[Ace] AD review of draft-ietf-ace-cmpv2-coap-transport-04
Benjamin Kaduk <kaduk@mit.edu> Mon, 14 February 2022 19:24 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19F0F3A0C3E; Mon, 14 Feb 2022 11:24:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4uumyRtSgjaZ; Mon, 14 Feb 2022 11:24:31 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12DDC3A0BD2; Mon, 14 Feb 2022 11:24:30 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 21EJMHti004373 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 14 Feb 2022 14:22:23 -0500
Date: Mon, 14 Feb 2022 11:22:17 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: draft-ietf-ace-cmpv2-coap-transport.all@ietf.org
Cc: ace@ietf.org
Message-ID: <20220214192217.GA12881@kduck.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/ZEaQ0J8AhNx0VkI2q0R3-7wuXTM>
Subject: [Ace] AD review of draft-ietf-ace-cmpv2-coap-transport-04
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Feb 2022 19:24:36 -0000
Hi all, Jumping right in... I guess this is probably more of a comment on draft-ietf-lamps-cmp-updates, but since we are duplicating some of its content I will still call it out as a as a serious concern. My concern relates to the usage of the "cmp" well-known URI -- we hvae some text in §2.1 that effectively says that a local site can just put more path segments under that path at its own discretion, and there's not even any restrictions made on the structucture of the additional path segments -- the next segment could be an operational label or a profile label, in the examples given. This seems entirely at odds with the purpose of well-known URIs as per RFC 8615 -- they are to be URIs whose semantics are entirely specified by a protocol specification and are *not* subject to local operator control. While it is possible for a specification to introduce additional structure under its registered well-known path, it's expected that the semantics of those subtrees are still specified by the protocol, and any extensions are to be managed by a (sub-)registry. See, for example, §8.3.2 of RFC 8995, that establishes a sub-registry for the path components under /.well-known/brski . Any changes here will of course need to be synchronized with draft-ietf-lamps-cmp-updates, but I don't think this draft can go forward in its current form. Abstract This document specifies the use of Constrained Application Protocol (CoAP) as a transfer mechanism for the Certificate Management Protocol (CMP). purpose of certificate creation and management. Is the last quoted sentence (fragment) an editing artifact or is there supposed to be more content there? CoAP is an HTTP like client-server protocol used by various constrained devices in the IoT space. nit: hyphenate "HTTP-like" Section 1 messages. The Constrained Application Protocol (CoAP) defined in [RFC7252], [RFC7959] and [RFC8323] is a client-server protocol like HTTP. It is designed to be used by constrained devices over (editorial) I would suggest putting a paragraph break before talking about CoAP. Section 2.2 If the port number is not specified in the authority, then port 5683 MUST be assumed for the "coap://" scheme and port 5684 MUST be assumed for the "coaps://" scheme. If I'm not mistaken, these ports 5683/5684 are the normal default ports for coap/coaps, as mandated by RFC 7252. We don't need to restate that requirement using normative keywords, as the normative requirement is made in RFC 7252. Instead (if anything), we should just provide a statement of fact, e.g., "the default port for coap: scheme URIs is 5683 and the default port for coaps: scheme URIs is 5684 [RFC7252]". But really, we should be able to expect people to know to find the deafult port for a given URI scheme. Section 2.3 CoAP POST request. A CMP client SHOULD send CoAP requests marked as Confirmable message ([RFC7252] section 2.1). If the CoAP request is nit: singular/plural mismatch "message"/"requests". Since we use the singular in the next sentence, going to singular here is probably best, e.g., "SHOULD send each CoAP request marked as a Confirmable message". successful then the server MUST return a "2.05 Content" response code. [...] Perhaps I am reading too much into the analogy between HTTP and CoAP and thus to the applicability of draft-ietf-httpbis-bcp56bis (currently with the RFC Editor), but it doesn't seem terribly useful to name a specific response code here. The standard CoAP semantics apply, and we could probably just say that "the paylaod of a successful response contains the DER-encoded ...". When transferring CMP PKIMesssage over CoAP the media type "application/pkixcmp" MUST be used. Do we want to say media type or content-format here? Section 2.4 These structures may contain many optional and potentially large fields, a CMP message can be much larger than the Maximum Transmission Unit (MTU) of the outgoing interface of the device. [...] nit: comma splice MUST be used for the CMP Transactions over CoAP. If a CoAP-to-HTTP proxy is in the path between EEs and CA or EEs and RA then it MUST receive the entire body from the client before sending the HTTP request to the server. [...] It will be interesting to see what