IETF Logo Mail Archive

Re: [Ecrit] planned-changes: two questions

Randall Gellens <rg+ietf@randy.pensive.org> Wed, 08 September 2021 21:11 UTC

Return-Path: <rg+ietf@randy.pensive.org>
X-Original-To: ecrit@ietfa.amsl.com
Delivered-To: ecrit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8032E3A38B1 for <ecrit@ietfa.amsl.com>; Wed, 8 Sep 2021 14:11:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level:
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_FORGED_RELAY_MUA_TO_MX=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BL2WBFTm0d5o for <ecrit@ietfa.amsl.com>; Wed, 8 Sep 2021 14:11:03 -0700 (PDT)
Received: from turing.pensive.org (turing.pensive.org [99.111.97.161]) by ietfa.amsl.com (Postfix) with ESMTP id B8D593A38AC for <ecrit@ietf.org>; Wed, 8 Sep 2021 14:11:03 -0700 (PDT)
Received: from [99.111.97.181] (99.111.97.161) by turing.pensive.org with ESMTP (EIMS X 3.3.9); Wed, 8 Sep 2021 14:11:02 -0700
From: "Randall Gellens" <rg+ietf@randy.pensive.org>
To: "Brian Rosen" <br@brianrosen.net>
Cc: "Caron, Guy" <g.caron@bell.ca>, ECRIT <ecrit@ietf.org>
Date: Wed, 08 Sep 2021 14:11:02 -0700
X-Mailer: MailMate (1.13.2r5673)
Message-ID: <DA890A1B-E22F-4EBB-B312-53A6C5BCD7B9@randy.pensive.org>
In-Reply-To: <D3AA7F51-01F4-4ED6-BFC3-2B3BF5AB1536@brianrosen.net>
References: <A0FC259C-DF34-4496-9013-422006278DA6@randy.pensive.org> <FB2A33E8-E146-404B-B150-1496C40510EF@brianrosen.net> <5577e2e6daa4405bbe12ef61675e1f55@bell.ca> <DE195D79-5A01-48EE-95CA-6C4B82E0886D@brianrosen.net> <e6e17f501711441188119cdfbe384d3d@bell.ca> <3AD58DEC-1DC9-4BC0-B55C-4E782E4AAA74@brianrosen.net> <E20342E7-2EFB-4479-96C2-85B4B7E16989@randy.pensive.org> <A7D59E8E-A014-4CC8-A0FF-5F58E81C6D4A@brianrosen.net> <2b4abbef37be4131a87471af75b6e7da@bell.ca> <CF2E8EDC-B38D-4742-B317-F3CE3E831578@brianrosen.net> <f82108f590674341a22da9c2e4c649e0@bell.ca> <7C4F6B87-C480-4963-B582-7639A9A1B029@brianrosen.net> <89a34416a9224a3bbccb520408283373@bell.ca> <D3AA7F51-01F4-4ED6-BFC3-2B3BF5AB1536@brianrosen.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_MailMate_BC30F8B2-8CD4-4821-9890-C13183484D72_="
Content-Transfer-Encoding: 8bit
Embedded-HTML: [{"HTML":[2450, 10475], "plain":[2051, 4064], "uuid":"D77DD3B0-2BF5-4B42-A4C2-AAD9292B4040"}]
Archived-At: <https://mailarchive.ietf.org/arch/msg/ecrit/e0kCiSkyk6XYN6MKD6XRkh-IxEA>
Subject: Re: [Ecrit] planned-changes: two questions
X-BeenThere: ecrit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Emergency Context Resolution with Internet Technologies <ecrit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ecrit>, <mailto:ecrit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ecrit/>
List-Post: <mailto:ecrit@ietf.org>
List-Help: <mailto:ecrit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ecrit>, <mailto:ecrit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Sep 2021 21:11:09 -0000

The proposed mechanism seems fragile.  A client has no way to know if 
its request to store a URI was accepted.  That makes it hard to debug.  
If there are errors of any kind when the server initially verifies a 
URI, the client has no idea.  Even if the client repeats the 
transaction, the server will silently discard the URI.  To me, that's 
asking for problems.

In my proposal, when the client requests to be notified and provides a 
URI, the server immediately does a parallel POST to that URI.  If it 
gets a 202 Accepted response to the POST (or we can choose a different 
value), it stores the URI and returns the query result.  If it gets a 
different response, it does not store the URI and returns the query 
result with a uriNotStored warning.  If a client is trying to get the 
server to launch an attack on a third party entity, that entity will 
likely not support the URI in the first place, or will likely return an 
error response.  If you want additional verification, have the server 
include the queried location in its test POST.  That way, if the client 
maliciously sent a URI of a third party LIS, that LIS will know it does 
not have a query with that location outstanding.

