Re: [Ace] Robert Wilton's No Objection on draft-ietf-ace-cmpv2-coap-transport-09: (with COMMENT)
Mohit Sahni <msahni@paloaltonetworks.com> Mon, 08 May 2023 20:07 UTC
Return-Path: <prvs=149202be89=msahni@paloaltonetworks.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D03B9C169526 for <ace@ietfa.amsl.com>; Mon, 8 May 2023 13:07:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=paloaltonetworks.com header.b="piisxnvs"; dkim=pass (2048-bit key) header.d=paloaltonetworks.com header.b="LV8obD1O"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y3YsQEF76tHm for <ace@ietfa.amsl.com>; Mon, 8 May 2023 13:07:03 -0700 (PDT)
Received: from mx0b-00169c01.pphosted.com (mx0a-00169c01.pphosted.com [67.231.148.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1C4CC14CE4C for <ace@ietf.org>; Mon, 8 May 2023 13:07:03 -0700 (PDT)
Received: from pps.filterd (m0045114.ppops.net [127.0.0.1]) by mx0a-00169c01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 348GFeGt021324 for <ace@ietf.org>; Mon, 8 May 2023 12:22:41 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paloaltonetworks.com; h=mime-version : references : in-reply-to : from : date : message-id : subject : to : cc : content-type; s=PPS12012017; bh=E+MQH7AYDIBDjT8voLC/Lfh6FwrGOp5ziiw1FmYVlSs=; b=piisxnvs0LHYcBbC5cHFFtoCFp1OibPbxjlYjAKoY/doTFmLzVOWb0PuhkwMhK7xfbWv bs/6cZ4nkTHAHKrXoochoQacca2sxLKG6+Gjyrhitnp85eXqnyg9QZgNax8FyEHBhh/f AGvR0zfidJwK7ojD0XuQYEbCJrYt5mZlXpVHJ1+UkITrezDQaSWVXC0RUW21pAzDMf0j qnrQr727VM5X5Fhtm6qoXQlsrLa0tzyatf2ZterXmNtZqKGj/4DJprZGi0Dax/WmhEvU rKg0p1Src/tYGtukU06bZFh6E6oaGIyFZwjFne30UGkZLJNgn5kxrKIZSyRTejxMPq0R pw==
Received: from mail-yb1-f197.google.com (mail-yb1-f197.google.com [209.85.219.197]) by mx0a-00169c01.pphosted.com (PPS) with ESMTPS id 3qdjwphfae-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for <ace@ietf.org>; Mon, 08 May 2023 12:22:41 -0700
Received: by mail-yb1-f197.google.com with SMTP id 3f1490d57ef6-b9a7e3fc659so11400955276.1 for <ace@ietf.org>; Mon, 08 May 2023 12:22:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paloaltonetworks.com; s=google.paloaltonetworks.com; t=1683573759; x=1686165759; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=E+MQH7AYDIBDjT8voLC/Lfh6FwrGOp5ziiw1FmYVlSs=; b=LV8obD1OE/NoqGjzw6irO/3fQQtrj3wFfhtXw+YMaddMIx1efHUY1O3xsijbX+evIq 9NF5g2Wco92ASsZ6h9TZ0Qov1U/E95U9FOYEdOCip+FpyUbxkGXyaboh7uYds2OmmsqU SIlwVpL1z/uIGjvHjMbtLytXHtVaclsNGwT+eMVh3k7KxzP5egkdAyFQ2JC+1u6nRMps xtxBb2vXGS2uqWGhQ23qK/PXpgn9jL+Ousv5TcptPnZrrUnyrsm9HxINtksOEN/TwsWh dF42Gr9gfznKytAwjJjKpvYz3NmMheKkoi4HBDwWIxXHKFbRgG4BBVdBYy8dFOzzEHn2 dv6A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1683573759; x=1686165759; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=E+MQH7AYDIBDjT8voLC/Lfh6FwrGOp5ziiw1FmYVlSs=; b=kzfX/4siWr410T1bbF/smlS/cWBClytZqFqCU/TEW0qoU9v8eSyOmljBF6DIMMEX4E ONhYQxU6lRpNQsMq3j/QLTcUOb6tErjMpIOhVTuFTM+TrrmpawnZjjx9+bc8Buw0VSJo iJunnt0bCO3J+p6PBTkw7fWdg4wUUap0t2h0QqNxL534gOgER46ZGT1ZLUSKJ5w2X3AS ISe+khC/HXrRqAXib1OUoXyoDhgrspqidrS56fy/PQEfp134uXHBRVUkwsXlEd5WUBRk Air9altA7jqGio3hSuL1RMILPZBk4BYbJqEV7sKt8RKqqsrZzH3ldby6h3bjocWRKhBg ymzA==
X-Gm-Message-State: AC+VfDyHKxYLQQu3mfCaDyoCD7z7s4ti/MtSwaU7m4HObMmPnv/+D7hY GYGNERLZdRpO6OtbAfK8vHl1FsKuNZSxbZWsaHepr1EfcgZtNjobLoTFcv2seh7VgjcoFQgLtpc Uh6j1gLZLf7Ec8bjyWfo=
X-Received: by 2002:a25:ad65:0:b0:ba1:6097:43b1 with SMTP id l37-20020a25ad65000000b00ba1609743b1mr12892602ybe.57.1683573759604; Mon, 08 May 2023 12:22:39 -0700 (PDT)
X-Google-Smtp-Source: ACHHUZ5H+zdrfV6QQB4sAo56kICMo++DRr/pjKl/lHNdvJWT+zu1EZpPL1zpI+PXd845SoRHjVRVAcFQu+qbY4GN5ZY=
X-Received: by 2002:a25:ad65:0:b0:ba1:6097:43b1 with SMTP id l37-20020a25ad65000000b00ba1609743b1mr12892584ybe.57.1683573759289; Mon, 08 May 2023 12:22:39 -0700 (PDT)