the ART and transport reviewers think of this guidance. It seems like it is technically possible for the proxy to use a chunked encoding and stream the message without buffering, and it's not immediately clear to me that the cost of having to buffer chunks for reassembly outweights the cost of maintaining an HTTP connection in the current threat model. Also, nit: I would suggest using "EE" singular in both instances. This will avoid unnecessary errors in case the entire content of the PKIMesssage is not received and the proxy opens a connection with the server. I'm not sure I understand where these errors are such that they would be "unnecessary". The client will certainly see an error condition even if not an error CoAP response, and the proxy will see an error condition of an incomplete request. So I guess that would just leave the CA or RA as being protected from an error condition, but I don't really see why they need to be protected from them. Isn't the occasional incomplete request just part of normal operation on best-effort networks? Section 2.6 As there are no request messages specified for these announcement messages, an EE MAY use CoAP Observe option [RFC7641] in the Get request to the CMP server's URI followed by "/ann" to register itself for any Announcements messages. [...] This is a pretty awkward sentence construction; I assume because it tries to allow for the flexibility in use of /.well-known/cmp/ that I complained about earlier. Just saying that you can use Observe with a Get request to the /.well-known/cmp/ann resource is much simpler to state. If the server supports CMP Announcements messages, then it can respond with response code 2.03 "Valid", otherwise with response code 4.04 "Not Found". [...] This reads a lot like we're trying to say that 2.03 and 4.04 are the only options, which BCP 56 (bis) says is an anti-pattern. If for some reason server cannot add the client to its list of observers for the nit: "the server" announcements, it can omit the Observe option [RFC7641] in the 2.03 response to the client. A client on receiving 2.03 response without nit: "a 2.03 response" Observe option [RFC7641] can try after some time to register again for announcements from the CMP server. nit: "the Observe option" Alternatively an EE MAY poll for the potential changes via "PKI nit: comma after "alternatively" Information" request using "PKI General Message" defined in the PKIMessage [RFC4210] for various type of changes like CA key update "PKI General Message" is a "PKIBody" type conveyed within the PKIMessage. Is it more clear to say something like '''using the "PKI General Message" choice for the PKIBody of the PKIMessage [RFC4210]'''? (editorial) I'd also suggest ending the sentence there, and starting a new sentence to list the common types of changes that would be polled for, perhaps as "This procedure allows the EE to receive various types of changes, like ..." or to get current CRL [RFC5280] to check revocation or using Support messages defined in section 5.4 of Lightweight CMP Profile [I-D.ietf-lamps-lightweight-cmp-profile] . [...] The Support messages seem to be in §4.3 of the lightweight profile now (not 5.4). Also (editorial), the list structure here seems hard to follow ("like <A> or <B> to <X> to <Y> or using <C>". There are no list separators (e.g., commas), and there is not clear parallelism between the structure of each list item (e.g., the last one is just "using Support messages" but the lead-in to the list is "various types of changes like" -- "combining those to "various types of changes like using Support messages" doesn't make a coherent clause ... so it's unclear if it's supposed to be part of the same list or not). It will also simplify the implementation of CoAP-to-HTTP proxy. nit: singular/plural mismatch (the singular would need an article, for "a CoAP-to-HTTP proxy"). Section 3 Although CMP protocol does not depend upon the underlying transfer mechanism for protecting the messages but in cases when an end to end secrecy is desired for the CoAP, CoAP over DTLS [I-D.ietf-tls-dtls13] SHOULD be used. [...] I'm not sure I understand what you mean by "end-to-end secrecy" for CoAP here -- DTLS is going to terminate at the closest entity that's named at the CoAP layer, which could include a CoAP or CoAP/HTTP proxy. Full end-to-end secrecy between client and origin server would require an object sercurity mechanism like OSCORE. DTLS would provide confidentiality protection against intermediate nodes at the IP layer, but that's only end-to-end in a certain sense. Also, nits: "end-to-end" is hyphenated as an adjective, "the CMP protocol", and s/ but/,/ Section 9.1 of [RFC7252] defines how to use DTLS [I-D.ietf-tls-dtls13] for securing the CoAP. Once a DTLS [I-D.ietf-tls-dtls13] connection is established it SHOULD be used for as long as possible to avoid the frequent overhead of setting up a DTLS [I-D.ietf-tls-dtls13] connection for constrained devices. nit: for DTLS we typically talk about an "association" rather than a "connection" (though the latest DTLS 1.3 draft does allow "connection" as a synonym for "association"). Section 4 In case the proxy is