IETF Logo Mail Archive

Re: [regext] Poll messages with unhandled namespaces (was Re: I-D Action: draft-ietf-regext-change-poll-07.txt)

"James Galvin" <galvin@elistx.com> Fri, 04 May 2018 13:31 UTC

Return-Path: <galvin@elistx.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE92412706D for <regext@ietfa.amsl.com>; Fri, 4 May 2018 06:31:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=elistx-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K0ADtv9waTjp for <regext@ietfa.amsl.com>; Fri, 4 May 2018 06:31:44 -0700 (PDT)
Received: from mail-qt0-x235.google.com (mail-qt0-x235.google.com [IPv6:2607:f8b0:400d:c0d::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32B1F126FB3 for <regext@ietf.org>; Fri, 4 May 2018 06:31:44 -0700 (PDT)
Received: by mail-qt0-x235.google.com with SMTP id h2-v6so27309904qtp.7 for <regext@ietf.org>; Fri, 04 May 2018 06:31:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=elistx-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding:embedded-html; bh=sKIONdE46snyd09VJ/N+ErTONpBFnoLEII+KNQqEml8=; b=jB1Nlzs+yFJrgJl6ixiuPU5mIVPOpUJ/LaqCF/8CsWgadMsreGHwvXdTVVMFmzSNJU f2Cjr1FpFGleE0asdi12Fq6TLEetHZlWGVINZ+jLPSx7VDlQ/uV0NuQPQpSkDuvKPQoJ Q2O4yD98mP+SoHDwIjsFywDxlo+B9T/jFadC8yQOUlTBeIo9UsljuPTzWIcOtxlSKd2g 5x830Rj9JDclC7ITIR5ZZf7hoRWcqjGLEzaJFAfrANeycRFquvFLlAC+40e0eiAehbXt uT9qi5QTYPakpBBr+xxd73+jr9g6TbKiWSmVQKR0dlFdZcgFUEv4EgUvTU+LYr1J4Hzd JUtQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding:embedded-html; bh=sKIONdE46snyd09VJ/N+ErTONpBFnoLEII+KNQqEml8=; b=JeYLDt6RFdy0D+AhMWbEDi0jJG0Dtft1uUjWrTWdEC587Yn0Al2wlMLQcGg8sGosy+ 62S0j5UMqLRBmEuP+496I0I9Z35mBTipHFItE/gxCBgFZR4mkmMwzIvimwJG719JPbOF 10+T0tpg0Tv27RES3l4O+jpFfrN0fRUcvSPf9H6nFBTs4CYHSPjsDRjMZGsT2fBZDPtE /FTHGrWMGYIYGf5F4I9YTKU6nTX0Vodw2R2k87jscABHND4L7ymisHUyMiXbvhkKQXVE TXcyXlMV3GfUUWhZLvE0lduVYjIYyOQiwrNX1hmad2y+s2jPfjFXx3Bhu7IwONkSF6FC nqGw==
X-Gm-Message-State: ALQs6tAVlKzq6gsfV1QinvHwmCJ5bapM0LEhcAmYo4xoB/kiasfMneEM UHHy3JNoonM7QmBcRXxDFgXVfw==
X-Google-Smtp-Source: AB8JxZqPG68HP9+btbA/g7pokaEIQh0gFm/cg2klsf7fWtByMH3aX9EWo2QC2TugtgCZpMT2tN47ig==
X-Received: by 2002:a0c:b897:: with SMTP id y23-v6mr11262546qvf.188.1525440703205; Fri, 04 May 2018 06:31:43 -0700 (PDT)
Received: from [10.0.0.103] ([2601:154:c200:10:61ca:aef2:62c5:36ff]) by smtp.googlemail.com with ESMTPSA id v14-v6sm9649990qto.72.2018.05.04.06.31.41 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 04 May 2018 06:31:42 -0700 (PDT)
From: James Galvin <galvin@elistx.com>
To: "Gould, James" <jgould@verisign.com>
Cc: Patrick Mevzek <pm@dotandco.com>, regext@ietf.org
Date: Fri, 04 May 2018 09:31:50 -0400
X-Mailer: MailMate (1.11.2r5479)
Message-ID: <CF701CA2-F63A-4573-AB87-68E3AB30C635@elistx.com>
In-Reply-To: <48889EC8-FF2C-4CF3-B5E1-9DC5482E06E9@verisign.com>
References: <3266784A-E663-4465-8ABF-A3305B83C253@verisign.com> <e7916b75-1555-14e3-43bc-644059cd68f0@switch.ch> <605AC23F-D7B3-4A37-876E-45EC8E6BEEB8@verisign.com> <84309e91-dbe9-8865-fd06-528266aa93e7@switch.ch> <FAFB62AE-C0D1-4D74-888C-00C632D73211@verisign.com> <1522912361.3587146.1327243736.6AB5A07D@webmail.messagingengine.com> <58605AC6-A8B3-4428-A71E-580E6BC01EFF@verisign.com> <1524032366.3941888.1341940112.7D43F230@webmail.messagingengine.com> <BEC1040F-25C7-4F52-BB94-1F55BFA4C1C7@verisign.com> <1524203922.4022062.1344535160.39F0C10F@webmail.messagingengine.com> <83479150-4E98-452F-B27B-BD286AA18C1B@verisign.com> <1524425212.2370983.1346768616.2A2DE208@webmail.messagingengine.com> <48889EC8-FF2C-4CF3-B5E1-9DC5482E06E9@verisign.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_MailMate_4F872405-1BB3-4385-B52E-28DAA9249543_="
Content-Transfer-Encoding: 8bit
Embedded-HTML: [{"HTML":[1854, 15045], "plain":[475, 9603], "uuid":"3464A4E3-49A3-4146-83EB-231D1B52440A"}]
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/g7oi_moUSAVOA1WqCbSJSxl3ZAM>
Subject: Re: [regext] Poll messages with unhandled namespaces (was Re: I-D Action: draft-ietf-regext-change-poll-07.txt)
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2018 13:31:48 -0000