MIME-Version: 1.0
References: <168232523881.18618.3714297471720000853@ietfa.amsl.com>
In-Reply-To: <168232523881.18618.3714297471720000853@ietfa.amsl.com>
From: Mohit Sahni <msahni@paloaltonetworks.com>
Date: Mon, 08 May 2023 12:22:28 -0700
Message-ID: <CAMRcsGTJwXKtJC9SZRkU34nG-hqLw0pNt1XxbbxO9JjzzWn3Zw@mail.gmail.com>
To: Robert Wilton <rwilton@cisco.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-ace-cmpv2-coap-transport@ietf.org, ace-chairs@ietf.org, ace@ietf.org, mglt.ietf@gmail.com
Content-Type: multipart/alternative; boundary="000000000000e04f6d05fb338fad"
X-Proofpoint-GUID: I7nfTWjySlCptPCmC2kNq1aHVsxyufyJ
X-Proofpoint-ORIG-GUID: I7nfTWjySlCptPCmC2kNq1aHVsxyufyJ
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-05-08_13,2023-05-05_01,2023-02-09_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 phishscore=0 spamscore=0 suspectscore=0 adultscore=0 malwarescore=0 impostorscore=0 mlxscore=0 lowpriorityscore=0 clxscore=1015 priorityscore=1501 mlxlogscore=999 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2303200000 definitions=main-2305080128
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/T7AgZIgndVWy3e51muZcHCRsonM>
Subject: Re: [Ace] Robert Wilton's No Objection on draft-ietf-ace-cmpv2-coap-transport-09: (with COMMENT)
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 May 2023 20:07:07 -0000
Hi Robert, Many thanks for your review and comments. Please see my response below: > (1) p 2, sec 2.1. CoAP URI Format >Presumably the goal here is to keep the URLs reasonable short, is that worth stating at all? <M.S.>I left that out as it's implicit when using CoAP protocol. > (2) p 3, sec 2.3. CoAP Request Format >Noting that this is using RFC 2911 language, is this requirement specific to CMP over CoAP, or is this just restating CoAP behaviour. <M.S.> It's to avoid any ambiguity in what server should send and what client should expect. >(3) p 4, sec 2.4. CoAP Block-Wise Transfer Mode >It wasn't entirely obvious to me as to what entity "the server" is referring to in this paragraph. Perhaps worth being more specific? <M.S.> I will make it more clear that the server is referring to CA/RA in this case. >(4) p 4, sec 2.6. Announcement PKIMessage > I found this text very slightly confusing. E.g., the first part of the sentence is about supporting announcement messages, and the second part is about response codes. I presume that this is about replying to the register messages, but perhaps this could be made a bit clearer. <M.S.> The reference is in the previous paragraph where the path is mentioned """ The EE can send a GET request to the server's URI suffixed by "/ann". """ >(5) p 4, sec 2.6. Announcement PKIMessage >Would it be helpful to define or give guidance as what sort of period is recommended here (e.g., once per day, or once per year)? <M.S.> This is very implementation specific and how may resources server has and server may even have unexpected restarts. Therefore I did not provide a specific period here. >(6) p 5, sec 3. Proxy Support >Perhaps: "It is out of scope of this document to specify how a reverse ..." <M.S.> I will update the draft with your recommendation. > (8) p 5, sec 4. Security Considerations >Possibly a question for the SEC ADs, but would "without compromising the integrity of " be better than "without compromising the security" (given CMP does not provide confidentiality, as stated below)? <M.S.> This line has been rephrased quite a few times based on input from different reviewers. I did not receive a reply from SEC ADs on this comment. >(9) p 4, sec 2.6. Announcement PKIMessage >Suggest: "reason server" => "reason, the server" <M.S.