On Fri, Dec 2, 2022 at 9:50 AM Michael Richardson <[email protected]>
wrote:

>
> Daniel Migault <[email protected]> wrote:
>     > In my opinion the Synchronization Channel is initiated by the DM and
>     > follows AXFR over TLS (9103). To my understanding NOTIFY, SOA exchange
>     > may be protected by TLS or not. Of course if the TLS session has not
>     > been established by the DM the NOTIFY cannot be protected.
>
> Yes. It is initiated by the DM, and it's a TCP/TLS connection from
> a random port on the DM to the designated port (853) on the HNA.
> So, how does the *HNA* use this connection to send a Notify from the HNA to
> the DM, when it doesn't initiate to the DM?
>
That was my reading of 9103, but now I am thinking that if the TCP session
is down, protection is probably using port 853 on the DM. In that case,
using the control channel or a new TLS session seems to be the same. One
advantage is that PSK can be used with the already established control
channel. My impression is that using the control channel is one way to do
it and has some benefits, but that it is only one way to do it, and other
ways could include port 53 or a new TLS session.

>
>     > While I do see the point in re-using the control channel, I do not
>     > think we should recommend this. Firstly it mixes the following
>     > channels, so if we find another way to set the DM / HNA configuration
>     > we will always have to handle the Notify.
>
>     > I also believe that this changes 9103, and I believe that it would be
>     > good if we could re-use implementations of 9103 without modifications.
>     > It might be good to mention that the Notifies may also take the
>     > control channel - just leaving this as a potential possibility.
>
> 9103 documents that NOTIFY messages travel over port-53, and are not
> protected.
> That's fine, since they just cause an SOA query in the other direction, but
> in the case of the HNA and DM, the only port that the HNA knows about that
> it can send to is the Control Channel's port.
>
I see your point. I think that it is worth mentioning that the reason for
using the control channel is that it is the only port we know the DM is
reachable on. I have connected all the dots - thanks for the explanation - and I
am fine with your recommendation. I agree with your two points.

>
> --
> Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
>            Sandelman Software Works Inc, Ottawa and Worldwide
>

-- 
Daniel Migault
Ericsson
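Added example, not part of the thread or of any HNA/DM implementation: the NOTIFY and SOA messages the thread talks about, in the 2-byte length-prefixed framing that DNS over TCP/TLS uses, together with a receiver-side check that only acts on a NOTIFY arriving over an authenticated channel for a zone it is configured to serve. The zone name, message IDs and the "known zones" table are constructed for the example; the flag layout follows RFC 1035 and RFC 1996.

```python
"""DNS NOTIFY -> NOTIFY response -> SOA query, at the wire level, over a
length-prefixed TCP/TLS stream. Added example; zone names, IDs and the
known-zones table below are constructed, not taken from the thread."""
import struct

OPCODE_QUERY, OPCODE_NOTIFY = 0, 4          # RFC 1035 / RFC 1996 opcodes
QTYPE_SOA, QCLASS_IN = 6, 1
RCODE_NOERROR, RCODE_REFUSED = 0, 5
FLAG_QR, FLAG_AA = 1 << 15, 1 << 10          # header flag bits


def encode_name(name: str) -> bytes:
    """'example.com.' -> b'\\x07example\\x03com\\x00' (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Read an uncompressed name at offset; returns (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def build_notify(msg_id: int, zone: str) -> bytes:
    """NOTIFY request as the primary sends it: QR=0, opcode 4, AA=1, QTYPE SOA."""
    flags = (OPCODE_NOTIFY << 11) | FLAG_AA
    hdr = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return hdr + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def build_soa_query(msg_id: int, zone: str) -> bytes:
    """The SOA query the secondary sends 'in the other direction' after a NOTIFY."""
    hdr = struct.pack("!HHHHHH", msg_id, OPCODE_QUERY << 11, 1, 0, 0, 0)
    return hdr + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def frame(msg: bytes) -> bytes:
    """TCP/TLS framing: 2-byte big-endian length, then the DNS message."""
    return struct.pack("!H", len(msg)) + msg


def unframe(stream: bytes):
    """Split a byte stream into complete DNS messages; returns (msgs, leftover)."""
    msgs, off = [], 0
    while off + 2 <= len(stream):
        n = struct.unpack("!H", stream[off:off + 2])[0]
        if off + 2 + n > len(stream):
            break                            # partial message, wait for more bytes
        msgs.append(stream[off + 2:off + 2 + n])
        off += 2 + n
    return msgs, stream[off:]


def parse(msg: bytes) -> dict:
    """Decode header and the single question; 'qend' is the question's end offset."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    zone, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": msg_id, "qr": bool(flags & FLAG_QR), "opcode": (flags >> 11) & 0xF,
            "aa": bool(flags & FLAG_AA), "rcode": flags & 0xF,
            "zone": zone, "qtype": qtype, "qclass": qclass, "qend": off + 4}


def handle_notify(wire: bytes, known_zones: set, channel_authenticated: bool):
    """Receiver (secondary) side. Acts only when the NOTIFY is well-formed, names a
    configured zone and came over an authenticated channel; otherwise answers
    REFUSED (this example's policy choice) and triggers nothing.
    Returns (response bytes, rcode, follow-up SOA query or None)."""
    req = parse(wire)
    ok = (req["opcode"] == OPCODE_NOTIFY and not req["qr"]
          and req["qtype"] == QTYPE_SOA and req["qclass"] == QCLASS_IN
          and req["zone"] in known_zones and channel_authenticated)
    rcode = RCODE_NOERROR if ok else RCODE_REFUSED
    flags = FLAG_QR | (OPCODE_NOTIFY << 11) | FLAG_AA | rcode
    resp = struct.pack("!HHHHHH", req["id"], flags, 1, 0, 0, 0) + wire[12:req["qend"]]
    follow_up = build_soa_query((req["id"] + 1) & 0xFFFF, req["zone"]) if ok else None
    return resp, rcode, follow_up


if __name__ == "__main__":
    notify = build_notify(0x1234, "example.com.")            # constructed zone
    msgs, rest = unframe(frame(notify))
    resp, rcode, query = handle_notify(msgs[0], {"example.com."}, True)
    print(parse(resp)["rcode"], parse(query)["zone"])         # 0 example.com.
```

The `channel_authenticated` flag stands in for whatever the receiving side knows about the connection the NOTIFY arrived on (an established TLS session with a PSK-authenticated peer versus an unprotected port-53 datagram); the point of the check is that a NOTIFY is only a hint, and the receiver decides by its own configuration whether to issue the SOA query that follows.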
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet