IETF Logo Mail Archive

Re: [regext] Comments to the feedback about epp-over-http

Matthias Pfeifer <info@freshmail.de> Mon, 28 March 2022 21:40 UTC

Return-Path: <info@freshmail.de>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EFB653A1996 for <regext@ietfa.amsl.com>; Mon, 28 Mar 2022 14:40:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WJKxx58pcijV for <regext@ietfa.amsl.com>; Mon, 28 Mar 2022 14:40:38 -0700 (PDT)
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E7193A198F for <regext@ietf.org>; Mon, 28 Mar 2022 14:40:37 -0700 (PDT)
Received: from [10.0.1.188] ([213.172.96.242]) by mrelayeu.kundenserver.de (mreue010 [212.227.15.167]) with ESMTPSA (Nemesis) id 1MJmbB-1nJt3i3Efx-00K7Ui for <regext@ietf.org>; Mon, 28 Mar 2022 23:40:35 +0200
Message-ID: <00b8f459-2af2-be7e-2f70-af1de533014f@freshmail.de>
Date: Mon, 28 Mar 2022 23:40:34 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0
Content-Language: en-US
References: <7EAC16D6-392C-4A5C-AD2C-A1F18C1DECC6@verisign.com> <a11242a1-6c29-cf0f-68e4-3b444d4e683f@iit.cnr.it>
From: Matthias Pfeifer <info@freshmail.de>
To: regext@ietf.org
In-Reply-To: <a11242a1-6c29-cf0f-68e4-3b444d4e683f@iit.cnr.it>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Provags-ID: V03:K1:O51ab48t92h0EsT24kMT+SLrKmJDaaekNVvtwNLMRgMdyvv9+75 K/cjD/jT7VwRUGFnSLcX4uBolrB/wnwddhrcMy+0IeL1okn/ecQCsX870fPvPiIuOwNM9iz 41Lah0mdrKPkbwlAsG+0yCciuGu4kpA4dpIhllEUouo24xvbepn/eDQnuRxMC0pkhZ7rYU4 pnjMeiXr9+yWmlQWN5nVg==
X-UI-Out-Filterresults: notjunk:1;V03:K0:AXUmxX3Xznk=:jUO8rY0yyiR8bGzz+jhOrX KeV2HH4cTz6oX0g3OVlPUwHdUJPSXJ16gqlQOjoOejc0Uk+GxOxwzWysF2FKm5CvHbw4Qo/5G BK9+L45zr1IupUIV3Kln//HJxZElCWrC46++dxXcUy8ggNa7Fdk2VeBiA7KZlIyhsN/CiM/9e QQp33o7DJpSkSOiOIW52Y5WfXdkTYMM5rTEv1sWbxCxgU1KTWSSTQbXQe50MeEGaf6UIovhMC E0ntvCSEKbGWnYquL39DgDDCFeHytnwTbEFo3IFxTmHbQXNYvycfvp4scgZpi0Mgjf7itRnp4 BbKKLFTtZS83r21rLdE/H1OyNwKc6cMC29VPo2NiXa7cRUGStqiFWsgyWtk/3XpmsCb37AfPi A1enUgb8vKrAJ41IXjUrjTR7qG2fNyK52CzY9zliHb2jtEYsmbaBvG7YsEPZD78IVaziI7tR6 j1937xbr+RizTuaLrN4u+/RtC+hZuUHXeh4KI8DRXdwHKqxvE8IN+3LUGc+/Fsmz8wcqxYEon AsfDjzacvY6xkPA7nxXUJQ+N8WYYuXBz7lrDSXtl/bI5F8ECujo2tXNPjvJ10dc0Oq2fn0Y2B Pys3kE1+qF4WkIqEYsR+IavDIMlF3fqtAB57t342JSeMan08RdUFTg65yOMWW1DeaeCJXJahz SjL4P9TrjP7JvG3CVf7nd12YGI4TTPiPa1nUhZJY1EuIBtDXD6FK2fgdhJv6s0nOife8=
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/fPhviqY_Rycl0mfKYQeZhSm2XR8>
Subject: Re: [regext] Comments to the feedback about epp-over-http
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2022 21:40:42 -0000

Hello,

i would also add a comment and questions:

 >In the perspective of moving to the cloud to achieve scalability and
 >  cost reduction, it should be further noted that application protocols
 >   that aren't based on HTTP can be hardly migrated by using cloud-
 >   native features, both on client side and server side.  In addition,
 >   from the security point of view, registries would be limited in terms
 >   of the third-party security services available to protect their EPP
 >   servers.

Can you please elaborate on

 >"registries would be limited in terms of the third-party security 
services available to protect their EPP >servers."

Why?


And also on

 >"and should be further noted that application protocols
 >that aren't based on HTTP can be hardly migrated by using cloud-
 >native features, both on client side and server side. " (since the 
cloudproviders offer tcp LB as well)


 >While TCP is connection-oriented, HTTP is stateless but not session
 >less.  This means that, by making an EPP session untied from the
 >network connection, the EPP communication over HTTP is more flexible
 >and efficient than over TCP.

They work on different Layers so IMHO its hard to make a comparsion in 
that way.


 >While HTTP load balancers are very common and are quite often 
software, TCP load
 > balancers are usually implemented in dedicated hardware

Whats the point? TCP and HTTP LBs are even used in combination

 >An EPP server made up of a server pool must always operate with
 >respect to the constraint that, once an EPP session is established,
 >all the requests related to that session should be processed by the
 >servers in the pool as long as the session is alive.

This is true in general and there are workarounds (eg CARP or VRRP  and 
token)
The LB part looks too one-sided to me

And a comment:

 >The reasons why we have used session cookiea are that they represent a 
standard method >(RFC6265), >well known to the community of REST service 
implementers, largely used and natively >supported by >libraries and 
frameworks on both client and server side. For example, it is the same 
 >method used by >rdap-openid to map an RDAP session and tie it to an 
access token :-)

 > Which method other than session cookie shoud be used instead ?

For (REST) API I would prefer token(JWT) based model in general. Login / 
Logout including session management would add (at least a little bit) 
more complexity and probably CORS issues on client side.


Why we don't chase the transport protocol restriction out of EPP in 
general? :)


Thx and best, Matthias




On 28.03.22 12:56, Mario Loffredo wrote:
> The reasons why we have used session cookiea are that they represent a 
> standard method (RFC6265), well known to the community of REST service 
> implementers, largely used and natively supported by libraries and 
> frameworks on both client and server side. For example, it is the same 
> method used by rdap-openid to map an RDAP session and tie it to an 
> access token :-)

v2.8.7 | Report a Bug | By Email