> I will update the draft with your recommendation. >(10) p 5, sec 3. Proxy Support >Suggest: is same => is the same. I also suggest starting a new paragraph from "Since the". <M.S.> I will update the draft with your recommendation. >(11) p 6, sec 4. Security Considerations >Perhaps "avoid small datagrams" => "avoid sending small datagrams"? <M.S.> I will update the draft with your recommendation. >(12) p 6, sec 4. Security Considerations >Suggest "Proxy can" => "The proxy can" <M.S.> I will update the draft with your recommendation. Thanks Mohit On Mon, May 8, 2023 at 12:02 PM Robert Wilton via Datatracker < noreply@ietf.org> wrote: > Robert Wilton has entered the following ballot position for > draft-ietf-ace-cmpv2-coap-transport-09: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to > https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_about_groups_iesg_statements_handling-2Dballot-2Dpositions_&d=DwICaQ&c=V9IgWpI5PvzTw83UyHGVSoW3Uc1MFWe5J8PTfkrzVSo&r=J7DgfMyeL26OZuy8d3qTy_h24Ff1NatxSKMgDUj2Kxg&m=RKLav3_i3qmtpZB0CSaJvGZjZt52RTzqEQ_xXH0RqWLzn2qGHhENuIm3IT3QAExo&s=rFCJTzmdbZK4jYo6WHcc1OlY2x6krfL1zk_cpjadY7U&e= > > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > > https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Dietf-2Dace-2Dcmpv2-2Dcoap-2Dtransport_&d=DwICaQ&c=V9IgWpI5PvzTw83UyHGVSoW3Uc1MFWe5J8PTfkrzVSo&r=J7DgfMyeL26OZuy8d3qTy_h24Ff1NatxSKMgDUj2Kxg&m=RKLav3_i3qmtpZB0CSaJvGZjZt52RTzqEQ_xXH0RqWLzn2qGHhENuIm3IT3QAExo&s=hu4pAqCVPpm8TtCb8rJNVK1_-7MCiwwx4MXt-3WOixQ&e= > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Hi, > > Thanks for this document. > > I have some minor comments/suggestions that may improve this document: > > Minor level comments: > > (1) p 2, sec 2.1. CoAP URI Format > > coap://www.example.com/.well-known/cmp > coap://www.example.com/.well-known/cmp/<operation> > coap://www.example.com/.well-known/cmp/p/<name> > coap://www.example.com/.well-known/cmp/p/<name>/<operation> > > Presumably the goal here is to keep the URLs reasonable short, is that > worth > stating at all? > > (2) p 3, sec 2.3. CoAP Request Format > > If the CoAP request is > successful then the server MUST return a Success 2.xx response code > otherwise server MUST return an appropriate Client Error 4.xx or > Server Error 5.xx response code. > > Noting that this is using RFC 2911 language, is this requirement specific > to > CMP over CoAP, or is this just restating CoAP behaviour. > > (3) p 4, sec 2.4. CoAP Block-Wise Transfer Mode > > A CMP PKIMesssage consists of a header, body, protection, and > extraCerts structures which may contain many optional and potentially > large fields. Thus a CMP message can be much larger than the Maximum > Transmission Unit (MTU) of the outgoing interface of the device. The > EEs and RAs or CAs, MUST use the Block-Wise transfer mode [RFC7959] > to transfer such large messages instead of relying on IP > fragmentation. > If a CoAP-to-HTTP proxy is in the path between EEs and CA or EEs and > RA then, if the server supports, it MUST use the chunked transfer > encoding [RFC9112] to send data over the HTTP transport. The proxy > MUST try to reduce the number of packets sent by using an optimal > chunk length for the HTTP transport. > > It wasn't entirely obvious to me as to what entity "the server" is > referring to > in this paragraph. Perhaps worth being more specific? > > (4) p 4, sec 2.6. Announcement PKIMessage > > If the server supports CMP Announcements messages, then it MUST send > appropriate Success 2.xx response code, otherwise it MUST send an > appropriate Client Error 4.xx or Server Error 5.xx response code. > > I found this text very slightly confusing. E.g., the first part of the > sentence is