Re: [nbs] A suggestion for an "on-demand API".
sowmini.varadhan@oracle.com Wed, 15 December 2010 15:54 UTC
Return-Path: <sowmini.varadhan@oracle.com>
X-Original-To: nbs@core3.amsl.com
Delivered-To: nbs@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 60BC128C176 for <nbs@core3.amsl.com>; Wed, 15 Dec 2010 07:54:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.299
X-Spam-Level:
X-Spam-Status: No, score=-6.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_41=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0aKZwB2JA1VT for <nbs@core3.amsl.com>; Wed, 15 Dec 2010 07:54:01 -0800 (PST)
Received: from rcsinet10.oracle.com (rcsinet10.oracle.com [148.87.113.121]) by core3.amsl.com (Postfix) with ESMTP id 7A97A28C147 for <nbs@ietf.org>; Wed, 15 Dec 2010 07:54:01 -0800 (PST)
Received: from rcsinet15.oracle.com (rcsinet15.oracle.com [148.87.113.117]) by rcsinet10.oracle.com (Switch-3.4.2/Switch-3.4.2) with ESMTP id oBFFtenp027346 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 15 Dec 2010 15:55:41 GMT
Received: from quasimodo.us.oracle.com (quasimodo.us.oracle.com [10.152.12.37]) by rcsinet15.oracle.com (Switch-3.4.2/Switch-3.4.1) with ESMTP id oBFFtdlB009679 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 15 Dec 2010 15:55:39 GMT
Received: from quasimodo.us.oracle.com (localhost [127.0.0.1]) by quasimodo.us.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id oBFFjwCa016940; Wed, 15 Dec 2010 10:45:58 -0500 (EST)
Received: (from sowmini@localhost) by quasimodo.us.oracle.com (8.14.4+Sun/8.14.4/Submit) id oBFFjung016939; Wed, 15 Dec 2010 10:45:56 -0500 (EST)
X-Authentication-Warning: quasimodo.us.oracle.com: sowmini set sender to sowmini.varadhan@oracle.com using -f
Date: Wed, 15 Dec 2010 10:45:56 -0500
From: sowmini.varadhan@oracle.com
To: Javier Ubillos <jav@sics.se>
Message-ID: <20101215154556.GE16665@quasimodo.us.oracle.com>
References: <20101214144734.GC12378@quasimodo.us.oracle.com> <1292401029.4804.30.camel@bit>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <1292401029.4804.30.camel@bit>
User-Agent: Mutt/1.5.14 (2007-03-31)
X-Source-IP: quasimodo.us.oracle.com [10.152.12.37]
X-Auth-Type: Internal IP
X-CT-RefId: str=0001.0A090201.4D08E4FC.0019,ss=1,fgs=0
Cc: nbs@ietf.org, christian.vogt@ericsson.com
Subject: Re: [nbs] A suggestion for an "on-demand API".
X-BeenThere: nbs@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Name based sockets discussion list <nbs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nbs>, <mailto:nbs-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nbs>
List-Post: <mailto:nbs@ietf.org>
List-Help: <mailto:nbs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nbs>, <mailto:nbs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Dec 2010 15:54:02 -0000
On (12/15/10 09:17), Javier Ubillos wrote: > > The way I picture it, not necessarily. I think that the name-exchange > should be an optional part (perhaps default?). In the exchange above : > What could go wrong is if > * B requires authenticated connections. If B is the passive side of the connection, how would it mandate that it requires authenticated connections e.g., if it got a SYN without a name, what should it do? (I think this also brings us back to Erik's original point about exposure to DOS) > * A has name name(a). > 1. A sends a packet to B with a name-exchange. > 2. A changes name to name(a') > 3. B now tries to authenticate A. > > My spontaneous answer is that the connection _should_ fail. > If the responder cannot authenticate the packet, it shouldn't accept it. > It could be that A has changed names, but it could also be that the > resolution system does not have a mapping name(A) => A for B (e.g. if > the resolution system is some DHT based solution and A & B are on > different partitions). > Or it could be a phishing attempt. > Assuming that B does require authentication, if the authentication fails > it shouldn't be accepted. Independently if whether the reason is because > a record has "just become invalid" or it is in fact invalid :) But what if the authentication fails after several data packets have been exchanged? How frequently should you reverify the [name(A), A] mapping? > > > Of course, the initiator could also set requirements for the > > > communication. > > > > Please clarify - what sort of requirements? > > I was thinking requirements, both hard and soft as > * Authenticity (of sender) of receiver, you mean? Anyway, lots of missing details as you point out below. > * Integrity (of data) > * Multi-homing / mobility /multi-path exploitation > * Security (encryption of data) > > I can also imagine a scenario where this mechanism becomes even more > flexible and intelligent, but I think it might be a bit premature to > introduce those bits just yet :) > > > // Javier >
- [nbs] A suggestion for an "on-demand API". Javier Ubillos
- Re: [nbs] A suggestion for an "on-demand API". sowmini.varadhan
- Re: [nbs] A suggestion for an "on-demand API". Javier Ubillos
- Re: [nbs] A suggestion for an "on-demand API". sowmini.varadhan
- Re: [nbs] A suggestion for an "on-demand API". Javier Ubillos
- Re: [nbs] A suggestion for an "on-demand API". sowmini.varadhan
- [nbs] Name->Locator validation. (Was: Re: A sugge… Javier Ubillos
- [nbs] (Was: Re: A suggestion for an "on-demand AP… Javier Ubillos
- Re: [nbs] Name->Locator validation. (Was: Re: A s… Brian E Carpenter
- Re: [nbs] (Was: Re: A suggestion for an "on-deman… sowmini.varadhan
- Re: [nbs] Name->Locator validation. (Was: Re: A s… Javier Ubillos
- Re: [nbs] (Was: Re: A suggestion for an "on-deman… Javier Ubillos