Re: [Uri-review] URI scheme registration request

[John Wason <wason@wasontech.com>]

Claiming that the different scheme types are simply "proxies" is 
inaccurate.  The different transport types have incredibly important 
performance and security implications that are best transmitted as a 
single piece of data. Also, a single client can connect to different 
services using different transport types so there isn't really a single 
place that the "proxy" can be specified. The chances of a user getting a 
two piece connection command correct vs just changing a few letters in 
the URI are remote. The "click to connect" type usage would not work.  
Because Robot Raconteur mostly runs on LAN the DNS system is not used 
for many connections.  Because of this the same URI with only the scheme 
changed can connect to different services. This means that the "proxy" 
specification would point to a different resource which is also not a 
correct usage of the "proxy" concept.

"For example, the +ws(s) identifiers appear to just be an alias of ws 
and wss."

No they aren't.  The protocol needs to be specified.  It is true that 
rr+ws etc. are compatible with WebSockets but it is just a stream 
wrapper.  The rr+ws is critically important to the software library to 
identify how to connect to the service.

  "rr and rr+cloud are being defined as aliases = VERY BAD.  There is no 
reason to do that."

Except that for users there may be cases where one is more clear than 
the other.

On 12/1/2015 4:12 PM, Roy T. Fielding wrote:
> On Nov 20, 2015, at 8:20 PM, John Wason <wason@wasontech.com 
> <mailto:wason@wasontech.com>> wrote:
>>
>> I have prepared a more detailed description of the transports and URI 
>> request.  Please let me know if you need further specific details:
>>
>> Robot Raconteur URI Scheme Improvement
>> John Wason
>> Wason Technology, LLC
>> wason@wasontech.com
>> 11/20/15
>> *Introduction*
>> Robot Raconteur is being improved to better comply with web standards 
>> by adding support for WebSocket transports and implementing a new URI 
>> scheme that can be registered with IANA.The URIs for Robot Raconteur 
>> use the following basic format:
>> rr+transport://hostname:port/path/to/endpoint?service=servicename&nodename=targetnodename&nodeid=targetnodeuuid
>> The scheme is “rr”, “+”, and then the transport type.For instance for 
>> TCP the scheme is “rr+tcp”. If TLS is used, “rr” is replaced with 
>> “rrs” to indicate the extra security.For TCP a secure transport would 
>> use the scheme “rrs+tcp”. The following schemes are used and will 
>> each be discussed in detail in the following sections:
>> ·rr+tcp
>> ·rrs+tcp
>> ·rr+local
>> ·rr+usb
>> ·rr+pci
>> ·rr
>> ·rr+cloud
>> ·rr+ws
>> ·rrs+ws
>> ·rr+wss
>> ·rrs+wss
>> Each of these schemes corresponds to a different selection of 
>> transports and security options.
>> The hostname and port correspond to the hostname and port of the 
>> target machine.If no port is specified the default is used.For 
>> rr+local, rr+tcp, rr+usb, rr+pci, rr, and rr+cloud the port must not 
>> be included as these do not use ports to find the target.
>> The absolute path (/path/to/endpoint) in the example is only used for 
>> WebSockets with HTTP to identify the WebSocket target and must be 
>> empty or “/” for all other transport types.
>> The query contains the name of the service to connect to.It may also 
>> contain the nodeid and nodename if desired to help find the node.The 
>> same endpoint can provide connection to multiple nodes so this 
>> provides a way to select the target node. The query string can also 
>> be used to pass extra parameters to the WebSocket HTTP server if 
>> desired.The query string is passed unmodified to the server.
>> All nodes can be secured with username and credential pairs.
>> A functional example of a Robot Raconteur URI is:
>> rr+tcp://192.168.2.3:48653/?nodeid=a7aa5f85-dfa7-41fe-89a1-1ebff43b9580&service=create
>> The following sections will describe the exact transports and how 
>> they create connections to the target nodes.
>
> I still don't see what the purpose is for all these new schemes.  Yes, 
> provisional should have a low bar, but there
> should at least be an indication that each scheme being registered 
> provides new identifiers.
>
> For example, the +ws(s) identifiers appear to just be an alias of ws 
> and wss.  Aliases are bad.
> rr and rr+cloud are being defined as aliases = VERY BAD.  There is no 
> reason to do that.
>
>> *TCP Transport*
>> ·rr+tcp – Standard TCP communication
>> ·rrs+tcp – TLS TCP communication
>> The TCP Transport operates by connecting to a remote port and then 
>> using the Robot Raconteur protocol to communicate.The official listen 
>> port is 48653.The path must be “/” or empty. The first handshake 
>> contains the target nodeid and/or nodename to identify which node 
>> should be connected.Both can be blank to connect to the default node 
>> on the endpoint.The communication can be wrapped in TLS using Start 
>> TLS semantics.The first message contains the target nodeid and/or 
>> nodename and a flag to start using TLS.The server node then provides 
>> a certificate signed by Wason Technology, LLC issued to the UUID 
>> (nodeid) of the node.The client can also provide a signed certificate 
>> to provide certificate based authentication.
>> Discovery for TCP is accomplished through UDP packets that are 
>> broadcast periodically on port 48653.The packets contain the nodeid, 
>> nodename, the connection URI, and some additional metadata to help 
>> identify the capabilities.The information is generally only used to 
>> connect to the “Service Index” that runs on all nodes.This index 
>> provides detailed information about the services available and how to 
>> connect.The clients will interrogate the nodes through the Service 
>> Index to determine if the node matches the search criteria.During 
