Re: [nbs] A suggestion for an "on-demand API".
sowmini.varadhan@oracle.com Fri, 17 December 2010 23:21 UTC
Return-Path: <sowmini.varadhan@oracle.com>
X-Original-To: nbs@core3.amsl.com
Delivered-To: nbs@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A71953A69C5 for <nbs@core3.amsl.com>; Fri, 17 Dec 2010 15:21:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.499
X-Spam-Level:
X-Spam-Status: No, score=-6.499 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uBcGyBuZuzEA for <nbs@core3.amsl.com>; Fri, 17 Dec 2010 15:21:22 -0800 (PST)
Received: from rcsinet10.oracle.com (rcsinet10.oracle.com [148.87.113.121]) by core3.amsl.com (Postfix) with ESMTP id BFF6F3A69ED for <nbs@ietf.org>; Fri, 17 Dec 2010 15:21:22 -0800 (PST)
Received: from rcsinet13.oracle.com (rcsinet13.oracle.com [148.87.113.125]) by rcsinet10.oracle.com (Switch-3.4.2/Switch-3.4.2) with ESMTP id oBHNN68a011036 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 17 Dec 2010 23:23:08 GMT
Received: from quasimodo.us.oracle.com (quasimodo.us.oracle.com [10.152.12.37]) by rcsinet13.oracle.com (Switch-3.4.2/Switch-3.4.1) with ESMTP id oBHNN5UW020559 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 17 Dec 2010 23:23:06 GMT
Received: from quasimodo.us.oracle.com (localhost [127.0.0.1]) by quasimodo.us.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id oBHNDOI7020765; Fri, 17 Dec 2010 18:13:24 -0500 (EST)
Received: (from sowmini@localhost) by quasimodo.us.oracle.com (8.14.4+Sun/8.14.4/Submit) id oBHNDMlg020764; Fri, 17 Dec 2010 18:13:22 -0500 (EST)
X-Authentication-Warning: quasimodo.us.oracle.com: sowmini set sender to sowmini.varadhan@oracle.com using -f
Date: Fri, 17 Dec 2010 18:13:22 -0500
From: sowmini.varadhan@oracle.com
To: Javier Ubillos <jav@sics.se>
Message-ID: <20101217231322.GB20694@quasimodo.us.oracle.com>
References: <20101214144734.GC12378@quasimodo.us.oracle.com> <1292401029.4804.30.camel@bit> <20101215154556.GE16665@quasimodo.us.oracle.com> <1292500103.4804.1313.camel@bit>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <1292500103.4804.1313.camel@bit>
User-Agent: Mutt/1.5.14 (2007-03-31)
X-Source-IP: quasimodo.us.oracle.com [10.152.12.37]
X-Auth-Type: Internal IP
X-CT-RefId: str=0001.0A090209.4D0BF0DA.0156,ss=1,fgs=0
Cc: nbs@ietf.org, christian.vogt@ericsson.com
Subject: Re: [nbs] A suggestion for an "on-demand API".
X-BeenThere: nbs@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Name based sockets discussion list <nbs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nbs>, <mailto:nbs-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nbs>
List-Post: <mailto:nbs@ietf.org>
List-Help: <mailto:nbs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nbs>, <mailto:nbs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Dec 2010 23:21:23 -0000
On (12/16/10 12:48), Javier Ubillos wrote: > > > * B requires authenticated connections. > >=20 > > If B is the passive side of the connection, how would it mandate that > > it requires authenticated connections e.g., if it got a SYN without > > a name, what should it do? (I think this also brings us back to Erik's > > original point about exposure to DOS) > > In the TCP scenario, the SYNACK would include a name-extension header > (or some similar mechanism) with some flag requiring the initiator to > send whatever is necessary for authentication. In the simplest-case this > could be a name-extension header with a resolvable name (FQDN). > As we are still using IP "on-the-wire", and I think the syn-cookies may > not use the names in the hashes, I don't think any new weaknesses are > introduced.=20 I'm not sure I see what you have in mind since the details have to be fleshed out, but I dont see how, for example, B can require authenticatation of, e.g., udp. > I don't think names should be re-verified. However, if there would be a > reason for doing this, it could either be triggered/configured by the > application or be a default for whichever name-resolution mecanism one > chooses. In the DNS/FQDN case, I don't see why one would need to > re-verify the mapping during the session. If it is due to impersonation If we store name(A) with IP(A) for a connection what assertion can we make about the state of the system at any instant in time: if name(A) and IP(A) diverge, how does one make sense of the observed internal state? Stepping back a bit, in your original mail, you had said: > At IETF79, at some point after the name-based sockets BoF. > Together with Erik Nordmark and Christian Vogt, we sat down, discussed a > bit about name-oriented APIs and gravitated towards this idea: > The cost for behavior and an API should be incremental and optional, in > the sense that; you should only pay the price for a feature if you > really want to have it. > E.g. > * A web-server only requires a session-handle, the web-server will reply > to any-one initiating a session. No "extras" are asked for. > > * Some other application might require authenticity of name->IP binding, > and is also prepared to pay the cost for that authenticity (typically a > round-trip). I'd interpret that as - a vanilla version of AF_NAME would just move the DNS and addr resolution (currently done in user space, to obtain the addrs needed for setting up AF_INET[6] sockets) under the hood (i.e., behind the socket(..AF_NAME) implementation) - if the application desires, the API should allow the socket end-points to exchange names and do any authentication needed, but afaict this can only be done after any intial connection setup/validation etc steps have been completed. Also, it seems to me that if we associate a name with any connection, that name must also be tied to a "last verified timestamp" of some sort, in order for it to be meaningful- that would allow then applications to decide the when/where/how-often of authentication. Does that make sense? --Sowmini
- [nbs] A suggestion for an "on-demand API". Javier Ubillos
- Re: [nbs] A suggestion for an "on-demand API". sowmini.varadhan
- Re: [nbs] A suggestion for an "on-demand API". Javier Ubillos
- Re: [nbs] A suggestion for an "on-demand API". sowmini.varadhan
- Re: [nbs] A suggestion for an "on-demand API". Javier Ubillos
- Re: [nbs] A suggestion for an "on-demand API". sowmini.varadhan
- [nbs] Name->Locator validation. (Was: Re: A sugge… Javier Ubillos
- [nbs] (Was: Re: A suggestion for an "on-demand AP… Javier Ubillos
- Re: [nbs] Name->Locator validation. (Was: Re: A s… Brian E Carpenter
- Re: [nbs] (Was: Re: A suggestion for an "on-deman… sowmini.varadhan
- Re: [nbs] Name->Locator validation. (Was: Re: A s… Javier Ubillos
- Re: [nbs] (Was: Re: A suggestion for an "on-deman… Javier Ubillos