IETF Logo Mail Archive

Re: [Ace] End-to-End Scenarios

Göran Selander <goran.selander@ericsson.com> Wed, 23 September 2015 06:12 UTC

Return-Path: <goran.selander@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE5AF1A0276 for <ace@ietfa.amsl.com>; Tue, 22 Sep 2015 23:12:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.901
X-Spam-Level:
X-Spam-Status: No, score=-3.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SPHfdyYEohnK for <ace@ietfa.amsl.com>; Tue, 22 Sep 2015 23:12:15 -0700 (PDT)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 096571A02BE for <ace@ietf.org>; Tue, 22 Sep 2015 23:12:13 -0700 (PDT)
X-AuditID: c1b4fb2d-f79626d000004282-3d-560242bb59a8
Received: from ESESSHC014.ericsson.se (Unknown_Domain [153.88.253.124]) by sessmg23.ericsson.net (Symantec Mail Security) with SMTP id BF.FC.17026.BB242065; Wed, 23 Sep 2015 08:12:12 +0200 (CEST)
Received: from ESESSMB303.ericsson.se ([169.254.3.186]) by ESESSHC014.ericsson.se ([153.88.183.60]) with mapi id 14.03.0248.002; Wed, 23 Sep 2015 08:12:11 +0200
From: Göran Selander <goran.selander@ericsson.com>
To: Jim Schaad <ietf@augustcellars.com>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] End-to-End Scenarios
Thread-Index: AdDzTJuCqeOcgZ3iQWWV4hFj3veTUQBpM2AA///tTYCAADkdAIABWr+AgAApmQA=
Date: Wed, 23 Sep 2015 06:12:11 +0000
Message-ID: <D2280E0F.376E5%goran.selander@ericsson.com>
References: <021b01d0f34f$3ef676d0$bce36470$@augustcellars.com> <D2261B8C.3736D%goran.selander@ericsson.com> <049601d0f4f8$d40e7b50$7c2b71f0$@augustcellars.com> <D226C278.3750F%goran.selander@ericsson.com> <006901d0f5c2$c32de5d0$4989b170$@augustcellars.com>
In-Reply-To: <006901d0f5c2$c32de5d0$4989b170$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.7.141117
x-originating-ip: [153.88.183.154]
Content-Type: text/plain; charset="utf-8"
Content-ID: <77885BC2F1FF87408D87B1F724962358@ericsson.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmplkeLIzCtJLcpLzFFi42KZGfG3RnePE1OYwakFzBbfv/UwW6ye/p3N gclj45zpbB5LlvxkCmCK4rJJSc3JLEst0rdL4MqYvGopc8GXqIrTs6+xNzCeiOhi5OSQEDCR mDf3DyuELSZx4d56ti5GLg4hgaOMEr1T7jBDOEuAnLszWECq2ARcJB40PGICsUUE3CTOTl4G FhcWUJfYcPorVFxDYsqcd8wQtp9E380bbCA2i4CqRMfMeYwgNq+AhcSanV9ZIRZ0Mkk82TSf HSTBKeAgsf3tebChjEAnfT+1Bmwos4C4xK0n85kgThWQWLLnPDOELSrx8vE/sBdEBfQkVl5v YoOIK0ksuv0ZqJ4DqFdTYv0ufYgx1hJL/x1jhbAVJaZ0P2SHuEdQ4uTMJywTGMVnIdk2C6F7 FpLuWUi6ZyHpXsDIuopRtDi1uDg33chYL7UoM7m4OD9PLy+1ZBMjMN4Obvmtu4Nx9WvHQ4wC HIxKPLwL2JnChFgTy4orcw8xSnOwKInztjA9CBUSSE8sSc1OTS1ILYovKs1JLT7EyMTBKdXA yJLx1ipFa9ruExJuxf0XuDzPmr85OP350Zeb5VIs/DZdvfrna2HQn/v7/7tOW/Vxa1rYrzt3 RD6eTa0T+drjcq/p3cqFM5Ms5KPFhTYaZF530ypKOWkfv5/haMHUtfcPTmqxK2pxCgs59Cmj duaDOI6pXxdee3Ym7NLVAJlZTkFM/YUv1utfyVJiKc5INNRiLipOBAAv0ctgmAIAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/ace/BaXxVq3hMSCMHkwe03k8VatR9iM>
Subject: Re: [Ace] End-to-End Scenarios
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Sep 2015 06:12:18 -0000


