IETF Logo Mail Archive

[regext] Fwd: Comments to the feedback about epp-over-http

Matthias Pfeifer <info@freshmail.de> Tue, 29 March 2022 16:54 UTC

Return-Path: <info@freshmail.de>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C5973A1B01 for <regext@ietfa.amsl.com>; Tue, 29 Mar 2022 09:54:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wAb82EDHX2-6 for <regext@ietfa.amsl.com>; Tue, 29 Mar 2022 09:54:55 -0700 (PDT)
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23F093A16F7 for <regext@ietf.org>; Tue, 29 Mar 2022 09:54:54 -0700 (PDT)
Received: from [192.168.178.49] ([79.229.183.167]) by mrelayeu.kundenserver.de (mreue010 [212.227.15.167]) with ESMTPSA (Nemesis) id 1MTR6K-1nTlzd0aBo-00Ti8U for <regext@ietf.org>; Tue, 29 Mar 2022 18:54:53 +0200
Message-ID: <f9383ce9-4986-7810-b41a-ab4b9fb3164b@freshmail.de>
Date: Tue, 29 Mar 2022 18:54:52 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0
Content-Language: en-US
References: <0ba65f7c-20ee-dc9f-3dad-f8840c19aa59@freshmail.de>
To: regext@ietf.org
From: Matthias Pfeifer <info@freshmail.de>
In-Reply-To: <0ba65f7c-20ee-dc9f-3dad-f8840c19aa59@freshmail.de>
X-Forwarded-Message-Id: <0ba65f7c-20ee-dc9f-3dad-f8840c19aa59@freshmail.de>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Provags-ID: V03:K1:u0hWCv0Anjpuf2dGZIg6VQ/Lt4Q9YSXayHMRpEzgKCyRDjIxc6d pQnEc5uC0EWzkkc2+fmtb1SeNLRCVPhhUf1DYNy0hMunjE/v9a2mmz+QAW65Aye+SbdwytH 7WDrO/gmThheSJCE/C81fVzRkbEtY7aBYNRLyOHT00V8XuGTU16RVJzwVtSgulvPTSZsrGy SbXb4lFPiHdKSabVnNkog==
X-UI-Out-Filterresults: notjunk:1;V03:K0:6RA8OSZcRhk=:zJHc5Ztws6O9JXJBuJ90q8 D9oOxomV5bVvVVUN/nK014tZ19XL3bDUggGvsR3nC7eny7Cq1wNMzGgArLttzzfgNZYXss8Qy 0QrDOd0xkcbr0uTVUmKEEXpsa/GPl+pOttBZ/kahtrsjRJgELAaXrCW79FZfi+tdPnoGVmxnn TDksi/BPfNyCs4c3dq8YM5OOAvlGtxyyMDt52ZF9NMXj333+ZOMrkox5qSTaZKeLMrDyj0gku RstjgaNRkbE9hjUsVq09NTqmY1Liina4HPUqQCF+4Adg8ecaY6DyIfuYcO8POcWj2CkHJJUyz Z/taE5J1XTsrIQa6l4HLoohC2z+x7aDJHjTWkk1uptxlbd8iOCJuwtfsFWhHpcqprBqz2zFeU G+T3Npc2yFy5I7r8eHxkQIZAtUiIzJKytd3QIM6wcF2TI6YqLe6zQ9xfIhXH71WPZyjVPGaXm egYlL/Q25eXyYY5+N+ct8Yqs23gQBpplQW10RYN+PJYZsBKyninol9hW8cH1LYOW1EFoqkLog eRZc6FfP8gU1fsjRWEnIHwcuwi2fmPHrWhSgby+38BggNmFZtkqtUCHVKeK025Ipa/K5ZMpE6 9B8lo0v9pp9Q6GQOS3TR7Qmlco2DejS5FUoEH7PIl0vVF0ov4jGz4zFCNdUsPtb6aYo995pdm LzAI/wmk2swYXqImaPakBCC6vxdigWMKyDQoQQJIlDPpSmOMlgFONUMd09/+SwYShjag=
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/EbBiKfQwAXjYjXpMr9gqWgmVCCM>
Subject: [regext] Fwd: Comments to the feedback about epp-over-http
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2022 16:55:00 -0000

Hello Mario,


> That said, AFAIK most of cloud providers don't allow to open low level 
sockets. You cannot use any >port except 80 and 443 (HTTP and HTTPS).  I 
imagine that they do that due to security reasons.

I am assuming that you are talking about services the cloud provider 
offers (btw, aws do tcp LB)?

If so, this should clearly stated out otherwise this could be confusing 
the technical community (which is in fact able to set up LBs nearly 
everywhere ;) )

> In addition, from what I've read, TCP load balancers are intended for 
TCP traffic on well-known ports, >such as port 25 for SMTP.

Maybe some of the crappy outofthebox do that. In general TCP doesnt 
care. well-known port numbers are just convention.



On 29.03.22 11:26, Mario Loffredo wrote:
> Hi Matthias,
>
> thanks a lot for your interest and feedback.
>
> Please find my comments inline prefixed with [ML]
>
> Il 28/03/2022 23:40, Matthias Pfeifer ha scritto:
>> Hello,
>>
>> i would also add a comment and questions:
>>
>> >In the perspective of moving to the cloud to achieve scalability and
>> >  cost reduction, it should be further noted that application protocols
>> >   that aren't based on HTTP can be hardly migrated by using cloud-
>> >   native features, both on client side and server side. In addition,
>> >   from the security point of view, registries would be limited in terms
>> >   of the third-party security services available to protect their EPP
>> >   servers.
>>
>> Can you please elaborate on
>>
>> >"registries would be limited in terms of the third-party security 
>> services available to protect their EPP >servers."
>>
>> Why?
>>
>>
>> And also on
>>
>> >"and should be further noted that application protocols
>> >that aren't based on HTTP can be hardly migrated by using cloud-
>> >native features, both on client side and server side. " (since the 
>> cloudproviders offer tcp LB as well)
>>
> [ML] I added the text above following up the feedback provided by 
> Gavin from CentralNIC who probably has already experienced some 
> drawbacks in migrating to cloud his EPP server based on TCP.
>
> @Gavin, you are surely more knowledgeable than me about this topic so 
> if you wish to integrate my response, please feel free to do it.
>
> My knowledge is limited to what I have learnt from the web.
>
> That said, AFAIK most of cloud providers don't allow to open low level 
> sockets. You cannot use any port except 80 and 443 (HTTP and HTTPS).  
> I imagine that they do that due to security reasons.
>
> Honestly don't know whether and how such a block can be bypassed.
>
> In addition, from what I've read, TCP load balancers are intended for 
> TCP traffic on well-known ports, such as port 25 for SMTP.
>
> It seems quite clear to me that cloud platforms have been designed to 
> natively support HTTP-based rather than TCP-based applications.
>
>>
>> >While TCP is connection-oriented, HTTP is stateless but not session
>> >less.  This means that, by making an EPP session untied from the
>> >network connection, the EPP communication over HTTP is more flexible
>> >and efficient than over TCP.
>>
>> They work on different Layers so IMHO its hard to make a comparsion 
>> in that way.
>
> [ML] We can compare their effects on the functioning of an EPP server.
>
> SInce in EPP-over-TCP, an EPP session is mapped on a TCP connection, 
> the session gets lost if the TCP connection breaks down.
>
> This doesn't happen in EPP-over-HTTP because the EPP session is mapped 
> on an HTTP session that is a pure logical concept.
>
> In addition, if the EPP session is maintained outside the EPP server 
> (or a pool of backend servers in a load balancing scheme) , the EPP 
> session doesn't get lost even when the server (or one of the servers 
> that has previously started the EPP session) is stopped.
>
>>
>>
>> >While HTTP load balancers are very common and are quite often 
>> software, TCP load
>> > balancers are usually implemented in dedicated hardware
>>
>> Whats the point? TCP and HTTP LBs are even used in combination
>
> [ML] The point is that HTTP load balancers are more flexible than TCP 
> load balancers because they work at a higher layer.

This is a depends-on field: This might be correct if you LB acts as a 
(reverse)proxy and can simply "more" that just routing packets (it is 
than an application in itself)


>
> Let's suppose, for example, to have an HTTP server based on HTTP/2 and 
> we want to move to QUIC.
>
> I presume that such a change would require little to no effort on the 
> HTTP load balancer.
>
Its also depends on. If someone has provide patches/upgrades for your 
device, probably yes.


I was wondering which problem do you exactly try to solve?

Bandwith issues on EPP services? :)

And the language should focus more on technical aspects and where the 
proposed tech solve concrete issues.


