[Sis-ams] a design question for us to think about

Scott Burleigh Scott.Burleigh at jpl.nasa.gov
Mon Feb 5 13:09:37 EST 2007 

Hi, AMS fans.  A small design issue has come up (a couple of times, 
actually) that I would like to hear opinions on from the WG.

In a nutshell: because messages that cross continuum boundaries are sent 
by the destination continuum's RAMS gateway as enclosures within private 
messages on subject zero -- which every node automatically, invisibly 
invites at registration time -- it's possible for remotely announced 
messages on subject X to be delivered to a node that has never invited 
or subscribed to messages on subject X.  That is, the absence of an 
invitation or a subscription to messages on a given subject doesn't 
prevent reception of messages on that subject sent by nodes in other 
continua -- though it *does* prevent reception of messages on that 
subject sent by nodes in the local continuum.

This hasn't seemed like a high-priority problem, but it eventually needs 
to be resolved somehow: message reception behavior should be consistent, 
one way or the other, regardless of whether the sender/announcer is in 
the local continuum or a remote continuum.

There are two ways we can go here:

1.	Provide a way for nodes to exclude reception of uninvited messages 
from remote continua that is as effective as the absence of an 
invitation is in excluding reception of uninvited messages from within 
the local continuum. [Note that the delivery of *unauthorized* messages 
(e.g., a denial-of-service attack) can be prevented already, using 
standard AMS mechanisms: there can be a constrained list of authorized 
issuers of messages on a given subject, and node authentication at 
registration time can be used to assure that a given node is an 
authorized issuer.]

2.	Just say that AMS provides ways to receive messages but no way to 
prevent reception of a message, and provide some sort of automatic 
default invitation (issued at registration time) so that locally 
sent/announced messages are received even in the absence of an explicit 
invitation, just as remotely sent/announced messages are.

We really don't have any requirements from anybody one way or the other 
that I can recall.  Is it important to be able to exclude uninvited (as 
opposed to unauthorized) messages, or is it important to enable delivery 
-- announcement, say -- of messages that haven't been specifically invited?

Any strong opinions on either side?

Scott

More information about the Sis-ams mailing list