IETF Logo Mail Archive

Re: [6tisch] [Ace] Optimizing EAP-over-CoAP payload

Abhijan Bhattacharyya <abhijan.bhattacharyya@tcs.com> Wed, 14 October 2015 11:10 UTC

Return-Path: <prvs=722a458ff=abhijan.bhattacharyya@tcs.com>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25C391A016B; Wed, 14 Oct 2015 04:10:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lf61ErwmoKAc; Wed, 14 Oct 2015 04:10:23 -0700 (PDT)
Received: from inkolg01.tcs.com (inkolg01.tcs.com [121.241.215.10]) by ietfa.amsl.com (Postfix) with ESMTP id B12321A0161; Wed, 14 Oct 2015 04:10:19 -0700 (PDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A2AyAgBINR5W/wQXEqxeg3puvgIBDYFaFwEJgnKCCn8CHIFVFAEBAQEBAQGBCoQmAQEBAwEBAQEgSwsFCwsHBgEDAQIBAigDAgICJR8DBggGCgEIFAeICxWuKAEBAW+TVgEBAQEBAQEBAQEBAQEBAQEBAQEBAReFS2qEOYEGhDQOMAoMAQQHBoIoOxQdgRQFhz2FUXSIE4UZhUuEDxWEJZIJg28fAQGCUQIdgVxphSaBSQEBAQ
X-IPAS-Result: A2AyAgBINR5W/wQXEqxeg3puvgIBDYFaFwEJgnKCCn8CHIFVFAEBAQEBAQGBCoQmAQEBAwEBAQEgSwsFCwsHBgEDAQIBAigDAgICJR8DBggGCgEIFAeICxWuKAEBAW+TVgEBAQEBAQEBAQEBAQEBAQEBAQEBAReFS2qEOYEGhDQOMAoMAQQHBoIoOxQdgRQFhz2FUXSIE4UZhUuEDxWEJZIJg28fAQGCUQIdgVxphSaBSQEBAQ
X-IronPort-AV: E=Sophos;i="5.17,681,1437417000"; d="scan'208";a="13034318"
X-DISCLAIMER: FALSE
In-Reply-To: <561E1D9F.3060803@ackl.io>
References: <56162F1A.5020503@ackl.io> <DEC84E1F-F40D-48C2-8CBD-8262FADD45B2@um.es> <OF8676C547.C1DA2D9E-ON65257EDD.00415177-65257EDD.00465A76@tcs.com> <561E1D9F.3060803@ackl.io>
To: Alexander Pelov <a@ackl.io>
MIME-Version: 1.0
X-KeepSent: A8F0C789:50692FBC-65257EDE:003B852E; type=4; name=$KeepSent
X-Mailer: IBM Notes Release 9.0 March 08, 2013
Message-ID: <OFA8F0C789.50692FBC-ON65257EDE.003B852E-65257EDE.003D5A1E@tcs.com>
From: Abhijan Bhattacharyya <abhijan.bhattacharyya@tcs.com>
Date: Wed, 14 Oct 2015 16:40:07 +0530
X-MIMETrack: Serialize by Router on INKOLM102/TCS(Release 9.0.1FP4|June 07, 2015) at 10/14/2015 16:40:08, Serialize complete at 10/14/2015 16:40:08
Content-Type: multipart/alternative; boundary="=_alternative 003D5A1B65257EDE_="
Archived-At: <http://mailarchive.ietf.org/arch/msg/6tisch/s9piV7ViPPlEIbD92mkHbJE1bL4>
Cc: 6tisch@ietf.org, Ace <ace-bounces@ietf.org>, Rafa Marin Lopez <rafa@um.es>, dan.garcia@um.es, ace@ietf.org
Subject: Re: [6tisch] [Ace] Optimizing EAP-over-CoAP payload
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Oct 2015 11:10:27 -0000

Hi Alexander,

> Thanks for pointing your draft - very interesting work.
Thanks a lot.

> However, it seems to me that it solves only a subset of the problems
> at which EAP-over-CoAP is aimed.
You are right.
To be precise, the work I pointed out actually starts after the EAP. We 
tried a propose a very lightweight version of session-key establishment 
using CoAP assuming that the master keys have been previously configured 
(may be through EAP!). The idea is as follows:

The DTLS protocol can be separated into two parts in terms of 
functionality. First is secure session establishment and the next one is 
providing channel security with inherent reliability and replay 
protection. However, we think that the required exchanges in DTLS session 
establishment (I am only talking about symmetric system) may be bit heavy 
for really constrained networks with intermittent connectivity and 
bandwidth constraint. So, we propose to push the session establishment 
part to application layer (CoAP) and leverage the inherent "lightweight 
yet reliable" nature of CoAP (considering the CON mode). We believe, it is 
better to put more control to the application layer when you are dealing 
with constrained environment. The application layer session establishment 
mechanism over CoAP establishes a secure session which finally produces 
the same tuple as in DTLS session establishment ,i.e, <Server_write_key, 
Client_write_key, Server_IV, Client_IV>.

Then the responsibility is transferred to the transport layer and the 
channel security is provided using conventional DTLS-PSK record 
encryption. Thus it takes all the advantage of DTLS record encryption. The 
idea is to use the best of the worlds. CoAP's lightweight-ness coupled 
with record protection from DTLS. This was just an experimental work to 
solve some immediate problems at hand. However, if this kind of 
cross-layer approach makes sense then it may  spawn extended ideas.

 > ..... Maybe there could be some kind of cooperation .....
Its a good proposition. But we need to know if there is enough traction in 
the community for extending the work. May be we can discuss if we happen 
to meet in Yokohama.

Regards
Abhijan Bhattacharyya
Associate Consultant
Scientist, Innovation Lab, Kolkata, India
Tata Consultancy Services
Mailto: abhijan.bhattacharyya@tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty.   IT Services
                        Business Solutions
                        Consulting
____________________________________________


"Ace" <ace-bounces@ietf.org> wrote on 10/14/2015 02:47:19 PM:

> From: Alexander Pelov <a@ackl.io>
> To: Abhijan Bhattacharyya <abhijan.bhattacharyya@tcs.com>, Rafa 
> Marin Lopez <rafa@um.es>
> Cc: 6tisch@ietf.org, dan.garcia@um.es, ace@ietf.org
> Date: 10/14/2015 02:51 PM
> Subject: Re: [Ace] Optimizing EAP-over-CoAP payload
> Sent by: "Ace" <ace-bounces@ietf.org>
> 
> Hi Abhijan,
> 
> Thanks for pointing your draft - very interesting work.
> 
> However, it seems to me that it solves only a subset of the problems
> at which EAP-over-CoAP is aimed. Most notably, it is limited to a 
> specific authentication method (DTLS-PSK), whereas EAP is an 
> extensible framework. Maybe there could be some kind of cooperation 
> between the two, e.g. you could specify an EAP method like 
EAP-DTLS-PSK-short?
> 
> Best,
> Alexander
> 

