IETF Logo Mail Archive

Re: [Tzdist-bis] [calsify] tzdist and IANA

Eliot Lear <lear@cisco.com> Thu, 18 July 2019 06:03 UTC

Return-Path: <lear@cisco.com>
X-Original-To: tzdist-bis@ietfa.amsl.com
Delivered-To: tzdist-bis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD074120125; Wed, 17 Jul 2019 23:03:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LDAymmFmTC_X; Wed, 17 Jul 2019 23:03:00 -0700 (PDT)
Received: from aer-iport-3.cisco.com (aer-iport-3.cisco.com [173.38.203.53]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A071A1200B7; Wed, 17 Jul 2019 23:02:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=17416; q=dns/txt; s=iport; t=1563429779; x=1564639379; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=SfPCANJzDAY+2yEDmQIy+HDwt/cfuCafVmrycB18GKY=; b=WRo/mzVaeLdi6AdfUStwxyDGFDONuV+pFIW+OVNvi9NZHnfe+Qv6hxSd vXa27naSGqcEoyPZ8FeSBI5IWsVhGqTswXkQFYT3x0PaPJB7URgVKRaM6 n2ydh3hBxFxXKdWVrM0IOG9YO7rEGj7R2prFKPCD4i7NADQGF5H1nrar2 c=;
X-Files: signature.asc : 195
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AEAACaCjBd/xbLJq1mGgEBAQEBAgEBAQEHAgEBAQGBUwUBAQEBCwGBFIFvUQEgEiqMOV+LACWHNIIgiSeGA4F7AgcBAQEJAwEBGAEKDAEBg3pGAoJrNAkOAQMBAQQBAQIBBW2FPAyFSgEBAQECAQEBbAQHBQsLDgonByEGHxEGE4MiAYFqAw4PD60TH4Uogk0NghcQgTQBgVCKJYF/gREnDBOCTD6CGkcBAYE6EUyDB4ImBIoOghCIU5UFLUAJghuCH4EMgiaBB4RuhFKDdBuDGoodilOUfYF1iwiDCwIEBgUCFYFQOESBFDMaCBsVOyoBgkEJNYsIhUE9AzCLFYJSAQE
X-IronPort-AV: E=Sophos;i="5.64,277,1559520000"; d="asc'?scan'208,217";a="14366072"
Received: from aer-iport-nat.cisco.com (HELO aer-core-4.cisco.com) ([173.38.203.22]) by aer-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 18 Jul 2019 06:02:57 +0000
Received: from [10.61.214.125] ([10.61.214.125]) by aer-core-4.cisco.com (8.15.2/8.15.2) with ESMTPS id x6I62uIP016899 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 18 Jul 2019 06:02:56 GMT
From: Eliot Lear <lear@cisco.com>
Message-Id: <98A352CD-3386-49FB-B6C1-D4EC61BB79EC@cisco.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_83CC8AD2-6D68-4074-A595-B3865B0DFD9B"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Thu, 18 Jul 2019 08:02:56 +0200
In-Reply-To: <6e243cf0-a3ff-82a1-3cae-70fbf699f1f7@gmail.com>
Cc: Daniel Migault <daniel.migault@ericsson.com>, Paul Eggert <eggert@cs.ucla.edu>, tzdist-bis@ietf.org, IETF-Calsify <calsify@ietf.org>
To: Michael Douglass <mikeadouglass@gmail.com>
References: <CADZyTkkNuenOTx77cB8vFzWaSjp_fqtEgaYd00t5e2+Kk6MtRA@mail.gmail.com> <47038bd0-210a-4dbc-173c-15bfa89ac54f@cs.ucla.edu> <6a50708d-5fac-1da9-56b3-ed1cea793752@fastmail.com> <6b1616e3-bfc0-a22a-2aa9-11033c525ff3@cs.ucla.edu> <CADZyTkms=skOgqfoDxTF6TSZBsWbfaCmfPBWCG0E9qb4-qA0Uw@mail.gmail.com> <6e243cf0-a3ff-82a1-3cae-70fbf699f1f7@gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-Outbound-SMTP-Client: 10.61.214.125, [10.61.214.125]
X-Outbound-Node: aer-core-4.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tzdist-bis/Seug9RkUOoa3fVBTSTFyT2SWi88>
Subject: Re: [Tzdist-bis] [calsify] tzdist and IANA
X-BeenThere: tzdist-bis@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Extensions to Time Zone Data Distribution Service <tzdist-bis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tzdist-bis>, <mailto:tzdist-bis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tzdist-bis/>
List-Post: <mailto:tzdist-bis@ietf.org>
List-Help: <mailto:tzdist-bis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tzdist-bis>, <mailto:tzdist-bis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jul 2019 06:03:04 -0000

Hi everyone,

While the IANA does a great job at servicing our assigned number needs and delivering the TZ database to developers, they is not set up, nor do they have any experience, to handle the load that end clients could place on them.  Moreover, they are in no position to support millions of people if something goes wrong.  And make no mistake: something will go wrong.  I would be okay with a limited tzdist service for those who are going to be distributing the data themselves, but the order of receivers should be on 100s not millions.