On 2015-09-23 07:43, "Jim Schaad" <ietf@augustcellars.com> wrote:

>
>
>> -----Original Message-----
>> From: Göran Selander [mailto:goran.selander@ericsson.com]
>> Sent: Tuesday, September 22, 2015 12:02 AM
>> To: Jim Schaad <ietf@augustcellars.com>; ace@ietf.org
>> Subject: Re: [Ace] End-to-End Scenarios
>> 
>> 
>> 
>> On 2015-09-22 07:37, "Jim Schaad" <ietf@augustcellars.com> wrote:
>> 
>> >
>> >
>> >> -----Original Message-----
>> >> From: Göran Selander [mailto:goran.selander@ericsson.com]
>> >> Sent: Monday, September 21, 2015 9:45 PM
>> >> To: Jim Schaad <ietf@augustcellars.com>; ace@ietf.org
>> >> Subject: Re: [Ace] End-to-End Scenarios
>> >>
>> >>
>> >>
>> >> On 2015-09-20 04:51, "Jim Schaad" <ietf@augustcellars.com> wrote:
>> >>
>> >> >The previous discussion got sidetracked from where it really needed
>> >> >to
>> >>go.
>> >> >So I want to do a restart and focus on a different aspect.  In order
>> >> >to evaluate a solution, one needs to have as comprehensive list of
>> >> >the unique scenarios where the solution needs to function.  I want
>> >> >to try and get some help in building this list.  The list will also
>> >> >need to include some
>> >> >security constructs that may be included.   I am assuming that there
>> >>has
>> >> >been something that created the security context and that the
>> >> >security context is distributed to the correct entities.  (I
>> >> >understand that one variation for doing so assumes that the context
>> >> >may be relayed to the server via the client.)
>> >>
>> >> Just to be clear, there are ACE use cases where a client and a server
>> >>does not  have context with each other, and we need support from COSE
>> >>to establish that  using a TTP, but I understand if you don’t want to
>> >>discuss that in this mail thread.
>> >
>> >I understand that this is needed.  This is going to be true for the
>> >multi-cast DTLS as well.  I am assuming that this protocol is going to
>> >be written using the REST principles so that this conversation is
>>relevant.
>> >What would still need to be discussed at a later date is the internal
>> >message structure.  How much do we believe that the requirements of
>> >this are currently documented?
>> 
>> For example, ACRE (draft-seitz-ace-core-authz-00) contains the basic
>>cases.
>> And, yes, one of the principles of ACRE is to establish context using
>>RESTful
>> resources. But there is no list of requirements. In the next version
>>this will
>> probably be more clear.
>> 
>> >
>> >>
>> >> >
>> >> >I think the list starts as follows:
>> >> >
>> >> >1.  One way command: This covers Put, Delete and so forth.
>> >> >	C1 sends a command to S1.   S1 can 1) not reply, 2) reply success,
>> >> >3) reply failure
>> >> >
>> >> >2.  Query/Response:  This covers Get
>> >> >	C1 requests R1 from S1.  S1 can 1) reply with data, 2) reply with
>> >> >failure.
>> >>
>> >>
>> >> I don’t understand the distinction between "command with reply” in 1.
>> >>and
>> >> "Query/Response” in 2.
>> >>
>> >> Do you consider POST be of type 1. or type 2., or doesn’t it matter?
>> >
>> >I would think of POST as being of type 1.  The difference for me
>> >between type 1 and type 2 is the question  - does this operation
>> >require a response or is the response just necessary if the CoAP
>>message is
>> marked
>> >confirmable.   The concept of a Get for which there is no response
>>makes
>> >no sense.  This is not true for a POST.
>> >
>> >>
>> >>
>> >> In terms of security constructs, there is a need for a 2-pass PUT
>> >>Query/Response  (e.g. "Lock a door") , whereas GET Response could be a
>> >>1-pass secure message  (properly identified and versioned) preceded by
>> >>an unprotected GET Request.
>> >> But maybe this comes later? (There is also a 4-pass “Unlock a door",
>> >>but I don’t  think that should be solved by COSE.)
>> >
>> >Please explain.  I don't understand what you are saying.   A couple of
>> >flow diagrams may be helpful.
>> 
>> 
>> Publish-subscribe is one example of 1-pass GET Response (between S1 and
>>S2 in
>> 4. below).
>> 
>> 
>> For 2-pass PUT (should probably be POST) Query/Response “lock a door”
>> think e.g. about:
>> 
>> http://www.theguardian.com/technology/2015/may/26/high-tech-thieves-
>> jamming
>> -technology-steal-car
>> 
>> 
>> The current protocol is based on the user watching the blinking lights
>>of the car
>> confirming it being locked. Better if the key device verified that the
>>lock request
>> was received, and if not alerted the user.
>> 
>> For "Unlock a door” think of the same scenario where the PUT/POST unlock
>> request from the key device is recorded by the adversary. Then it waits
>>for the
>> user to give up and leave. Then it plays back the recorded request
>>(note, this is
>> not a replay). This can be mitigated by more round trips, actually
>>3-pass is
>> sufficient. But again, this should probably be in the application of
>>COSE.
>> 
>
>So if I understand correctly, you are talking about the fact that there
>might be some special circumstances  that might be applied to a series of
>related messages where each message will have different content and might
>be different operations (i.e. a Put followed by a Get).

This is a very general statement but what I had in mind fits into the
description.  We will probably have a specific proposal for how to handle
this type of problems.

Göran

>
>Side note:  I have always called that a replay attack since the message
>was intercepted and replayed, it is just a specialized version of one
>where the message is prevented from arriving at the destination.  These
>show up all of the time in terms of resets or out of order replays that
>need to be looked at.
>
>Jim
>
>
>> 
>> Sorry no flow charts, but perhaps possible to understand anyway?
>> 
>> >
>> >>
>> >>
>> >> >
>> >> >3.  Observation:
>> >> >	C1 observes R1 on S1.
>> >> >		S1 can 1) reply with data, 2) reply with failure, 3) reply success
>> >> >but no data (?)
>> >> >	C1 cancels observe of R1 on S1
>> >> >		S1 can 1) reply with success, 2) reply with failure
>> >> >	S1 sends data on R1 to C1
>> >> >
>> >> >4.  Observation with data server:
>> >> >	C1 observes R1 from S1 on S2
>> >> >		S2 can 1) reply with data, 2) reply with failure, 3) reply success
>> >> >but no data
>> >> >	C1 cancels observing R1
>> >> >		S2 can 1) reply with success, 2) reply with failure
>> >> >	S2 send data about R1 to C1
>> >> >	** S2 may not have access to data about R1
>> >> >	** Security context to communicate with S1 and S2 from C1 may be
>> >> >different and not overlap
>> >> >	** S2 may be required to verify data came from S1, but not be able
>> >> >to access R1.
>> >>
>> >>
>> >> Since you want to be exhaustive, there are operations between
>> >>Resource Server
>> >> (S1) and Data Server (S2).
>> >
>> >I don't believe that these need to be dealt with separately, but I
>> >could be wrong.  Are these not just the same operations with either the
>> >Resource Server or the Data Server as the C1 and the other as S1?
>> >Unless there are three parties I don't believe that this introduces any
>> >new wrinkles.  Do you have any ones in mind where there might be
>> differences?
>> >
>> >> Mapping between your notation and notation of draft-ietf-ace-actors:
>> >>
>> >> C1 in ACE C;
>> >>
>> >> S1 in ACE RS;
>> >>
>> >> S2 in Data Server;
>> >>
>> >>
>> >> Alternative data flows:
>> >>
>> >> C2 in Data Server requests with GET (optionally Observe) to S1 in ACE
>> >>RS;
>> >
>> >This would be case #2 or #3 above.
>> >
>> >>
>> >> C3 in ACE RS requests with PUT/POST to S3 (potentially S2) in Data
>> >>Server;
>> >
>> >This would be case #1 above.
>> 
>> 
>> Agree, just wanted to be explicit.
>> 
>> Göran
>> 
>> 
>> >
>> >Jim
>> >
>> >>
>> >>
>> >>
>> >> Göran
>> >>
>> >>
>> >>
>> >> >
>> >> >5.  Use of a Proxy Server
>> >> >	All of cases 1 through 4 need to be repeated but with a proxy
>> >> >server
>> >> >P1 between C1 and the entity it is talking to.
>> >> >
>> >> >What operations and data flows am I still missing?
>> >> >
>> >> >Jim
>> >> >
>> >> >
>> >> >_______________________________________________
>> >> >Ace mailing list
>> >> >Ace@ietf.org
>> >> >https://www.ietf.org/mailman/listinfo/ace
>> >
>> >
>
>

v2.23.0 | Report a Bug | By Email