> Le 13/10/2015 14:48, Abhijan Bhattacharyya a écrit :
> Hi Rafa, 
> The application layer driven approach is really interesting in the 
> constrained environment context. We had a similar approach for 
> secure session establishment (assuming that boot-strapping is 
> already done) which performs the session establishment in CoAP but 
> uses the DTLS encryption and header-structure for secure exchange of
> the application-layer message. Coincidentally we have also defined 
> an option called "Auth" . 
> 
> Here is the link to the draft: https://tools.ietf.org/html/draft-
> bhattacharyya-dice-less-on-coap-00 (Had an older work in progress: 
> https://tools.ietf.org/html/draft-bhattacharyya-core-coap-lite-auth-00
> . But this one did not provide channel security). 
> I submitted this draft to dice, however, dice was not really the 
> place to discuss this. Our draft is due to expire in about 4 days. 
> 
> 
> 
> Regards
> Abhijan Bhattacharyya
> Associate Consultant
> Scientist, Innovation Lab, Kolkata, India
> Tata Consultancy Services
> Mailto: abhijan.bhattacharyya@tcs.com
> Website: http://www.tcs.com
> ____________________________________________
> Experience certainty.        IT Services
>                        Business Solutions
>                        Consulting
> ____________________________________________
> 
> 
> "Ace" <ace-bounces@ietf.org> wrote on 10/13/2015 12:11:46 AM:
> 
> > From: Rafa Marin Lopez <rafa@um.es> 
> > To: Alexander Pelov <a@ackl.io> 
> > Cc: 6tisch@ietf.org, Dan Garcia <dan.garcia@um.es>, Rafa Marin Lopez
> > <rafa@um.es>, ace@ietf.org 
> > Date: 10/13/2015 12:16 AM 
> > Subject: Re: [Ace] Optimizing EAP-over-CoAP payload 
> > Sent by: "Ace" <ace-bounces@ietf.org> 
> > 
> > Dear Alexander:
> > 
> > Thanks for your comments 
> > 
> > > El 8 oct 2015, a las 10:53, Alexander Pelov <a@ackl.io> escribió:
> > > 
> > > Dear Rafa,
> > > 
> > > I've been reading the latest version of your draft ( draft-marin-
> > ace-wg-coap-eap-01.txt ), and I have a couple of questions regarding
> > some of the payload options, which could be optimized even further:
> > > 
> > > 1) Use shorter name for the /auth resource
> > > 2) Mandate the use of zero-length CoAP token
> > > 
> > > The first, and the more simple one, is - would it be possible to 
> > change the name of the authentication resource from /auth to a 
> > shorter one (like /a)? Maybe it could be an option to change the 
> > name of this resource, based on the underlaying architecture, e.g. 
> > an RFC could mandate that in a specific network the resource could 
> > be named /a, whereas the default value could remain /auth?
> > 
> > [Rafa] I do not see any problem to shorten the resource name.
> > 
> > > 
> > > The second, which is a little bit more subtle. Tokens are used to 
> > match responses to requests, but during the authentication/
> > authorization phase a single peer (endpoint) would communicate with 
> > a single authenticator. Moreover, the communication happens in a 
> > serial fashion, and responses are piggybacked. This falls in the 
> > case when zero-length token is also advised by RFC7252. Do you think
> > that it would be appropriate to make the use of zero-length token 
> > mandatory for EAP-over-CoAP?
> > 
> > [Rafa] I guess you are referring to this text:  
> > 
> > "An empty token value is appropriate e.g., when
> >    no other tokens are in use to a destination, "or when requests are
> >    made serially per destination and receive piggybacked responses.”
> > 
> > I would say that using zero-length token is possible. What I am not 
> > sure is whether make it mandatory or not. I mean we could say that 
> > if the client sends a zero-length token the server can consider it 
> > OK as per the text above. If there is a non-zero length token value 
> > should be also fine.
> > 
> > What do you think?
> > 
> > Best Regards.
> > 
> > > 
> > > Best,
> > > Alexander
> > > 
> > > _______________________________________________
> > > Ace mailing list
> > > Ace@ietf.org
> > > https://www.ietf.org/mailman/listinfo/ace
> > 
> > -------------------------------------------------------
> > Rafael Marin Lopez, PhD
> > Dept. Information and Communications Engineering (DIIC)
> > Faculty of Computer Science-University of Murcia
> > 30100 Murcia - Spain
> > Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
> > -------------------------------------------------------
> > 
> > 
> > 
> > 
> > _______________________________________________
> > Ace mailing list
> > Ace@ietf.org
> > https://www.ietf.org/mailman/listinfo/ace
> =====-----=====-----=====
> Notice: The information contained in this e-mail
> message and/or attachments to it may contain 
> confidential or privileged information. If you are 
> not the intended recipient, any dissemination, use, 
> review, distribution, printing or copying of the 
> information contained in this e-mail message 
> and/or attachments to it are strictly prohibited. If 
> you have received this communication in error, 
> please notify us by reply e-mail or telephone and 
> immediately and permanently delete the message 
> and any attachments. Thank you
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace

v2.23.0 | Report a Bug | By Email