Re: [Anima] Result//RE: Adoption call for draft-vanderstok-anima-constrained-join-proxy-04, ends November 15th 2020

Esko Dijk <esko.dijk@iotconsultancy.nl> Mon, 30 November 2020 12:51 UTC

Return-Path: <esko.dijk@iotconsultancy.nl>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78D443A0B0A; Mon, 30 Nov 2020 04:51:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iotconsultancy.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 539Ycm1Ka2LB; Mon, 30 Nov 2020 04:51:00 -0800 (PST)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130093.outbound.protection.outlook.com [40.107.13.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25B7A3A0AC5; Mon, 30 Nov 2020 04:50:58 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MdI8iZoaR2zrCxMdRkFyTpm3o3mYxk3yBj0lnADb70kI75d+sLcvhtxLe8PAViewzTsrVzSxm0C9PdrWvRdEtKptBuuY9A8g5bdHm0Db5gXOG/JYNxOQ5vjeOENag+1uGjAmEXjMVmIy6xmFEFeGEjIW2MVGyM05AfLA0yUFuht4/pEvCnwLAIWuiEgOU+L1TjpQb+ML9yJy1X3F394tPyyGig7TyLeiVf7uRPCM7CwXQAJcPuFEDv2HJcU193Y/pZ5gI58XNlYOrPVhIg5urGi9m061rbAtrK4fdBN5/bvM2sMJcG3upf+mhvB116lTFHKOfttWYOrbQIxl1BW2nQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=gNZbt6VSqtmY29uJs/SOhNnpV6dZDJYRn1PchF9oy7A=; b=Ml+oXVCDNPiGe8Bvgoh4HtcdaafGvDJ3tCIiHkTl7+LGE0t1yFqu2fRfuwEKMSX+vhmzaDNg5pQI0UAyswXl85IditV3yLI+P9tj0IYCn3R+Pse6UlzTnHh36S2mSjqk64Ep4sO02nuVwzpsuJ9AqlZ7ygdWXrQO8yBadeqEIHlokFo5T/6xZkwe8IqrKRLAvyOXQXmJMw3TMg0129p9JzHO5apGEp+udo+DR1u0Dqcfhl41G0Wgx7L47tmBerQHna+HahPPbANrbCDQz90NxSm0L6S0MoeE66wh+y7s9+Z23i7TWRaDWLEskZhfz21YrorXuej0tW1dA4o8C97GPQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=iotconsultancy.nl; dmarc=pass action=none header.from=iotconsultancy.nl; dkim=pass header.d=iotconsultancy.nl; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iotconsultancy.nl; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=gNZbt6VSqtmY29uJs/SOhNnpV6dZDJYRn1PchF9oy7A=; b=qko95n0gYrKGmLEllb7Jvijj5/WC6tC+rwzx/qatfzn1z6RhzircWonQOwFuSYveOhGhQAh+AslEB4QNB1PGrrD3QdNGrsrTHWN6an0j8ADTlzisAhtpLx+nAuFoKH3RA0b+LtmElpiP2knmUBqYpLogR7uMW/9ikuXHCjKmHnE=
Received: from AM8P190MB0979.EURP190.PROD.OUTLOOK.COM (2603:10a6:20b:1d3::8) by AM9P190MB1267.EURP190.PROD.OUTLOOK.COM (2603:10a6:20b:264::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3611.22; Mon, 30 Nov 2020 12:50:55 +0000
Received: from AM8P190MB0979.EURP190.PROD.OUTLOOK.COM ([fe80::b0bf:bd8a:de8f:55fa]) by AM8P190MB0979.EURP190.PROD.OUTLOOK.COM ([fe80::b0bf:bd8a:de8f:55fa%5]) with mapi id 15.20.3611.031; Mon, 30 Nov 2020 12:50:55 +0000
From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: Sheng Jiang <jiangsheng@huawei.com>, "anima@ietf.org" <anima@ietf.org>, "consultancy@vanderstok.org" <consultancy@vanderstok.org>
CC: "anima-chairs@ietf.org" <anima-chairs@ietf.org>, Toerless Eckert <tte@cs.fau.de>
