IETF Logo Mail Archive

Re: [Ace] Review of draft-ietf-ace-mqtt-tls-profile-06

Cigdem Sengul <cigdem.sengul@gmail.com> Mon, 17 August 2020 21:25 UTC

Return-Path: <cigdem.sengul@gmail.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A91803A11F2; Mon, 17 Aug 2020 14:25:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B737ScTgFhUn; Mon, 17 Aug 2020 14:25:17 -0700 (PDT)
Received: from mail-vs1-xe2f.google.com (mail-vs1-xe2f.google.com [IPv6:2607:f8b0:4864:20::e2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E441A3A11F1; Mon, 17 Aug 2020 14:25:16 -0700 (PDT)
Received: by mail-vs1-xe2f.google.com with SMTP id k25so9025772vsm.11; Mon, 17 Aug 2020 14:25:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+qi0860Q/e1Ncu3irLGMD5sBqNFEpFKYZQuzKvWeg6w=; b=CSaRamvb0E4dzeNacHyuVtEJ8E+sifIMW6M+jZrd0w9PuK9JNJyk7ozd240KMomQ2h bGzlVuyDCHu10mLs1Nt9MQIdHtzm3BkiP9b3K+1zAAugi93f8ptC1lA9COmBUSeFpLn3 pi7YBCNOo2L0xEJPMB8XAuy/5UOItKrEaCrwQHklkguwAkz7uCo7BxNurZnMWA4aeKMz v5GLsazk4FxedF+HSzIGxBOZy8E7QxwX63/HXsbFaDq2sq/a1zPESnSmU0NFBscvlqZy hRRzJCUpmsggDn53YZKva5ma8yTE1xRnXfa487K2B0lsdzF8dpwPcPa3w5fvfCXllDo+ PpMQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+qi0860Q/e1Ncu3irLGMD5sBqNFEpFKYZQuzKvWeg6w=; b=LMZo1I3e2MuggTRJzvAZ9fhIjEo41kvHA8D3AtmWKIwcIXEYDAwfA9ekMbhvN1yLmi Qo2OM0RdVanaq01bOM/hDf1JK+2H6ViiNQND7SHT2QT9yG0LlIP2+sPqzG0EwP7K8Iar stSl5E6hFcEiS05F+kKFQvdEWTS/PVBJjZ1vjLnpbuuBVuG/gq5exEMCgQGfPlWt5dQo JQ4Uo8bxH3no7rWvwl1zjA9oD/dE2pu52K6V96l3K7NoKBuzWe5L4S9cgL6GD9jP8dIX NuwpSMFz3XVYnHVtf3CORg4OZ9aLij8UxJ5YneE8V46lu7bjp6Gu63nkP8YEziEsiWsL OZog==
X-Gm-Message-State: AOAM532/jMdF8aoU6DRP90DKnlYM39S23n67zOuKJe07eXLfxiUnorly htldWZU7vVIrKeORrfGgVkarYXlh8pEBKmByudF73pIy9YNlWg==
X-Google-Smtp-Source: ABdhPJwP2udl9XvouQdSfLsirzRaor09b23cydQC4OFMInSH7dAweq9R4GLnJD0gq6qbLLzjVLyPDdQxGt+RRLEv/Eg=
X-Received: by 2002:a67:e45:: with SMTP id 66mr9464334vso.191.1597699515804; Mon, 17 Aug 2020 14:25:15 -0700 (PDT)
MIME-Version: 1.0
References: <00dd01d6734e$09020920$1b061b60$@augustcellars.com> <CAA7SwCMAQw84Qr3z+3oPrfjyFoYF2pfCCt7a+zoFHDcKwLxtiA@mail.gmail.com> <00f601d67409$4a3f04e0$debd0ea0$@augustcellars.com> <CAA7SwCPCBknichaNZwrS3ig-hSUGTP=Gfsd3=gAFhH0PRmuc6Q@mail.gmail.com> <014901d674b3$d16e19b0$744a4d10$@augustcellars.com> <CAA7SwCONyAOpO9+TKZNB3UHsuBOQzQ99+b1KP57ek+d-k8LCsg@mail.gmail.com> <015c01d674c2$8dd3be30$a97b3a90$@augustcellars.com>
In-Reply-To: <015c01d674c2$8dd3be30$a97b3a90$@augustcellars.com>
From: Cigdem Sengul <cigdem.sengul@gmail.com>
Date: Mon, 17 Aug 2020 22:25:04 +0100
Message-ID: <CAA7SwCPr8sJwnjBEzPMTqcbHEW-V5dFa-eTXO1VTQGL5xi0ndg@mail.gmail.com>
To: Jim Schaad <ietf@augustcellars.com>
Cc: draft-ietf-ace-mqtt-tls-profile@ietf.org, Ace Wg <ace@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000018f06a05ad196866"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/-INIvkwY4FZzR66kyVJ4fK4x1u0>
Subject: Re: [Ace] Review of draft-ietf-ace-mqtt-tls-profile-06
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Aug 2020 21:25:19 -0000