The chairs would appreciate a suggestion from those in this discussion 
as to what you would like to do next?

The change-poll document has been in WGLC that has now expired.  
However, you have identified a technical issue but you have not been 
clear as to whether you want a change in the existing document or you 
want a new work item for the working group?

What would you propose?  What do others think?

Antoin and Jim





On 23 Apr 2018, at 9:27, Gould, James wrote:

> Patrick,
>
>
>
> This may be an excellent topic for a working session at the next IETF. 
>  It would be great to hear opinions from others on this topic, since 
> there is obviously a gap in the interpretation of the greeting and 
> login services as it relates to responses (command responses and poll 
> response) provided by the server.
>
>
>
> Your description still leaves out a case, that I cannot prove to be 
> the dominant one but that is certainly not a negligible one: the 
> client receives the message, DOES NOT validate it per XML schema, DOES 
> NOT parse it, and just stores it (as is or with a simple 
> transformation to any other serialization format, an operation that 
> does not need to know about the schema nor the content at all) for out 
> of band later examination, and ACKs it in EPP to be able to fetch the 
> next one.
>
>
>
> How can the client ack the message if it doesn’t at least parse it 
> for the message id?  An EPP client should frame the responses per RFC 
> 5734 and will most likely parse the response to determine the result 
> of the command and in the case of a poll message parse the message id 
> to send the subsequent poll ack.  The client could use regular 
> expressions to extract the information or could do a validating DOM 
> parse and object unmarshalling to have something easier to work with.  
> There is no way for the server to know the capabilities of the client 
> other than using the login services.  Both sets of clients can be 
> fully supported if the server honors the login services sent by the 
> client.  If the client wants to retrieve everything from the server 
> for later processing, then the client can simply mirror the greeting 
> services into the login services.  Clients that do unmarshall 
> responses, will most likely use marshalling factories that will be 
> used to dynamically create the login services.  This way the server 
> will not send a response that the client does not support and will not 
> break the client.
>
>
>
> As for "A client would need to proactively deal with the
>
> unexpected if the server does not honor the login services of the
>
> client.", I think this is already the case for many registries, and 
> since a long time, so clients had to deal with that already. It is far 
> from a new hypothetical problem.
>
>
>
> Just because servers have been sending unsolicited extensions to 
> clients does not make it correct or appropriate from a protocol 
> perspective.  I believe we have examples of EPP extensions (RFC 5910 
> and draft-ietf-regext-epp-fees) that includes language related to what 
> the server should or should not due based on the client login 
> services, so this should be understood.  I believe where it is not 
> well understood is the handling of poll messages, which would be the 
> point in creating a new draft.
>
>
>
>
>
> If the registrar logs in without the secDNS extension, to use a "core" 
> example, and if it does a domain:info on a domain name which has 
> secDNS info (because it is one of his own domain for which he put 
> DNSSEC material with it before but right now in this particular 
> session it did not use the secDNS extension at login, or maybe less 
> contrived before a transfer he does a domain:info with the associated 
> authInfo on a domain name it does not sponsor)
>
> then what should the registry do? Send the secDNS part of the 
> domain:info or not?
>
> I believe not sending it creates more harm than benefits, even if the 
> registrar did not specify it at login, but clearly this is the core 
> point of our disagreement.
>
>
>
> The registry should not return the secDNS extension in the domain info 
> response for a client that does support secDNS-1.0 (RFC 4310) or 
> secDNS-1.1 (RFC 5910) according to section 2 of RFC 5910 
> (https://tools.ietf.org/html/rfc5910#page-4).  There is similar 
> language in the Registry Fee Extension related to inclusion of the fee 
> extension in the command response (e.g., “does include elements in 
> the response, when the extension has been selected during a <login> 
> command”).  The login services explicitly provide the object and 
> command / response extensions supported by the client along with their 
> versions, so why would the server not honor those services to 
> determine if and what version of an extension to return to a client?  
> The exchange of the server services in the greeting and the client 
> services in the login allow the client and server to negotiate what 
> extensions are supported on both sides.  Inclusion of an extension 
> outside of the negotiated services should result with an error on the 
> server side and the server should not return an unsupported extension 
> back in a response.  The server does not know the capabilities of the 
