[Sis-ams] a design question for us to think about
Scott Burleigh
Scott.Burleigh at jpl.nasa.gov
Mon Feb 5 13:09:37 EST 2007

Hi, AMS fans. A small design issue has come up (a couple of times,
actually) that I would like to hear opinions on from the WG.

In a nutshell: because messages that cross continuum boundaries are sent
by the destination continuum's RAMS gateway as enclosures within private
messages on subject zero -- which every node automatically, invisibly
invites at registration time -- it's possible for remotely announced
messages on subject X to be delivered to a node that has never invited
or subscribed to messages on subject X. That is, the absence of an
invitation or a subscription to messages on a given subject doesn't
prevent reception of messages on that subject sent by nodes in other
continua -- though it *does* prevent reception of messages on that
subject sent by nodes in the local continuum.

This hasn't seemed like a high-priority problem, but it eventually needs
to be resolved somehow: message reception behavior should be consistent,
one way or the other, regardless of whether the sender/announcer is in
the local continuum or a remote continuum.

There are two ways we can go here:

1. Provide a way for nodes to exclude reception of uninvited messages
from remote continua that is as effective as the absence of an
invitation is in excluding reception of uninvited messages from within
the local continuum. [Note that the delivery of *unauthorized* messages
(e.g., a denial-of-service attack) can be prevented already, using
standard AMS mechanisms: there can be a constrained list of authorized
issuers of messages on a given subject, and node authentication at
registration time can be used to assure that a given node is an
authorized issuer.]

2. Just say that AMS provides ways to receive messages but no way to
prevent reception of a message, and provide some sort of automatic
default invitation (issued at registration time) so that locally
sent/announced messages are received even in the absence of an explicit
invitation, just as remotely sent/announced messages are.

We really don't have any requirements from anybody one way or the other
that I can recall. Is it important to be able to exclude uninvited (as
opposed to unauthorized) messages, or is it important to enable delivery
-- announcement, say -- of messages that haven't been specifically invited?

Any strong opinions on either side?

Scott
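
The inconsistency described in the message above, and the enclosure filtering proposed as option 1, shown as a toy model. This is an added example, not part of the original post and not the AMS API; every class, function and field name, and the use of subject 7, is an assumption made for illustration.

```python
# Toy model of the two delivery paths described in the message above.
# All names are hypothetical; this is not the AMS API.
from dataclasses import dataclass, field

SUBJECT_ZERO = 0  # carrier subject every node invites at registration


@dataclass
class Message:
    subject: int
    body: str
    enclosure: "Message | None" = None  # set when a RAMS gateway wraps a remote message


@dataclass
class Node:
    filter_enclosures: bool = False  # models option 1 from the message
    invited: set = field(default_factory=lambda: {SUBJECT_ZERO})
    delivered: list = field(default_factory=list)

    def invite(self, subject):
        self.invited.add(subject)

    def receive(self, msg):
        """Return True if the message reaches the application."""
        if msg.subject not in self.invited:
            return False  # local path: no invitation, no delivery
        inner = msg.enclosure
        if msg.subject == SUBJECT_ZERO and inner is not None:
            # Remote path: the implicit subject-zero invitation always matches,
            # so the enclosed subject is checked only when the node opts in.
            if self.filter_enclosures and inner.subject not in self.invited:
                return False
            msg = inner
        self.delivered.append((msg.subject, msg.body))
        return True


def rams_forward(remote_msg):
    """Destination gateway: enclose the remote message in a subject-zero message."""
    return Message(SUBJECT_ZERO, "", enclosure=remote_msg)


def demo(filter_enclosures):
    """Node never invites subject 7; return (local delivered?, remote delivered?)."""
    node = Node(filter_enclosures=filter_enclosures)
    local = node.receive(Message(7, "from local continuum"))
    remote = node.receive(rams_forward(Message(7, "from remote continuum")))
    return local, remote
```

With `filter_enclosures=False` the uninvited remote message is delivered while the local one is not; with `True` the two paths behave the same.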