Best, Matthias





>>
>> >An EPP server made up of a server pool must always operate with
>> >respect to the constraint that, once an EPP session is established,
>> >all the requests related to that session should be processed by the
>> >servers in the pool as long as the session is alive.
>>
>> This is true in general and there are workarounds (eg CARP or VRRP  
>> and token)
>> The LB part looks too one-sided to me
>
> [ML] Sorry, can you further clarify your remark?
>
> I confess that I don't know CARP and VRRP in detail but it seems to me 
> that they can't be helpful to figure out how to store session 
> information to make session survive server failures.

Its related to tcp sessions (with openbsd/carp/pfsync) you can easily 
build stateful cluster.


> In the case where sticky sessions are used and each backend server 
> maintains the HTTP sessions it starts, if a server breaks down, you 
> can recover the server but not its sessions.
>
with carp you can cus the session is handled there :)


> Whereas sessions are stored on a persistent memory outside the backend 
> servers and any server is able to serve the EPP requests, you can 
> redirect the EPP traffic to another server without any impact on 
> client side.
>
>
> Anyway, we'll further review that section to make it appear more 
> objective.
>
>>
>> And a comment:
>>
>> >The reasons why we have used session cookiea are that they represent 
>> a standard method >(RFC6265), >well known to the community of REST 
>> service implementers, largely used and natively >supported by 
>> >libraries and frameworks on both client and server side. For 
>> example, it is the same >method used by >rdap-openid to map an RDAP 
>> session and tie it to an access token :-)
>>
>> > Which method other than session cookie shoud be used instead ?
>>
>> For (REST) API I would prefer token(JWT) based model in general. 
>> Login / Logout including session management would add (at least a 
>> little bit) more complexity and probably CORS issues on client side.
>
> [ML] I would agree with you if the goal was to partially or completely 
> refactor EPP but this is not the philosophy behind this proposal.
>
> This proposal aims to preserve EPP commands semantics and makes use of 
> HTTP as a mere transport protocol.
>
> So what are the other practical methods using HTTP that way and 
> preserving the EPP commands?

You could the tcp-session requirement out and add a token based session 
system.


>
>
> James proposed his own one but the authors'opinion is that it involves 
> a very low-level approach.
>
> Except for setting the session cookie, this proposal doesn't require 
> to know any additional features used in the REST context.
>
> Therefore, I think it would be quite easy to wrap the core of an EPP 
> server to make it interact with both a TCP and an HTTP server.
>
> With regard to the use of a JWT token, while reviewing the rdap-openid 
> document the WG has already agreed that it is unfit to be used outside 
> the borders of a trusted environment. As a consequence, Scott
>
> has recently replaced tokens with sessions (the same mechanism used by 
> epp-over-http) in the interaction between a generic RDAP client and an 
> RDAP server and stated tokens to be exchanged between the RDAP server, 
> acting as registered OpenID Connect client, and an OpenID Provider.
>
> It should further be noted that not only the Login command lets the 
> client authenticate but also negotiate the XML namespaces that will be 
> valid during the EPP session. Therefore, the simple replacement of the 
> EPP authentication with another HTTP-based mechanism wouldn't be 
> sufficient.

Well, we do not need OIDC for using JWT (also OIDC wouldnt solve here 
anything).





>>
>>
>> Why we don't chase the transport protocol restriction out of EPP in 
>> general? :)
>
> [ML] Are you proposing to rewrite EPP :-) ?
>
> I don't object to the idea but, IMHO, a general refactoring of EPP 
> should also address other topics; for example, the use of JSON instead 
> of XML so that extensions can be managed more easily.
>
>
> Hope I addresed all your remarks.
>
>
> Best,
>
> Mario
>
>>
>>
>> Thx and best, Matthias
>>
>>
>>
>>
>> On 28.03.22 12:56, Mario Loffredo wrote:
>>> The reasons why we have used session cookiea are that they represent 
>>> a standard method (RFC6265), well known to the community of REST 
>>> service implementers, largely used and natively supported by 
>>> libraries and frameworks on both client and server side. For 
>>> example, it is the same method used by rdap-openid to map an RDAP 
>>> session and tie it to an access token :-)
>>
>> _______________________________________________
>> regext mailing list
>> regext@ietf.org
>> https://www.ietf.org/mailman/listinfo/regext
>

v2.8.7 | Report a Bug | By Email