IETF Logo Mail Archive

Re: [Ace] Alexey Melnikov's Discuss on draft-ietf-ace-coap-est-17: (with DISCUSS and COMMENT)

Carsten Bormann <cabo@tzi.org> Fri, 20 December 2019 07:06 UTC

Return-Path: <cabo@tzi.org>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A31CF120129; Thu, 19 Dec 2019 23:06:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RCHeB-H-OCRh; Thu, 19 Dec 2019 23:06:38 -0800 (PST)
Received: from gabriel-vm-2.zfn.uni-bremen.de (gabriel-vm-2.zfn.uni-bremen.de [134.102.50.17]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71FA0120090; Thu, 19 Dec 2019 23:06:38 -0800 (PST)
Received: from client-0160.vpn.uni-bremen.de (client-0160.vpn.uni-bremen.de [134.102.107.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by gabriel-vm-2.zfn.uni-bremen.de (Postfix) with ESMTPSA id 47fKY81L87z16rB; Fri, 20 Dec 2019 08:06:36 +0100 (CET)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <20191220004728.GF35479@kduck.mit.edu>
Date: Fri, 20 Dec 2019 08:06:35 +0100
Cc: Alexey Melnikov <aamelnikov@fastmail.fm>, draft-ietf-ace-coap-est@ietf.org, ietf@augustcellars.com, ace-chairs@ietf.org, The IESG <iesg@ietf.org>, ace@ietf.org
X-Mao-Original-Outgoing-Id: 598518393.52324-fef29e08be5cb7cc6fc3919841a5ae54
Content-Transfer-Encoding: quoted-printable
Message-Id: <954E92C2-647A-49B3-B204-22EFB61BF46B@tzi.org>
References: <157667562611.29907.6804425237641037015.idtracker@ietfa.amsl.com> <20191220004728.GF35479@kduck.mit.edu>
To: Benjamin Kaduk <kaduk@mit.edu>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/DYxmFagSBJGHtlAIo8tL8YpXAj8>
Subject: Re: [Ace] Alexey Melnikov's Discuss on draft-ietf-ace-coap-est-17: (with DISCUSS and COMMENT)
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Dec 2019 07:06:41 -0000

On Dec 20, 2019, at 01:47, Benjamin Kaduk <kaduk@mit.edu> wrote:
> 
>> The statement above
>> 
>>      When omitted, they are logically
>>      assumed to be the transport protocol destination address and port
>>      respectively.  Explicit Uri-Host and Uri-Port Options are
>>      typically used when an endpoint hosts multiple virtual servers and
>>      uses the Options to route the requests accordingly.
>> 
>> and the last quoted statement: How can the sender know whether or not it is Ok
>> to omit Uri-Host/Uri-Port?
> 
> How do you know when you need to send SNI to a TLS server?  "If you try
> without and get a strange certificate back."  I think that a similar
> situation is possible here, though of course you may just know from
> out-of-band configuration.

RFC 7252 says:

   The default value of the Uri-Host Option is the IP literal
   representing the destination IP address of the request message.
   Likewise, the default value of the Uri-Port Option is the destination
   UDP port.  The default values for the Uri-Host and Uri-Port Options
   are sufficient for requests to most servers.  Explicit Uri-Host and
   Uri-Port Options are typically used when an endpoint hosts multiple
   virtual servers.

So there is a clear rule: If the URI has the IP address and port number (possibly defaulted), respectively, the options can be omitted.  This means you can almost always omit Uri-Port, and can omit Uri-Host if the URI had an IP address literal.  The latter is not unlikely if that URI came from a resource directory.  If the URI had a DNS name and you omit Uri-Host anyway, you are gambling that the server offers the same resource under the IP address the DNS name resolves to.  Not unlikely either, but still gambling, unless you have out-of-band information.  Now you might have verified the identity of the server already using a security protocol, in which case you could have more reason to believe you are addressing the right resource.

Grüße, Carsten

v2.23.0 | Report a Bug | By Email