Re: [Ace] End-to-End Scenarios
Göran Selander <goran.selander@ericsson.com> Wed, 23 September 2015 06:12 UTC
Return-Path: <goran.selander@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE5AF1A0276 for <ace@ietfa.amsl.com>; Tue, 22 Sep 2015 23:12:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.901
X-Spam-Level:
X-Spam-Status: No, score=-3.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SPHfdyYEohnK for <ace@ietfa.amsl.com>; Tue, 22 Sep 2015 23:12:15 -0700 (PDT)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 096571A02BE for <ace@ietf.org>; Tue, 22 Sep 2015 23:12:13 -0700 (PDT)
X-AuditID: c1b4fb2d-f79626d000004282-3d-560242bb59a8
Received: from ESESSHC014.ericsson.se (Unknown_Domain [153.88.253.124]) by sessmg23.ericsson.net (Symantec Mail Security) with SMTP id BF.FC.17026.BB242065; Wed, 23 Sep 2015 08:12:12 +0200 (CEST)
Received: from ESESSMB303.ericsson.se ([169.254.3.186]) by ESESSHC014.ericsson.se ([153.88.183.60]) with mapi id 14.03.0248.002; Wed, 23 Sep 2015 08:12:11 +0200
From: Göran Selander <goran.selander@ericsson.com>
To: Jim Schaad <ietf@augustcellars.com>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] End-to-End Scenarios
Thread-Index: AdDzTJuCqeOcgZ3iQWWV4hFj3veTUQBpM2AA///tTYCAADkdAIABWr+AgAApmQA=
Date: Wed, 23 Sep 2015 06:12:11 +0000
Message-ID: <D2280E0F.376E5%goran.selander@ericsson.com>
References: <021b01d0f34f$3ef676d0$bce36470$@augustcellars.com> <D2261B8C.3736D%goran.selander@ericsson.com> <049601d0f4f8$d40e7b50$7c2b71f0$@augustcellars.com> <D226C278.3750F%goran.selander@ericsson.com> <006901d0f5c2$c32de5d0$4989b170$@augustcellars.com>
In-Reply-To: <006901d0f5c2$c32de5d0$4989b170$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.7.141117
x-originating-ip: [153.88.183.154]
Content-Type: text/plain; charset="utf-8"
Content-ID: <77885BC2F1FF87408D87B1F724962358@ericsson.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmplkeLIzCtJLcpLzFFi42KZGfG3RnePE1OYwakFzBbfv/UwW6ye/p3N gclj45zpbB5LlvxkCmCK4rJJSc3JLEst0rdL4MqYvGopc8GXqIrTs6+xNzCeiOhi5OSQEDCR mDf3DyuELSZx4d56ti5GLg4hgaOMEr1T7jBDOEuAnLszWECq2ARcJB40PGICsUUE3CTOTl4G FhcWUJfYcPorVFxDYsqcd8wQtp9E380bbCA2i4CqRMfMeYwgNq+AhcSanV9ZIRZ0Mkk82TSf HSTBKeAgsf3tebChjEAnfT+1Bmwos4C4xK0n85kgThWQWLLnPDOELSrx8vE/sBdEBfQkVl5v YoOIK0ksuv0ZqJ4DqFdTYv0ufYgx1hJL/x1jhbAVJaZ0P2SHuEdQ4uTMJywTGMVnIdk2C6F7 FpLuWUi6ZyHpXsDIuopRtDi1uDg33chYL7UoM7m4OD9PLy+1ZBMjMN4Obvmtu4Nx9WvHQ4wC HIxKPLwL2JnChFgTy4orcw8xSnOwKInztjA9CBUSSE8sSc1OTS1ILYovKs1JLT7EyMTBKdXA yJLx1ipFa9ruExJuxf0XuDzPmr85OP350Zeb5VIs/DZdvfrna2HQn/v7/7tOW/Vxa1rYrzt3 RD6eTa0T+drjcq/p3cqFM5Ms5KPFhTYaZF530ypKOWkfv5/haMHUtfcPTmqxK2pxCgs59Cmj duaDOI6pXxdee3Ym7NLVAJlZTkFM/YUv1utfyVJiKc5INNRiLipOBAAv0ctgmAIAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/ace/BaXxVq3hMSCMHkwe03k8VatR9iM>
Subject: Re: [Ace] End-to-End Scenarios
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Sep 2015 06:12:18 -0000
On 2015-09-23 07:43, "Jim Schaad" <ietf@augustcellars.com> wrote: > > >> -----Original Message----- >> From: Göran Selander [mailto:goran.selander@ericsson.com] >> Sent: Tuesday, September 22, 2015 12:02 AM >> To: Jim Schaad <ietf@augustcellars.com>; ace@ietf.org >> Subject: Re: [Ace] End-to-End Scenarios >> >> >> >> On 2015-09-22 07:37, "Jim Schaad" <ietf@augustcellars.com> wrote: >> >> > >> > >> >> -----Original Message----- >> >> From: Göran Selander [mailto:goran.selander@ericsson.com] >> >> Sent: Monday, September 21, 2015 9:45 PM >> >> To: Jim Schaad <ietf@augustcellars.com>; ace@ietf.org >> >> Subject: Re: [Ace] End-to-End Scenarios >> >> >> >> >> >> >> >> On 2015-09-20 04:51, "Jim Schaad" <ietf@augustcellars.com> wrote: >> >> >> >> >The previous discussion got sidetracked from where it really needed >> >> >to >> >>go. >> >> >So I want to do a restart and focus on a different aspect. In order >> >> >to evaluate a solution, one needs to have as comprehensive list of >> >> >the unique