about supporting announcement messages, and the second part is > about response codes. I presume that this is about replying to the > register > messages, but perhaps this could be made a bit clearer. > > (5) p 4, sec 2.6. Announcement PKIMessage > > A client on receiving a 2.xx success > response without the Observe option [RFC7641] MAY try after some time > to register again for announcements from the CMP server. Since > server can remove the EE from the list of observers for announcement > messages, an EE SHOULD periodically re-register itself for > announcement messages. > > Would it be helpful to define or give guidance as what sort of period is > recommended here (e.g., once per day, or once per year)? > > (6) p 5, sec 3. Proxy Support > > The CoAP-to-HTTP proxy can either be located closer to the EEs or > closer to the RA or CA. The proxy MAY support service discovery and > resource discovery as described in section 2.2. The CoAP-to-HTTP > proxy MUST function as a reverse proxy, only permitting connections > to a limited set of pre-configured servers. > > Given the RFC 2119 MUST, is there a definition or reference as to what is > meant > by reverse proxy? > > (7) p 5, sec 3. Proxy Support > > It is out of scope of > this document on how a reverse proxy can route CoAP client requests > to one of the configured servers. Some recommended mechanisms are as > follows: > > Perhaps: "It is out of scope of this document to specify how a reverse ..." > > (8) p 5, sec 4. Security Considerations > > * If PKIProtection is used, the PKIHeader and PKIBody of the CMP > protocol are cryptographically protected against malicious > modifications. As such, UDP can be used without compromising the > security of the CMP protocol. Security Considerations for CoAP > are defined in [RFC7252]. > > Possibly a question for the SEC ADs, but would "without compromising the > integrity of " be better than "without compromising the security" (given > CMP > does not provide confidentiality, as stated below)? > > Nit level comments: > > (9) p 4, sec 2.6. Announcement PKIMessage > > If > for some reason server cannot add the client to its list of observers > for the announcements, it can omit the Observe option [RFC7641] in > the response to the client. > > Suggest: "reason server" => "reason, the server" > > (10) p 5, sec 3. Proxy Support > > This section provides guidance on using a CoAP-to-HTTP proxy between > EEs and RAs or CAs in order to avoid changes to the existing PKI > implementation. Since the CMP payload is same over CoAP and HTTP > transfer mechanisms, a CoAP-to-HTTP cross-protocol proxy can be > implemented based on section 10 of [RFC7252]. > > Suggest: is same => is the same. I also suggest starting a new paragraph > from > "Since the". > > (11) p 6, sec 4. Security Considerations > > * Implementations SHOULD use the available datagram size and avoid > small datagrams containing partial CMP PKIMessage data in order to > reduce memory usage for packet buffering. > > Perhaps "avoid small datagrams" => "avoid sending small datagrams"? > > (12) p 6, sec 4. Security Considerations > > * A CoAP-to-HTTP proxy can also protect the PKI entities by handling > UDP and CoAP messages. Proxy can mitigate attacks like denial of > service attacks, replay attacks and resource-exhaustion attacks by > enforcing basic checks like validating that the ASN.1 syntax is > compliant to CMP messages and validating the PKIMessage protection > before sending them to PKI entities. > > Suggest "Proxy can" => "The proxy can" > > > >
- [Ace] Robert Wilton's No Objection on draft-ietf-… Robert Wilton via Datatracker
- Re: [Ace] Robert Wilton's No Objection on draft-i… Mohit Sahni