Re: [Ace] [Emu] New Version Notification for draft-ietf-ace-wg-coap-eap-04.txt

Göran Selander <goran.selander@ericsson.com> Mon, 06 December 2021 11:13 UTC


Hi Dan,

Please find my replies to your two questions about the update inline below.

Best regards
Göran



From: Dan Garcia Carrillo <garciadan@uniovi.es>

"The communication with the last resource (e.g. '/a/w') from this point MUST be protected with OSCORE except during a new (re)authentication (see Section 3.3)."

I don't understand why there is an exception. OSCORE seems to be applied to communication with the last resource in all cases:

* In the case of new authentication the procedure explained in Section 3.2 applies protection with OSCORE in communication with the last resource.
* In the case of re-authentication, the procedure is explained in Section 3.3 to be "exactly the same" as in Section 3.2.
[authors] Yes, we agree. We can remove that part from the sentence to avoid any confusion. Nevertheless, after your comment, it would be worth stating that if access to any other resource requires OSCORE protection, it can use the generated OSCORE context. Does it sound reasonable?

[GS] Yes, the established security context can be used between other resources if allowed by the application's security policy. Proposed rephrasing of step 8:

OLD

     "The IoT Device answers with '2.04 Changed' if the EAP
      authentication is a success and the verification of the "POST"
      protected with OSCORE in Step 7 is correctly verified.  The
      communication with the last resource (e.g. '/a/w') from this point
      MUST be protected with OSCORE.  Any other resource that requires
      OSCORE protection MAY be protected with this OSCORE security
      context."

NEW

     "If the EAP authentication and the verification of the OSCORE protected "POST"
      in Step 7 are successful, then the IoT Device answers with an OSCORE protected
      '2.04 Changed'. From this point on, the communication with the last resource
      (e.g. '/a/w') MUST be protected with OSCORE. If allowed by application policy,
      the same OSCORE security context MAY be used to protect communication to other
      resources between the same endpoints."


----

Another editorial comment referring to the recent update:


OLD
     "The reception of the POST
      message protected with OSCORE with Sender ID equal to RID-I
      (Recipient ID of the IoT device) sent in Step 2 is considered by
      the IoT device as an alternate indication of success ([RFC3748<https://datatracker.ietf.org/doc/html/rfc3748>])."


I would avoid the term Sender ID since it is all about verification of a received message, e.g. like this.


NEW

     "The verification of the received OSCORE protected "POST"
      message using RID-I (Recipient ID of the IoT device) sent in Step 2 is
      considered by the IoT device as an alternate indication of success
      ([RFC3748<https://datatracker.ietf.org/doc/html/rfc3748>])."

----

Section 5.1

"If the Controller sends a restricted list
   of ciphersuites that it is willing to accept, and the ones supported by
   the IoT device are not in that list, the IoT device will respond with
   a '4.00 Bad Request', expressing in the payload the ciphersuites
   supported."


Make clear (here or in a security consideration) that in case of an error message containing a cipher suite, the exchange of cipher suites between EAP authenticator and EAP peer cannot be verified. For example, a man-in-the-middle could replace cipher suites in either message which would not be noticed if the protocol is ended after step 2.


[authors] That's right. However, after your comments, we believe this could be improved. The reason is that by default we can assume that at least cipher suite 0 (AES-CCM-16-64-128, SHA-256) is implemented in both entities. As such, if the controller includes option 0 in the list of cipher suites, the controller will not receive a bad request, since the IoT device can at least select cipher suite 0, and therefore the authentication will follow until the end and the cipher suite negotiation can be verified. We think it is simpler and we can get rid of the bad request. Does it sound reasonable?

[GS] Sounds OK to me.
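The cipher suite handling discussed in the last two messages (the '4.00 Bad Request' path that ends the exchange before anything can be verified, versus always offering suite 0 so the run continues to the end) as an added Python sketch; this is not code from the thread or the draft. The transcript MAC, the key material and the suite numbers other than 0 are assumptions for illustration only; the draft's own binding of the negotiation is not specified in this thread.

```python
import hmac
import hashlib

# Cipher suite 0 (AES-CCM-16-64-128, SHA-256) is assumed mandatory-to-implement, as in the thread.
MANDATORY_SUITE = 0


def controller_offer(controller_supported):
    """Proposed rule: the Controller always offers suite 0, so the IoT device can
    always pick something and the '4.00 Bad Request' error path is never taken."""
    offer = list(controller_supported)
    if MANDATORY_SUITE not in offer:
        offer.append(MANDATORY_SUITE)
    return offer


def select_suite(offered, device_supported):
    """IoT device side: take the first offered suite it supports. None means the
    device would answer '4.00 Bad Request' listing its own suites (unverifiable)."""
    for cs in offered:
        if cs in device_supported:
            return cs
    return None


def negotiation_tag(key, offered, selected):
    """Assumed transcript binding (illustration, not the draft's mechanism): a MAC
    over the offered list and the chosen suite, keyed with material that only
    exists after EAP succeeds, so a modified offer is noticed at the end of the run."""
    transcript = b"offer:" + bytes(offered) + b"|selected:" + bytes([selected])
    return hmac.new(key, transcript, hashlib.sha256).digest()


def run_negotiation(controller_supported, device_supported, key, on_path=None):
    """Simulate one run; on_path optionally rewrites the offer while in transit."""
    offered = controller_offer(controller_supported)
    seen_by_device = on_path(offered) if on_path else offered
    selected = select_suite(seen_by_device, device_supported)
    if selected is None:
        # Protocol ends after step 2: nothing protects the lists exchanged so far.
        return {"status": "4.00 Bad Request", "selected": None, "verified": False}
    device_tag = negotiation_tag(key, seen_by_device, selected)
    controller_tag = negotiation_tag(key, offered, selected)
    return {"status": "2.04 Changed", "selected": selected,
            "verified": hmac.compare_digest(device_tag, controller_tag)}
```

With an on-path rewrite that strips a suite from the offer, the device still ends up on suite 0 and the run completes, but the tags disagree, which is exactly what the error path cannot show.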