Re: [Ace] DTLS proxy in EST-coaps
peter van der Stok <stokcons@xs4all.nl> Fri, 17 November 2017 02:09 UTC
Return-Path: <stokcons@xs4all.nl>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C58DE1274D2 for <ace@ietfa.amsl.com>; Thu, 16 Nov 2017 18:09:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.62
X-Spam-Level:
X-Spam-Status: No, score=-2.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FSwhz4nhFmVT for <ace@ietfa.amsl.com>; Thu, 16 Nov 2017 18:09:36 -0800 (PST)
Received: from lb2-smtp-cloud9.xs4all.net (lb2-smtp-cloud9.xs4all.net [194.109.24.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A12F1274A5 for <ace@ietf.org>; Thu, 16 Nov 2017 18:09:36 -0800 (PST)
Received: from webmail.xs4all.nl ([IPv6:2001:888:0:22:194:109:20:208]) by smtp-cloud9.xs4all.net with ESMTPA id FW63eYZm2nIXbFW63eClc6; Fri, 17 Nov 2017 03:09:35 +0100
Received: from 2001:67c:1232:144:b48f:66d4:33ec:d810 by webmail.xs4all.nl with HTTP (HTTP/1.1 POST); Fri, 17 Nov 2017 03:09:35 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Content-Transfer-Encoding: 7bit
Date: Fri, 17 Nov 2017 03:09:35 +0100
From: peter van der Stok <stokcons@xs4all.nl>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: ace@ietf.org
Organization: vanderstok consultancy
Reply-To: consultancy@vanderstok.org
Mail-Reply-To: consultancy@vanderstok.org
In-Reply-To: <17202.1510881395@obiwan.sandelman.ca>
References: <dc29b128ae34d174f729f4d22cb1e489@xs4all.nl> <HE1P121MB0012C2A56A83DB5B004E3BE08D2E0@HE1P121MB0012.EURP121.PROD.OUTLOOK.COM> <0ad947db-efdc-ebcc-1b6f-6dd8b1074259@cisco.com> <8736.1510870569@obiwan.sandelman.ca> <17202.1510881395@obiwan.sandelman.ca>
Message-ID: <b2e569c3ed738d0de6782895a7c564a7@xs4all.nl>
X-Sender: stokcons@xs4all.nl
User-Agent: XS4ALL Webmail
X-CMAE-Envelope: MS4wfGo6NSQh9Y7xtupcPcEEN0DQgYkLfjxAwyLfvCzDXbP3PY+GBAaQoig8CaZMAl2EWS8HPEmZ3DTk+aJuJtQ2IvlUbcYo2ZfHiU7V6QOzqs2tf8QqiRyj CGy7Ghgb6Vg5sJWPIlhvH2hnjcLlmnEGPexRKMv8JY1DvOp5FroqL3bJE6vEQFZujgSMa+/VM9kNr+Xx5pOmYh9qWmM85DcG+gU2EDWp6jSI8JynoMsakPkX
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/Dn6Edtfw5UF_bb1TCmVqauXwwoE>
Subject: Re: [Ace] DTLS proxy in EST-coaps
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Nov 2017 02:09:39 -0000
> I'm slowly absorbing the contents of draft-vanderstok-ace-coap-est-02. > I'm building draft-ietf-6tisch-zerotouch-join with the assumption that > it > might run over DTLS, use EDHOC w/OSCORE, or some DTLS-over-CoAP > mechanism. Good > > I looked through section 6, and I don't understand why COAPS would be > used > From the Registrar through an ESTcoaps-to-HTTPS Proxy to the MASA. The > Registrar as not in the constrained networks, and can speak HTTPS just > fine. > That's why we proxy the COAPS traffic to the Registrar, so that the > Registrar does not have to live (entirely) in the constrained network. If this is a unrealistic use case, it should go from the document. > > So, in the ANIMA BRSKI context, we have the Join Proxy to connect the > insecure > (unencrypted) network with the JRC as we can not assume the registar > (JRC) is > within radio distance of all pledges. > > For EDHOC and DTLS-over-COAP, we can use the option as described > in draft-ietf-6tisch-minimal-security section 5.1 to keep the proxy > stateless. > > For DTLS, I thought we had a few IDs on how to relay DTLS in a > stateless manner. > I can't seem to find any (Yes, I did look through expired drafts too). You mean expired est-coaps drafts? Indeed, the draft never considered these, assuming they were off topic and were adequately treated elsewhere. The next version of est-coaps draft will be less BRSKI oriented and I think the subject of stateless join proxy is off topic. (BTW they are systematically called "circuit proxy" in keyinfra draft). > > Are there some options for DTLS? > Is there a way to statelessly (on the join proxy) relay traffic? > > -- > Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works > -= IPv6 IoT consulting =- > > > > > _______________________________________________ > Ace mailing list > Ace@ietf.org > https://www.ietf.org/mailman/listinfo/ace
- [Ace] DTLS proxy in EST-coaps Michael Richardson
- Re: [Ace] DTLS proxy in EST-coaps peter van der Stok
- Re: [Ace] DTLS proxy in EST-coaps Sandeep Kumar
- Re: [Ace] DTLS proxy in EST-coaps Michael Richardson
- Re: [Ace] DTLS proxy in EST-coaps Michael Richardson
- Re: [Ace] DTLS proxy in EST-coaps Sandeep Kumar