Transcript PPT Version

Emergency Contacts (ECON)
draft-hardie-ecrit-iris-03
Andrew Newton, VeriSign
Ted Hardie, Qualcomm
Hannes Tschofenig, Siemens
Andrew Newton
IETF ECRIT Working Group
1 February 2006
Washington, DC, US
Background
+ Emergency Contact (ECON) is specified as an IRIS (RFC 3981) registry type.
  ▪ A simple request/response protocol using XML.
  ▪ Uses S-NAPTR (RFC 3958)
    – Profiled use of NAPTR and SRV
    – Distinguishes between application protocol and transfer protocol
    – Protocol preference can be stated.
    – Host/port preference can be stated.
+ IRIS was created in the CRISP working group by TLD operators.
  ▪ Who know a thing or two about high resolution loads, operating highly available services, and moving data around the globe.
A Simple Request
<request xmlns="urn:ietf:params:xml:ns:iris1">
  <searchSet>
    <findEconByCivic xmlns="urn:ietf:params:xml:ns:econ1">
      <civilAddress>
        <country>US</country>
        <A1>New York</A1>
        <A3>New York</A3>
        <A6>Broadway</A6>
        <HNO>123</HNO>
        <LOC>Suite 75</LOC>
        <PC>10027-0401</PC>
      </civilAddress>
      <serviceFunction>police</serviceFunction>
    </findEconByCivic>
  </searchSet>
</request>
A Simple Response
<response xmlns="urn:ietf:params:xml:ns:iris1">
  <resultSet>
    <answer>
      <emergencyContact xmlns="urn:ietf:params:xml:ns:econ1"
                        authority="example.com" registryType="econ1"
                        entityClass="econ" entityName="nypd">
        <displayName>
          New York City Police Department
        </displayName>
        <serviceFunction>police</serviceFunction>
        <uri>
          sip:[email protected]
          xmpp:[email protected]
        </uri>
      </emergencyContact>
    </answer>
  </resultSet>
</response>
Caching
+ Caching of answers by “seekers”.
+ In the case of civic addresses…
  ▪ If your civic address does not change within X number of minutes, do not requery.
+ In the case of geo…
  ▪ If your coordinates stay within polygon Y for X number of minutes, do not requery.
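The two caching rules above as a seeker-side cache, added here as an example (not code from the slides or the draft). A civic-address answer is reused until its TTL (the slide's X minutes) runs out; a geo answer is reused while the seeker's current coordinates stay inside the polygon (the slide's Y) the answer was scoped to and the TTL has not run out. The clock is passed in so the behaviour is deterministic; the TTL, polygon and answer strings are constructed.

```python
"""Added example: seeker-side cache implementing the civic and geo rules on
the slide.  TTLs, polygon and answers are constructed; 'now' is injected."""


def point_in_polygon(lat, lon, polygon):
    """Ray-casting test; polygon is a list of (lat, lon) vertices in order."""
    inside = False
    j = len(polygon) - 1
    for i in range(len(polygon)):
        lat_i, lon_i = polygon[i]
        lat_j, lon_j = polygon[j]
        crosses = (lat_i > lat) != (lat_j > lat)
        if crosses and lon < (lon_j - lon_i) * (lat - lat_i) / (lat_j - lat_i) + lon_i:
            inside = not inside
        j = i
    return inside


def civic_key(civic):
    """Normalise a civic address so case/whitespace differences do not cause a
    needless requery."""
    return tuple(sorted((k.upper(), " ".join(str(v).split()).casefold()) for k, v in civic.items()))


class SeekerCache:
    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._civic = {}    # (civic_key, service) -> (answer, expires_at)
        self._geo = []      # (polygon, service, answer, expires_at)

    # civic rule: same address, TTL not expired -> reuse
    def put_civic(self, civic, service, answer, now):
        self._civic[(civic_key(civic), service)] = (answer, now + self.ttl)

    def get_civic(self, civic, service, now):
        """Cached answer, or None meaning 'requery the server'."""
        key = (civic_key(civic), service)
        hit = self._civic.get(key)
        if hit is None:
            return None
        answer, expires_at = hit
        if now >= expires_at:
            del self._civic[key]
            return None
        return answer

    # geo rule: still inside polygon Y, TTL not expired -> reuse
    def put_geo(self, polygon, service, answer, now):
        self._geo.append((polygon, service, answer, now + self.ttl))

    def get_geo(self, lat, lon, service, now):
        """Cached answer while inside the polygon and unexpired, else None."""
        self._geo = [e for e in self._geo if e[3] > now]     # drop expired entries
        for polygon, svc, answer, _ in self._geo:
            if svc == service and point_in_polygon(lat, lon, polygon):
                return answer
        return None
```

Note that the service function is part of the key in both cases: an answer cached for "police" must not be handed back to a later "fire" query from the same place.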
Database Replication in ECON
+ We take no single position on database replication with ECON.
  ▪ It most likely will differ greatly throughout the world.
  ▪ Isn’t it out of scope?
+ But we have identified 3 methods of conducting database replication with ECON.
  ▪ Serialized database entries to a file as specified in IRIS.
    – And the file transfer protocol of your choice. Many people like SFTP.
  ▪ ECONREP (ECON Replication)
    – Interactive IRIS profile.
    – Replication of entries before they become active.
    – Incremental replication.
  ▪ Anything you find that works better for your situation.
    – RDBMS replication
    – Shared Network Memory
    – Osmosis, crystal balls, and strong hope
Object Signing Considered Harmful
+ My house is on fire. Who do I call?
  ▪ Please update your client with the proper trust anchors.
    – My house is still on fire.
  ▪ Please cryptographically verify these URIs.
    – It’s getting hotter.
  ▪ Please check this CRL.
    – Did I mention that my house is on fire?
+ Object signing is useful for diagnosing problems.
  ▪ But that happens after the incident, not during.
  ▪ All the mechanisms to get object signing to work seem to be a pretty heavy price to pay for a diagnostic tool.
+ Due to the nature of ECRIT, signing will need to be done “on-the-fly”.
  ▪ VERY CPU INTENSIVE
Comparison to DNS SOS and LUMP
+ DNS SOS
  ▪ Similar in that it is built for speed by trying to utilize UDP when possible.
  ▪ Unlike in that IRIS/ECON’s query framework is not intertwined with its octet framing.
    – IRIS/ECON uses XML, which is much more flexible.
+ LUMP
  ▪ Similar in that it is just as flexible in the query framework.
  ▪ Unlike in that IRIS/ECON does not require the heavyweight transfer protocol interactions used by SOAP/HTTPS.
    – IRIS/ECON uses UDP when possible to gain efficiencies and takes into careful consideration the copious use of security mechanisms which may weigh down the protocol.
Packets in a Simple UDP Transaction
  Client -> Server: Tell me about example.com
  Server -> Client: Here is the data
Packets in a typical TCP Transaction
  Client -> Server: Open a TCP connection
  Server -> Client: Are you Sure?
  Client -> Server: Yes.
    [NOTE: At this point 3 packets have been exchanged, but no data has been exchanged.]
  Client -> Server: I need some data.
  Server -> Client: Here is the data
  Client -> Server: Thanks.
  Client -> Server: Close the TCP connection
  Server -> Client: Ok.
    [Connection induced state: consumes memory, ports, and CPU in the server.]
Messages in a typical TLS Transaction
  Client -> Server: Open a TCP connection
  Server -> Client: Are you Sure?
  Client -> Server: Yes.
  Client -> Server: TLS( ClientHello )
  Server -> Client: TLS( ServerHello )
  Server -> Client: TLS( Certificate )
  Server -> Client: TLS( ServerHelloDone )
  Client -> Server: TLS( ClientKeyExchange )
  Client -> Server: TLS( ChangeCipherSpec )
  Client -> Server: TLS( Finished )
  Server -> Client: TLS( ChangeCipherSpec )
  Server -> Client: TLS( Finished )
    [This is where ECRIT data starts to be exchanged.]
  Client -> Server: I need some data.
  Server -> Client: Here is the data
  Client -> Server: Thanks.
  Client -> Server: TLS( ClosureAlert )
  Server -> Client: TLS( ClosureAlert )
  Client -> Server: Close the TCP connection
  Server -> Client: Ok.
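The two-datagram UDP exchange drawn above, run over loopback with a throwaway server thread, as an added example (not code from the slides). It is a stand-in for the transfer, not LWZ itself (LWZ adds its own header and compression); the request and response bytes are constructed from the slides' XML. Besides the single round trip, it reports the response/request size ratio, which is the check a practitioner wants alongside the speed argument: with no handshake the server answers a datagram whose source address it never validated, so that ratio is the amplification an address-spoofing sender obtains, and it is why UDP request/response protocols keep unsolicited responses small or add a cookie exchange.

```python
"""Added example: one UDP request, one UDP response, over 127.0.0.1.
Not LWZ; request/response bytes are constructed from the slide XML."""
import socket
import threading
import time

REQUEST = (b'<request xmlns="urn:ietf:params:xml:ns:iris1"><searchSet>'
           b'<findEconByCivic xmlns="urn:ietf:params:xml:ns:econ1"><civilAddress>'
           b'<country>US</country><A3>New York</A3><A6>Broadway</A6><HNO>123</HNO>'
           b'</civilAddress><serviceFunction>police</serviceFunction>'
           b'</findEconByCivic></searchSet></request>')
RESPONSE = (b'<response xmlns="urn:ietf:params:xml:ns:iris1"><resultSet><answer>'
            b'<emergencyContact xmlns="urn:ietf:params:xml:ns:econ1" authority="example.com"'
            b' registryType="econ1" entityClass="econ" entityName="nypd">'
            b'<displayName>New York City Police Department</displayName>'
            b'<serviceFunction>police</serviceFunction>'
            b'<uri>sip:[email protected] xmpp:[email protected]</uri>'
            b'</emergencyContact></answer></resultSet></response>')


def _serve_one(sock):
    """Server side of the slide: one datagram in, one datagram out, no state kept.
    Nothing here proves the source address is genuine; the reply goes wherever
    the datagram claimed to come from."""
    data, peer = sock.recvfrom(65535)
    sock.sendto(RESPONSE if data == REQUEST else b"<error/>", peer)


def udp_transaction(request, timeout=2.0):
    """Client side: send one datagram, wait for one reply.  Returns the reply,
    the round-trip time and the size ratio of reply to request."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))                      # ephemeral port on loopback
    port = srv.getsockname()[1]
    worker = threading.Thread(target=_serve_one, args=(srv,), daemon=True)
    worker.start()

    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(timeout)
    try:
        t0 = time.perf_counter()
        cli.sendto(request, ("127.0.0.1", port))    # packet 1: "Tell me about example.com"
        reply, _ = cli.recvfrom(65535)              # packet 2: "Here is the data"
        rtt_ms = (time.perf_counter() - t0) * 1000.0
    finally:
        worker.join(timeout)
        cli.close()
        srv.close()
    return {"reply": reply, "rtt_ms": rtt_ms, "amplification": len(reply) / len(request)}


if __name__ == "__main__":
    r = udp_transaction(REQUEST)
    print(f"rtt {r['rtt_ms']:.3f} ms, amplification x{r['amplification']:.2f}")
```

Compared with the TCP ladder above, the client's first and only outbound packet already carries the query; compared with the TLS ladder, nothing is verified about who answered, which is the trade the "Object Signing Considered Harmful" slide is arguing about.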
UDP vs. TCP vs. TLS
+ IRIS queries over UDP, TCP, and TLS.
+ 5 distinct queries X 500 iterations
  ▪ = 2,500 queries
[Bar chart: total time in milliseconds for the 2,500 queries, one bar each for LWZ/UDP, XPC/TCP and XPCS/TLS; y-axis 0 to 1,800,000 ms]
+ UDP
  ▪ 13.8 X faster than TCP
  ▪ 45.9 X faster than TLS
+ TCP
  ▪ 3.4 X faster than TLS