Re: [Ace] draft-ietf-ace-mqtt-tls-profile - Validating a subscription is in scope
Cigdem Sengul <cigdem.sengul@gmail.com> Wed, 15 January 2020 12:44 UTC
Return-Path: <cigdem.sengul@gmail.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE5561200A3; Wed, 15 Jan 2020 04:44:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tpIsvzO-t2bI; Wed, 15 Jan 2020 04:44:37 -0800 (PST)
Received: from mail-ua1-x92c.google.com (mail-ua1-x92c.google.com [IPv6:2607:f8b0:4864:20::92c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B43A120119; Wed, 15 Jan 2020 04:44:37 -0800 (PST)
Received: by mail-ua1-x92c.google.com with SMTP id z24so6165551uam.7; Wed, 15 Jan 2020 04:44:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qdBVrtOF2pVEXnLs4SLLk3kGAuEeMxY/7s3ixXrPtq0=; b=MrxFfc5kXemBThA2WY8qJpDIlSm/vGjcRUvfDGX79RPPPI4psijrIpCirdWbzxihVE K+U1jAp2ZAM1FuQCJLlIh2rG8qwd1KR8CRzBYw86P2TQN00QeQVl7vbWptU+n788eX2J 4jtROVzxYGIuQTNqeKzJjSTsWOZmFeExLX1GHgb6WFpXfdfnt5TxdpuTNOpgFIlRBjNy 0KKF0wkpzxrc0+RrgYYh/Igbu2oUQGmpM4pTfKoXY+XfqP3IsAKdkoRxqei57xYV225C doNB6UdFmxrRHhBgCDhpMfyQfUD98vGj4gg/khn5LWJK4mXRQMh7RfakJ6eIRERkbt5V bqNw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qdBVrtOF2pVEXnLs4SLLk3kGAuEeMxY/7s3ixXrPtq0=; b=MWzWQ0bfe6smzoTzxV0T1Ew9ks5t4I1ihpGZYw8q/rmAfBC/fC+Kxnf/D6hk1+tCtL 6LLwH4A/Od0QaflLROuvhFDqBClp3DElTDxyJfHOntGQg5TOvp6CyBKgHFAUmza5o1EM h17A5QKEMjJFi09+odcghVJMBPYIwpjo18Jidq25VBlOhgWvi27AKs7hC8RtT/GWeE30 ZgnJKcyKqnjaOho4nGW3QCNKv7BRCdpzGboLAdpaB4Tpckr49M2EiqXluM4Tbx1KGqPt aBQZBdyU648iJLOysjyJgL80L+M/wdpLVQ25cvWv5hxYNmwEVil2TfebIcuCVm7G4eLk wKXw==
X-Gm-Message-State: APjAAAXDI5Ow8fJmVz9zfpWbaOtUjNriQBh8N/ZU9IU9+MhuQiMiwgdZ Jx23wABmdDmiTm1Q2PWLGsj3pbyGe52OlKJppZV3Akwx5K8=
X-Google-Smtp-Source: APXvYqwuROIRQj/R6vo7Kx3+yIC/4DnEv1HbiCop1B9B8mKz8lmWTNyiwtKjEgg0lrPCmkkQL2K652TsAhrkr5m13tA=
X-Received: by 2002:ab0:2ea6:: with SMTP id y6mr14024702uay.25.1579092276330; Wed, 15 Jan 2020 04:44:36 -0800 (PST)
MIME-Version: 1.0
References: <003f01d5c9b2$1fe439b0$5facad10$@augustcellars.com> <CAA7SwCOieCSUhKHGS=y+zakoPvTkaZm4jLwcVq0rCpqS=GT3JA@mail.gmail.com> <00de01d5cafa$adefb420$09cf1c60$@augustcellars.com>
In-Reply-To: <00de01d5cafa$adefb420$09cf1c60$@augustcellars.com>
From: Cigdem Sengul <cigdem.sengul@gmail.com>
Date: Wed, 15 Jan 2020 12:44:25 +0000
Message-ID: <CAA7SwCNhLaXcopNV_WOZRd8B+5Ff3vJhSC_WeaFWVcmYRYZEiQ@mail.gmail.com>
To: Jim Schaad <ietf@augustcellars.com>
Cc: draft-ietf-ace-mqtt-tls-profile@ietf.org, Ace Wg <ace@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000032c35f059c2d12fd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/NSJakqqX7ANZO2aYIOh44BxvAJc>
Subject: Re: [Ace] draft-ietf-ace-mqtt-tls-profile - Validating a subscription is in scope
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jan 2020 12:44:43 -0000
Hello, It gets interesting when the scope is more restricted than the subscription request. For instance, the scope is sport/+ But subscription is sport/# Should this be refused? Obviously the subscriber is attempting to subscribe to more than it has permission for. But does the broker still allow the subscription but reduce it to "sport/+"? > > > [JLS] Given that this is not defined in the base MQTT specification, most > clients would not expect this if the ACE is grafted on the side of the > program. I would therefore say this is a “not authorized” and go on. > > > [CS] Agreed. Another issue that we should say something about is the case when multiple permission strings aggregated together gives enough permission to the subscription request, based on the _current_ topic hierarchy. Example: Scope strings in the token were: publish_sport/tennis publish_sport/basketball and then the client asks for publish_sport/+ If tennis and basketball are the only topics under sport, then this is a valid request. But, if the topic hierarchy is changes during the connection time (adds sport/baseball) then subscriber gets PUBLISH messages for something they should not. When topic subscriptions are not protected, the broker would send anything at the single level for sport/+ and would not worry about the new additions after the subscription. When topic subscriptions are protected, the Broker can choose to do two things: 1) Allow the subscription but internally subscribe the clients to sport/basketball and sport/tennis only. or 2) Reject the subscription and the client needs to ask for subscriptions that are a subset or equal to their permission strings. So the client specifically needs to ask for publish_sport/tennis and publish_sport/basketball matching its scope strings. But then scope parameter cannot be optional and must be included in the AS response. or 3) Allow the subscription, when a new level is added, check the permissions of all active subscribers, send DISCONNECT if the current permissions do not apply to the new hierarchy. 1 would need to be again signalled to the client, 2 might be too restrictive, and 3 may introduce a processing load if things are changing all the time (which I do not expect). Leaning towards 3... Any thoughts? --Cigdem > Jim > > > > > > --Cigdem > > > Jim > > > _______________________________________________ > Ace mailing list > Ace@ietf.org > https://www.ietf.org/mailman/listinfo/ace > >
- [Ace] draft-ietf-ace-mqtt-tls-profile - Validatin… Jim Schaad
- Re: [Ace] draft-ietf-ace-mqtt-tls-profile - Valid… Cigdem Sengul
- Re: [Ace] draft-ietf-ace-mqtt-tls-profile - Valid… Jim Schaad
- Re: [Ace] draft-ietf-ace-mqtt-tls-profile - Valid… Cigdem Sengul
- Re: [Ace] draft-ietf-ace-mqtt-tls-profile - Valid… Jim Schaad
- Re: [Ace] draft-ietf-ace-mqtt-tls-profile - Valid… Cigdem Sengul