Re: [Hipsec] HIP Registration Extension
Julien Laganier <julien.laganier.IETF@googlemail.com> Tue, 19 August 2008 17:57 UTC
Return-Path: <hipsec-bounces@ietf.org>
X-Original-To: hip-archive@lists.ietf.org
Delivered-To: ietfarch-hip-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 835193A68C3; Tue, 19 Aug 2008 10:57:46 -0700 (PDT)
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1227A3A6AB0 for <hipsec@core3.amsl.com>; Tue, 19 Aug 2008 10:57:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.512
X-Spam-Level:
X-Spam-Status: No, score=-2.512 tagged_above=-999 required=5 tests=[AWL=0.087, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Qmkadp+axjS for <hipsec@core3.amsl.com>; Tue, 19 Aug 2008 10:57:44 -0700 (PDT)
Received: from deprox.docomolab-euro.com (deprox.docomolab-euro.com [212.119.9.186]) by core3.amsl.com (Postfix) with ESMTP id 72EB73A68DC for <hipsec@ietf.org>; Tue, 19 Aug 2008 10:57:43 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by deprox.docomolab-euro.com (Postfix) with ESMTP id 8562117028; Tue, 19 Aug 2008 19:57:34 +0200 (CEST)
Received: from deprox.docomolab-euro.com ([127.0.0.1]) by localhost (deprox.docomolab-euro.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SnPolbAHMPiE; Tue, 19 Aug 2008 19:57:31 +0200 (CEST)
Received: from DEMAIL.docomolab-euro.com (demail.docomolab-euro.com [172.27.20.3]) by deprox.docomolab-euro.com (Postfix) with ESMTP; Tue, 19 Aug 2008 19:57:31 +0200 (CEST)
Received: from [192.168.99.36] ([192.168.99.36]) by DEMAIL.docomolab-euro.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 19 Aug 2008 19:57:29 +0200
Message-ID: <48AB098D.80704@googlemail.com>
Date: Tue, 19 Aug 2008 19:57:33 +0200
From: Julien Laganier <julien.laganier.IETF@googlemail.com>
User-Agent: Thunderbird 2.0.0.16 (Windows/20080708)
MIME-Version: 1.0
To: Lauri Silvennoinen <ljsilven@cc.hut.fi>
References: <Pine.OSF.4.64.0808141955110.142735@kosh.hut.fi> <48A9A97D.6010701@googlemail.com> <Pine.OSF.4.64.0808191814110.362556@kosh.hut.fi>
In-Reply-To: <Pine.OSF.4.64.0808191814110.362556@kosh.hut.fi>
X-OriginalArrivalTime: 19 Aug 2008 17:57:29.0521 (UTC) FILETIME=[0C010A10:01C90225]
Cc: hipsec@ietf.org
Subject: Re: [Hipsec] HIP Registration Extension
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: hipsec-bounces@ietf.org
Errors-To: hipsec-bounces@ietf.org
[sorry for resent, wronly hit CTRL+ENTER]
Hi Lauri,
Some more thougths...
Lauri Silvennoinen wrote:
> On Mon, 18 Aug 2008, Julien Laganier wrote:
>>
>> Ok for the usecase, but shouldn't this be considered as an error from
>> the MN. The MN implementation supposedly knows that RVS and ICE are
>> exclusive, and shouldn't try to register for both at the same time on
>> the same node.
>
> It can and should be considered as an error from the Requester. However,
> this does not mean that the Requester cannot send such a message. I'm
> mostly concerned about the server implementation in all of the issues.
> Thus the question is: how does the server respond to a registration
> attempt having services that cannot co-exist. RFC 5203 does not provide
> instructions for this. Are you suggesting that the server should just
> silently drop such a request? If so, this should be put in clear text
> into the RFC.
I think since the RFC allows the server to cancel the earlier
(incompatible) registration, then it should do that, and grant the new one:
A registrar (and an attached service) MAY cancel a
registration before it expires, at its own discretion. However, if
it does so, it SHOULD send a REG_RESPONSE with a zero lifetime to all
registered requesters.
>>> ...
>>
>> In that case, wouldn't be needed to signal to the MN which types of
>> registration have to be canceled for the requested one to be granted?
