IETF Logo Mail Archive

Re: [eppext] New draft for keyrelay available

"Gould, James" <JGould@verisign.com> Thu, 05 February 2015 15:14 UTC

Return-Path: <JGould@verisign.com>
X-Original-To: eppext@ietfa.amsl.com
Delivered-To: eppext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5698F1A88C2 for <eppext@ietfa.amsl.com>; Thu, 5 Feb 2015 07:14:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dw62HpGqULoB for <eppext@ietfa.amsl.com>; Thu, 5 Feb 2015 07:14:26 -0800 (PST)
Received: from exprod6og103.obsmtp.com (exprod6og103.obsmtp.com [64.18.1.185]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F7871A9063 for <eppext@ietf.org>; Thu, 5 Feb 2015 07:13:22 -0800 (PST)
Received: from brn1lxmailout02.vcorp.ad.vrsn.com ([72.13.63.42]) (using TLSv1) by exprod6ob103.postini.com ([64.18.5.12]) with SMTP ID DSNKVNOIkVOPGw95PxQ3Z17n+RkAV4QDlQhI@postini.com; Thu, 05 Feb 2015 07:13:24 PST
Received: from brn1wnexcas01.vcorp.ad.vrsn.com (brn1wnexcas01.vcorp.ad.vrsn.com [10.173.152.205]) by brn1lxmailout02.vcorp.ad.vrsn.com (8.13.8/8.13.8) with ESMTP id t15FDKxt016928 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 5 Feb 2015 10:13:21 -0500
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0174.001; Thu, 5 Feb 2015 10:13:20 -0500
From: "Gould, James" <JGould@verisign.com>
To: Antoin Verschuren <ietf@antoin.nl>
Thread-Topic: [eppext] New draft for keyrelay available
Thread-Index: AdArSKQ+n3FmCyCWSq6l2+OWlzutMwA+eoEAALUP4qAAEcW9gAEmPdEAAANycwAAKyYUgAIEIAGAAAFOhwAAAGLyAAEsf/2AAAFq2AA=
Date: Thu, 5 Feb 2015 15:13:19 +0000
Message-ID: <1C730264-F439-4FB8-9ABF-803BB4DCC2E0@verisign.com>
References: <C80127C588F8F2409E2B535AF968B768B927CDA8@kambx2.SIDN.local> <0ED7237B-F4E8-45D7-971F-1625350DB0FC@verisign.com> <C80127C588F8F2409E2B535AF968B768B9280B52@kambx2.SIDN.local> <472EF001-1A03-4C50-A7DB-3D6B766B3BA8@verisign.com> <20150119094734.GA27180@miek.nl> <AF040383-7DED-4DDA-A52A-F40978697DF9@dnsbelgium.be> <C80127C588F8F2409E2B535AF968B768B9285C2F@kambx2.SIDN.local> <831693C2CDA2E849A7D7A712B24E257F49F33387@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <46F2F7EA-7FD4-4D47-B80D-CCC795277512@verisign.com> <831693C2CDA2E849A7D7A712B24E257F49F3353E@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <AE3FEA9E-04D3-4AA1-A5A0-08D7D3E92C99@antoin.nl>
In-Reply-To: <AE3FEA9E-04D3-4AA1-A5A0-08D7D3E92C99@antoin.nl>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.173.152.4]
Content-Type: multipart/related; boundary="_004_1C730264F4394FB89ABF803BB4DCC2E0verisigncom_"; type="multipart/alternative"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/eppext/VbVmselbzuvIknE5sca1mKhbbNQ>
Cc: "eppext@ietf.org" <eppext@ietf.org>
Subject: Re: [eppext] New draft for keyrelay available
X-BeenThere: eppext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: EPPEXT <eppext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/eppext>, <mailto:eppext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/eppext/>
List-Post: <mailto:eppext@ietf.org>
List-Help: <mailto:eppext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/eppext>, <mailto:eppext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Feb 2015 15:14:36 -0000

