Re: [arch-d] [Int-area] Is IPv6 End-to-End? R.I.P. Architecture? (Fwd: Errata #5933 for RFC8200)

[Tom Herbert <tom@herbertland.com>]

On Fri, Feb 28, 2020 at 5:32 AM Phillip Hallam-Baker
<phill@hallambaker.com> wrote:
>
>
>
> On Thu, Feb 27, 2020 at 11:36 PM Joseph Touch <touch@strayalpha.com> wrote:
>>
>>
>>
>> On Feb 27, 2020, at 4:21 PM, Phillip Hallam-Baker <phill@hallambaker.com> wrote:
>>
>>> IP end to end does not mean the IP address is constant end to end. It never has meant that and never will.
>>>
>>>
>>> Actually, that's the only thing it ever meant and always will. When addresses change, *by definition*, the*ends* change (and yes, that's what NATs do - they create end-to-end CONTENT transfer over separate end-to-end Internets).
>>
>>
>> By whose definition? Not by mine.
>>
>>
>> I’d start with RFCs 791 and 1122, but there’s also the pseudo header in RFC 793, to be very specific.
>>
>> TCP and TLS give me a reliable end-to-end stream. The fact that the IP address is exposed is merely an unfortunate defect in the legacy APIs.
>>
>> As the application layer designer, I am the customer here. I do not care about the IP address.
>>
>>
>> Hmmm. By what value do you call  TCP endpoint?
>>
>> You must have magic sockets that don’t actually refer to IP addresses.
>
>
> I have a library that implements RFC6763. So my application code doesn't actually consider IP addresses.
>
It's great that _you_ have a solution, but not everyone does. The
standard says that a TCP connection endpoint is defined by a 4-tuple
of source address, destination address, source port, destination port.
It is an invariant that we have forty years of operational experience
with. If you think that design decision is obsolete or should be
revisited, then by all means propose an alternative in tsvwg.

Tom

> Since the platform doesn't provide real DNS resolution, I have to write my own of course. And I will be putting DNSSEC in there at some point probably. But it is a feature set that should be in the platform.
>
> At some point, I am going to have to look at implementing TURN/STUN/PCP etc. for NAT traversal. That certainly isn't application layer code.
>
> So as far as i am concerned, I am resolving a triple of SRV prefix, DNS name and account name to a socket.
>
> The only case in which my application code would deal in a raw IP address and port is if the resolution is delegated to an external presence service. If Alice is trying to make a person-person call to Bob, we may want to route the packets direct. So there has to be some sort of presence service in the cloud to set up the connection which is going to end up telling one of them to place a call for an IP address/port and the other of them to listen for the incoming.
>
>
> The test of this design is straightforward, all the proposals for DNS privacy etc. sit inside the library. I can drop out regular client DNS for DPRIV. Or I can use my omnibroker version which makes use of the RFC6763 interface.
>
> Abstracting away from TLS and UDP means I can adapt to new transports like QUIC very easily. For certain types of message, I have my own UDP based transport. Most cryptographic service transactions consist of a single request packet followed by one to a dozen response packets. That sits in the same box.
>
>
> It really isn't 'magic', it is just understanding that this is platform code not application code.
>
> We do not have 'layers' in the Internet architecture but we have modules that we call layers. And those layers have interfaces to the layers above and beneath them that are mediated by a naming infrastructure. And we should be really explicit about what those interfaces are because they have to be stable over long periods of time.