IETF Logo Mail Archive

Re: What is the right way to do Web Services discovery?

Jared Mauch <jared@puck.nether.net> Tue, 22 November 2016 19:42 UTC

Return-Path: <jared@puck.nether.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53AEA1296E5 for <ietf@ietfa.amsl.com>; Tue, 22 Nov 2016 11:42:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.699
X-Spam-Level:
X-Spam-Status: No, score=-5.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.497, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8dM1R4KDGCVd for <ietf@ietfa.amsl.com>; Tue, 22 Nov 2016 11:42:33 -0800 (PST)
Received: from puck.nether.net (puck.nether.net [IPv6:2001:418:3f4::5]) by ietfa.amsl.com (Postfix) with ESMTP id 1994A1294AA for <ietf@ietf.org>; Tue, 22 Nov 2016 11:42:33 -0800 (PST)
Received: from [IPv6:2603:3015:3603:8e00:9591:1a75:3eab:50c1] (unknown [IPv6:2603:3015:3603:8e00:9591:1a75:3eab:50c1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by puck.nether.net (Postfix) with ESMTPSA id 4868754076A; Tue, 22 Nov 2016 14:42:31 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.1 \(3251\))
Subject: Re: What is the right way to do Web Services discovery?
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <CAMm+LwgtJuLdL_RKJNSVNGODGj8D25nfj0jkhnBLFS=aaXG+rA@mail.gmail.com>
Date: Tue, 22 Nov 2016 14:42:30 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <D98F5496-1190-41A5-9C49-77CD153934DB@puck.nether.net>
References: <CAMm+LwgtJuLdL_RKJNSVNGODGj8D25nfj0jkhnBLFS=aaXG+rA@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
X-Mailer: Apple Mail (2.3251)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/j-PffHtZFFv9GPLh1asqp-xp7rg>
Cc: IETF Discussion Mailing List <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Nov 2016 19:42:34 -0000

(Not going to address things where I perhaps disagree, but focus on areas of concern …)

> On Nov 22, 2016, at 10:04 AM, Phillip Hallam-Baker <phill@hallambaker.com> wrote:
> 
> I am asking here as there seems to be a disagreement in HTTP land and DNS land.
> 
> Here are the constraints as I see them:
> 
> 0) For any discovery mechanism to be viable, it must work in 100% of cases. That includes IPv4, IPv6 and either with NAT.

I think must be sufficiently robust, where it’s defined as 98+%.  Studies on the operational networks seem to indicate this is the threshold is in the 95-99% range.  Saying 100% is a goal, but perhaps unrealistic.  Downgrade modes don’t necessarily represent an attack, and may be the intent of an enterprise.  (I don’t want to argue this point, but raise it for those that may not be aware).

> 
> 1) Attempting to introduce new DNS records is a slow process. For practical purposes, any discovery mechanism that requires more than SRV + TXT is not going to be widely used.
> 
> 2) Apps area seems to have settled on a combination of SRV+TXT as the basis for discovery. But right now the way these are used is left to individual protocol designers to decide. Which is another way of saying 'we don't have a standard'.
> 
> 3) The DNS query architecture as deployed works best if the server can anticipate the further requests. So a system that uses only SRV+TXT allows for a lot more optimization than one using a large number of records.
> 
> 4) There are not enough TCP ports to support all the services one would want. Further keeping ports open incurs costs. Pretty much the only functionality from HTTP that Web Services make use of is the use of the URL stem to effectively create more ports. A hundred different Web services can all share port 80.
> 
> 5) The SRV record does not specify the URL stem though. Which means that either it has to be specified in some other DNS record (URI or TXT path) or it has to follow a convention (i.e. .well-known). 

I think the historical error was that there wasn’t a Web-Property type application record similar to how we have MX records for other applications, eg: E-Mail.  This leads to many workarounds, including those of e-mail to a host record without MX presuming that was enough.  It worked well enough to be usable for decades, but also set into peoples minds that HTTP would go directly to the host vs an indirection layer similar to e-mail.
> 
> 6) Sometimes SRV records don't get through and so any robust service has to have a strategy for dealing with that situation.

I think a degrade mode, eg: what if MX records were filtered?  At some point, you want to exert pain on broken devices and networks to provide them an incentive to correct unintended behaviors.  One can’t workaround forever, there must be an inherent or implied TTL.  Anyone with legacy they carry around with them understands.  I have my own personal mistakes from 20+ years ago lying around my own infrastructure that will be painful to correct.  One should think about how we migrate things like the http application/transport away from the individual A/AAAA records (if that’s a desired goal) and how it would move further along the path.

- Jared

v2.23.0 | Report a Bug | By Email