Re: [Hipsec] Requesting the publication of draft-ietf-hip-native-api-07.txt
Miika Komu <miika.komu@hiit.fi> Wed, 29 July 2009 21:28 UTC
Return-Path: <miika.komu@hiit.fi>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C345F3A6EF9 for <hipsec@core3.amsl.com>; Wed, 29 Jul 2009 14:28:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jCURU49Ub++a for <hipsec@core3.amsl.com>; Wed, 29 Jul 2009 14:28:15 -0700 (PDT)
Received: from argo.otaverkko.fi (argo.otaverkko.fi [212.68.0.2]) by core3.amsl.com (Postfix) with ESMTP id 048A63A703C for <hipsec@ietf.org>; Wed, 29 Jul 2009 14:28:14 -0700 (PDT)
Received: from ip104.infrahip.net (81-225-222-227-no16.business.telia.com [81.225.222.227]) by argo.otaverkko.fi (Postfix) with ESMTP id 698AE25ED16; Thu, 30 Jul 2009 00:28:15 +0300 (EEST)
Message-ID: <4A70BEEE.3070505@hiit.fi>
Date: Thu, 30 Jul 2009 00:28:14 +0300
From: Miika Komu <miika.komu@hiit.fi>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: Tobias Heer <heer@cs.rwth-aachen.de>
References: <4A64469A.2020402@ericsson.com> <BD65F25F-8BFE-4314-8E19-AE60C258A9B8@cs.rwth-aachen.de> <4A7069BF.60000@hiit.fi> <225D36C8-3A02-4B65-9769-005AE19D5D8A@cs.rwth-aachen.de>
In-Reply-To: <225D36C8-3A02-4B65-9769-005AE19D5D8A@cs.rwth-aachen.de>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: hip WG <hipsec@ietf.org>
Subject: Re: [Hipsec] Requesting the publication of draft-ietf-hip-native-api-07.txt
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: miika.komu@hiit.fi
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2009 21:28:16 -0000
Tobias Heer wrote: Hi, thanks, you changes are available now in the final 08 version. > Hi Miika, > > I am fine with all changes. Below I acknowledged them one by one but I > do not have any objections. > > BR, > > Tobias > > Am 29.07.2009 um 17:24 schrieb Miika Komu: > >> Tobias Heer wrote: >> >> Hi, >> >> thanks for Tobias for good comments! A new preversion updated with the >> comments from Tobias is here: >> >> http://www.iki.fi/miika/docs/draft-ietf-hip-native-api-08-pre1.txt >> >> I'll submit the final version today after Tobias has acknowledged the >> changes and I've written text for Ari's overlay extensions. >> >> Below some replies for the comments from Tobias. >> >>> Hi everyone. >>> Below some comments on the draft. I am sorry that these comments are >>> so late but I hope they are useful anyway. >>> Conceptual comments first: >>> --------------------------- >>> Section 4.1: The behavior of the system if HIP_ENDPOINT_ANY is used >>> is not clear. First, the text says that "any other type of address" >>> can be returned. I would like to know which addresses this could be. >>> After talking to Miika he confirmed that "any other address" means >>> IPv4 or IPv6. It would be good to be clear here. >>> The possibility of ending up with an IPv4 socket when using >>> HIP_ENDPOINT_ANY also bears a follow-up problem: Since the address >>> format of IPv4 and IPv6 differ, it is not clear what sockaddr_hip >>> should contain if the socket is bound to an IPv4 address instead a >>> HIT or IPv6 address. From the text it is not clear if a sockaddr_hip >>> would be replied at all or if a sockadr_in or sockadr_in6 would be >>> replied. After some private discussion with Miika we came up with the >>> following solution: In the IPv6 case sockaddr_hip.hip_hit_t should >>> contain a regular IPv6 address (no magic because these have the same >>> format as HITs). In the IPv4 case, the sockaddr_hip.hip_hit_t should >>> be a mapped representation of the IPv4 address in IPv6 format (see >>> RFC2553). In case the system calls accept() or recv() return a >>> sockaddr_hip after binding to HIP_ENDPOINT_ANY, the host should check >>> the type of the address with the sockaddr_is_srcaddr function to >>> determine the actual nature of the socket. I suggest to clarify this >>> issue in Section 4.1. >> >> Added one paragraph: >> >> When a connection-oriented server application binds to >> HIP_ENDPOINT_ANY and calls accept(), the call outputs always a >> sockaddr_hip structure containing information on the connected client >> with the address family set to AF_HIP. The same applies also to >> datagram-oriented recvfrom() and recvmsg() calls. If the data flow >> was based on HIP, the ship_hit field contains a HIT. In the case of >> an IPv6 data flow without HIP, the field contains the corresponding >> IPv6 address of the client. In the case of an IPv4 flow without HIP, >> the fields contains the client's IPv4 address in IPv4-mapped IPv6 >> address format as described in section 3.7 of [RFC2553]. Section 4.5 >> describes how the application can verify the type of the address >> returned by the socket API calls. >> >> Is this ok? > > Yes. > >> >>> Section 4.3: The text only considers the HIP_HIT_* wildcards but not >>> the HIP_ENDPOINT_ANY wildcard. Explanation about the possible >>> bindings for HIP_ENDPOINT_ANY (IPv4, IPv6, HIT) should be given here, >>> too. The function getsockname() and getpeername() could also return a >>> mapped IPv4 address of a IPv6 address in case the socket is not HIP. >>> Again the use of sockaddr_is_srcaddr should be considered to figure >>> out the type of socket. >> >> I did the following two changes: >> >> However, the sockaddr_hip