Re: [Ldap-dir] DLAP Directorate review request for draft-dawkins-ldapext-subnot
"Spencer Dawkins" <spencer@wonderhamster.org> Fri, 16 October 2009 12:23 UTC
Return-Path: <spencer@wonderhamster.org>
X-Original-To: ldap-dir@core3.amsl.com
Delivered-To: ldap-dir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5F24928C209 for <ldap-dir@core3.amsl.com>; Fri, 16 Oct 2009 05:23:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.185
X-Spam-Level:
X-Spam-Status: No, score=-0.185 tagged_above=-999 required=5 tests=[BAYES_40=-0.185]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O-r-zP1TRrXC for <ldap-dir@core3.amsl.com>; Fri, 16 Oct 2009 05:23:34 -0700 (PDT)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.194]) by core3.amsl.com (Postfix) with ESMTP id 7657928C0DF for <ldap-dir@ietf.org>; Fri, 16 Oct 2009 05:23:34 -0700 (PDT)
Received: from S73602b ([199.227.132.226]) by mrelay.perfora.net (node=mrus1) with ESMTP (Nemesis) id 0MC3mC-1N7XGW18Ge-009DBg; Fri, 16 Oct 2009 08:23:29 -0400
Message-ID: <EBF0FA31F0774BD080D6038CCCF0BD44@china.huawei.com>
From: Spencer Dawkins <spencer@wonderhamster.org>
To: Kurt Zeilenga <Kurt.Zeilenga@Isode.com>, Alexey Melnikov <alexey.melnikov@isode.com>
References: <7A57206D08E2483A8136B7AEA627CEB1@china.huawei.com> <4AD62F79.6090703@isode.com> <8161E89A-7D94-4347-80E8-9E736B00E8CC@Isode.com>
Date: Fri, 16 Oct 2009 07:23:20 -0500
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="response"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5843
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
X-Provags-ID: V01U2FsdGVkX1+RbtmzEV75vQglBEilXMUpz3iSCGOX5c04euO 0csUuZg2g13MUbJYsLHNqS3DDKO1DkmWWbLgHfoj2IXI/itAqk JmP/gLMne85NUWLVUTwVKhzIWThd9tj5yPj28NYaR4=
Cc: LDAP Directorate <ldap-dir@ietf.org>, Lisa Dusseault <lisa.dusseault@gmail.com>, Xun Peng <xunpeng@huawei.com>
Subject: Re: [Ldap-dir] DLAP Directorate review request for draft-dawkins-ldapext-subnot
X-BeenThere: ldap-dir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: LDAP Directorate <ldap-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ldap-dir>, <mailto:ldap-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldap-dir>
List-Post: <mailto:ldap-dir@ietf.org>
List-Help: <mailto:ldap-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldap-dir>, <mailto:ldap-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Oct 2009 12:23:35 -0000
Hi, Kurt, I'm replying to a question you asked, but my reply is probably also relevant to Steven Legg's question about subscription lifetimes. > I am curious as to why firewalls and NATs are mentioned in the > applicability of the specification. Does this extension not have the > same basic issues with firewalls and NATs that simple LDAP has? That is, > LDAP generally works just fine (*) through firewalls and NATs so long as > they are configured to allow traversal, as most TCP-based client/server > protocols do. (* expecting issues with reverse NAT and knowledge > references, and the like). My understanding of this proposal (Peng is the expert on the proposal, I'm the guy who understands the IETF) is that the LDAP client would not close the TCP connection to the LDAP server, but would leave the TCP connection open, so that the LDAP server can send notifications in a timely manner. This isn't normal LDAP-style TCP connection handling, as I understand it (please correct me if I am confused). The alternatives would be o having the LDAP client poll periodically to pick up notifications (as you visualized) - this wasn't chosen, because the goal is that notifications be delivered in a timely manner, or o having the LDAP server open a TCP connection to the LDAP client - this wasn't chosen, because it trips over one-way firewall policies. So I was imagining that we would have problems with firewall and NAT binding timeouts, etc. in ways that other LDAP operations would not. That's what I was thinking about when I added this section, just before we submitted. Does this make sense? (And, if so, should this model of operation be stated more clearly in the draft? :-) As for Steven's question - I believe that the LDAP server would remove the subscription if the TCP connection is closed, or reset due to unreachability of the client. Does this make sense, or would you prefer to see an LDAP-level unsubscribe operation? I'd also like to thank you guys for the near-instantaneous feedback. Spencer
- Re: [Ldap-dir] DLAP Directorate review request fo… Alexey Melnikov
- Re: [Ldap-dir] DLAP Directorate review request fo… Kurt Zeilenga
- Re: [Ldap-dir] DLAP Directorate review request fo… Steven Legg
- Re: [Ldap-dir] DLAP Directorate review request fo… Ludovic Poitou
- [Ldap-dir] DLAP Directorate review request for dr… Spencer Dawkins
- Re: [Ldap-dir] DLAP Directorate review request fo… Spencer Dawkins
- Re: [Ldap-dir] DLAP Directorate review request fo… Spencer Dawkins
- Re: [Ldap-dir] DLAP Directorate review request fo… Kurt Zeilenga
- Re: [Ldap-dir] DLAP Directorate review request fo… Kurt Zeilenga
- Re: [Ldap-dir] DLAP Directorate review request fo… Leif Johansson
- Re: [Ldap-dir] DLAP Directorate review request fo… Kurt Zeilenga
- Re: [Ldap-dir] DLAP Directorate review request fo… Leif Johansson
- Re: [Ldap-dir] DLAP Directorate review request fo… Mark Smith
- Re: [Ldap-dir] DLAP Directorate review request fo… Kurt Zeilenga
- Re: [Ldap-dir] DLAP Directorate review request fo… Kurt Zeilenga
- Re: [Ldap-dir] DLAP Directorate review request fo… Leif Johansson