Re: [homenet] I-D Action: draft-ietf-homenet-simple-naming-00.txt
Andrew Sullivan <ajs@anvilwalrusden.com> Thu, 18 January 2018 22:07 UTC
Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D19C12D84A for <homenet@ietfa.amsl.com>; Thu, 18 Jan 2018 14:07:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=yitter.info header.b=npTRHwQN; dkim=pass (1024-bit key) header.d=yitter.info header.b=icU5Dc2i
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vpUUlJtm_sTY for <homenet@ietfa.amsl.com>; Thu, 18 Jan 2018 14:07:15 -0800 (PST)
Received: from mx4.yitter.info (mx4.yitter.info [159.203.56.111]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFF72127275 for <homenet@ietf.org>; Thu, 18 Jan 2018 14:07:14 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mx4.yitter.info (Postfix) with ESMTP id 4489FBDA57 for <homenet@ietf.org>; Thu, 18 Jan 2018 22:07:14 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yitter.info; s=default; t=1516313234; bh=ygMVi6y8mNpfkWtlBeCKMV3wy9FBcwfhYurnT0ISlvs=; h=Date:From:To:Subject:References:In-Reply-To:From; b=npTRHwQNsmAsKqycJ/ZtppsEvsQrwrJALchMyKKsZorPjGADWaEbEMf0kVywlRIau wzUFUl83pDTCh3dyBn//BLAmNTJW3wOifkIJESyDfWTOGREPJtDlxz5/ThoDqedJca 4xLao9F2x3BmqghMqBN+S2jASVMnEVlMfH1J8eZo=
X-Virus-Scanned: Debian amavisd-new at crankycanuck.ca
Received: from mx4.yitter.info ([127.0.0.1]) by localhost (mx4.yitter.info [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2-UHD8sKoUWf for <homenet@ietf.org>; Thu, 18 Jan 2018 22:07:12 +0000 (UTC)
Date: Thu, 18 Jan 2018 17:07:11 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yitter.info; s=default; t=1516313232; bh=ygMVi6y8mNpfkWtlBeCKMV3wy9FBcwfhYurnT0ISlvs=; h=Date:From:To:Subject:References:In-Reply-To:From; b=icU5Dc2iNM8rAzqEemuEzkbCxa4W/xbyf/+YLRaHKHxqfuWNc8Y6kH5Yfanyqwmek 0NYbPJjUb5NmLhi3SBdNgOtVwx3IjDQgxjc3o1xpSo8luSlXnKYXzq0S7pK1xJ499C DQYjYgvDQlAOoUB0qSMAin6C+ctQQIh8KlU1/ufI=
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: homenet@ietf.org
Message-ID: <20180118220711.qlvv2j37tanmzhro@anvilwalrusden.com>
References: <150940322756.28282.5727712883225873683@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <150940322756.28282.5727712883225873683@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/MEN1DdkIhipiO9Ao0XUnzdbGkfI>
Subject: Re: [homenet] I-D Action: draft-ietf-homenet-simple-naming-00.txt
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jan 2018 22:07:21 -0000
Hi, I've read https://tools.ietf.org/html/draft-ietf-homenet-simple-naming-00. I have some questions & observations. Some of these are perhaps redundant to remarks I made at the mic at IETF 100. In general, as I said during the adoption discussion, the aim of the document seems a little shy of the architectural priniples. I like that the document now just says that it's not doing all of that. It seems to make a promise that the "full" version will come in the future ("A later document will describe additional functionality"), and I'm not totally convinced such a document will ever really achieve consensus. Why does this draft need to make that promise? Moreover, I'm not sure that the document is serious about the things that it says it isn't going to try to do, and that is making the document rather more complicated. I still think this is a good start given the constrained goals of the document. NIT: There is a claim In general, the set of capabilities required to discover services on any network are: that I think is a little too broad, given the list that follows. For instance, a different naming system might not use resource records. I guess this could be fixed by adding "based on DNS" or something like that after "capabilities". Similarly, section 1.1's discussion of getting keys to do dynamic update seems not to consider SIG(0). Maybe it won't scale well enough, but it surely does exist. The local-link requirement in §3.2 feels to me like a fallback to a previous model, but maybe I'm misunderstanding. Aren't we supposed to be in a world where some parts of the homenet and other parts of the homenet are on different networks? I guess that's the reason for the proxy, but then the proxy must be in multiple networks? (Maybe this is the point of the "how" in parens?) Also, given the "??? RCODE" there, I wonder whether this is an example of something that really does require some protocol extension beyond STD13 DNS? Extended error codes might be enough. In §3.3, using the bootstrap domain from DHCP or DNSSL may leak the queries to the ISP's full service resolver. Is that ok? Also in that section, the third type of bootstrap domain will almost certainly sometimes leak queries to AS112. Is that ok? (In both of these cases, I'm thinking of the case where a system is configured to use homenet but there isn't an HNR in the network.) The discussion of DNSSEC delegations near the end of §3.3 is confusing. The document already says it's not going to do the DNSSEC stuff, so I think you can leave most of that out. In §3.4, there's a requirement that queries from outside of the homenet for any name, on or off the homenet, must be rejected with a REFUSED response. Given the potential for VPNs and forwarders and so on to show up in the homenet, I'm wondering a little bit about the practical consequences of that "must." I guess it doesn't matter if the names leak because they either will work or not? Also, Names ending in 'home.arpa' should never appear in RRDATA for names that are subdomains of reverse mappings for global IP addresses. Why not? It seems to me that you could have a homenet, numbered entirely out of public v6 space, where there is no public DNS delegation. Why can't those be named inside home.arpa? (I guess the expectation of the ULA prefix says why not, but this feels like a fragile assumption to me.) The discussion of the "stable" addresses in the next ¶ seems just irrelevant: the DNS is perfectly capable of handling changing addresses, and does it all the time. By the same token, the requirement to filter out non-ULA addresses seems like it's building a restriction that is going to make the promised, later, complete homenet naming system much harder to deploy. This provision Artificial link names will be generated using HNCP. These should only be visible to the user in graphical user interfaces in the event that the same name is claimed by a service on two links. Services that are expected to be accessed by users who type in names should use [12] if it is available. seems troublesome to me. There's a restriction that the artificial names are only visible in GUIs (why only GUIs? Is the command line a GUI?), and only in case there's a collision. How is one going to troubleshoot this? Also, what if [12] isn't available? What then? §3.5 seems to me especially troublesome for the upgrade path, because even if you have a global name your minimal homenet is never going to answer for it. I think §3.6 should be removed, because the document already says it just isn't going to support DNSSEC. -- Andrew Sullivan ajs@anvilwalrusden.com
- [homenet] I-D Action: draft-ietf-homenet-simple-n… internet-drafts
- Re: [homenet] I-D Action: draft-ietf-homenet-simp… Andrew Sullivan