Re: [nbs] A suggestion for an "on-demand API".
Javier Ubillos <jav@sics.se> Thu, 16 December 2010 11:46 UTC
Return-Path: <jav@sics.se>
X-Original-To: nbs@core3.amsl.com
Delivered-To: nbs@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 37AAE3A70E2 for <nbs@core3.amsl.com>; Thu, 16 Dec 2010 03:46:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.644
X-Spam-Level:
X-Spam-Status: No, score=-1.644 tagged_above=-999 required=5 tests=[AWL=0.006, BAYES_00=-2.599, HELO_EQ_SE=0.35, J_CHICKENPOX_41=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ya1nlDR-9DHd for <nbs@core3.amsl.com>; Thu, 16 Dec 2010 03:46:46 -0800 (PST)
Received: from letter.sics.se (letter.sics.se [193.10.64.6]) by core3.amsl.com (Postfix) with ESMTP id 0D5D93A70E1 for <nbs@ietf.org>; Thu, 16 Dec 2010 03:46:45 -0800 (PST)
Received: from [193.10.66.63] (bit.sics.se [193.10.66.63]) (Authenticated sender: jav@sics.se) by letter.sics.se (Postfix) with ESMTPSA id 8C53240103; Thu, 16 Dec 2010 12:48:29 +0100 (CET)
From: Javier Ubillos <jav@sics.se>
To: sowmini.varadhan@oracle.com
In-Reply-To: <20101215154556.GE16665@quasimodo.us.oracle.com>
References: <20101214144734.GC12378@quasimodo.us.oracle.com> <1292401029.4804.30.camel@bit> <20101215154556.GE16665@quasimodo.us.oracle.com>
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="=-RlP3y4cLBNE5c7waSiJJ"
Date: Thu, 16 Dec 2010 12:48:22 +0100
Message-ID: <1292500103.4804.1313.camel@bit>
Mime-Version: 1.0
X-Mailer: Evolution 2.28.3
Cc: nbs@ietf.org, christian.vogt@ericsson.com
Subject: Re: [nbs] A suggestion for an "on-demand API".
X-BeenThere: nbs@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Name based sockets discussion list <nbs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nbs>, <mailto:nbs-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nbs>
List-Post: <mailto:nbs@ietf.org>
List-Help: <mailto:nbs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nbs>, <mailto:nbs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Dec 2010 11:46:47 -0000
On Wed, 2010-12-15 at 10:45 -0500, sowmini.varadhan@oracle.com wrote: > On (12/15/10 09:17), Javier Ubillos wrote: > > > > The way I picture it, not necessarily. I think that the name-exchange > > should be an optional part (perhaps default?). In the exchange above > : > > What could go wrong is if > > * B requires authenticated connections. > > If B is the passive side of the connection, how would it mandate that > it requires authenticated connections e.g., if it got a SYN without > a name, what should it do? (I think this also brings us back to Erik's > original point about exposure to DOS) In the TCP scenario, the SYNACK would include a name-extension header (or some similar mechanism) with some flag requiring the initiator to send whatever is necessary for authentication. In the simplest-case this could be a name-extension header with a resolvable name (FQDN). As we are still using IP "on-the-wire", and I think the syn-cookies may not use the names in the hashes, I don't think any new weaknesses are introduced. Host-to-host, each TCP flow must still have it's own four-tuple to avoid the syn-cookie ordeal. This does mean that the stack needs an internal coordination (making sure that flows bound to names do not collide in their four-tuples). I don't think this is > > * A has name name(a). > > 1. A sends a packet to B with a name-exchange. > > 2. A changes name to name(a') > > 3. B now tries to authenticate A. > > > > My spontaneous answer is that the connection _should_ fail. > > If the responder cannot authenticate the packet, it shouldn't accept it. > > It could be that A has changed names, but it could also be that the > > resolution system does not have a mapping name(A) => A for B (e.g. if > > the resolution system is some DHT based solution and A & B are on > > different partitions). > > Or it could be a phishing attempt. > > Assuming that B does require authentication, if the authentication fails > > it shouldn't be accepted. Independently if whether the reason is because > > a record has "just become invalid" or it is in fact invalid :) > > But what if the authentication fails after several data packets have > been exchanged? How frequently should you reverify the [name(A), A] > mapping? That is up to the application. I don't think names should be re-verified. However, if there would be a reason for doing this, it could either be triggered/configured by the application or be a default for whichever name-resolution mecanism one chooses. In the DNS/FQDN case, I don't see why one would need to re-verify the mapping during the session. If it is due to impersonation attacks, I'd suggest the exchange of a nonce. Perhaps this should be default behavior. The name-resolution mechanism may provide a level of authenticity in the first step (whenever the check is made). I would argue that, from that point and onwards, it is up to the two hosts to maintain the relationship. I can imagine that some one would want to have a continual polling of the name->locator mapping, but I cant see what the scenario would be. Do you have any good case to test the idea with? > > > > Of course, the initiator could also set requirements for the > > > > communication. > > > > > > Please clarify - what sort of requirements? > > > > I was thinking requirements, both hard and soft as > > * Authenticity (of sender) > > of receiver, you mean? Anyway, lots of missing details as you point out > below. I was actually thinking in both ways. If either side requests an authenticity check of the name->locator mapping of the remote party. The application may just request the check and then decide what to do (with some sensible default behavior). And yes, I do leave out a lot of details. Because I don't have all the details. I'm not trying to push a ready-made proposal, but rather trying to get a discussion going on what the API/behavior _should_ be. We do have a prototype (which does not yet reflect the API very well), but I don't want to insist on having that experiment as a defined standard. I welcome more comments on ... everything and anything. There are still plenty of details to work out, and I think this is the best way of finding them and working them out. "The devil is in the details.", and this is the exorcism :) // Javier > > > * Integrity (of data) > > * Multi-homing / mobility /multi-path exploitation > > * Security (encryption of data) > > > > I can also imagine a scenario where this mechanism becomes even more > > flexible and intelligent, but I think it might be a bit premature to > > introduce those bits just yet :) > > > > > > // Javier > > > >
- [nbs] A suggestion for an "on-demand API". Javier Ubillos
- Re: [nbs] A suggestion for an "on-demand API". sowmini.varadhan
- Re: [nbs] A suggestion for an "on-demand API". Javier Ubillos
- Re: [nbs] A suggestion for an "on-demand API". sowmini.varadhan
- Re: [nbs] A suggestion for an "on-demand API". Javier Ubillos
- Re: [nbs] A suggestion for an "on-demand API". sowmini.varadhan
- [nbs] Name->Locator validation. (Was: Re: A sugge… Javier Ubillos
- [nbs] (Was: Re: A suggestion for an "on-demand AP… Javier Ubillos
- Re: [nbs] Name->Locator validation. (Was: Re: A s… Brian E Carpenter
- Re: [nbs] (Was: Re: A suggestion for an "on-deman… sowmini.varadhan
- Re: [nbs] Name->Locator validation. (Was: Re: A s… Javier Ubillos
- Re: [nbs] (Was: Re: A suggestion for an "on-deman… Javier Ubillos