[Ace] DTLS proxy in EST-coaps

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 17 November 2017 01:16 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: ace@ietf.org
In-Reply-To: <8736.1510870569@obiwan.sandelman.ca>
References: <dc29b128ae34d174f729f4d22cb1e489@xs4all.nl> <HE1P121MB0012C2A56A83DB5B004E3BE08D2E0@HE1P121MB0012.EURP121.PROD.OUTLOOK.COM> <0ad947db-efdc-ebcc-1b6f-6dd8b1074259@cisco.com> <8736.1510870569@obiwan.sandelman.ca>
Date: Thu, 16 Nov 2017 20:16:35 -0500
Message-ID: <17202.1510881395@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/WL7ZM0QvzRcFJzcy4CTUN2bfiBo>
Subject: [Ace] DTLS proxy in EST-coaps

Hi,

I'm slowly absorbing the contents of draft-vanderstok-ace-coap-est-02.
I'm building draft-ietf-6tisch-zerotouch-join with the assumption that it
might run over DTLS, use EDHOC w/OSCORE, or some DTLS-over-CoAP mechanism.

I looked through section 6, and I don't understand why COAPS would be used
from the Registrar through an ESTcoaps-to-HTTPS Proxy to the MASA. The
Registrar is not in the constrained networks, and can speak HTTPS just fine.
That's why we proxy the COAPS traffic to the Registrar, so that the
Registrar does not have to live (entirely) in the constrained network.

So, in the ANIMA BRSKI context, we have the Join Proxy to connect the insecure
(unencrypted) network with the JRC as we can not assume the registrar (JRC) is
within radio distance of all pledges.

For EDHOC and DTLS-over-COAP, we can use the option as described
in draft-ietf-6tisch-minimal-security section 5.1 to keep the proxy
stateless.

For DTLS, I thought we had a few IDs on how to relay DTLS in a stateless manner.
I can't seem to find any (Yes, I did look through expired drafts too).

Are there some options for DTLS?
Is there a way to statelessly (on the join proxy) relay traffic?

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
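The stateless relay the message refers to (the CoAP-carried case, in the spirit of draft-ietf-6tisch-minimal-security section 5.1) can be modelled as follows. This is an added example written for this page, not code from the draft, the author, or any project: the proxy carries the pledge's return address in an opaque, HMAC-authenticated option that the JRC echoes back, so the proxy keeps no per-pledge table and cannot be tricked into sending a response to an address it did not itself encode. The byte layout (16-byte IPv6 address, 2-byte port, 8-byte truncated tag), the dict-based message model and all names are assumptions for illustration, not the draft's wire format. It does not address the DTLS case the message asks about.

```python
"""Toy model of a stateless join proxy (illustrative, not a draft implementation).

Instead of a per-pledge state table, the proxy wraps the pledge's return
address in a token that only it can verify, attaches it to the forwarded
request, and recovers the address from the echoed token on the way back.
"""
import hashlib
import hmac
import ipaddress
import secrets
import struct

TAG_LEN = 8  # truncated HMAC-SHA256 tag; assumed size for this toy model
TOKEN_LEN = 16 + 2 + TAG_LEN  # IPv6 address + UDP port + tag


class StatelessJoinProxy:
    def __init__(self, key=None):
        # The key never leaves the proxy. A fresh random key per boot is
        # enough because a token only has to survive one request/response.
        self.key = key or secrets.token_bytes(32)

    def wrap(self, addr, port):
        """Encode (addr, port) into an authenticated opaque token."""
        body = ipaddress.IPv6Address(addr).packed + struct.pack("!H", port)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag

    def unwrap(self, token):
        """Verify a token and recover (addr, port); reject anything tampered."""
        if len(token) != TOKEN_LEN:
            raise ValueError("bad token length")
        body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("token authentication failed")
        addr = str(ipaddress.IPv6Address(body[:16]))
        port = struct.unpack("!H", body[16:18])[0]
        return addr, port

    def pledge_to_jrc(self, src_addr, src_port, payload):
        # Forwarded request: payload untouched, return address as an option.
        return {"payload": payload, "stateless_proxy": self.wrap(src_addr, src_port)}

    def jrc_to_pledge(self, response):
        # No lookup: the destination comes from the echoed token itself.
        addr, port = self.unwrap(response["stateless_proxy"])
        return addr, port, response["payload"]


def jrc_handle(request):
    """The JRC treats the option as opaque and echoes it back unchanged."""
    return {"payload": b"join-response", "stateless_proxy": request["stateless_proxy"]}


def demo(proxy=None):
    """One full round trip with a constructed pledge address and port."""
    proxy = proxy or StatelessJoinProxy()
    req = proxy.pledge_to_jrc("fe80::1234", 5683, b"join-request")
    resp = jrc_handle(req)
    return proxy.jrc_to_pledge(resp)  # returns ('fe80::1234', 5683, b'join-response')


def forged_token_rejected(proxy, addr="fe80::1", port=1):
    """A token for an address the proxy never encoded (wrong tag) is rejected."""
    body = ipaddress.IPv6Address(addr).packed + struct.pack("!H", port)
    forged = body + bytes(TAG_LEN)
    try:
        proxy.unwrap(forged)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    p = StatelessJoinProxy()
    print(demo(p))
    print("forged token rejected:", forged_token_rejected(p))
```

The security point is the tag: without it, anyone able to reach the JRC path could hand the proxy a token naming an arbitrary address and turn it into a reflector. With it, the proxy only ever relays responses to addresses it encoded itself, while still holding no state between the two halves of the exchange.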