[Ace] DTLS proxy in EST-coaps
Michael Richardson <mcr+ietf@sandelman.ca> Fri, 17 November 2017 01:16 UTC
From: Michael Richardson <mcr+ietf@sandelman.ca>
to: ace@ietf.org
In-Reply-To: <8736.1510870569@obiwan.sandelman.ca>
References: <dc29b128ae34d174f729f4d22cb1e489@xs4all.nl> <HE1P121MB0012C2A56A83DB5B004E3BE08D2E0@HE1P121MB0012.EURP121.PROD.OUTLOOK.COM> <0ad947db-efdc-ebcc-1b6f-6dd8b1074259@cisco.com> <8736.1510870569@obiwan.sandelman.ca>
Date: Thu, 16 Nov 2017 20:16:35 -0500
Message-ID: <17202.1510881395@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/WL7ZM0QvzRcFJzcy4CTUN2bfiBo>
Subject: [Ace] DTLS proxy in EST-coaps

Hi, I'm slowly absorbing the contents of draft-vanderstok-ace-coap-est-02.

I'm building draft-ietf-6tisch-zerotouch-join with the assumption that it might run over DTLS, use EDHOC w/OSCORE, or some DTLS-over-CoAP mechanism.

I looked through section 6, and I don't understand why COAPS would be used from the Registrar through an ESTcoaps-to-HTTPS Proxy to the MASA. The Registrar is not in the constrained networks, and can speak HTTPS just fine. That's why we proxy the COAPS traffic to the Registrar, so that the Registrar does not have to live (entirely) in the constrained network.

So, in the ANIMA BRSKI context, we have the Join Proxy to connect the insecure (unencrypted) network with the JRC, as we cannot assume the registrar (JRC) is within radio distance of all pledges.

For EDHOC and DTLS-over-COAP, we can use the option as described in draft-ietf-6tisch-minimal-security section 5.1 to keep the proxy stateless.

For DTLS, I thought we had a few IDs on how to relay DTLS in a stateless manner. I can't seem to find any (Yes, I did look through expired drafts too).

Are there some options for DTLS? Is there a way to statelessly (on the join proxy) relay traffic?

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =-