Re: What is the right way to do Web Services discovery?
Joe Touch <touch@isi.edu> Tue, 22 November 2016 19:03 UTC
Return-Path: <touch@isi.edu>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3174129B2B for <ietf@ietfa.amsl.com>; Tue, 22 Nov 2016 11:03:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.396
X-Spam-Level:
X-Spam-Status: No, score=-8.396 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.497] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R15dF8JdTx1l for <ietf@ietfa.amsl.com>; Tue, 22 Nov 2016 11:03:30 -0800 (PST)
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93F8F129B21 for <ietf@ietf.org>; Tue, 22 Nov 2016 11:03:30 -0800 (PST)
Received: from [192.168.1.189] (cpe-172-250-251-17.socal.res.rr.com [172.250.251.17]) (authenticated bits=0) by boreas.isi.edu (8.13.8/8.13.8) with ESMTP id uAMJ31d8000627 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 22 Nov 2016 11:03:02 -0800 (PST)
Subject: Re: What is the right way to do Web Services discovery?
To: Phillip Hallam-Baker <phill@hallambaker.com>, IETF Discussion Mailing List <ietf@ietf.org>
References: <CAMm+LwgtJuLdL_RKJNSVNGODGj8D25nfj0jkhnBLFS=aaXG+rA@mail.gmail.com>
From: Joe Touch <touch@isi.edu>
Message-ID: <2c897b3e-49d7-76d8-ac8b-8e01d16adb36@isi.edu>
Date: Tue, 22 Nov 2016 11:03:00 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <CAMm+LwgtJuLdL_RKJNSVNGODGj8D25nfj0jkhnBLFS=aaXG+rA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------99DDBC476A45EB04258963C1"
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/a9AAUm16jYC6Mmo8GnYN_z8Zi94>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Nov 2016 19:03:33 -0000
Hi, all, I'm curious as well, esp. from the perspective of IANA ports. IMO, HTTP is missing two key capabilities: - a portmapper service, like RPC (yes, this could be mDNS, basically) - a coordination service, to allow processes to register to handle subtrees of the URN namespace while sharing a port These two features would avoid the ongoing need for "yet another copy of HTTP" port assignments. Joe On 11/22/2016 7:04 AM, Phillip Hallam-Baker wrote: > I am asking here as there seems to be a disagreement in HTTP land and > DNS land. > > Here are the constraints as I see them: > > 0) Foir any discovery mechanism to be viable, it must work in 100% of > cases. That includes IPv4, IPv6 and either with NAT. > > 1) Attempting to introduce new DNS records is a slow process. For > practical purposes, any discovery mechanism that requires more than > SRV + TXT is not going to be widely used. > > 2) Apps area seems to have settled on a combination of SRV+TXT as the > basis for discovery. But right now the way these are used is left to > individual protocol designers to decide. Which is another way of > saying 'we don't have a standard'. > > 3) The DNS query architecture as deployed works best if the server can > anticipate the further requests. So a system that uses only SRV+TXT > allows for a lot more optimization than one using a large number of > records. > > 4) There are not enough TCP ports to support all the services one > would want. Further keeping ports open incurs costs. Pretty much the > only functionality from HTTP that Web Services make use of is the use > of the URL stem to effectively create more ports. A hundred different > Web services can all share port 80. > > 5) The SRV record does not specify the URL stem though. Which means > that either it has to be specified in some other DNS record (URI or > TXT path) or it has to follow a convention (i.e. .well-known). > > 6) Sometimes SRV records don't get through and so any robust service > has to have a strategy for dealing with that situation. > > 7) If we are going to get to a robust defense against traffic > analysis, it has to be possible to secure the initial TLS handshake, > i.e. before SNI is performed. This in turn means that it must be > possible to pull information out of that exchange and into the DNS. > Right now we don't know what that information is but this was not a > use case considered by DANE. > > 8) We are probably going to want to transition Web Services to > 'something like QUIC' in the near future. Web Services really don't > need a lot more than a TCP stream. Most of HTTP just gets in the way. > But the multiplexing features in QUIC could be very useful. > > > > > Right now we have different ideas on how this should work in the HTTP > space and DNS space. And this appears to be fine with the two groups > as they don't need to talk to each other. But it really isn't possible > to build real systems unless you offend the purists in at least one > camp. I think we should do better and offend both. > > So here is my proposal for discovery of a service with IANA protocol > label 'fred' > > > First the service description records. This is a TXT record setting > policy for all instances of the fred service and a set of SRV service > advertisements: > > _fred._tcp.example.com <http://tcp.example.com> TXT "minv=1.2 maxv=3" > _fred._tcp.example.com <http://tcp.example.com> SRV 0 100 80 > host1.example.com <http://host1.example.com> > _fred._tcp.example.com <http://tcp.example.com> SRV 0 100 80 > host2.example.com <http://host2.example.com> > > There is also a set of round robin A records for systems behind legacy > NAT. You could do AAAA as well but these probably aren't needed as it > is unlikely that a router blocking SRV will pass AAAA > > fred.example.com <http://fred.example.com> A 10.0.0.1 > fred.example.com <http://fred.example.com> A 10.0.0.2 > > And finally, we have the host description entries > > host1.example.com <http://host1.example.com> A 10.0.0.1 > _fred._tcp.host1.example.com <http://tcp.host1.example.com> TXT > "minv=1.2 maxv=2 tls=1.2 path=/fred12" > host2.example.com <http://host2.example.com> A 10.0.0.1 > _fred._tcp.host2.example.com <http://tcp.host2.example.com> TXT "tls=1.3" > > So here we have some host level service description tags which > obviously override the ones specified at the service level. With the > proviso that a client might well abort if the service level > description suggests there is no acceptable host. The path descriptor > allows the use of the well known service to be avoided on host1. It > defaults on host2 > > In the normal run of things, a DNS server would recognize that a > request for _fred._tcp.example.com <http://tcp.example.com> SRV was > likely the start of a request chain and send all the records > describing the service in a single bundle. This should usually fit in > a single UDP response. > > This approach gives us two levers allowing us to set policy for the > service. We can define policy for all service instances or granular > per host information. > > > The bit that I have not got nailed down is what the HTTP URL should be > after the service discovery is performed. My view is that they should > be these: > > http://host1.example.com/fred12 > http://host2.example.com/.well-known/fred > > Which works nicely with the existing code and but not for TLS > operations. We will either need certs for host1.example.com > <http://host1.example.com> and host2.example.com > <http://host2.example.com> or have to override the TLS stack to accept > certs for example.com <http://example.com>. > > The problem becomes even more apparent if the redirects are to > host1.cloudly.com <http://host1.cloudly.com> and host2.cloudly.com > <http://host2.cloudly.com> where cloudly is a cloud service provider. > So the alternative is to do this: > > > http://example.com/fred12 > http://example.com/.well-known/fred > > The problem is that it does not work well when trying to use this > strategy with existing http clients built into scripting languages. > Instead of just writing a module that does the SRV lookup and spits > out the URLs and attributes, now we need to rewrite our client so it > will hit the right DNS address. > > > Given that most libraries seem to have hooks to allow a client to make > its own TLS certificate path math choices, I am very strongly in favor > of the first approach. But I am willing to be persuaded otherwise. > > Comments?
- What is the right way to do Web Services discover… Phillip Hallam-Baker
- Re: What is the right way to do Web Services disc… Joe Touch
- Re: What is the right way to do Web Services disc… Jared Mauch
- Re: What is the right way to do Web Services disc… Ted Lemon
- Re: What is the right way to do Web Services disc… Jared Mauch
- Re: What is the right way to do Web Services disc… Mark Andrews
- Re: What is the right way to do Web Services disc… Phillip Hallam-Baker
- Re: What is the right way to do Web Services disc… Phillip Hallam-Baker