Re: [Ace] Secdir last call review of draft-ietf-ace-extend-dtls-authorize

John Mattsson <john.mattsson@ericsson.com> Fri, 13 January 2023 07:34 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/RcV0Bvunowc2IJ0HuDlrkw6kyEc>

Hi Tirumaleswar,

Thanks for your review and the good comments. See inline. We will update the document accordingly.

Cheers,
John

From: tirumal reddy <kondtir@gmail.com>
Date: Friday, 13 January 2023 at 07:32
To: secdir@ietf.org <secdir@ietf.org>, last-call@ietf.org <last-call@ietf.org>, ace@ietf.org <ace@ietf.org>, draft-ietf-ace-extend-dtls-authorize.all@ietf.org <draft-ietf-ace-extend-dtls-authorize.all@ietf.org>
Subject: Secdir last call review of draft-ietf-ace-extend-dtls-authorize
Reviewer: Tirumaleswar Reddy
Review result: Ready with Nits

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document updates the CoAP-DTLS profile for ACE by specifying
that the profile applies to TLS as well as DTLS.

Comments below:

1) In case the ace_profile parameter indicates the
use of the DTLS profile for ACE as defined in [RFC9202],
the Client MAY try to connect to the Resource Server via TLS, or try TLS and DTLS in parallel
to accelerate the connection setup. It is up to the implementation to handle the case where the RS responds to both connection requests.

Comment> DTLS should be given higher precedence than TLS as CoAP over UDP is the first choice of implementation.

John: Yes, if the Client supports both DTLS and TLS, the first choice should be DTLS unless the Client has reason to believe that only TLS will work. We will add text describing this.


2) As resource-constrained devices are not expected to
support both transport layer security mechanisms, a Client
that implements either TLS or DTLS but not both might fail in establishing a secure communication channel with the Resource Server altogether.

Comment> If the IoT device cannot support both TLS and DTLS, is it mandatory for the device to support TLS?
Otherwise, if a device supports DTLS only and a firewall blocks the communication channel over UDP with the RS, it will fail to function.

John: In general it should not be mandatory to support TLS, but a device implementing this document is supporting TLS. Most ACE clients will likely only support DTLS. Some will support both to do firewall traversal. Some will only support TLS. Yes, in the case you describe the connection will fail. Things can fail to function even with TLS if the firewall only accepts connections from the other direction. We will add text with these considerations.


Cheers,
-Tiru
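One way a Client could implement the parallel attempt discussed above (DTLS preferred, TLS as the fallback when UDP is blocked, and the unused session torn down when the RS answers on both transports). This is an added example, not code from the draft or from any ACE implementation; the connector callables, the Channel class, the 250 ms grace period and the constructed latencies in simulate() are assumptions.

```python
import asyncio

class Channel:  # stands in for a real (D)TLS session to the RS (assumed API)
    def __init__(self, transport):
        self.transport, self.closed = transport, False
    def close(self):
        self.closed = True

def _succeeded(task):
    return task.done() and not task.cancelled() and task.exception() is None

def _discard(task):
    # Losing attempt: abort it if still running, tear it down if the RS already answered.
    if not task.done():
        task.cancel()
    elif _succeeded(task):
        task.result().close()

async def connect_preferring_dtls(connect_dtls, connect_tls, dtls_grace=0.25):
    """Race both transports; keep DTLS unless it fails or trails TLS by more than dtls_grace s."""
    dtls = asyncio.create_task(connect_dtls())
    tls = asyncio.create_task(connect_tls())
    await asyncio.wait({dtls, tls}, return_when=asyncio.FIRST_COMPLETED)
    if not dtls.done():
        # TLS settled first: if it succeeded, give DTLS a bounded head start; if it
        # failed (e.g. TCP blocked), DTLS is the only option left, so wait for it.
        await asyncio.wait({dtls}, timeout=dtls_grace if _succeeded(tls) else None)
    if _succeeded(dtls):
        chosen, loser = dtls, tls
    else:
        await asyncio.wait({tls})
        if not _succeeded(tls):
            raise ConnectionError("neither DTLS nor TLS reached the RS")
        chosen, loser = tls, dtls
    _discard(loser)
    return chosen.result()

def simulate(dtls_delay, tls_delay, dtls_ok=True, tls_ok=True):
    """Run the race with constructed connectors (no network); returns (winner, torn-down transports)."""
    created = []
    def fake(name, delay, ok):
        async def attempt():
            await asyncio.sleep(delay)           # constructed handshake latency
            if not ok:
                raise ConnectionRefusedError(f"{name} blocked (constructed)")
            created.append(Channel(name))
            return created[-1]
        return attempt
    chosen = asyncio.run(connect_preferring_dtls(fake("dtls", dtls_delay, dtls_ok), fake("tls", tls_delay, tls_ok)))
    return chosen.transport, [c.transport for c in created if c.closed]
```

simulate(0.05, 0.0) models the RS answering on both transports: TLS wins the race, DTLS lands inside the grace period, so the Client keeps DTLS and closes the TLS session.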