTL hint on >>>>> how long until the server is likely to issue the next list. >>>>> >>>>> For clients that want to be highly proactive for changes, the >>>>> client can store the "unique location id" from >>>>> <findServiceResponse> and associate to the client's internal >>>>> records. The client then periodically queries the server for the >>>>> set(s) of impacted IDs, and client gets a copy of each set. The >>>>> client uses these sets of impacted ids from the servers list to >>>>> check the clients internal records, and client can then revalidate >>>>> those. >>>>> >>>>> No more client-provided uris entirely removing the possibility of >>>>> abuse by malicious actors. >>>>> >>>>> The data in the issued set could be further extended to convey >>>>> upcoming potential impacts to ids that have not yet been impacted. >>>>> >>>>> >>>>> /Jeff/ >>>>> >>>>> From: Ecrit <ecrit-bounces@ietf.org >>>>> <mailto:ecrit-bounces@ietf.org>> On Behalf Of Caron, Guy >>>>> Sent: Thursday, September 9, 2021 7:52 AM >>>>> To: Brian Rosen <br@brianrosen.net <mailto:br@brianrosen.net>>; >>>>> Randall Gellens <rg+ietf@randy.pensive.org >>>>> <mailto:rg+ietf@randy.pensive.org>> >>>>> Cc: ECRIT <ecrit@ietf.org <mailto:ecrit@ietf.org>> >>>>> Subject: Re: [Ecrit] planned-changes: two questions >>>>> >>>>> I’m aligned with Brian on the proposal to embed a reverse HTTP >>>>> transaction within an existing one. I think this is asking for >>>>> trouble. >>>>> >>>>> Guy >>>>> >>>>> De : Brian Rosen <br@brianrosen.net <mailto:br@brianrosen.net>> >>>>> Envoyé : 8 septembre 2021 19:32 >>>>> À : Randall Gellens <rg+ietf@randy.pensive.org >>>>> <mailto:rg+ietf@randy.pensive.org>> >>>>> Cc : Caron, Guy <g.caron@bell.ca <mailto:g.caron@bell.ca>>; ECRIT >>>>> <ecrit@ietf.org <mailto:ecrit@ietf.org>> >>>>> Objet : [EXT]Re: [Ecrit] planned-changes: two questions >>>>> >>>>> Inline. I think we need other opinions. Certainly, we don’t >>>>> have rough consensus. >>>>> >>>>> >>>>> >>>>> ________________________________________________________ >>>>> On Sep 8, 2021, at 5:45 PM, Randall Gellens >>>>> <rg+ietf@randy.pensive.org <mailto:rg+ietf@randy.pensive.org>> >>>>> wrote: >>>>> >>>>> Why is a subsequent transaction better than a parallel one? The >>>>> subsequent transaction model delays knowledge of the state. >>>>> If the client doesn't see an immediate POST, it doesn't know if >>>>> there's been an error or not. >>>>> Yes it does. If it doesn’t see an immediate POST, then there >>>>> was a problem and it has to try again. >>>>> >>>>> If the client sees a POST and sends an ID, it doesn't know if the >>>>> server received it and stored the URI. >>>>> Technically true, but vanishingly small issue. You had a complete >>>>> HTTPS transaction, but somehow the client isn’t sure the server >>>>> got the ID. >>>>> >>>>> If the server tries a POST but gets an error, it may retry but >>>>> meanwhile the client may retry the query, since it didn't get a >>>>> POST. >>>>> That's always going to be something the server has to deal with: >>>>> re-enrollment of the URI. The client gets a normal response, and >>>>> that tells it the URI was accepted. >>>>> >>>>> Should a client retain IDs if it hasn't seen a POST? >>>>> No, lack of POST means URI is not enrolled >>>>> >>>>> Also, requiring that the client send an ID seems like it may >>>>> constrain client architectures since any part of the client system >>>>> that receives a POST must know which IDs are pending. >>>>> I don’t agree. This is a pretty normal “I send you a magic >>>>> number and you have to return it to me” thing. There are no >>>>> “pending IDs”. This is the first ID, so you need to return >>>>> it, and only it, but it’s the only ID the client has at this >>>>> point. >>>>> >>>>> What is the objection to a parallel POST? >>>>> I was taught that you don’t embed an HTTP transaction in another >>>>> with the same partner because things go wrong with timeouts and >>>>> logic. It’s not a parallel POST, it’s an HTTPS transaction >>>>> one way that encloses another HTTPS transaction the other way. >>>>> You are dependent on the inner one completing before the outer one >>>>> times out or has some other issue. I just think that’s >>>>> dangerous. I will admit that I was taught this quite a long time >>>>> ago (before HTTPS for sure) and things could have changed, but I >>>>> can’t recall an API that does that. Also note that keep alive >>>>> works exactly the same way as the initial POST. In your proposal, >>>>> those are different. That’s not much, but it’s some code. >>>>> The “test” transaction tells you that the mechanism works and >>>>> your URI is being retained, whether that happens the first time, >>>>> or a year later. >>>>> >>>>> --Randall >>>>> On 8 Sep 2021, at 14:22, Brian Rosen wrote: >>>>> I don’t think there is any fragility in the URI setup. For a >>>>> new URI, the client requests the server to keep it in a >>>>> findService. That transaction concludes by sending an ID. The >>>>> server immediately sends the test notification, to which the >>>>> client responds with the ID. At that point both sides know the >>>>> URI was accepted and the client is valid. That may be repeated >>>>> periodically so both sides know the other is happy with the >>>>> arrangements. If the client doesn’t get the test notification, >>>>> it knows the URI isn’t accepted. If the server doesn’t see >>>>> the ID, it’s knows that was a bogus request, or there is some >>>>> other problem, and it shouldn’t save the URI. >>>>> >>>>> I proposed a null ID as the test transaction flag. That would be >>>>> a piece of XML with the right namespace, the right element name, >>>>> but no value. I think that is adequate and meets Guy’s minimal >>>>> mechanism criteria. The same XML is always sent. It either has a >>>>> set of IDs or it’s empty. >>>>> >>>>> Brian >>>>> >>>>> >>>>> On Sep 8, 2021, at 5:11 PM, Randall Gellens >>>>> <rg+ietf@randy.pensive.org <mailto:rg+ietf@randy.pensive.org>> >>>>> wrote: >>>>> >>>>> The proposed mechanism seems fragile. A client has no way to know >>>>> if its request to store a URI was accepted. That makes it hard to >>>>> debug. If there are errors of any kind when the server initially >>>>> verifies a URI, the client has no idea. Even if the client repeats >>>>> the transaction, the server will silently discard the URI. To me, >>>>> that's asking for problems. >>>>> In my proposal, when the client requests to be notified and >>>>> provides a URI, the server immediately does a parallel POST to >>>>> that URI. If it gets a 202 Accepted response to the POST (or we >>>>> can choose a different value), it stores the URI and returns the >>>>> query result. If it gets a different response, it does not store >>>>> the URI and returns the query result with a uriNotStored warning. >>>>> If a client is trying to get the server to launch an attack on a >>>>> third party entity, that entity will likely not support the URI in >>>>> the first place, or will likely return an error response. If you >>>>> want additional verification, have the server include the queried >>>>> location in its test POST. That way, if the client maliciously >>>>> sent a URI of a third party LIS, that LIS will know it does not >>>>> have a query with that location outstanding. >>>>> Doing a parallel POST from the server to the client is one small >>>>> transaction; this mechanism provides immediate feedback to both >>>>> client and server. If there are DNS failures or network congestion >>>>> or whatever, the server returns uriNotStored and the client can >>>>> try again later. >>>>> As for multiple IDs in a single notification POST, having the >>>>> client specify in the initial request the maximum it is prepared >>>>> to accept seems reasonable. We can require that clients support a >>>>> minimum number. If a server has more than the maximum, it sends >>>>> them in multiple POSTs, with whatever separation in time it >>>>> chooses. A server can include fewer IDs in a POST than the >>>>> client's maximum. >>>>> We can have a 'test' notification value that is used both for the >>>>> initial verification test and for periodic keep-alive tests. >>>>> --Randall >>>>> On 8 Sep 2021, at 12:17, Brian Rosen wrote: >>>>> Okay, I think the three of us are converging, Here is a >>>>> restatement of your description: >>>>> 1) In a validation query, a Client can request to be notified when >>>>> the proffered LI should be revalidated, and provides a URI to send >>>>> the notifications to; >>>>> 2) In the validation response, the Server provides an ID that the >>>>> Client associates with the LI it just validated. The server may >>>>> silently ignore repeated requests to store a URI where the test in >>>>> 4 below fails. >>>>> 3) Immediately thereafter, if the URI is new to the Server, the >>>>> Server sends a ‘test’ notification to the URI, with an empty >>>>> ID. >>>>> 4) The recipient at the URI is expected to respond with the ID >>>>> provided in step 2. If it does, the Server stores the URI for >>>>> future notifications. If it does not, the server ignores the >>>>> request to store the URI. >>>>> 5) Some time after, the Server notifies the Client of an upcoming >>>>> planned change by sending a notification to the successfully >>>>> tested URI with the location ID; >>>>> 6) The client revalidates each LI in its database that matches the >>>>> ID as of the date of the planned change. If no ID matches, it is a >>>>> no-op at the Client. Revalidations may also result in no-op at the >>>>> Client. >>>>> 7) LIs at the Client that are invalidated by the planned change >>>>> are modified in its database to be valid (which probably mean >>>>> another revalidation cycle) with an effective date set to >>>>> <revalidateAsoF> value. >>>>> 8) The Server may send ’test’ notifications to the URI without >>>>> any ID as a form of “keep-alive”. Any ID provided by the >>>>> Server to the client may be used as the response to the test >>>>> transaction >>>>> >>>>> >>>>> There has been a discussion of sending more than one ID in a >>>>> transaction. I think that is a