>> this process it will also verify the TLS certificates if appropriate.
>
> Okay, it sounds like you have two identifiers: one for the service 
> index and one for the node within that service.
> Why don't you use two URIs: one for identifying the service index 
> (defines the protocols necessary to get there)
> and one for a single rr scheme that identifies the rr node ("/" being 
> the index itself)?
>
> Also, TLS implies TCP.  For most schemes, the bare name is TCP and 
> {name}s is TLS.  So, rr and rrs, or
> raconteur and raconteurs if you want to be more descriptive.  Using 
> plain rr to indicate the WebRTC
> transport is very odd.
>
>> *WebSocket Transport*
>> The WebSocket transport is an extension to the TCP transport and in 
>> the software is directly integrated into the TCP transport.It works 
>> by wrapping the TCP transport data into WebSocket binary frames. The 
>> frame boundaries are ignored as the stream is reassembled on the 
>> receiving end.The frames however shall be equal to or less than 4 KB 
>> of data per frame.
>> The transport also implements the HTTP handshake to start the 
>> WebSocket protocol using the subprotocol “robotraconteur”. The URI 
>> contains the path to the WebSocket and query information, both of 
>> which are passed unmodified to the server. The URI must contain a 
>> query parameter named “service” to identify the name of the service 
>> to connect.
>> All nodes that listen for TCP connections shall also be capable of 
>> detecting and accepting an HTTP WebSocket connection to the root file 
>> path “/” on the same port that listens for standard Robot Raconteur 
>> connections. This allows for standard web browsers to connect without 
>> additional plugins. (Note that HTTPS (wss) is not possible in this 
>> configuration. See below.)
>> TLS is somewhat complicated with WebSockets due to the handshake 
>> behavior.There are four flavors of WebSocket connections:
>> ·rr+ws – No encryption (HTTP)
>> ·rrs+ws – Encryption using the TLS Robot Raconteur transport.This 
>> does not encrypt the HTTP handshake.For local network use connecting 
>> to a device this should be sufficient as the handshake only contains 
>> the target nodeid/service information which is not considered secret 
>> data. Just after the handshake the Robot Raconteur TLS layer is 
>> activated protecting any secret data. (HTTP)
>> ·rr+wss – Encrypted HTTPS transport but no Robot Raconteur 
>> encryption.Not recommended because the target node identity is not 
>> verified. (HTTPS)
>> ·rrs+wss – Encryption HTTPS transport and TLS Robot Raconteur 
>> transport.This will encrypt the HTTP handshake and allow for identity 
>> verification of the node.Note that this is only possible when the 
>> target node has an official HTTPS certificate which is not available 
>> for IoT type devices.In those cases rrs+ws should be used as it is 
>> designed for such scenarios. rrs+wss should only be used when it is 
>> determined to be truly necessary.
>
> This just describes several access mechanism which will (after 
> accessing) make use of rr identifiers.
> You don't need new schemes for this.
>
>> *Local Transport*
>> ·rr+local
>> The local transport uses UNIX sockets or Named Pipes to communicate 
>> between nodes on the same machine.The nodeid and/or nodename are used 
>> to identify the target nodes.The host is always “localhost”.A 
>> username can be used to specify which user owns the desired node, ie 
>> “username@localhost”.The port is never used and must be left out of 
>> the URI. Access control is accomplished through file permissions and 
>> standard username/credential access control. Untrusted software shall 
>> not be allow local transport access. The path must be “/” or empty.
>
> Likewise, not an identifier. You don't need an identifier for every 
> local configuration option.
>
>> *Hardware Transport*
>> ·rr+usb
>> ·rr+pci
>> Hardware device drivers are implemented through a userspace daemon 
>> service.This service provides UNIX socket / Named Pipe connections 
>> that allow nodes to access the devices.Access control is accomplished 
>> through file permissions.Generally only admin or equivalent users are 
>> given access. Untrusted software shall not be allow local transport 
>> access. The path must be “/” or empty.
>
> Likewise, not an identifier.
>
>> *Cloud Transport*
>> ·rr
>> ·rr+cloud
>> The cloud transport is a transport based on WebRTC.The signaling as 
>> accomplished through the Robot Raconteur server.Nodes are identified 
>> by the Robot Raconteur username and nodeid/nodname pair.The hostname 
>> for each user is “username.cloud.robotraconteur.com 
>> <http://username.cloud.robotraconteur.com/>”, where username is 
>> replaced with the registered username.For instance, 
>> “johnw.cloud.robotraconteur.com 
>> <http://johnw.cloud.robotraconteur.com/>” would be the hostname 
>> “johnw”. The port must not be included. Nodes connecting to the cloud 
>> service must all have issued certificates tied to the uuid of the 
>> node (nodeid). This communication is always secured through DTLS at 
>> the WebRTC layer.Security of the overall cloud is managed by the 
>> Robot Raconteur server. The hostnames for each user are only relevant 
>> within the signaling server and do not have any general use DNS 
>> meaning. “rr” and “rr+cloud” are equivalent. The path must be “/” or 
>> empty.
>
> If this is consistent with WebRTC, then use webrtc's identifiers.
>
> In other words, what you are defining here is an identifier space for 
> rr nodes and then a
> bunch of proxy mechanisms for obtaining access to those identified 
> nodes.  We don't do that
> by multiplying schemes!  We do it by sending two identifiers: one for 
> the proxy and one for
> the resource to access.  The proxy mechanisms already have defined 
> identifier schemes.
>
> ....Roy
>


-- 
John Wason, Ph.D.
Wason Technology, LLC
PO Box 669
Tuxedo, NY 10987
(518) 279-6234
wason@wasontech.com