IETF Logo Mail Archive

Re: [APPS-REVIEW] Review of HTTP Binding for DSKPP

Hannes Tschofenig <Hannes.Tschofenig@gmx.net> Sat, 22 September 2007 14:24 UTC

Return-path: <apps-review-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IZ5ub-0003Ca-Q0; Sat, 22 Sep 2007 10:24:49 -0400
Received: from apps-review by megatron.ietf.org with local (Exim 4.43) id 1IZ5ua-0003CV-KF for apps-review-confirm+ok@megatron.ietf.org; Sat, 22 Sep 2007 10:24:48 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IZ5ua-00035f-Ad for apps-REVIEW@ietf.org; Sat, 22 Sep 2007 10:24:48 -0400
Received: from mail.gmx.net ([213.165.64.20]) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1IZ5uP-0006nk-0g for apps-REVIEW@ietf.org; Sat, 22 Sep 2007 10:24:38 -0400
Received: (qmail invoked by alias); 22 Sep 2007 14:24:20 -0000
Received: from p54987604.dip.t-dialin.net (EHLO [192.168.1.4]) [84.152.118.4] by mail.gmx.net (mp018) with SMTP; 22 Sep 2007 16:24:20 +0200
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX180r8pEg2k0M2miYfoEEjY7MZr9diIP1kP9eqcUfa AzqqyTjsP7Qfa+
Message-ID: <46F52594.305@gmx.net>
Date: Sat, 22 Sep 2007 16:24:20 +0200
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Barry Leiba <leiba@watson.ibm.com>
Subject: Re: [APPS-REVIEW] Review of HTTP Binding for DSKPP
References: <46E93396.2090003@gmx.net> <F6E2234BBB9D34C94306BF50@446E7922C82D299DB29D899F> <46F4E31A.2050700@gmx.net> <3EF861EB9E7E71DCF1B32820@Uranus.local>
In-Reply-To: <3EF861EB9E7E71DCF1B32820@Uranus.local>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 82c9bddb247d9ba4471160a9a865a5f3
Cc: apps-REVIEW@ietf.org
X-BeenThere: apps-review@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Applications Review List <apps-review.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/apps-review>, <mailto:apps-review-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/apps-review>
List-Post: <mailto:apps-review@ietf.org>
List-Help: <mailto:apps-review-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/apps-review>, <mailto:apps-review-request@ietf.org?subject=subscribe>
Errors-To: apps-review-bounces@ietf.org

Hi Barry,

Barry Leiba wrote:
>> I am not sure whether the separate port number idea will find a lot of
>> excitement since the downside is that a network operator that just 
>> does not
>> care about the specific protocol (even through he does not mind 
>> allowing end
>> hosts to run it) will essentially block it.
>
> Hannes, I'm not sure I understand what you're saying here, so maybe 
> you should explain more.  What I read it as saying is that you don't 
> like using a separate port because you *want* to sneak through 
> firewalls without telling the firewall administrators.  There be 
> dragons, and that was Chris's point.  A protocol that looks like HTTP 
> but is used for a different purpose should be on a different port.
>
> Actually, I've had this argument with people within my company too, 
> and it might be that we aren't clear about what the port-number list 
> *is*: it should be more like a list that maps *applications*, rather 
> than *protocols*, to ports.  In most cases, that's the same.  But with 
> SMTP and HTTP, at least, it's not.
>
I agree that it would be nice to allow administrators to make these type 
of decisions.

In other areas in the IETF folks also had the idea that the network 
administrators are going to configure their networks in such a way that 
the protocols would work. SIP and NAT/Firewall traversal is a good 
example. It took a while to realize that this is not a good approach.

DSKPP is an application layer protocols that allows an end point to 
retrieve keying material for usage with other protocols. Typically, the 
client on an end host will interact with a server in it's home network.
If I am in a hotel network and want to obtain new keying material for 
usage with my VPN client and the network administrator of the hotel 
network does not know the port number used by DSKPP then it might happen 
that I just cannot use the protocol.

Now, there are also other protocols flying around in this space; 
actually a large number of protocols in this identity management space 
that happen to run on top of HTTP without using an additional port (at 
least to my knowledge).

I don't see why these protocol should work in all environments (where 
HTTP traffic is allowed to bypass a middlebox) but a protocol developed 
within the IETF isn't just because there is this idea of a "clean 
architecture".

Does my reasoning make sense to you?

Ciao
Hannes

> Barry



_______________________________________________
APPS-REVIEW mailing list
APPS-REVIEW@ietf.org
https://www1.ietf.org/mailman/listinfo/apps-review

v2.23.0 | Report a Bug | By Email