[Anima] Re: Re-using the constrained Join Proxy solution defined by Thread
Esko Dijk <esko.dijk@iotconsultancy.nl> Mon, 08 December 2025 20:34 UTC
Return-Path: <esko.dijk@iotconsultancy.nl>
X-Original-To: anima@mail2.ietf.org
Delivered-To: anima@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 2C08D979B3CC for <anima@mail2.ietf.org>; Mon, 8 Dec 2025 12:34:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=iotconsultancy.nl
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SxBE_J-Tieko for <anima@mail2.ietf.org>; Mon, 8 Dec 2025 12:34:19 -0800 (PST)
Received: from dane.soverin.net (dane.soverin.net [IPv6:2a10:de80:1:4092:b9e9:2294:0:1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id D27D3979B3AE for <anima@ietf.org>; Mon, 8 Dec 2025 12:34:18 -0800 (PST)
Received: from smtp.soverin.net (unknown [10.10.4.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by dane.soverin.net (Postfix) with ESMTPS id 4dQDGq5KdSzv9; Mon, 08 Dec 2025 20:34:11 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [10.10.4.100]) by soverin.net (Postfix) with ESMTPSA id 4dQDGq2v3MzNh; Mon, 8 Dec 2025 20:34:11 +0000 (UTC)
Authentication-Results: smtp.soverin.net; dkim=pass (2048-bit key; unprotected) header.d=iotconsultancy.nl header.i=@iotconsultancy.nl header.a=rsa-sha256 header.s=soverin1 header.b=EOJZPREH; dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iotconsultancy.nl; s=soverin1; t=1765226051; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=DW/ifwMfd1vg/fdD+13iMQr/XrBNgg+ZplqNFL63WUA=; b=EOJZPREHyyMrX/st3pkLaDWwInGbli0fMYpEHp3r87AMpo13rNlhYJRXjhh4bj5bYmfXFF T5I///hoUKGrD3c8/5TRtGjd8bCY0el08M8TTl3O99VVGESfuXx7n7Sgo8uP3J3Zn3slmQ PXk8YlNzezGzmdFW/5LxBMPqa+jgQQblZ/34lff94dPKgAryBTQFoI1gBTmwCzCsrh45qO HVcvfHRuYvGl3Z/2C3eop9a3/3W7Wwj0GxY3FXgrfOl3Zd7c5/RL/Zj/3w19lrw10AHaZn l7erU3sir2gEu5P084rZ1/2ZwuhvsScFYDdt7oixsiof++T4VNCgM6J7X6ripw==
X-CM-Envelope: MS4xfEae62mK9GDzHq2N9Mtqvr6ErxJMuYIn4UEYaSOz0Ovyqnnhgfm3b5DxsO/Ur6AfzoHknw3VVS6iP4/lT1awCZfL8suDHhkI4QU/7d0wUrq5/sg6enI1 oRM3OcIhWZh32PgRMoBySvlEp09IdqCY+21530j7amiZlbG0bAiJDD1/AKIE0mHcVKoVn4+M0GPFF8/mPPodkL6hS3tiZzRc5AhA/fIHeRNhwRio5DfpAeHp
X-Soverin-Id: 019affab-f5b8-7e59-8ddd-93639b64956b
Content-Type: multipart/alternative; boundary="------------Yfz0FZo0TP0YtWD5P8edT2E8"
Message-ID: <b9e76ed9-20d9-4807-bd70-474665d8cf39@iotconsultancy.nl>
Date: Mon, 08 Dec 2025 21:34:10 +0100
MIME-Version: 1.0
To: Michael Richardson <mcr+ietf@sandelman.ca>, "anima@ietf.org" <anima@ietf.org>
References: <3b1c2875-4f4b-468b-b017-ab0272bf4310@iotconsultancy.nl> <3525.1765221414@obiwan.sandelman.ca>
Content-Language: en-US
From: Esko Dijk <esko.dijk@iotconsultancy.nl>
Organization: IoTconsultancy.nl
In-Reply-To: <3525.1765221414@obiwan.sandelman.ca>
X-Spampanel-Class: ham
Message-ID-Hash: 6LFDK56O5QDRPQT3LHQLBFSB7OEXAUTF
X-Message-ID-Hash: 6LFDK56O5QDRPQT3LHQLBFSB7OEXAUTF
X-MailFrom: esko.dijk@iotconsultancy.nl
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-anima.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Anima] Re: Re-using the constrained Join Proxy solution defined by Thread
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/FaLJ0TcFLSy_AsmX-CtOpbJraHw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Owner: <mailto:anima-owner@ietf.org>
List-Post: <mailto:anima@ietf.org>
List-Subscribe: <mailto:anima-join@ietf.org>
List-Unsubscribe: <mailto:anima-leave@ietf.org>
Hello,
> Esko Dijk<esko.dijk=40iotconsultancy.nl@dmarc.ietf.org> wrote:
> > that actually specifies the key elements in the form of code. Whatever we can
> > learn from this code is public knowledge, so it's the easiest way to
> > kickstart this discussion.