Doing a parallel POST from the server to the client is one small 
transaction; this mechanism provides immediate feedback to both client 
and server.  If there are DNS failures or network congestion or 
whatever, the server returns uriNotStored and the client can try again 
later.

As for multiple IDs in a single notification POST, having the client 
specify in the initial request the maximum it is prepared to accept 
seems reasonable.  We can require that clients support a minimum number. 
  If a server has more than the maximum, it sends them in multiple 
POSTs, with whatever separation in time it chooses.  A server can 
include fewer IDs in a POST than the client's maximum.

We can have a 'test' notification value that is used both for the 
initial verification test and for periodic keep-alive tests.

--Randall

On 8 Sep 2021, at 12:17, Brian Rosen wrote:

> Okay, I think the three of us are converging,  Here is a restatement 
> of your description:
> 1) In a validation query, a Client can request to be notified when the 
> proffered LI should be revalidated, and provides a URI to send the 
> notifications to;
> 2) In the validation response, the Server provides an ID that the 
> Client associates with the LI it just validated.   The server may 
> silently ignore repeated requests to store a URI where the test in 4 
> below fails.
> 3) Immediately thereafter, if the URI is new to the Server, the Server 
> sends a ‘test’ notification to the URI, with an empty ID.
> 4) The recipient at the URI is expected to respond with the ID 
> provided in step 2. If it does, the Server stores the URI for future 
> notifications.  If it does not, the server ignores the request to 
> store the URI.
> 5) Some time after, the Server notifies the Client of an upcoming 
> planned change by sending a notification to the successfully tested 
> URI with the location ID;
> 6) The client revalidates each LI in its database that matches the ID 
> as of the date of the planned change. If no ID matches, it is a no-op 
> at the Client. Revalidations may also result in no-op at the Client.
> 7) LIs at the Client that are invalidated by the planned change are 
> modified in its database to be valid (which probably mean another 
> revalidation cycle) with an effective date set to <revalidateAsoF> 
> value.
> 8) The Server may send ’test’ notifications to the URI without any 
> ID as a form of “keep-alive”.  Any ID provided by the Server to 
> the client may be used as the response to the test transaction
>
>
> There has been a discussion of sending more than one ID in a 
> transaction.  I think that is a decent idea, but I worry about how big 
> that could be.  Either we put a hard limit in the text or have 
> something in the response to the test transaction that specifies a 
> size limit for that client.
>
> Brian
>
>> On Sep 7, 2021, at 8:31 PM, Caron, Guy <g.caron@bell.ca> wrote:
>>
>> 1) In a validation query, a Client can request to be notified when 
>> the proffered LI should be revalidated, and provides a URI to send 
>> the notifications to;
>> 2) In the validation response, the Server provides an ID that the 
>> Client associates with the LI it just validated;
>> 3) Immediately thereafter, the Server sends a ‘test’ notification 
>> to the URI, without any ID;\
>> [br[For every new ID?  Or just once?  I wanted this to be a one time 
>> registration.
>> [GC] Just once per offered URI.
>>
>>
>> 4) The recipient at the URI is expected to respond with the ID 
>> provided in step 2. If it does, the Server stores the URI for future 
>> notifications. If it does not, the Server [let’s pick one: reject 
>> silently the URI and block the Client permanently/provides a 
>> ‘uriNotStored’ warning response to the URI {not compatible with 
>> the current proposal to test outside of LoST}/reject silently the URI 
>> and block the Client temporarily/other?];
>> [br]I don’t think an explicit failure is a problem.  The LoST 
>> server can limit retries if it needs to.
>> [GC] Ok for HTTP failures but what I’m talking about is when it 
>> fails to return the ID, like in your DoS example.
>>
>>
>>
>> 5) Some time after, the Server notifies the Client of an upcoming 
>> planned change by sending a notification to the successfully tested 
>> URI with the location ID;
>> 6) The client revalidates each LI in its database that matches the ID 
>> as of the date of the planned change. If no ID matches, it is a no-op 
>> at the Client. Revalidations may also result in no-op at the Client.
>> 7) LIs at the Client that are invalidated by the planned change are 
>> modified in its database to be valid (which probably mean another 
>> revalidation cycle) with an effective date set to <revalidateAsoF> 
>> value.
>> [br]I wanted periodic keep alives.  How would that work?
>> [GC] You mean at step 3? As I mentioned below, I was wondering about 
>> the necessity for periodic tests. If the group is convinced it is 
>> needed, the Server can simply redo step 3 and the Client can respond 
>> with one or many IDs it has from that Server.

v2.8.7 | Report a Bug | By Email