Eliot


> On 18 Jul 2019, at 05:03, Michael Douglass <mikeadouglass@gmail.com> wrote:
> 
> I guess my feeling on the privacy issues is that it should be a client choice. Certainly for a mobile device such as a phone the entire data set would be reasonable - especially if there were a way to reduce it to currently active data.
> 
> However, for small devices - often with a fixed location - being able to retrieve a single zone is probably appropriate.
> 
> I suspect the current approach we have implemented for updating downstream servers (though all downstream servers are really clients) would work for anybody. However - it does assume that we can have a sequence#/timestamp per zone
> 
> On 7/17/19 22:13, Daniel Migault wrote:
>> If I understand correctly the suggestion is to have tzdist server uploading the tzdata from IANA and client connecting to these tzdist servers. While some local network may have a local tzdist server, I would have expected that we could end up in having a global tzdist service that could be used by default by any client - let say tzdist.org <http://tzdist.org/>. of course tzdist.org <http://tzdist.org/> could be operated by multiple operators, and one of these could be the IANA. I am wondering if that is something in line with the latest messages..
>> 
>> Retrieving the tzdb from IANA for example by a tzdist server is already something that can be done via FTP HTTP for the full tzdb or incrementally via rsynch. If IANA is operating a tzdist server, we could use a request with a "changedsince" parameter. Using the mechanism defined by tzdist seems to me appropriated as the root zone is distributed using a distribution master. My understanding is that we define an efficient way to do that in tzdist. Is that correct ?
>> 
>> If the iana is not expected to serve client, I am wondering how the difference between clients and secondary would be made. Do we expect specific prmary/secondary relation being pre-agreed ?
> I don't know there is any difference between clients and secondary servers. I would expect servers nearer the root to not be open to anybody but only to a small set of pre-registered servers as you suggest. I suspect that vendors - if they use this service would want to provide their own servers to their systems - e.g. Apple, MS, Ubuntu, AWS etc etc
>> 
>> I understand Paul's suggestion as a generic suggestion that client generally should retrieve the full tzdb rather than a specific tz, in which case, this request should be optimised. As I understand it the privacy concern is more associated to the information leaked to the tzdist server as I assume that all exchanges would be performed over TLS. One concern I have regarding the use of TLS is that it protects the channel to the tzdist server, but I am not sure how the client can effectively check the data is in accordance to the one distributed by IANA. I am also wondering if we should not look at mechanisms that authenticate the data. This could in return prevent the need to use TLS.
> I'm guessing the use of tls for most isn't an issue. tzdata is fairly slow moving and we're probably considering a once or twice a day check. Nothing compared to your facebook interactions.
> 
> For small devices though it might be useful on a per zone basis
> 
> 
> 
>> 
>> Yours,
>> Daniel
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> On Wed, Jul 17, 2019 at 8:40 PM Paul Eggert <eggert@cs.ucla.edu <mailto:eggert@cs.ucla.edu>> wrote:
>> Ken Murchison wrote:
>> 
>> > "Clients" of the IANA TZDIST server would either be primary or secondary servers
>> > and would be fetching ALL changed zones.  There should be no end-user clients
>> > talking to an IANA TZDIST server.
>> 
>> True, I was worried more about privacy between clients and the secondary servers.
>> 
>> > There is no way to serve up raw tzdata via TZDIST
>> 
>> Yes, and part of the proposal would be to improve TZDIST so that clients can
>> obtain the entire tzdb efficiently. For secure clients there should be little
>> reason to request just a subset of tzdb when the entire database is so small.
>> 
>> _______________________________________________
>> calsify mailing list
>> calsify@ietf.org <mailto:calsify@ietf.org>
>> https://www.ietf.org/mailman/listinfo/calsify <https://www.ietf.org/mailman/listinfo/calsify>
>> 
>> 
>> _______________________________________________
>> calsify mailing list
>> calsify@ietf.org <mailto:calsify@ietf.org>
>> https://www.ietf.org/mailman/listinfo/calsify <https://www.ietf.org/mailman/listinfo/calsify>
> _______________________________________________
> Tzdist-bis mailing list
> Tzdist-bis@ietf.org
> https://www.ietf.org/mailman/listinfo/tzdist-bis

v2.23.0 | Report a Bug | By Email