>>
>
> This would be even better, but then we would need individual Failure Types
> for each registration that needs to be cancelled. So instead of
>
> Failure Type Reason
> ------------ --------------------------------------------
> 2 Cancellation required
>
> we would have for example:
>
> Failure Type Reason
> ------------ --------------------------------------------
> 101 RVS Cancellation required
> 102 HIP RELAY Cancellation required
> 103 ...
> ...
> This could get too complicated when the number of HIP services (and HIP
> service related specifications) increases. So I would stick to the
> single "Cancellation required" value instead and let it be local policy
> at the Requester to know which services cannot co-exist. Either way,
> isn't it better to signal "Cancellation required" than "Registration
> requires additional credentials" or "Registration type unavailable" (or
> to remain silent) in this case?
Defining new failure types wouldn't be good. I was thinking more about
piggybacking to the REG_FAILED for "cancellation required" with a
REG_TYPES_TO_CANCEL parameter containing the registrations types that
shall be cancelled before the requested registration is granted. But
that seems to complex. Since this is somehow an error case from the
requester I think we should do as I suggested earlier, i.e. the
registrar signal that incompatible registations were cancelled, and
accpet the new one.
>>> ... but nothing is said about multiple REG_INFOs in the draft.
>>
>> Thus an additional specification would be required it seems.
>
> Yes.
I am not sure it is required to indicate different lifetimes for
different services though. If you really want to handle various
lifetime, you can get the same result by announcing the min lifetime of
services you're offering for all services.
>>> 2) How to handle REG_REQUEST, REG_RESPONSE and REG_FAILED parameters
>>> that
>>> have redundant services? These parameters are of the following form:
>>> ...
>>
>> I consider this as broken behavior from the registrar side, but anyway
>> it seems the MN could simply ignore duplicates Reg types with no harm.
>
> Broken behavior yes, but again, the RFC does not state in clear text how
> to handle such a case. If a REG_REQUEST has redundant services, then
> it's broken behavior at the Requester side. If a REG_RESPONSE or a
> REG_FAILED has redundant services, then it's broken behavior at the
> Registrar side. I suggest the following:
>
> The REG_REQUEST case i.e. the client has requested redundant services.
> The server should not allow any broken behavior from the client.
> Therefore the whole packet having redundant services should be just
> silently dropped.
I disagree. If we follow the "be conservative in what you send, liberal
in what you accept", a peer receiving duplicate registration types
should just ignore the duplicated occurrences.
> Note that the process of handling the REG_REQUEST
> parameter at the server involves the creation of some kind of
> registration state and that this creation can be time and resource
> consuming.
>
> The REG_RESPONSE and REG_FAILED cases i.e. the server has granted/denied
> redundant services. This should be a local policy issue at the client.
> If the server shows broken behavior, the client can always choose to use
> another server.
>
>>> 3) What happens if registration cancellation does not succeed? In
>>> Section
>>> 5 it is said:
>>> ...
>>
>> Again that would be broken behavior from the registrar side, we have a
>> SHOULD there. If it doesn't do so, then it either doesn't reply or
>> send REG_FAILED, in any case the MN would not be be mistaken in
>> believing the cancellation was successful.
>
> Perhaps this could be clarified by saying "The Requester cannot assume
> that the cancellation was successful until it receives a REG_RESPONSE
> with a zero lifetime."
I think this is implicit in the specification, don't you think so?
>> Do you think more text is needed?
>
> Yes, at least for the "Reg Types" with different "Min Lifetime" / "Max
> Lifetime" / "Lifetime" values.
As I said, not sure that's really needed for any usecase. And in case
you really have a hard requirement to support that, you could configure
different Registrars announcing different lifetimes w/ different HITs on
the same node. That can be left to implementation.
--julien
_______________________________________________
Hipsec mailing list
Hipsec@ietf.org
https://www.ietf.org/mailman/listinfo/hipsec
- [Hipsec] HIP Registration Extension (fwd) Lauri Silvennoinen
- Re: [Hipsec] HIP Registration Extension (fwd) Julien Laganier
- Re: [Hipsec] HIP Registration Extension Lauri Silvennoinen
- Re: [Hipsec] HIP Registration Extension Julien Laganier
- Re: [Hipsec] HIP Registration Extension Julien Laganier
- Re: [Hipsec] HIP Registration Extension Lauri Silvennoinen
- Re: [Hipsec] HIP Registration Extension Julien Laganier