Re: [icnrg] RG Last call on the NRS documents
"Pouyan Fotouhi Tehrani" <pft@zedat.fu-berlin.de> Fri, 27 September 2019 02:01 UTC
Return-Path: <pft@zedat.fu-berlin.de>
X-Original-To: icnrg@ietfa.amsl.com
Delivered-To: icnrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 378DB120232 for <icnrg@ietfa.amsl.com>; Thu, 26 Sep 2019 19:01:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KVH0oH4J2dNQ for <icnrg@ietfa.amsl.com>; Thu, 26 Sep 2019 19:01:13 -0700 (PDT)
Received: from outpost1.zedat.fu-berlin.de (outpost1.zedat.fu-berlin.de [130.133.4.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F012120227 for <icnrg@irtf.org>; Thu, 26 Sep 2019 19:01:13 -0700 (PDT)
Received: from inpost2.zedat.fu-berlin.de ([130.133.4.69]) by outpost.zedat.fu-berlin.de (Exim 4.85) for icnrg@irtf.org with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (envelope-from <pft@zedat.fu-berlin.de>) id <1iDfZG-001gWW-SM>; Fri, 27 Sep 2019 04:01:10 +0200
Received: from webmail1.zedat.fu-berlin.de ([130.133.4.91] helo=webmail.zedat.fu-berlin.de) by inpost2.zedat.fu-berlin.de (Exim 4.85) for icnrg@irtf.org with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (envelope-from <pft@zedat.fu-berlin.de>) id <1iDfZG-001z2f-Jy>; Fri, 27 Sep 2019 04:01:10 +0200
Received: from 87.77.121.52 (ZEDAT-Webmail authenticated user pft) by webmail.zedat.fu-berlin.de with HTTP; Fri, 27 Sep 2019 04:01:10 +0200
Message-ID: <54001.87.77.121.52.1569549670.webmail@webmail.zedat.fu-berlin.de>
In-Reply-To: <15C5F308-07ED-4D5D-B050-E2E29423E5DA@orandom.net>
References: <15C5F308-07ED-4D5D-B050-E2E29423E5DA@orandom.net>
Date: Fri, 27 Sep 2019 04:01:10 +0200
From: Pouyan Fotouhi Tehrani <pft@zedat.fu-berlin.de>
To: ICNRG <icnrg@irtf.org>
User-Agent: ZEDAT-Webmail
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Originating-IP: 130.133.4.91
Archived-At: <https://mailarchive.ietf.org/arch/msg/icnrg/NRgKHolb9zelCAQfLuqBoibFAx4>
Subject: Re: [icnrg] RG Last call on the NRS documents
X-BeenThere: icnrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Information-Centric Networking research group discussion list <icnrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/icnrg>, <mailto:icnrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/icnrg/>
List-Post: <mailto:icnrg@irtf.org>
List-Help: <mailto:icnrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/icnrg>, <mailto:icnrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Sep 2019 02:01:15 -0000
Hi everyone, here is my (late) review for [1] Architectural Considerations of ICN using Name Resolution Service (draft-irtf-icnrg-nrsarch-considerations-02) [2] Design Guidelines for Name Resolution Service in ICN (draft-irtf-icnrg-nrs-requirements-02) *Disclaimer*: we have recently published a paper on namespace management in ICN (The Missing Piece: On Namespace Management in NDN and How DNSSEC Might Help / ACM ICN '19) [3] which elaborates and addresses a number of following points in detail. Terminology: - namespace/name space: It is not clear what a namespace exactly refers to, is it an administrative entity? or set of all possible names in an ICN instance? Respectively, its use in plural (possibly referring to various naming schemes), e.g., "resolve names between different name spaces" [S 5.2., 1] or "ICN name spaces are separated into more than two name spaces" [S 6., 2], is somehow confusing. An example would be helpful. - resolution/binding/mapping: It seems that these terms are used interchangeably throughout the documents without further distinction. A formal definition, e.g., as a binary functional relation, could help to clarify the concept and also benefit the future implementation. Surely, it is also necessary to explicitly separate bindings from the resolution process. - There is a single reference to "authoritative NRS server" [S 2., 1] without describing it in detail. As the term "authoritative name server" has already a well-defined meaning in DNS context, it would be really helpful to highlight the similarities and distinctions. Management scope: - It is not clear if or how name resolution is divided between authoritative NRS servers. Is the namespace divided into smaller management units (similar to DNS zones) which are controlled by authoritative names servers or are the servers authoritative as they are authorized to take part in NRS? - Who is allowed to operate an authoritative name server? Can anyone register any arbitrary domain? These may be policy questions and out of the technical scope, yet integral for global deployment of ICN. - Is an authoritative name server responsible only for a subset of global namespace? If yes, how can be define this subset for flat names, e.g., hashes as names, without enumerating all member names? At the same time, how can be map a given name to its authoritative name server? - How is the "global ICN network domain" [S 5.2., 1] managed? Is there a (logically) centralized entity responsible for management of the global domain? How can we recognize and address possible conflicting bindings between different local/global domains? - If NRS is to operate on a global scale, it is imperative to have a logically centralized architecture which can be realized in a distributed manner (similar to DNS). Use cases: - Use cases of NRS in ICN is elaborated in [S 4.1., 2]. A possible missing use case is the producer authentication: given a name, it should be possible to verify if the publisher, identified by its digital credentials, is authorized to publish NDOs under that name or not. Security: - Bindings which cannot be authenticated are useless [S 7. 1], [S 6., 2]. If so, maybe we should also discuss adequate means to establish trust required for binding authentication. - A trust model should be defined to show how a consumer, for example, can verify the authenticity of bindings provided by NRS or detect a bogus binding spoofed by a malicious ICN node. - Deploying NRS on a global ICN domain implies a logically centralized trust model (similar to DNS). There are, however, strong opinions in the community regarding advantageous and disadvantageous of such "single rooted" trust anchors (cf. trust schemata in NDN). Experiences from the previous 30 years of DNS can guide us on deciding an appropriate trust model. - Regardless of selected trust model for NRS, its implications for consumers and general performance sacrifices on the network should be argued. I'm looking forward for your feedback. Kind regards, Pouyan Fotouhi Tehrani [3] Tehrani, P. F., Osterweil, E., Schiller, J., Schmidt, T. C., and Wählisch, M. "The Missing Piece: On Namespace Management in NDN and How DNSSEC Might Help." In Proc. of 6th ACM ICN (2019), ACM. > <Chair Hat ON> > > Folks, we have not received the necessary reviews we need to finish last > call on: > > https://datatracker.ietf.org/doc/draft-irtf-icnrg-nrsarch-considerations/ > and > https://datatracker.ietf.org/doc/draft-irtf-icnrg-nrs-requirements/ > > Please get these done, as Last Call officially ended last week. We > can’t advance these important documents without substantially more > review. > > Thanks! > > DaveO >
- [icnrg] RG Last call on the NRS documents David R. Oran
- Re: [icnrg] RG Last call on the NRS documents Pouyan Fotouhi Tehrani