> client, where sending an unsolicitated extension may result in a 
> client-side failure in the case for a validating client or a client 
> that unmarshalls the response.
>
>
>
> —
>
> JG
>
>
>
>
>
>
>
> James Gould
>
> Distinguished Engineer
>
> jgould@Verisign.com
>
>
>
> 703-948-3271
>
> 12061 Bluemont Way
>
> Reston, VA 20190
>
>
>
> Verisign.com <http://verisigninc.com/>
>
> On 4/22/18, 3:27 PM, "regext on behalf of Patrick Mevzek" 
> <regext-bounces@ietf.org on behalf of pm@dotandco.com> wrote:
>
>
>
>     On Fri, Apr 20, 2018, at 16:06, Gould, James wrote:
>
>     > Thank you for the detailed description of your reasoning.  I 
> will leave
>
>     > it that we disagree on the purpose of the login services, the 
> need for
>
>     > the server to honor the login services for poll messaging, and 
> the
>
>     > impacts in returning unsupported responses or response 
> extensions to
>
>     > clients.
>
>
>
>     Ok.
>
>
>
>     > On the impact, there are two elements to consider including
>
>     > first the XML parser in validating a response against the XML 
> schemas,
>
>     > and second is the unmarshalling of the XML to a representative 
> object.
>
>     > A client could disable the XML parser validation and move along 
> to the
>
>     > unmarshalling step.  In the unmarshalling step the client would 
> need to
>
>     > deal with receipt of unsupported content.  The client could 
> throw an
>
>     > exception because the XML (e.g., DOM tree) could not be 
> unmarshalled,
>
>     > ignore the unsupported content, or come up with some other
>
>     > representation of the unsupported content (e.g., convert to list 
> of XML
>
>     > blobs or DOM objects).  A client would need to proactively deal 
> with the
>
>     > unexpected if the server does not honor the login services of 
> the
>
>     > client.
>
>
>
>     Your description still leaves out a case, that I can not prove to 
> be the dominant one but that is certainly not a negligible one: the 
> client receives the message, DOES NOT validate it per XML schema, DOES 
> NOT parse it, and just stores it (as is or with a simple 
> transformation to any other serialization format, an operation that 
> does not need to know about the schema nor the content at all) for out 
> of band later examination, and ACKs it in EPP to be able to fetch the 
> next one.
>
>
>
>     In this case, there are absolutely none of the problem you expose:
>
>     the registry has no extra work to do, the registrar has no extra 
> work to do to understand messages in unknown namespaces, registrar is 
> not blocked at all for any new namespace introduced, the registrar has 
> no problem if the registry message does not validate per its own XML 
> schema, the registrar does not have to be proactive it can deal with 
> new cases and problems later, etc.
>
>     I really fail to see the drawbacks but of course anyone is free to 
> do differently and stick to validate and parse everything in band in 
> real time.
>
>
>
>     As for "A client would need to proactively deal with the
>
>     unexpected if the server does not honor the login services of the
>
>     client.", I think this is already the case for many registries, 
> and since a long time, so clients had to deal with that already. It is 
> far from a new hypothetical problem.
>
>
>
>     > Since this is not a problem unique to 
> draft-ietf-regext-change-poll, I
>
>     > agree that it's best suited to be addressed in a separate 
> Internet Draft
>
>     > that addresses service-aware EPP poll messaging.
>
>
>
>     I agree this should be a separate draft, to become eventually an 
> Informational Standard or a Best Practice depending on its content.
>
>
>
>     > Is there interest in such a draft by the working group?
>
>
>
>     I am interested by the subject but disagree on the offered 
> solution.
>
>
>
>     Also, it may be useful to be able (as difficult as it may be) to 
> understand a little more on the current situation, and to see how 
> registries currently handle this problem.
>
>
>
>     Note that this happens very early and not only from poll messages.
>
>     If the registrar logs in without the secDNS extension, to use a 
> "core" example, and if it does a domain:info on a domain name which 
> has secDNS info (because it is one of his own domain for which he put 
> DNSSEC material with it before but right now in this particular 
> session it did not use the secDNS extension at login, or maybe less 
> contrived before a transfer he does a domain:info with the associated 
> authInfo on a domain name it does not sponsor)
>
>     then what should the registry do? Send the secDNS part of the 
> domain:info or not?
>
>     I believe not sending it creates more harm than benefits, even if 
> the registrar did not specify it at login, but clearly this is the 
> core point of our disagreement.
>
>
>
>     --
>
>       Patrick Mevzek
>
>       pm@dotandco.com
>
>
>
>     _______________________________________________
>
>     regext mailing list
>
>     regext@ietf.org
>
>     https://www.ietf.org/mailman/listinfo/regext


> _______________________________________________
> regext mailing list
> regext@ietf.org
> https://www.ietf.org/mailman/listinfo/regext

v2.23.0 | Report a Bug | By Email