Antoin,

My understanding of EPP is that it defines 7 object verbs (check, info, create, delete, renew, transfer query / request / cancel / reject / approve, and update), where I don’t capture some of the base protocol commands like login, logout, and poll, with the ability to extend the protocol to support new objects in separate specifications that define which verbs are supported for those objects and what is passed in the commands and responses.  Nowhere does it state in RFC 5730 or RFC 3735 that an object extension must support a specific set of verbs and that a create must create “an object in the registry” with a single class of object.  The verbs supported are specific to the object that exists in some form in the registry.  An object could be a standard object like domain, it could be an immutable message object like with the key relay message, or could be a generated object based on a client info command ( Name Suggestion Mapping - http://www.verisigninc.com/assets/epp-sdk/EPP-Suggestion-Mapping.pdf and Balance Mapping - http://www.verisigninc.com/assets/epp-sdk/verisign_epp-extension_balance_v00.html).  I believe the key is that there can be many forms of objects that are supported by the server that can be represented using an EPP object extension.  The specification of the EPP object extension defines the specifics about what verbs are supported.

Reusing a create command is not simply less work but matches what the client is doing.  The client is creating a immutable message object that is delivered to a consuming client via the poll queue.  There is a message object getting created in the registry that is automatically removed once consumed.  I don’t view this as a protocol extension based on the extensibility options provided in RFC 5730.

Please show me in the RFC’s where it states that all previous commands were meant to touch an object in the registry.  There is no way that RFC 5730 could foresee all of the possible set of objects that a server could support, which is why there is the concept of an object extension.  There is variance in the set of verbs supported by the EPP domain, host, and contact RFC’s.  A transfer and renew is not applicable to a host object and a renew is not applicable to a contact object.  EPP provides the ability to specifically define what verbs apply and what data needs to be sent and received to meet the needs of the particular object.

As stated many times on this list, there should be no mixing of a protocol extension and an object extension in a single specification, which is what is currently being done in draft-ietf-eppext-keyrelay.  Making draft-ietf-eppext-keyrelay an object extension that includes support for the create command addresses this issue and is not disallowed by any text that I’m aware of in the EPP RFC’S.

Thanks,


—


JG


[cid:77031CC3-BE7A-4188-A95F-D23115A30A4D@vcorp.ad.vrsn.com]

James Gould
Distinguished Engineer
jgould@Verisign.com

703-948-3271
12061 Bluemont Way
Reston, VA 20190

VerisignInc.com<http://VerisignInc.com>

On Feb 5, 2015, at 9:32 AM, Antoin Verschuren <ietf@antoin.nl<mailto:ietf@antoin.nl>> wrote:

I believe this is the essence of the confusion.
The authors believe that like Scott, an "EPP <create> Command" always creates an object in the registry. That is how we read section 2.9.3 of RFC5730.
James believes that a create command can also be used to create "something” in the poll queue only, without creating an object in the registry. Reusing the create command like this is less work.

For relay, it is not desirable to create an object in the registry, as nothing is done with the object data after queueing in the poll queue, and just polutes the registry, let alone the question of who owns the object and what will trigger it to be deleted.

For relay we are looking for a process to place data in the poll queue only without it becomming an object in the registry.
That is why the relay draft sugested a 4th section (2.9.4) of a new type of protocol commands that we will call "Communication Commands” where a command will create a poll queue message, but does not create or change any objects in the registry.

We cannot call this new command an "EPP <create> Command” under this new "Communication Commands” section, just like there is a difference between an "EPP <transfer> Query Command” under Query Commands, and an "EPP <transfer> Command” under the Object Transform Commands.

I have no deep knowledge of XML namespaces or mixing protocol and command extensions, but this is what this new command needs to do, and is something EPP hasn’t seen the need to do before. All previous commands were meant to touch an object in the registry.