scenarios where the solution needs to function. I want >> >> >to try and get some help in building this list. The list will also >> >> >need to include some >> >> >security constructs that may be included. I am assuming that there >> >>has >> >> >been something that created the security context and that the >> >> >security context is distributed to the correct entities. (I >> >> >understand that one variation for doing so assumes that the context >> >> >may be relayed to the server via the client.) >> >> >> >> Just to be clear, there are ACE use cases where a client and a server >> >>does not have context with each other, and we need support from COSE >> >>to establish that using a TTP, but I understand if you don’t want to >> >>discuss that in this mail thread. >> > >> >I understand that this is needed. This is going to be true for the >> >multi-cast DTLS as well. I am assuming that this protocol is going to >> >be written using the REST principles so that this conversation is >>relevant. >> >What would still need to be discussed at a later date is the internal >> >message structure. How much do we believe that the requirements of >> >this are currently documented? >> >> For example, ACRE (draft-seitz-ace-core-authz-00) contains the basic >>cases. >> And, yes, one of the principles of ACRE is to establish context using >>RESTful >> resources. But there is no list of requirements. In the next version >>this will >> probably be more clear. >> >> > >> >> >> >> > >> >> >I think the list starts as follows: >> >> > >> >> >1. One way command: This covers Put, Delete and so forth. >> >> > C1 sends a command to S1. S1 can 1) not reply, 2) reply success, >> >> >3) reply failure >> >> > >> >> >2. Query/Response: This covers Get >> >> > C1 requests R1 from S1. S1 can 1) reply with data, 2) reply with >> >> >failure. >> >> >> >> >> >> I don’t understand the distinction between "command with reply” in 1. >> >>and >> >> "Query/Response” in 2. >> >> >> >> Do you consider POST be of type 1. or type 2., or doesn’t it matter? >> > >> >I would think of POST as being of type 1. The difference for me >> >between type 1 and type 2 is the question - does this operation >> >require a response or is the response just necessary if the CoAP >>message is >> marked >> >confirmable. The concept of a Get for which there is no response >>makes >> >no sense. This is not true for a POST. >> > >> >> >> >> >> >> In terms of security constructs, there is a need for a 2-pass PUT >> >>Query/Response (e.g. "Lock a door") , whereas GET Response could be a >> >>1-pass secure message (properly identified and versioned) preceded by >> >>an unprotected GET Request. >> >> But maybe this comes later? (There is also a 4-pass “Unlock a door", >> >>but I don’t think that should be solved by COSE.) >> > >> >Please explain. I don't understand what you are saying. A couple of >> >flow diagrams may be helpful. >> >> >> Publish-subscribe is one example of 1-pass GET Response (between S1 and >>S2 in >> 4. below). >> >> >> For 2-pass PUT (should probably be POST) Query/Response “lock a door” >> think e.g. about: >> >> http://www.theguardian.com/technology/2015/may/26/high-tech-thieves- >> jamming >> -technology-steal-car >> >> >> The current protocol is based on the user watching the blinking lights >>of the car >> confirming it being locked. Better if the key device verified that the >>lock request >> was received, and if not alerted the user. >> >> For "Unlock a door” think of the same scenario where the PUT/POST unlock >> request from the key device is recorded by the adversary. Then it waits >>for the >> user to give up and leave. Then it plays back the recorded request >>(note, this is >> not a replay). This can be mitigated by more round trips, actually >>3-pass is >> sufficient. But again, this should probably be in the application of >>COSE. >> > >So if I understand