structure does not contain a HIT when the >> application uses the HIP_HIT_ANY_* or HIP_ENDPOINT_ANY constants.. >> >> ..The application should be prepared to handle also IPv4 and IPv6 >> addresses in the ship_hit field as described in Section 4.1 in the >> context of the HIP_ENDPOINT_ANY constant. > > Good, thanks. > >> >>> Security considerations: The use of HIP_ENDPOINT_ANY and a resulting >>> binding to an IPv4 or IPv6 socket leads to a lower level of security >>> compared to HIP. In my opinion this should be noted in the security >>> considerations. >> >> Added: >> >> The use of HIP_ENDPOINT_ANY can be used to accept incoming or create >> outgoing data flows without HIP. The application should use the >> sockaddr_is_srcaddr() function to validate the type of the connection >> in order to e.g. inform the user of the lack of HIP-based security. >> The use of the HIP_HIT_ANY_* constants is recommended in security- >> critical applications and systems. > > okay. > >> >>> Editorial comments: >>> -------------------- >>> Section 3: I suggest to rename Section 3 ("API Overview") to >>> something like "Name Resolution Process" or "Resolver Overview" >>> because it does only talk about the resolver and not about the API in >>> general. >> >> Done. > > ok. >> >>> Section 3.1: There should be a reference to Figure 1 in the beginning >>> of Section 3.1. >> >> It was already there on the first paragraph, second sentence: >> >> Before an application can establish network communications with the >> entity named by a given FQDN or relative host name, the application >> must translate the name into the corresponding identifier(s). DNS- >> based hostname-to-identifier translation is illustrated in Figure 1. >> >>> Section 4.1: The text says that the system should return -1 and >>> EAFNOSUPPORT if AF_HIP is not supported. I suggest to emphasize that >>> this is the default behavior for unsupported address families and >>> that this does not require changes to legacy hosts. >> >> Added: >> >> This is the default behavior for unsupported address families >> and does not require any changes to legacy systems. > > Ok. >> >>> Section 4.3: The text is somewhat confusing because first the client >>> case and then the server case are explained without notable >>> distinction. I suggest to only talk about the server case here since >>> this is not relevant for the client anyway. >> >> But it is relevant to clients as well. Earlier section says: >> >> The use of HIP_ENDPOINT_ANY constant in the context of outgoing >> communications is left for further experimentation in the context >> of opportunistic mode. It can result in a data flow with or >> without HIP. >> >> I believe that it was the first sentence that was confusing you, so I >> just removed it from the text. Is it ok now? >> > > Ok. > >>> Section 4.4: The section talks about specific bindings to certain HIP >>> classes. Noting that a binding to specific HIT can also be achieved >>> by using bind() and a local HIT in sockaddr_hip.hip_hit_t may be >>> helpful. >> >> I added an introduction to the beginning of the section: >> >> A client-side application can choose its source HIT by e.g. querying >> all of the local HITs with getaddrinfo() and associating one of them >> with the socket using bind(). This section describes another method >> for a client-side application to affect the selection of the source >> HIT type where the application does not call bind() explicitly. >> Instead, the application just specifies the preferred requirements >> for the source HIT type. > > Okay. > > > > >> >>> Best regards! >>> Tobias >>> Am 20.07.2009 um 13:27 schrieb Gonzalo Camarillo: >>>> Folks, >>>> >>>> the draft below includes all the comments received during its WGLC. >>>> Please, have a final look at it because we intend to request its >>>> publication in one week. >>>> >>>> http://www.ietf.org/internet-drafts/draft-ietf-hip-native-api-07.txt >>>> >>>> Thanks, >>>> >>>> Gonzalo >>>> HIP co-chair >>>> >>>> _______________________________________________ >>>> Hipsec mailing list >>>> Hipsec@ietf.org >>>> https://www.ietf.org/mailman/listinfo/hipsec >>> -- >>> Dipl.-Inform. Tobias Heer, Ph.D. Student >>> Distributed Systems Group >>> RWTH Aachen University, Germany >>> tel: +49 241 80 207 76 >>> web: http://ds.cs.rwth-aachen.de/members/heer >> > > > > > -- > Dipl.-Inform. Tobias Heer, Ph.D. Student > Distributed Systems Group > RWTH Aachen University, Germany > tel: +49 241 80 207 76 > web: http://ds.cs.rwth-aachen.de/members/heer > > > > > > >
- [Hipsec] Requesting the publication of draft-ietf… Gonzalo Camarillo
- Re: [Hipsec] Requesting the publication of draft-… Tobias Heer
- [Hipsec] ROUTE_VIA and _DST support for HIP nativ… Ari Keranen
- Re: [Hipsec] Requesting the publication of draft-… Miika Komu
- Re: [Hipsec] ROUTE_VIA and _DST support for HIP n… Miika Komu
- Re: [Hipsec] Requesting the publication of draft-… Miika Komu
- Re: [Hipsec] ROUTE_VIA and _DST support for HIP n… Ari Keränen
- Re: [Hipsec] Requesting the publication of draft-… Tobias Heer
- Re: [Hipsec] Requesting the publication of draft-… Miika Komu
- Re: [Hipsec] ROUTE_VIA and _DST support for HIP n… Miika Komu
- Re: [Hipsec] ROUTE_VIA and _DST support for HIP n… Ari Keranen