Re: [homenet] New version draft-mglt-homenet-naming-architecture-dhc-options-02.txt

Daniel Migault <mglt.ietf@gmail.com> Mon, 07 July 2014 12:46 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BDF51B2845 for <homenet@ietfa.amsl.com>; Mon, 7 Jul 2014 05:46:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2fo6IF9O3fQG for <homenet@ietfa.amsl.com>; Mon, 7 Jul 2014 05:46:28 -0700 (PDT)
Received: from mail-wi0-x231.google.com (mail-wi0-x231.google.com [IPv6:2a00:1450:400c:c05::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96E721B281F for <homenet@ietf.org>; Mon, 7 Jul 2014 05:46:27 -0700 (PDT)
Received: by mail-wi0-f177.google.com with SMTP id r20so6805166wiv.4 for <homenet@ietf.org>; Mon, 07 Jul 2014 05:46:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=VVzQ7+oypbMTORpDsJHYJxGb/oOLvmoxwV0pxTE4phU=; b=rukbcw7FeCA55tlBIEe2V503R5aH8Hf2BGdw+rwUs3ojaSqZtvKYWc7P8mm5g7EZpx vC51S+LgsgJG/oSqjiu5q6UvQ8WYzVD+F2m0o+E/UHfDyS2VnMnHiHcsUxCtcR+0qybg 1TwQrEFWuyvGFGemzlwbsgrrhqZ7Td8CMufLNibxtxaIpPp/KvboAvQ2CtK33jrTuNod UiEq8494KeDe1zt9RtM8yYxxZx8W7xfJvdDAMp3wLk2PGisvw+YF9W1IdBloTjBEqzPJ 831HfG5vNeyCzXbdn0S9WFOTd/g74oqsh2qsKaCm3wP3uiiofUT3VCKVGgAMofKqrGDi SsOQ==
MIME-Version: 1.0
X-Received: by 10.194.60.240 with SMTP id k16mr33134763wjr.0.1404737186066; Mon, 07 Jul 2014 05:46:26 -0700 (PDT)
Received: by 10.194.51.131 with HTTP; Mon, 7 Jul 2014 05:46:25 -0700 (PDT)
In-Reply-To: <CADZyTk=kST4zPaPzz4DsAcCOtmYbQo-s2du+nEvJv0MSrneEMg@mail.gmail.com>
References: <CADZyTkk6rUuFJ5Wds2hioBBQa9-kXDJxyg_gBGQ1R6u5CHF2Ww@mail.gmail.com> <87fvij5wdw.wl.jch@pps.univ-paris-diderot.fr> <CADZyTkk2bv7T-Bs_ckG4i2MpXVDRqLA2R1dQgrMVrPSckOy-GQ@mail.gmail.com> <87k37uy703.wl.jch@pps.univ-paris-diderot.fr> <CADZyTk=YgD=JtyDpEz8TXOQmHxKzBoiEZbbW0LhZQy2GaKLqZQ@mail.gmail.com> <87vbrcydr9.wl.jch@pps.univ-paris-diderot.fr> <CADZyTk=kST4zPaPzz4DsAcCOtmYbQo-s2du+nEvJv0MSrneEMg@mail.gmail.com>
Date: Mon, 7 Jul 2014 14:46:25 +0200
Message-ID: <CADZyTkmZ+rC99qeC7gFEwc4JBoX9sHBUpo7p89+VC6zY7Z8drQ@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
To: Juliusz Chroboczek <jch@pps.univ-paris-diderot.fr>, "homenet@ietf.org" <homenet@ietf.org>
Content-Type: multipart/alternative; boundary=047d7bacc1e4fa768604fd99dc7e
Archived-At: http://mailarchive.ietf.org/arch/msg/homenet/PqD2FNG49oxdqAQlKfof9g7252g
Subject: Re: [homenet] New version draft-mglt-homenet-naming-architecture-dhc-options-02.txt
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jul 2014 12:46:32 -0000

Hi

Please see my comments inline.

>
>
> On Sat, Jul 5, 2014 at 12:12 AM, Juliusz Chroboczek <
> jch@pps.univ-paris-diderot.fr> wrote:
>
>> > The main idea is that the CPE builds the zone for the whole home
>> network.
>>
>> Thanks for the clarification.
>>
>> Daniel, perhaps I'm still misunderstanding something -- but I'm afraid
>> that
>> right now I'm strongly opposed to this protocol.  I hold no opinion yet on
>> whether proxying is necessary (although I hope it isn't), but I am
>> strongly
>> opposed to binding the DNS proxy role with the CPE at the protocol level.
>> (This does not mean that the DNS proxy cannot be colocated with the CPE,
>> only that I find a protocol that mandates this kind of colocation
>> unacceptable.)
>>
>
I do not think our architecture is bound to the CPE. In the architecture
document we mention that the CPE is the most likely to host the DNS zone
for the home network. However, I agree it can be any other node. Nor do we
mandate any colocation of functions. If you could point to specific
sections, that would help to clarify the next versions.

Similarly, I do not recall using the term proxy in one or the other draft,
and I do not see what could be considered as a proxy. More specifically,
suppose you have an authoritative DNS server in your home network. In the
draft we said a CPE will most likely handle this function. This server MAY
NOT want to respond to queries that are coming from outside the home
network. In this case, this server outsources the authoritative server for
queries coming from the Internet to a third party. DNS queries for the
domain name of the home network will be answered by the "CPE" when the
query comes from the home network and by the "third party" when the query
comes from outside the home network.

>
>
>> > I am rephrasing your use case to make sure we have the same in mind.
>> Please
>> > clarify if we do not agree on the use case. You consider is a web
>> server in
>> > the home network, that you want to be reachable from the Internet. In
>> order to
>> > do that you buy a specific domain name www.homenet.com. The domain is
>> hosted
>> > on a Public Authoritative Server, you edit the zone, add the IP address
>> of
>> > your server.
>>
>> Oh, nothing that geeky.  I copy my vacation photographs onto my NAS.
>> I click the "share over the Internet" button on the NAS's web interface.
>> The NAS performs DynDNS registration, I get a link that I can copy-paste
>> into an e-mail to my mom: "Mom, the vacation photographs are on
>> http://www.user-fe83-paris-13.dyndns.example.com:8080/photos, the
>> password
>> is 1234."  I've avoided putting my private photographs on Google's
>> servers -- and we're changing the world.
>>
>> I click on the "share over the internet" button on my stereo's web
>> interface.  The stereo performs DynDNS registration, I get a link that
>> I can copy-paste.  "Daniel, the song you found so funny at my place last
>> night is on
>> http://www.user-fe83-paris-13.dyndns.example.com/funny-music,
>> the password is 1234".  I've avoided sending 20MB of Ukrainian R'n'B over
>> SMTP -- and we're changing the world.
>>
>> I'm at the train station.  There's a strike on.  I'm playing Civilisation
>> on my laptop in an internet cafe.  I click the "Invite over the Internet"
>> button.  Civilisation performs DynDNS registration, I get a link which
>> I can copy-paste.  "Daniel, I'm bored, join me for a game of Civilisation,
>> link is civ://www.user-fe83-paris-13.dyndns.example.com, password is
>> 1234", and now I can wholeheartedly support the cheminot's strike -- we're
>> changing the world again.
>>
>
To me the last use case you provide is not in the scope of home network
unless you are using a VPN. The first two examples seem to be related to
WebDAV. From a DNS point of view, it looks to me that they involve only a DNS
registration. Suppose there is no NAT. Your NAS requests/discovers its IP
address and then registers its IP address with the registrar. This means that
at one time you have configured your NAS with the appropriate credentials
to update your zone at the registrar. In the architecture we propose,
things may be as follows: the NAS only needs a hostname, myserver for
example. You plug the NAS into your home network, it announces its name via
DHCP. DHCP transmits the information to the entity that manages the DNS
zone, which then outsources the zone to the registrar. Your NAS does not need
to be configured to update the zone at the registrar.

>
>
>> >     1) It is not scalable in term of configuration: if you have a single
>> > server, you can edit the zone. If you have 100 devices (which is not
>> much) you
>> > will not be able to do it especially if you IP prefix changes every day.
>>
>> Sure.  Just like you, I'm expecting dynamic updates.  But I don't expect
>> dynamic updates to be dependent on my CPE, which is buggy (it was provided
>> by the major competitor of your employer) and isn't available at the
>> internet cafe.
>
>
To me the Internet cafe is not the home network. The issue of buggy CPEs is
an important one. The goal of the two drafts is to provide guidance to
avoid such issues... and providing no guidance or leaving things as they
are now won't solve these issues ;-)

>
>
>
>> >     2) It is not scalable in term of software installation: every
>> registrar
>> > have its own API for configuring the zone.
>>
>> Then why not standardise a registration API?
>>
>
I am not sure there is a real interest in doing so, nor that it is
feasible. The important thing is that you have the APIs of your registrar
and that you do not have to set them in all devices. Some devices like
sensors will never be able to embed these APIs anyway.


>
>>
>> > Furthermore, if you suppose all registrar agree to have a unique way to
>> > do so, -- suppose nsupdate -- all devices will have to implement this
>> > protocol. For most devices this may be not a problem, however, for all
>> > devices like sensors having to perform nsupdate every day, may impact
>> > their battery life time for nothing.
>>
>> If you really believe that proxying is necessary (and I'd like actual
>> figures to support this claim -- how many devices do you have in your home
>> that cannot afford the cost of one registration every few hours?), then
>> there's nothing preventing a DNS proxy from using the standardised
>> registration protocol on behalf of its clients.  Then clients can choose
>> whether to go through the proxy, and users can choose whether to use the
>> ISP-provided proxy (co-located with the CPE) or a third-party proxy that
>> happens to work.
>>
>
It is not clear what you have in mind with proxy, so I might misunderstand
your point here. It seems to me that you do not want the architecture to
prevent a host from registering on its own. YES, this is the case. Suppose
your Registered Domain Name for your home network is myhome.net. With our
architecture, as mentioned above, your NAS may be automatically registered
as myserver.myhome.net. If you want your server to be registered as
myserver.org, nothing prevents you from doing so. You may have two names
for the server, or a single one. In other words, the proposed architecture
is compliant with existing deployments.

>
>
>> >     3) It is not automatic and flexible: A new device that is in your
>> network
>> > cannot have a name, as an admin needs to register its name in the zone
>> > myhomenet.com, or provide the credential for it to all new devices.
>>
>> That's what we have HNCP for -- for distributing random data to all
>> devices.
>>
>
I am sure I misunderstood your point, but I understand you suggest using
HNCP to distribute credentials (private keys, login password). Am I
correct?


>> >     4) It is not scalable in term of zone management and bandwidth:
>> Suppose
>> > you have n devices in the home network and a renumbering occurs. All
>> these n
>> > devices will contact the Public Authoritative Server that may be miles
>> away
>> > from your home network.
>>
>> I've got 100 devices.  I renumber.  Each device sends 500 bytes of
>> registration data.  My monthly Internet bill has just increased by 50 kB.
>>
>
That is still more than 0  ;-)

>> >     5) it exposes your homenet to IP disruption. Suppose your ISP has a
>> > connectivity issue, even a node in your home network will not be able to
>> > contact your web server as the DNS(SEC) resolution is not possible.
>>
>> But my nodes are still running mDNS/zeroconf, right?  Or are you
>> deprecating
>> that?
>>
>
Interchanging mDNS and DNS for local / global scope is not an easy thing.
These are different protocols and I do not think it is a good idea to
require all devices to have both; then a homenet may have different
subnetworks, mDNS can use UTF-8...  There is a lot of ongoing work in
dnssd.

By the way, I am not deprecating the use of mDNS at all; it is simply
orthogonal.

>
>
>
>> -- Juliusz
>>
>
>
>
> --
> Daniel Migault
> Orange Labs -- Security
> +33 6 70 72 69 58
>



-- 
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58
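
A toy model of the architecture described in the reply above (a host announces only a hostname, one node in the home builds the zone, and a copy is outsourced to a third-party authoritative server for queries from outside the home), written as an added example for this page. It is not the draft's protocol or wire format: the domain myhome.net, the IPv6 prefixes, the interface identifiers, the way a DHCP lease is modelled as an (hostname, identifier) pair, and the hostname validation rule are all assumptions. It shows two things the prose only states: a renumbering costs one push from the zone manager rather than one update per device, and a device that announces a multi-label name cannot plant a record outside its own slot in the zone.

```python
"""Toy homenet naming model. Example code for this page, not the draft's
protocol; names, prefixes and the DHCP lease shape are assumptions."""
import ipaddress
import re

# One RFC 1123 style label: letters, digits and hyphens, no leading or
# trailing hyphen, at most 63 characters. Dots are deliberately not allowed.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name: str) -> bool:
    """A device may announce a single label only. Rejecting dots stops a host
    from claiming e.g. 'www.evil.example' and having the zone manager publish
    a record it should not own (check added here; not in the thread)."""
    return bool(_LABEL_RE.match(name))


class HomeZone:
    """The node that manages naming for the home (most likely the CPE, but
    any node could play this role). It owns the zone and pushes copies to
    the outsourced public authoritative server."""

    def __init__(self, domain: str, prefix: str):
        self.domain = domain.rstrip(".")
        self.prefix = ipaddress.IPv6Network(prefix)
        self.hosts = {}        # hostname -> interface identifier (int)
        self.outsourced = {}   # last copy pushed to the third-party server
        self.pushes = 0        # number of pushes to the public server

    def announce(self, hostname: str, iid: int) -> None:
        """Process a DHCP lease carrying a hostname (modelled as arguments)."""
        if not valid_hostname(hostname):
            raise ValueError(f"rejected hostname {hostname!r}")
        key = hostname.lower()
        # First come, first served: a second device cannot take over a name.
        if key in self.hosts and self.hosts[key] != iid:
            raise ValueError(f"{hostname!r} already registered by another host")
        self.hosts[key] = iid
        self.publish()

    def renumber(self, new_prefix: str) -> None:
        """ISP prefix change: the zone is rebuilt centrally and pushed once."""
        self.prefix = ipaddress.IPv6Network(new_prefix)
        self.publish()

    def records(self) -> dict:
        """Current AAAA data: name -> address built from prefix + identifier."""
        base = int(self.prefix.network_address)
        return {f"{h}.{self.domain}.": str(ipaddress.IPv6Address(base + iid))
                for h, iid in self.hosts.items()}

    def publish(self) -> None:
        """Outsource the whole zone to the third party in one transfer."""
        self.outsourced = self.records()
        self.pushes += 1

    def resolve(self, qname: str, from_home: bool):
        """Return (address, who_answered). Queries from inside the home are
        answered locally; queries from the Internet hit the outsourced copy."""
        if from_home:
            return self.records().get(qname), "home"
        return self.outsourced.get(qname), "third-party"


if __name__ == "__main__":
    zone = HomeZone("myhome.net", "2001:db8:1::/64")   # assumed values
    zone.announce("myserver", 0x10)
    zone.announce("nas", 0x11)
    print(zone.resolve("nas.myhome.net.", from_home=False))
    zone.renumber("2001:db8:2::/64")                    # one push for all hosts
    print(zone.pushes, zone.resolve("nas.myhome.net.", from_home=True))
```

The `pushes` counter is the quantity the thread argues about in point 4: with n hosts registering individually the public server sees n updates per renumbering, while here it sees one transfer regardless of n. The hostname check is the part a reviewer would insist on before letting unauthenticated DHCP hostnames drive zone content.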