correctly, you are talking about the fact that there >might be some special circumstances that might be applied to a series of >related messages where each message will have different content and might >be different operations (i.e. a Put followed by a Get). This is a very general statement but what I had in mind fits into the description. We will probably have a specific proposal for how to handle this type of problems. Göran > >Side note: I have always called that a replay attack since the message >was intercepted and replayed, it is just a specialized version of one >where the message is prevented from arriving at the destination. These >show up all of the time in terms of resets or out of order replays that >need to be looked at. > >Jim > > >> >> Sorry no flow charts, but perhaps possible to understand anyway? >> >> > >> >> >> >> >> >> > >> >> >3. Observation: >> >> > C1 observes R1 on S1. >> >> > S1 can 1) reply with data, 2) reply with failure, 3) reply success >> >> >but no data (?) >> >> > C1 cancels observe of R1 on S1 >> >> > S1 can 1) reply with success, 2) reply with failure >> >> > S1 sends data on R1 to C1 >> >> > >> >> >4. Observation with data server: >> >> > C1 observes R1 from S1 on S2 >> >> > S2 can 1) reply with data, 2) reply with failure, 3) reply success >> >> >but no data >> >> > C1 cancels observing R1 >> >> > S2 can 1) reply with success, 2) reply with failure >> >> > S2 send data about R1 to C1 >> >> > ** S2 may not have access to data about R1 >> >> > ** Security context to communicate with S1 and S2 from C1 may be >> >> >different and not overlap >> >> > ** S2 may be required to verify data came from S1, but not be able >> >> >to access R1. >> >> >> >> >> >> Since you want to be exhaustive, there are operations between >> >>Resource Server >> >> (S1) and Data Server (S2). >> > >> >I don't believe that these need to be dealt with separately, but I >> >could be wrong. Are these not just the same operations with either the >> >Resource Server or the Data Server as the C1 and the other as S1? >> >Unless there are three parties I don't believe that this introduces any >> >new wrinkles. Do you have any ones in mind where there might be >> differences? >> > >> >> Mapping between your notation and notation of draft-ietf-ace-actors: >> >> >> >> C1 in ACE C; >> >> >> >> S1 in ACE RS; >> >> >> >> S2 in Data Server; >> >> >> >> >> >> Alternative data flows: >> >> >> >> C2 in Data Server requests with GET (optionally Observe) to S1 in ACE >> >>RS; >> > >> >This would be case #2 or #3 above. >> > >> >> >> >> C3 in ACE RS requests with PUT/POST to S3 (potentially S2) in Data >> >>Server; >> > >> >This would be case #1 above. >> >> >> Agree, just wanted to be explicit. >> >> Göran >> >> >> > >> >Jim >> > >> >> >> >> >> >> >> >> Göran >> >> >> >> >> >> >> >> > >> >> >5. Use of a Proxy Server >> >> > All of cases 1 through 4 need to be repeated but with a proxy >> >> >server >> >> >P1 between C1 and the entity it is talking to. >> >> > >> >> >What operations and data flows am I still missing? >> >> > >> >> >Jim >> >> > >> >> > >> >> >_______________________________________________ >> >> >Ace mailing list >> >> >Ace@ietf.org >> >> >https://www.ietf.org/mailman/listinfo/ace >> > >> > > >
- [Ace] End-to-End Scenarios Jim Schaad
- Re: [Ace] End-to-End Scenarios Olaf Bergmann
- Re: [Ace] End-to-End Scenarios Jim Schaad
- Re: [Ace] End-to-End Scenarios Göran Selander
- Re: [Ace] End-to-End Scenarios Jim Schaad
- Re: [Ace] End-to-End Scenarios Göran Selander
- Re: [Ace] End-to-End Scenarios Olaf Bergmann
- Re: [Ace] End-to-End Scenarios Randy Presuhn
- Re: [Ace] End-to-End Scenarios Olaf Bergmann
- Re: [Ace] End-to-End Scenarios Carsten Bormann
- Re: [Ace] End-to-End Scenarios Jim Schaad
- Re: [Ace] End-to-End Scenarios Göran Selander
- Re: [Ace] End-to-End Scenarios Jim Schaad
- Re: [Ace] End-to-End Scenarios Göran Selander