decent idea, but I worry about how >>>>> big that could be. Either we put a hard limit in the text or have >>>>> something in the response to the test transaction that specifies a >>>>> size limit for that client. >>>>> >>>>> Brian >>>>> >>>>> >>>>> On Sep 7, 2021, at 8:31 PM, Caron, Guy <g.caron@bell.ca >>>>> <mailto:g.caron@bell.ca>> wrote: >>>>> >>>>> 1) In a validation query, a Client can request to be notified when >>>>> the proffered LI should be revalidated, and provides a URI to send >>>>> the notifications to; >>>>> 2) In the validation response, the Server provides an ID that the >>>>> Client associates with the LI it just validated; >>>>> 3) Immediately thereafter, the Server sends a ‘test’ >>>>> notification to the URI, without any ID;\ >>>>> [br[For every new ID? Or just once? I wanted this to be a one >>>>> time registration. >>>>> [GC] Just once per offered URI. >>>>> >>>>> >>>>> 4) The recipient at the URI is expected to respond with the ID >>>>> provided in step 2. If it does, the Server stores the URI for >>>>> future notifications. If it does not, the Server [let’s pick >>>>> one: reject silently the URI and block the Client >>>>> permanently/provides a ‘uriNotStored’ warning response to the >>>>> URI {not compatible with the current proposal to test outside of >>>>> LoST}/reject silently the URI and block the Client >>>>> temporarily/other?]; >>>>> [br]I don’t think an explicit failure is a problem. The LoST >>>>> server can limit retries if it needs to. >>>>> [GC] Ok for HTTP failures but what I’m talking about is when it >>>>> fails to return the ID, like in your DoS example. >>>>> >>>>> >>>>> >>>>> 5) Some time after, the Server notifies the Client of an upcoming >>>>> planned change by sending a notification to the successfully >>>>> tested URI with the location ID; >>>>> 6) The client revalidates each LI in its database that matches the >>>>> ID as of the date of the planned change. If no ID matches, it is a >>>>> no-op at the Client. Revalidations may also result in no-op at the >>>>> Client. >>>>> 7) LIs at the Client that are invalidated by the planned change >>>>> are modified in its database to be valid (which probably mean >>>>> another revalidation cycle) with an effective date set to >>>>> <revalidateAsoF> value. >>>>> [br]I wanted periodic keep alives. How would that work? >>>>> [GC] You mean at step 3? As I mentioned below, I was wondering >>>>> about the necessity for periodic tests. If the group is convinced >>>>> it is needed, the Server can simply redo step 3 and the Client can >>>>> respond with one or many IDs it has from that Server. >>>>> >>>>> >>>>> NOTICE TO RECIPIENT: This email, including attachments, may >>>>> contain information which is confidential, proprietary, >>>>> attorney-client privileged and / or controlled under U.S. export >>>>> laws and regulations and may be restricted from disclosure by >>>>> applicable State and Federal law. Nothing in this email shall >>>>> create any legal binding agreement between the parties unless >>>>> expressly stated herein and provided by an authorized >>>>> representative of Comtech Telecommunications Corp. or its >>>>> subsidiaries. If you are not the intended recipient of this >>>>> message, be advised that any dissemination, distribution, or use >>>>> of the contents of this message is strictly prohibited. If you >>>>> received this message in error, please notify us immediately by >>>>> return email and permanently delete all copies of the original >>>>> email and any attached documentation from any computer or other >>>>> media. >>>>> _______________________________________________ >>>>> Ecrit mailing list >>>>> Ecrit@ietf.org <mailto:Ecrit@ietf.org> >>>>> https://www.ietf.org/mailman/listinfo/ecrit >>>>> <https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fecrit&data=04%7C01%7Cjeff.martin%40comtechtel.com%7Cb6354e9963b1469a1a1808d9747845af%7Ca9a26e696ae040c1bd801ca6cc677828%7C0%7C0%7C637668882191609050%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=NDkyikK2aPrzaE826qPjFrrlsn1WtrgpqjKx3KBKnQQ%3D&reserved=0> >>>> _______________________________________________ >>>> Ecrit mailing list >>>> Ecrit@ietf.org <mailto:Ecrit@ietf.org> >>>> https://www.ietf.org/mailman/listinfo/ecrit >>>> <https://www.ietf.org/mailman/listinfo/ecrit> >>
- [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- [Ecrit] PLEASE READ: We need people to comment on… Randall Gellens
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- [Ecrit] Fwd: PLEASE READ: We need people to comme… James Kinney
- Re: [Ecrit] planned-changes: two questions Jeff Martin
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Brandon Abley
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Dan Banks
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Jeff Martin
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Caron, Guy
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Brian Rosen
- Re: [Ecrit] planned-changes: two questions Randall Gellens
- Re: [Ecrit] planned-changes: two questions Brian Rosen