Hello Jim,

I understand that it's an optimization to improve message delay. I wonder
also if a client then can do CONNECT - PUBLISH - DISCONNECT before
receiving a CONNACK as a best-effort publish? assuming CONNECT succeeds...
Should we just not cater to those cases?

What about stating in 2.2.6.1 - after "the Broker MUST
   send a CONNACK message to the Client." (or maybe somewhere higher up):

-> The client MUST NOT send any packets other than DISCONNECT or an AUTH in
response to the broker AUTH's message until it has received a CONNACK.
-> The server MUST NOT process any packets other than DISCONNECT or an AUTH
in response to its AUTH message before it has sent a CONNACK.

--Cigdem









On Mon, Aug 17, 2020 at 7:16 PM Jim Schaad <ietf@augustcellars.com> wrote:

>
>
>
>
> *From:* Cigdem Sengul <cigdem.sengul@gmail.com>
> *Sent:* Monday, August 17, 2020 10:45 AM
> *To:* Jim Schaad <ietf@augustcellars.com>
> *Cc:* draft-ietf-ace-mqtt-tls-profile@ietf.org; Ace Wg <ace@ietf.org>
> *Subject:* Re: [Ace] Review of draft-ietf-ace-mqtt-tls-profile-06
>
>
>
>
>
>
>
> I've got that from MQTT v5 spec:
>
> If a Client sets an Authentication Method in the CONNECT, the Client MUST
> NOT send any packets other than AUTH or DISCONNECT packets until it has
> received a CONNACK packet [MQTT-3.1.2-30].
>
>  and:
>
> If the Server rejects the CONNECT, it MUST NOT process any data sent by
> the Client after the CONNECT packet except AUTH packets [MQTT-3.1.4-6].
>
>
>
> [JLS] I read this as the following would not do the publish
>
> CONNECT à
>
> PUBLISH à
>
>                 ß AUTH
>
> AUTH à
>
>                 ß CONNACK fail
>
> The PUBLISH can be received but is not processed unless the CONNACK is
> going to be a success.
>
> [/JLS]
>
>
>
> [CS] I think this sequence should not happen, as Client MUST NOT send
> PUBLISH before CONNACK.
>
> I did not know what brokers do if they receive PUBLISH (and still
> processing a CONNECT) - drop or buffer until process. I quickly browsed
> mosquitto src.
>
> It looks like the broker sets a context flag to mark the session active
> after CONNECT is processed and accepted.
>
> If this flag is not set when processing publish,  it goes to an error
> state and doesn't look like it keeps the packet.
>
>
>
> [JLS] No, Clients are allowed to send further MQTT Control Packets
> immediately after sending a CONNECT packet; Clients need not wait for a
> CONNACK packet to arrive from the Server. – this is the preceding two
> sentences to requirement MQTT-3.1.4-6.  I would agree that this is going to
> be server specific.  The following paragraph suggests that clients SHOULD
> wait for the CONNACK but it is non-normative.  I think that I would write
> my client code to wait.  I would have to work really hard to figure out
> what my code base would do for this as I know it does queue packets for
> later processing but I am not sure what it would do for this case.
>
>
>
>
>
> [CS] Ok, this is confusing.  I assumed that sentence regarding clients
> about not having to wait was when no Authentication Method set.
>
> Because there is: If a Client sets an Authentication Method in the
> CONNECT, the Client MUST NOT send any packets other than AUTH or DISCONNECT
> packets until it has received a CONNACK packet [MQTT-3.1.2-30].
>
>  In the profile, we do set an authentication method in connect to "ace".
>
>
>
> [JLS] Looks like there might be some conflicting statements here.  I don’t
> know the best way to resolve it.
>
> Jim
>
>
>
>
>
> --Cigdem
>

v2.23.0 | Report a Bug | By Email