IETF Logo Mail Archive

Re: [tae] New draft: announcing the supported transports via DNS

Joe Touch <touch@ISI.EDU> Tue, 06 October 2009 16:52 UTC

Return-Path: <touch@ISI.EDU>
X-Original-To: tae@core3.amsl.com
Delivered-To: tae@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 21BD628C186 for <tae@core3.amsl.com>; Tue, 6 Oct 2009 09:52:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.569
X-Spam-Level:
X-Spam-Status: No, score=-2.569 tagged_above=-999 required=5 tests=[AWL=0.030, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WcyvPnyrW2hy for <tae@core3.amsl.com>; Tue, 6 Oct 2009 09:52:36 -0700 (PDT)
Received: from nitro.isi.edu (nitro.isi.edu [128.9.208.207]) by core3.amsl.com (Postfix) with ESMTP id 2C26028C14B for <tae@ietf.org>; Tue, 6 Oct 2009 09:52:36 -0700 (PDT)
Received: from [75.214.167.79] (79.sub-75-214-167.myvzw.com [75.214.167.79]) (authenticated bits=0) by nitro.isi.edu (8.13.8/8.13.8) with ESMTP id n96GpNYc006379 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 6 Oct 2009 09:51:25 -0700 (PDT)
Message-ID: <4ACB758B.909@isi.edu>
Date: Tue, 06 Oct 2009 09:51:23 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Dan Wing <dwing@cisco.com>
References: <Pine.LNX.4.64.0909180057060.5479@zippy.stdio.be> <77F0974F-62CD-411C-96D3-C29E6D872DEA@asomi.com> <Pine.LNX.4.64.0910010305520.3645@zippy.stdio.be> <4AC60448.2050507@isi.edu><Pine.LNX.4.64.0910050457450.6309@zippy.stdio.be> <4AC9F478.6080308@isi.edu> <038301ca45e3$aa7ad5b0$c2f0200a@cisco.com>
In-Reply-To: <038301ca45e3$aa7ad5b0$c2f0200a@cisco.com>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-MailScanner-ID: n96GpNYc006379
X-ISI-4-69-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tae@ietf.org
Subject: Re: [tae] New draft: announcing the supported transports via DNS
X-BeenThere: tae@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Transport Architecture Evolution <tae.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tae>, <mailto:tae-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tae>
List-Post: <mailto:tae@ietf.org>
List-Help: <mailto:tae-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tae>, <mailto:tae-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Oct 2009 16:52:37 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

...
>> > There are numerous applications that use reverse DNS for verification,
>> > e.g., HTTP name-based access, SSL, etc. Users don't have control over
>> > reverse DNS.
> 
> Agreed.
> 
> But how is reverse DNS authentication relevant to selection of 
> a transport protocol?

If all you have is an IP address (whether the user types it in or it is
provided in-band), the only thing you can lookup in the DNS (to find the
supported transports for that address) is reverse DNS.

...
>> > First, the DNS is not always available or desirable.
>> > 
>> > Second, if you solve this for the DNS, you can use a similar solution
>> > directly between the endpoints without involving the DNS.
>> >
>> > Third, if you force all endpoints to support a default 
>> > transport to talk
>> > to the DNS, you have a default transport to talk to all other 
>> > endpoints anyway.
> 
> I sure would like to see your straw man proposal, because I
> cannot fathom how you would accomplish this feat.

First, I don't need to provide a strawman to express concerns with an
existing proposal. We aren't picking a place for lunch*.

Second, I'm basically suggesting that this all boils down to the need
for a transport negotiation protocol between the endpoints. There are
numerous challenges to designing an effective negotiation protocol:

	- latency to detect supported protocols
	- latency to fallback if not supported
	- interaction with NATs/firewalls

Just saying "use the DNS" doesn't solve these problems any better than
"build a new exchange protocol", and adds other problems:

	- support for non-DNS endpoints (IP address specified)
	- involvement of a third party (lack of fate-sharing)

Joe

*(typical lunch location negotiation rules are "if you shoot down a
proposed site, you must counter with an alternative you are willing to
accept")
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkrLdYsACgkQE5f5cImnZrvsjwCg5P6SGGzdxBwr2FtPr2aSPS/k
Fa0AnjEmKD99tDni7QysjTpPDAeC/B4Z
=+SUt
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email