[netconf] Re: Francesca Palombini's Discuss on draft-ietf-netconf-http-client-server-23: (with DISCUSS)
Kent Watsen <kent+ietf@watsen.net> Wed, 21 August 2024 05:25 UTC
To: Mark Nottingham <mnot@mnot.net>
CC: Francesca Palombini <francesca.palombini@ericsson.com>, The IESG <iesg@ietf.org>, draft-ietf-netconf-http-client-server@ietf.org, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/FkiBNdfcMfMHP0lEP5h2_HAmOP4>

>> Negotiating version at runtime (startup handshake) is common practice. The way it usually goes is that the client has a list of what it allows, and the server has a list of what it supports, and the latest/newest common version is selected. This is how it works in HTTP also, yes?
>
> No. See:
>
> https://httpwg.org/specs/rfc9112.html#http.version
> https://httpwg.org/specs/rfc9113.html#starting
> https://httpwg.org/specs/rfc9114.html#discovery

Fine, but your point is only made because HTTP keeps changing its transport ;)

Assuming HTTP/4 stays with QUIC, then RFC 7301, Section 1 says:

    With ALPN, the client sends the list of supported application protocols as part of the TLS ClientHello message. The server chooses a protocol and sends the selected protocol as part of the TLS ServerHello message.

In such a case, the client's ALPN list would be [h3, h4], and the server returns one or the other, depending on what it supports, which is effectively what I wrote.

I also note that RFC 9114 Section 3.1 says:

    A client MAY attempt access to a resource with an "https" URI by resolving the host identifier to an IP address, establishing a QUIC connection to that address on the indicated port (including validation of the server certificate as described above), and sending an HTTP/3 request message targeting the URI to the server over that secured connection.

This optimization is possible if the client knows it only wants QUIC-based HTTP. This is faster than first establishing an HTTP/2 connection and switching after receiving the "alt-svc" header. This is also faster than the client optimistically switching after receiving a "TCP RST", assuming the server isn't listening on tcp/443.

>> Let's say there exists an HTTP-client that requires multiplexing, so it requires at least HTTP/2. But it connects to a server that only supports HTTP/1.1. IMO the negotiation should fail, letting the HTTP-client try another server. Isn't this proper?
>
> A "HTTP-client that requires multiplexing" (i.e., an application using HTTP that wants to multiplex) can use multiple HTTP/1 connections, or HTTP/2, or HTTP/3, or...

It was just an example. The general point is that each HTTP version comes with a set of features (e.g., scalability, performance, security, etc.) and a client may require a specific feature-set.

>> The configuration -23 regards setting the client's "list of what it allows". It can be a list of versions, or the special wildcard value "any". It is expected that this "list of versions" will feed into the negotiation. IDK, maybe you thought that the draft was always setting the client to a single version?
>
> No; I'm only attempting to make sure that your specification doesn't actively harm the HTTP ecosystem.

Good - and thank you!

> Constraining the available versions is one way that can happen.

Can you provide a scenario where the client being configured to use specific versions harms the HTTP ecosystem?

> I continue to be concerned that you're defining a configuration language for HTTP without a strong understanding of the protocol's core concepts or common implementation patterns.

It could also be that you don't appreciate that, by nature of this being "configuration", it is not a "first contact" scenario. That is, this is much more like a script using `curl` than a user using a browser.

Thanks again!
Kent
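
The ALPN exchange quoted from RFC 7301 in the message above, modeled as an added example (not code from the thread, the draft, or any HTTP implementation). It is a selection model, not a TLS stack; the version-to-ALPN mapping, the transport table, and all function names are assumptions made for illustration, and "h4" is the thread's hypothetical.

```python
class NoApplicationProtocol(Exception):
    """Models the fatal no_application_protocol alert (RFC 7301, Section 3.2)."""

# Hypothetical mapping from configured version names to ALPN protocol IDs.
# "http/1.1", "h2" and "h3" are registered IDs; "h4" is the thread's hypothetical.
ALPN_ID = {"1.1": "http/1.1", "2": "h2", "3": "h3", "4": "h4"}

# Assumed transport per ALPN ID: a ClientHello only offers IDs that make
# sense on the transport the client is actually dialing.
TRANSPORT = {"http/1.1": "tcp", "h2": "tcp", "h3": "quic", "h4": "quic"}


def client_offer(allowed, transport):
    """Build the ClientHello ALPN list from a configured allow-list or "any"."""
    versions = list(ALPN_ID) if allowed == "any" else allowed
    ids = [ALPN_ID[v] for v in versions]
    return [p for p in ids if TRANSPORT[p] == transport]


def server_select(offer, server_prefs):
    """Server picks its most preferred protocol that the client also offered."""
    for proto in server_prefs:
        if proto in offer:
            return proto
    raise NoApplicationProtocol(f"client={offer} server={server_prefs}")


def negotiate(allowed, transport, server_prefs):
    """Run one modeled handshake; raises if no protocol can be agreed."""
    offer = client_offer(allowed, transport)
    if not offer:
        raise ValueError(f"allow-list {allowed!r} has nothing for {transport}")
    return server_select(offer, server_prefs)


if __name__ == "__main__":
    # The thread's hypothetical: client offers [h3, h4] over QUIC.
    print(negotiate(["3", "4"], "quic", ["h3"]))
    print(negotiate(["3", "4"], "quic", ["h4", "h3"]))
    # Client restricted to HTTP/2 meets an HTTP/1.1-only server.
    try:
        negotiate(["2"], "tcp", ["http/1.1"])
    except NoApplicationProtocol as exc:
        print("handshake fails:", exc)
```
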