Re: [homenet] Simple Homenet Naming Architecture...
Ted Lemon <mellon@fugue.com> Tue, 14 March 2017 15:25 UTC
Return-Path: <mellon@fugue.com>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07F95129590 for <homenet@ietfa.amsl.com>; Tue, 14 Mar 2017 08:25:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PbREDPpefZNz for <homenet@ietfa.amsl.com>; Tue, 14 Mar 2017 08:24:59 -0700 (PDT)
Received: from mail-qk0-x231.google.com (mail-qk0-x231.google.com [IPv6:2607:f8b0:400d:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9AFE9128DF6 for <homenet@ietf.org>; Tue, 14 Mar 2017 08:24:59 -0700 (PDT)
Received: by mail-qk0-x231.google.com with SMTP id 1so249844081qkl.3 for <homenet@ietf.org>; Tue, 14 Mar 2017 08:24:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=MzBbAxMD+KouOWxNeKcZl6B4lbyQMOJv+GaryFr9dCQ=; b=SYuZ9FlqQS0HkqvaynIllsvVCFNdu4Wdx5REkjl22jhntmeQ0pdmhiU8mg1Caea/se T8lQWOTfG2xAHwJ1Cf8fwz6r7RVYV/zSONayJo95+/VrSzHSFAFnQ5eSXk1Df+hB9N0c dvjcaWhrPfmWQq0KyV79R/9m4ma3CaFl99zQlRE7cpp6US9juPBGVlDNxWeJhDq2GcHX bFGAAVIL1v6F0oclcjwJYWWzndYhvQiRU+dr9zt+iSA9Wv8bcrpBrlyBeO/vX1ezC66X U9PRT00bssrm5jR8ICGIzlwhP435MbpzTwNzXw1uByWhdBDeLzkLtR/SJ0i4i4luDZTu Li9w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=MzBbAxMD+KouOWxNeKcZl6B4lbyQMOJv+GaryFr9dCQ=; b=KomTsOUVWLTnn7gSK0VvhWGNBBCTtaurVBz49DMn0Lt7SjYTKS45iP7zrmJt8PgelV 8XTFIIApjvMoY2oW1/xXh7pvEcroQcrS0JdJYtrHHXTlprY0xFpS8vCjHY3wCHSKoDJR 7y2AnWSqAGXa+PEu5blQ7VwNOooLLOp+DfCp0LtqN091JgTYa6VVxSo4+L+K53QAOpUX UjNB0DFMsU8KMMmCA/mSs5jsFBIMntoBfvxZf2p2y7q+4K7Cs+ko1w9vP96g8nKU/2OG qtsIcqjuIDLPbq+muDjzPdJS1VqVUbjJTBbh2AdjYnlOCanYiE5/O5JTIH7GSP/Cb5II 25kg==
X-Gm-Message-State: AMke39m8HRCTO+A05gFlLFwwZvKam2jwN+w6N9MmqPgU4/a+6BeqA+vvIb4OZFuki2clZw==
X-Received: by 10.55.146.4 with SMTP id u4mr35581167qkd.37.1489505098719; Tue, 14 Mar 2017 08:24:58 -0700 (PDT)
Received: from [10.0.30.228] (c-73-167-64-188.hsd1.ma.comcast.net. [73.167.64.188]) by smtp.gmail.com with ESMTPSA id 44sm14599195qts.15.2017.03.14.08.24.57 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 14 Mar 2017 08:24:58 -0700 (PDT)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <C0007C56-4A75-4790-998B-50C2CCA04ACE@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_25A4F294-A75C-446E-ADC8-234DCB849B1D"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Tue, 14 Mar 2017 11:24:56 -0400
In-Reply-To: <80BCEE0D-BF31-45F1-A21C-0FE3A24CB492@iki.fi>
Cc: HOMENET <homenet@ietf.org>
To: Markus Stenberg <markus.stenberg@iki.fi>
References: <148944217975.20370.12525433504127407949@ietfa.amsl.com> <BEF262EC-51EB-464B-AD9E-0CCF25ECD48F@fugue.com> <80BCEE0D-BF31-45F1-A21C-0FE3A24CB492@iki.fi>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/yAA9qBZ6HkrexELarS1lXILhOYA>
Subject: Re: [homenet] Simple Homenet Naming Architecture...
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Mar 2017 15:25:02 -0000
On Mar 14, 2017, at 4:49 AM, Markus Stenberg <markus.stenberg@iki.fi> wrote: > S3.3: Why MUST filter out globals? I do not see the reason, and if I do not, casual reader might not either. If it is just an opinion, it could be SHOULD perhaps. Are you talking about this text? Local names appear as subdomains of [TBD1]. These names can only be resolved within the homenet; not only is [TBD1] not a globally unique name, but queries from outside of the homenet for any name, on or off the homenet, must be rejected with a REFUSED response. This text is actually wrong. The correct behavior is specified in RFC 5625, section 6.2. The point is to avoid being an amplifier for DDoS attacks. > The subsection lists 3 functions (querying, aggregating, relaying) but says there are only two types of proxies. I am slightly confused. The confusion here is twofold. First, I used the term "relaying proxy" in the first sentence, and then started using the term "querying proxy" to mean the same thing in later sentences, but didn't notice until you pointed it out that I had done this. The other issue is that there are actually three functions here, and I only really talk in detail about two. Bear in mind that we talked about a two-layer architecture, and this is the easy layer, but it has to support the other layer. In order to support the other layer, it's (maybe) necessary to have a DNS proxy on every link that can assert that a DNS query was received on-link, in order to support stateful DNSSD. We didn't really go into any detail about that in this version of the architecture. The other two functions are the hybrid that asks questions using mDNS in response to queries over DNS, and the hybrid that asks questions using DNS to proxies that do mDNS. So the first of these is the querying proxy, and the second is the aggregating proxy. I'm not actually convinced that we want to do stateful hybrid DNSSD using DNS update; if we don't, then the third function goes away. > My reading (which you do not state explicitly) is that you advocate a solution where you have ‘aggregating proxy’ which asks for results from multiple links, and combines them, handling uniqueness of responses; however, the devices themselves will not even know they are ‘computer 72’ and not ‘computer.local’ which they advertise on the link. This gets quite awkward as devices come and go if they do not locally know their name, unless the aggregating function is fully stateful and robust (= mappings stay constant until end of time) and it can somehow determine that moved node (computer.local which moved from link A to link B to new name computer-2.local as there was computer.local already on the link B) is still same. I am not sure, but I think you are alluding here to the problem that if you have a computer that connects to one link sometimes and another link at other times, it will present the same name on both links and this will create a conflict. Otherwise naming conflicts of this type are quite rare. But it sounds like you've encountered them enough to be concerned about it. In the case I'm talking about, defending the name doesn't work, because the device always presents the same name, and so the number keeps creeping up, which is not desirable. In any case, given that you've done some hacking in this space, it would be helpful if we could have a more detailed conversation about it at IETF, so that I can understand your experiences. > Anyway, it looks like a good start, at least no mention of dnssec or crazy delegation to random third party by default. That's the second layer. I don't think it's crazy or random, but yes, it's not present in the simple architecture, since there was clearly demand for an architecture that was easier to implement than the DNSSEC/delegation architecture. Personally, I think that we need a real security model, and so proposing this as a separate architecture is somewhat harmful, but I admit that the real security model is hard [tm].