- --
Antoin Verschuren

Tweevoren 6, 5672 SB Nuenen, NL
M: +31 6 37682392
xmpp:antoinverschuren@gmail.com




Op 30 jan. 2015, om 16:08 heeft Hollenbeck, Scott <shollenbeck@verisign.com<mailto:shollenbeck@verisign.com>> het volgende geschreven:

EPP has no concept of “objects” in the poll queue. The poll queue manipulates messages. Objects are manipulated by transform commands like create, delete, etc.

I was thinking that the source client would create a relay object, which would result in a message being queued for the target client. The info could exist in both the poll message (which would be short-lived and lost once dequeued), and in the object (which would be slightly longer-lived, but would be automatically deleted when it expired).

Scott

From: Gould, James
Sent: Friday, January 30, 2015 9:57 AM
To: Hollenbeck, Scott
Cc: Rik Ribbers; Maarten Bosteels; Miek Gieben; eppext@ietf.org<mailto:eppext@ietf.org>
Subject: Re: [eppext] New draft for keyrelay available

Scott,

I believe the intent is to insert the transient object into the poll queue for the target client.  The acknowledgement of the poll message should result in the implicit removal of the transient object from the server.  With what you’re proposing, the source client would create the transient object that I’m assuming would result in a poll notification containing a signal to the client to submit an info command to get the transient object information?  I’m assuming that the target client would then need to delete the transient object once they’re done with processing the message.  I believe it’s simpler and consistent with the concept of creating a transient poll message to support the create to create the poll message and the info response poll message for the consumption of the transient object.  In this case the poll queue is functioning as the repository for the transient object with the signal and data being one and the same, and the deletion of the transient object handled via the standard poll queue mechanism.

—

JG


<image001.png>

James Gould
Distinguished Engineer
jgould@Verisign.com<mailto:jgould@Verisign.com>

703-948-3271
12061 Bluemont Way
Reston, VA 20190

VerisignInc.com

On Jan 30, 2015, at 9:20 AM, Hollenbeck, Scott <shollenbeck@verisign.com> wrote:


-----Original Message-----
From: EppExt [mailto:eppext-bounces@ietf.org] On Behalf Of Rik Ribbers
Sent: Tuesday, January 20, 2015 3:02 AM
To: 'Maarten Bosteels'; Miek Gieben; Gould, James; eppext@ietf.org
Subject: Re: [eppext] New draft for keyrelay available

Hello Maarten,

Thx for the feedback, I hope more people with experience on extending
EPP will state their opinion on the list.

We have implemented the functionality in our registration system, but
it is not very actively used. What we see is that most registrars go
insecure. Most of the time we see a transfer command followed (some
time later in time) by a domain update to remove the old key material
and add new key material. There is even a losing registrar that removes
all DNS key data when a registrant requests its authorization token
before the actual transfer.

One more opinion:

After reading through the draft again I believe I would have designed this differently. EPP commands typically act on or read data from objects, and if I'm reading keyrelay correctly the <relay> command isn't doing either of those things. It's pushing information to the server to be stored temporarily (in what?) so that it can be retrieved with a <poll> command. It would be more architecturally consistent to create a temporary relay object with the needed information and use an <info> command to retrieve the data. <poll> can be used to notify the receiving client that the information is there to be retrieved. Anyway, that's my two cents.

Rik's "not very actively used" comment is telling. DNSSEC isn't widely supported by registrars, so it makes sense that we're not seeing a lot of use. I don't have an issue with continuing work on this draft if the intention is to document the existing practice of one operator in an informational way, but I'm not comfortable with pursuing the current approach on the standards track. We should confirm the need before doing standards track work.

Scott

_______________________________________________
EppExt mailing list
EppExt@ietf.org
https://www.ietf.org/mailman/listinfo/eppext

_______________________________________________
EppExt mailing list
EppExt@ietf.org<mailto:EppExt@ietf.org>
https://www.ietf.org/mailman/listinfo/eppext

v2.8.7 | Report a Bug | By Email