>
> Yes, but unfortunately the code can contain software patents :-(
That's no problem at all if you want to look at the code or even compile
it and use in your prototypes. Only when the code would be commercially
/ industrially used (in products or services) then patents can become
relevant.
(Says the guy who worked on patents for many years and did patent
courses, but who's not a lawyer (un?)fortunately :-) )
> > 1. Relay of DTLS (or any other protocol over UDP) packets happens in the
> > payload of unsecured coap:// messages sent to the "Border Agent" (located on
> > a Border Router i.e. 6LBR).
>
> > 2. Relay messages are secured by link-layer encryption just like all other
> > traffic in a Thread mesh network.
>
> I'm confused here.
> I know that Thread does network-layer onboarding via the Commissioner.
> (And that there can be application layer onboarding too)
> I want to be sure I understand if the 6LBR is the Join Proxy?
The Join Proxy (aka Joiner Router) can be any device in the mesh i.e.
the link-local neighbor of the Pledge (aka Joiner) with the required
relay capabilities. It's not a "sleepy device", but a sufficiently
capable always-on device.
The final target of the CoAP relay message is the 6LBR (aka Border
Agent). From there, it's relayed further in another way (tunneled) to
the Commissioner, which I didn't discuss yet in my email.
> > 3. UDP destination port of the CoAP relay messages is 61631.
> > 4. URI path of the CoAP relay messages are fixed at "/c/rx" and "/c/tx" - one
> > for each direction.
>
> Do clients then "poll" or "observe" on /c/tx?
No, it's only POST request if a UDP datagram becomes available to send
to the other side. Both sides act as CoAP client as well as CoAP server
to do this.
> > 5. Relay messages contain the state - i.e. it's stateless on the Join Proxy -
> > encoded as TLVs, not encrypted.
>
> > 6. There are TLVs for the source port of the joining device, the link-local
> > address IID of the joining device, the identity ("RLOC16") of the Join Proxy
> > itself, and finally the DTLS payload being relayed.
>
> > 7. Relay messages are sent to an IPv6 destination address of the "Border
> > Agent" that's based on configured network-wide data.
>
> I am having difficulty with these three points.
> These are TLVs in the CoAP? Or is there another layer of TLV?
The TLVs are the payload of the CoAP request message. The format of TLVs
is fully Thread-specific; not standardized by CoAP in any way.
> > - JPY message can't be sent outside of the bounds of the single mesh network
>
> Why can't we sent them further?
You could send them further, however because the CoAP message payload
(the TLVs) travels unprotected, it would mean that anyone can
potentially observe it and/or modify it when the data gets on the
Ethernet infrastructure network or on the Internet (if it would be sent
there). That's why I just say it can't be sent further; assuming the
mesh network is still some sort of "reasonably safe" environment with
trusted nodes and link layer security.
In Thread this is solved by an additional relay mechanism to send from
Border Agent to Commissioner using a fully secured "tunnel" (separate
DTLS session).
> > - it stops at the boundary (Border Agent / 6LBR). So it can't reach a
> > Registrar directly; another relay step is needed.
>
> "it" meaning the Thread version.
Indeed, for the reasons above and maybe partly just because the design
emerged in that way with multiple stages.
> > Some of these aspects could make it difficult to pass an IESG review, I
> > think!
> > Any improvement suggestions from review also can't be applied, because that
> > would lose backward-compatibility with the Thread-defined solution.
> > Overall I'm not sure how we could successfully proceed with the Thread
> > relaying solution in IETF.
>
> okay, so you think it's not a good idea.
> I agree.
Not a good idea it would seem, in IETF context. What's still possible
is to describe the Thread mechanism as informational RFC which has been
done in the past for certain third-party protocols.
And then we could decide to drop the Constrained Join Proxy draft. But
this would not provide a solution that's directly usable for the cBRSKI
case...
Esko
--
*IoTconsultancy.nl* | Email/Teams: esko.dijk@iotconsultancy.nl | +31 6
2385 8339
- [Anima] Re-using the constrained Join Proxy solut… Esko Dijk
- [Anima] Re: Re-using the constrained Join Proxy s… Michael Richardson
- [Anima] Re: Re-using the constrained Join Proxy s… Esko Dijk
- [Anima] Re: Re-using the constrained Join Proxy s… Michael Richardson