deployed closer to the EEs then it may also support service discovery and resource discovery as described in section 2.2. [...] Why does being closer to the RA or CA obviate the proxy from supporting service and resource discovery? Won't there still be a need to expose the resources to the CoAP network regardless of how close it is to the EEs? o Use separate hostnames for each of the configured servers and then use Server Name Indication ( [RFC8446] ) in case of "coaps://" scheme for routing CoAP requests. RFC 6066 is probably a better reference for SNI than RFC 8446. Also, there still needs to be Uri-Host even when SNI is used, and the proxy needs to enforce that the two values match, in order to protect against request-smuggling attacks. Section 5 Should we say anything about how failing to receive announcement messages in a timely fashion can cause the EE to miss revocation events (and maybe other things as well)? CoAP Observe notes that it is only a "best-effort" approach and the server could lose state about subscribed clients, which is probably worth re-emphasizing. We might also note that the use of DTLS can provide confidentiality protection for CMP-level metadata (though probably cannot obscure the fact that CMP is in use). I would also suggest making a statement about what security properties are required from a CoAP/HTTP proxy. Since CMP itself provides end-to-end protections, I expect these requirements to be fairly weak (i.e., we don't need to trust the operator of it with any sensitive plaintexts), but it seems worth stating what considerations may arise. The CMP protocol depends upon various mechanisms in the protocol itself for making the transactions secure therefore security issues of CoAP due to using UDP do not carry over to the CMP layer. [...] I think what we're trying to emphasize here is "using UDP without cryptographic protections for message confidentiality and integrity", since we go on to talk about how the connectionless nature of UDP remains an issue. Also, nit: comma before "therefore". In order to to reduce the risks imposed by DoS attacks, the implementations SHOULD minimize fragmentation of messages, i.e. avoid small packets containing partial CMP PKIMessage data. Up in §2.4 we said ("MUST"!) to use block-wise transfer to avoid (IP) fragmentation. Does this guidance apply to only IP fragmentation as well, or also to CoAP-layer "fragmentation" (i.e., block-wise transfer)? The latter seems nearly impossible to achieve, given that the X.509 structures used by CMP are unchanged by this transport and are likely to be too large for a single datagram. A CoAP-to-HTTP proxy can also protect the PKI entities from various attacks by enforcing basic checks and validating messages before sending them to PKI entities. [...] What's the motivation behind just using a vague phrase "various attacks" instead of listing more details of known attacks (while still stating that the explicit listing is incomplete)? Also, we should note that putting the proxy in this position causes the proxy itself to be at risk of attack. (In particular, our requirement for CoAP-to-HTTP proxies to buffer CoAP requests before initiating the outbound HTTP request subjects them to a resource-exhaustion attack.) Section 8.1 [RFC6712] Kause, T. and M. Peylo, "Internet X.509 Public Key The RFC Editor will surely fix this, but it's quite unusual to mix "Last, FI" and "FI. Last" format for names in the same reference. Section 8.2 I think DTLS 1.3 needs to be a normative reference based on how we give SHOULD-level guidance to use it. (I don't think we're specifically tied to 1.3, though, and if for some reason DTLS 1.3 still hasn't been published by the time this document is ready, we could swap it out for DTLS 1.2.) Section 8.3 The two URIs [1] and [2] seem to be identical; are they both needed? Thanks, Ben
- [Ace] AD review of draft-ietf-ace-cmpv2-coap-tran… Benjamin Kaduk
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Mohit Sahni
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Brockhaus, Hendrik
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Benjamin Kaduk
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Michael Richardson
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Brockhaus, Hendrik
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Brockhaus, Hendrik
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Brockhaus, Hendrik
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Mohit Sahni
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Mohit Sahni
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Brockhaus, Hendrik
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Daniel Migault
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Brockhaus, Hendrik
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Daniel Migault
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Brockhaus, Hendrik
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Daniel Migault
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Brockhaus, Hendrik
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Paul Wouters
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Daniel Migault