Apparea meeting, Nov 9, 2009

Agenda:
1) Dan Wing: short announcement of GROBJ BOF (10 mins)
2) Dan Wing: Building IPv6 Applications which Access IPv4 Servers (draft-wing-v6ops-v6app-v4server-01.txt) - 15 mins
3) Peter Saint-Andre: Apps Review Team - 5 mins
4) Peter Saint-Andre: TLS server identity checks in application protocols (draft-saintandre-tls-server-id-check) - 20 mins [with discussion]
5) Magnus Westerlund: IANA ports and service names registry - 20 mins [with discussion]
6) John C Klensin: FTP commands and extensions registry - 15 mins
7) Spencer Dawkins: Subscription/Notification for Lightweight Directory Access Protocol (LDAP) (draft-dawkins-ldapext-subnot-01.txt) - 20 mins
45 mins for the remainder of the session:
8) Short presentations about other Apps BOFs
9) Open mic

GROBJ BOF Topic
Dan Wing: Solving redirect problems is hard, but it's even harder to do per-protocol. The BOF is Wednesday afternoon at 1510. GROs allow referral between protocols, such as SIP and XMPP.

Building IPv6 Apps Topic
For detail, see draft-wing-v6ops-v6app-v4server-01.txt.
Summary: Most of the time the v6-to-v4 problems don't exist, in particular when you're using DNS. Sometimes, however, a v6-only host can get a v4 address. An app-specific solution is to have a dual-stack proxy. In general, a broader solution below the app layer is to make code changes on the IPv6 side to encode the v4 address in v6.
Ted Hardie asked if TLS breaks this broader solution; Dan answered no.
Dave Crocker asked if the cost-benefit analysis has been done (answer: not yet).

Subscription/Notification for Lightweight Directory Access Protocol (LDAP) Topic
For detail, see draft-dawkins-ldapext-subnot-01.txt.
Summary by Spencer: 3GPP is working on "Unified Subscriber Data" with aggressive timelines. Why not use RFC 4533 or RFC 3928? A key difference: third-party subscriptions. Question for this audience: is this an appropriate LDAP extension?
We think the LDAPext list is the right place for discussion.

Apps-Review Team Topic
The focus of the team is Apps/RAI/Security. The site is http://www.apps.ietf.org. Ping Peter if you're willing to help, or if you want a review.

Server ID Checking Topic
For detail, see http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-02.
Peter Saint-Andre: Lots of protocols use X.509, and each has to define its own identity checking rules, so they're all slightly different. This I-D shows the similarities and differences. The process is that the server presents multiple identities (i.e. subjectAltNames including domain names and IDNAs, falling back to the CN), and there are various rules for checking the different identities. Various issues covered include client checking, fingerprint matching, non-X.509 certs, use beyond TLS (IPsec, DTLS, etc.) and wildcard identities.
Pete Resnick asked if this involves new rules for how CAs generate certs. No, just rules for clients. Pete pointed out that stricter rules for signing certs would also be useful.
Dave asked whether, if this is a component and nobody's going to use it, it's a waste of time; is there a context specified in the I-D? Answer: this has been shown to be hard to get right if it's done over again in each application protocol that uses TLS to verify the server. There are a lot of non-obvious edge cases.

Ports Topic
For detail, see http://tools.ietf.org/html/draft-ietf-tsvwg-iana-ports-03.
The goal of this document is to update the registration procedures and unify the registries. It updates existing RFCs. It doesn't give guidance to app designers, nor does it specify port/name spaces.
Question: if I already own a name in /etc/services, do I have to register again for SRV? Answer: yes.
One goal is to allow IANA to specify the format, and there are a few syntax changes. Basically US-ASCII a-z, 0-9 and hyphen, case insensitive, no hyphen at start or end. Some old names like "whois++" will need fixing to meet the new syntax, which doesn't allow '+' (in this case, whoispp is preferred).
New names will be added as aliases so the original names won't disappear.
Stuart Cheshire pointed out there are 10k names, almost all human mnemonics; however, with SRV they're being used programmatically. Is anyone using these strings in (e.g.) getservbyname? In reality, most apps use the well-known port directly.
Joe Touch pointed out that NATs may involve manual changes to /etc/services files, which involve typing in the human mnemonic.
One issue is name length: a limit of 14 may be bad, as there are about 90 IDs that are 15 characters long. There is a Bluetooth interop issue.
In the previous way these registries were maintained, you got TCP and UDP even if you didn't want both. Sometimes you'd get 30 ports, sometimes not. IANA couldn't assign a name without a number. In the new way, the default is one port per service, and one port for all versions, including secure. IANA may recover/reuse/transfer assignments. Assignment is first-come-first-served without a port number, otherwise expert review. In the past we've seen ~4k/year, constant over the last 10 years.
Comment: Olafur asked if merging the registries is really wise. He has a draft to register just SRVs.
Lisa asked if TSV would be a better area to ask for consensus here, but the response was that this is about applications' needs.

FTP Commands and Extensions Registry Topic
... no comments recorded.

6Lowapp BOF Topic
Carsten Bormann: we have the 6lowpan and roll WGs already; now it's time to talk about applications.

IRI BOF Topic
Larry Masinter: a group of browser makers are also discussing this topic (HTML5). HTML5 originally contained its own description, different processing rules, etc., describing what browsers currently do (which is not what's in the RFC).

DECADE BOF Topic
Richard Woundy: this is about storage in the network. P2P is a large percentage of network traffic. ISP-hosted caches for P2P apps do exist, but because the protocols are varied and evolving, such a cache is both complex and limited.
Brief discussion on how DECADE is complementary to ALTO, not conflicting.
Ed Juskevicius asked: how do apps/people compete with each other for space? A: good topic for the BOF.
Stuart Cheshire: is this just allowing ISPs to minimize the amount of traffic they're transferring? A: costs for different links are different, so sometimes this displaces traffic to cheaper sources.

HyBi BOF Topic
Joe Hildebrand: HyBi = Hypertext Bidirectional, now morphing more into discussions of bidirectional communication between browser and server.

Per-area Office Hours Topic
Alexey asked: is this a good idea?

Open Mic Topic
Barry Leiba: VWRAP is starting, please participate.
Dave Crocker: need protocol help for VWRAP.
Agenda bash added: HTTP usage presentation by Lisa Dusseault; see slides in proceedings.
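The client-side identity matching summarised in the Server ID Checking topic above (check the dNSName subjectAltName entries first, consult the CN only as a fallback when no dNSName is present, and apply restricted wildcard rules) as an added Python illustration written for these minutes; it is not code from the I-D, from the presenter, or from any TLS library. The certificate is a constructed dictionary standing in for a parsed X.509 certificate, names are assumed to already be ASCII A-labels, and the refusal to match partial-label wildcards, wildcards in anything but the left-most label, and two-label patterns such as "*.com" is this example's conservative reading of the draft's wildcard advice. The IP-literal rule (compare only iPAddress entries, never the CN) is likewise an assumption added here for completeness.

```python
import ipaddress

# Constructed sample certificates (not real), shaped as a parser might hand
# them over: a list of (SAN type, value) tuples plus the subject CN.
CERT_WITH_SANS = {
    "subject_alt_names": [("dNSName", "www.example.com"),
                          ("dNSName", "*.example.net")],
    "common_name": "ignored.example.org",   # must NOT be consulted
}
CERT_CN_ONLY = {"subject_alt_names": [], "common_name": "mail.example.com"}
CERT_BROAD_WILDCARD = {"subject_alt_names": [("dNSName", "*.com")],
                       "common_name": None}
CERT_IP = {"subject_alt_names": [("iPAddress", "192.0.2.10")],
           "common_name": "192.0.2.10"}


def _normalize(name):
    # DNS names compare case-insensitively; drop a single trailing dot.
    # Assumption: internationalized names have already been converted to A-labels.
    return name.rstrip(".").lower()


def _dns_name_matches(presented, reference):
    """Match one presented dNSName (possibly a wildcard) against the
    reference identity the client intended to reach."""
    p_labels = _normalize(presented).split(".")
    r_labels = _normalize(reference).split(".")
    if not all(p_labels) or not all(r_labels):
        return False                      # empty label: malformed name
    if "*" not in presented:
        return p_labels == r_labels       # exact, label-by-label comparison
    # Wildcard rules (conservative reading of the draft):
    #  - only a whole left-most label may be '*'; "w*.example.com" is rejected
    #  - '*' matches exactly one label, so it never spans a dot
    #  - at least two labels must follow '*', so "*.com" cannot match anything
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    return len(p_labels) == len(r_labels) and p_labels[1:] == r_labels[1:]


def verify_server_identity(cert, reference):
    """Return True if `cert` is acceptable for the reference identity
    `reference` (a DNS name or an IP literal)."""
    sans = cert.get("subject_alt_names", [])
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None
    if ref_ip is not None:
        # IP literal: compare only iPAddress entries; a dNSName or CN that
        # happens to contain the dotted-quad text is not an IP identity.
        return any(t == "iPAddress" and ipaddress.ip_address(v) == ref_ip
                   for t, v in sans)
    dns_ids = [v for t, v in sans if t == "dNSName"]
    if dns_ids:
        # dNSName entries present: they are authoritative, the CN is ignored.
        return any(_dns_name_matches(d, reference) for d in dns_ids)
    # No dNSName at all: legacy fallback to the subject CN.
    cn = cert.get("common_name")
    return cn is not None and _dns_name_matches(cn, reference)


if __name__ == "__main__":
    for cert, ref in [(CERT_WITH_SANS, "www.example.com"),
                      (CERT_WITH_SANS, "a.b.example.net"),
                      (CERT_WITH_SANS, "ignored.example.org"),
                      (CERT_CN_ONLY, "mail.example.com"),
                      (CERT_BROAD_WILDCARD, "example.com"),
                      (CERT_IP, "192.0.2.10")]:
        print(ref, "->", verify_server_identity(cert, ref))
```

The two edge cases the discussion calls "non-obvious" show up directly: the CN of CERT_WITH_SANS never matches because dNSName entries exist, and "*.example.net" matches "foo.example.net" but neither "example.net" nor "a.b.example.net".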