IETF Logo Mail Archive

Re: [homenet] draft-mglt-homenet-front-end-naming-delegation-01

Daniel Migault <mglt.ietf@gmail.com> Wed, 07 November 2012 22:33 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1320F21F8431 for <homenet@ietfa.amsl.com>; Wed, 7 Nov 2012 14:33:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TJvFyEclX86y for <homenet@ietfa.amsl.com>; Wed, 7 Nov 2012 14:33:46 -0800 (PST)
Received: from mail-oa0-f44.google.com (mail-oa0-f44.google.com [209.85.219.44]) by ietfa.amsl.com (Postfix) with ESMTP id 0590521F8232 for <homenet@ietf.org>; Wed, 7 Nov 2012 14:33:45 -0800 (PST)
Received: by mail-oa0-f44.google.com with SMTP id n5so2394059oag.31 for <homenet@ietf.org>; Wed, 07 Nov 2012 14:33:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=15ngTDKNHvCHyfGyC4yvegB4FrSjnxtu5K7onBcc9TM=; b=HBk77q9YLaYILGBkm4a0SQjT3bH53mOLCAj19c4JKcefaBRMTzvh9gwxHeEBgHjsp+ nU5bvw9LBj9IuGPv8TBoSUpaJ7hzSxWiGWs0XvXe6b8fIh8GTdiPVGpOkUZbFz9KSpSc XYA+O0ipUSUGbDUTO/qxFOplrWrdnjL4zYnhxNTzDu4HkwJfkVFwuYg0iuKve5bR8R3U sw53T1+mC9R81oo3J71Iy+bmOH2fl+YEyPthtmiCsbBbWVhDy1GyC7lZFwksebjl0U/F dGSrYxVHSAx3Ye3dvqTRSAbRMjez4A94zjWaPo+wmQZFhmqES74kRXidBSHOMqKeXTd0 VUlg==
MIME-Version: 1.0
Received: by 10.60.7.6 with SMTP id f6mr3304079oea.138.1352327625375; Wed, 07 Nov 2012 14:33:45 -0800 (PST)
Received: by 10.76.153.130 with HTTP; Wed, 7 Nov 2012 14:33:45 -0800 (PST)
In-Reply-To: <20121107205133.GE75182@crankycanuck.ca>
References: <20121107163120.GN74706@mx1.yitter.info> <FC97784E1B4396449E619F58B1738C1A20747D9E@PACDCEXMB15.cable.comcast.com> <20121107205133.GE75182@crankycanuck.ca>
Date: Wed, 07 Nov 2012 17:33:45 -0500
Message-ID: <CADZyTknEs-GeUcdB_oZiuUBNdD7dQBRcmkO=Z7Esiqwk87Zb4A@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
To: Andrew Sullivan <ajs@anvilwalrusden.com>
Content-Type: multipart/alternative; boundary="e89a8fb2017abb010504cdef4f9b"
Cc: homenet@ietf.org
Subject: Re: [homenet] draft-mglt-homenet-front-end-naming-delegation-01
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/homenet>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Nov 2012 22:33:47 -0000

Hi Andrew,

Thank you for your comments, we are considering them for the next version.
I am answering in the text.

Mostly, I am worried that this proposal is a cure worse than the

> disease.  I've read the draft several times, and I just don't get why
> it isn't better to put all this DNS data out in a public DNS server
> somewhere, and have everything (including the nodes inside the homenet
> boundary) query that.


The architecture document recommends not to outsource everything in a
server outside the homenet.


3.7.3 <http://tools.ietf.org/html/draft-ietf-homenet-arch-06#section-3.7.3>.
 Name spaces

   It is desirable that only one name space is in use in the homenet,
   and that this name space is served authoritatively by a server in the
   homenet, most likely resident on the CER.


This is actually the only way to provide the Service Naming resolution in
case the connectivity of the homenet to the Internet is down.


3.7.5 <http://tools.ietf.org/html/draft-ietf-homenet-arch-06#section-3.7.5>.
 Independent operation

   Name resolution and service discovery for reachable devices must
   continue to function if the local network is disconnected from the
   global Internet, e.g. a local media server should still be available
   even if the Internet link is down for an extended period.




> If you want to reduce traffic, put a DNS
> cacheing resolver on the CPE.


The goal is not to reduce the traffic but to avoid exposing the CPE to
resource exhaustion by hosting a DNS service on the CPE. However caching
the Resolver may be in some case be a way to replace the what we designated
as the Homenet Authoritative Server. Of course the diagram should be
considered as a functional diagram. We will clarify this in the next
version thanks for the remark.



>  Use a simple-minded http-based
> injection protocol for DNS data that the CPE can use (we have several
> of those deployed, although none is an IETF protocol).
>

If I understand correctly, you use an http-base protocol to fill the CPE
with the appropriated DNS data. In fact we are doing the reverse. The CPE
has the data and injects the DNS Data to the Public Server, so that it can
properly perform the DNS authoritative service.

Then filling may not be appropriated, since we need to properly manage the
Public Server with appropriated data (updating information  checking
versions...). These requirements are addressed by IETF defined protocols,
benefit from multiple implementations and a lot of experience. We do not
see any reasons to do something different. On the other hand, we may also
provide some alternatives, for specific use cases. We will do that in the
next version, feel free to send these use cases on the Mailing list.


The proposal as it stands includes support for different views; for
> mixed-mode authoritative and recursive services in the same resolver,
> something we regularly say is a bad thing;


In the most common case, the DNS zone hosted by the CPE is only requested
by the Resolver. The diagram should be considered as a functional diagram.
In most common cases, the Authoritative Server will be more like a file or
cached in the resolving server. Thanks for the remark, we will clarify this
in the next version.

However you are right that in some case the Authoritative Server will be
hosted by the CPE. We still believe it is more realistic to host the
Resolving Server and the Authoritative Server on a same device, than to ask
the End User to have an additional box for their Authoritative Server. Port
binding, firewall rules on that boxe probably match the BCP. The main
advantage of having this configured in the box is that most of the
misconfiguration issues may be avoided.


and three options for
> securing zone transfers, one of which we heard in mdnsext is the
> barrier to adoption of unicast DNS DNS-SD.  Many of these tricks --
> views in particular -- work only most of the time when careful
> administrators set the whole thing up, and so I'm worried that we're
> not going to be able to build automatic tools that allow this all to
> work completely reliably, _especially_ when inside the homenet most of
> the time people will actually get mDNS answers anyway and so there'll
> be a mismatch between the name spaces.  It's mostly the complexity of
> all of this that troubles me.
>

Views are optional. Can you provide specific scenarios we need to address?


>
> How much of it is necessary?
>
> Best,
>
> A
>
> --
> Andrew Sullivan
> ajs@anvilwalrusden.com
> _______________________________________________
> homenet mailing list
> homenet@ietf.org
> https://www.ietf.org/mailman/listinfo/homenet
>



-- 
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58

v2.23.0 | Report a Bug | By Email