Thread-Topic: Result//RE: Adoption call for draft-vanderstok-anima-constrained-join-proxy-04, ends November 15th 2020
Thread-Index: AdbEa5xeeVR1FPrGRfSl8cITR07G4QCpxqtQ
Date: Mon, 30 Nov 2020 12:50:54 +0000
Message-ID: <AM8P190MB097955D3B14DD26A984EDFD9FDF50@AM8P190MB0979.EURP190.PROD.OUTLOOK.COM>
References: <5127745c6a534aa4a567d0eff0c9fed5@huawei.com>
In-Reply-To: <5127745c6a534aa4a567d0eff0c9fed5@huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: huawei.com; dkim=none (message not signed) header.d=none;huawei.com; dmarc=none action=none header.from=iotconsultancy.nl;
x-originating-ip: [2001:1c02:3103:f000:752e:6f97:4a6d:998]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 84024102-4dfa-4fda-e036-08d8952e939f
x-ms-traffictypediagnostic: AM9P190MB1267:
x-microsoft-antispam-prvs: <AM9P190MB12678A939E514C13E20D61EEFDF50@AM9P190MB1267.EURP190.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: smRk6i+C5vDJ2j4aHe44eXaw2Oo/KL0shRtwD0z79B3n8aHEypxeLIbotuhELaj5SayN+QcNItdxQrwr6akq3nydxfXoH5XVTHvllcjox6D+prUS3TH/VSpkjLs3kW6lf6HXYgvZwV2Oe4emx8Too07hWcGKYYcQsl5hTqfJc/jTj9V1aFhOV5BLbXx8JBqYq8ZPO7fWTcRrEj0f9kp4iLB/qUUgFTZS8VE09UzBwXOOchhNxhZuGIlA61hmbETslNFaqCkXveE/efSvbnRaa5pMP+WHYqO5YAsHlIMkso3RDcI5QmZxkk9y8W+zQjeyM/nnBnp7H6H1TdDr0xuERsdFKFIZDi5aXm/a5WMDfhHBDnmJdLZS/EOBrlqlIdtSO5Yf6oA2uG2VK6floX9bcg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM8P190MB0979.EURP190.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(366004)(396003)(39830400003)(136003)(376002)(346002)(8676002)(166002)(7696005)(478600001)(86362001)(52536014)(186003)(8936002)(5660300002)(33656002)(64756008)(66446008)(6506007)(66556008)(83380400001)(44832011)(71200400001)(55016002)(66476007)(4326008)(53546011)(2906002)(76116006)(9686003)(966005)(316002)(66946007)(54906003)(110136005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: =?utf-8?B?VkVhNHdjZkUxekpCQmpjU0l4L3ZOdUk3QjcrUDdXcm95NjZWOUYzUURNRDgv?= =?utf-8?B?azd2Q0tRbUVXaElFQWhCWUJrV1EvdUUxekNTMmErZ0JMYnlqY1Z3QVZaUjBO?= =?utf-8?B?SHNkTFI4SWxxbDdycnNRbVlXYWtzS0tCRitCY21EZ3pLdG9oVmNPVFRvbHhT?= =?utf-8?B?UmhUK20wSmZaMjhqQ0kwaGN6eFpPS2dNeWY4ZjVIUDdHT0JCRmtyRk42NDcr?= =?utf-8?B?N0VZNEZodWlVeFhUcHNLVlJLNk9BSVlUbG5CdVMrOU1GV29CdkVHQ2I1YWtM?= =?utf-8?B?OEFlc1FzMVhqcjFReUEzVnQ0bHNUQVdHdUxpZEpCWlhlRjNKUWhsWWxJcWw5?= =?utf-8?B?eFlCY3JDU0grTE1pZWxzdHM4MW5aOWd1QVUvckpxazAvZFJENys4MTBlNU1N?= =?utf-8?B?UmVWbkVuV2tkUkR0QnV2VnM0cHpMeWs0RW15NG41OHkxYkh4WUNqQ25FZmcx?= =?utf-8?B?M3lkK3dRYVRzWFMyRWRXaUxMU2VITlk0TEFsamUrRUR6dys2SkI0K0dYU1hI?= =?utf-8?B?L2V0bFJMQ20yNXdoMkJ0MjczNTlMdC90NG5GVTAxV2paeFN5U2E4R2dEc0pG?= =?utf-8?B?R0hIbThzaGNjUkpGaS9pdWNoT3RaMVJ1N2tkUHhrM2pnYUhaeWNhRVJva2tL?= =?utf-8?B?TmRsOXIyQmxLT2dTL3g2MXBxUUdNYWtOUGM1eGZkUGIwVkJOU0tHVENpVkVT?= =?utf-8?B?aS91V0Jwd3N3ais0U2pPYzlzclV2WUMxcXkyOTMzTXFyMU0zWWxYSGd3Y0cy?= =?utf-8?B?ai9RMW0yOWF5Ui9DN0lTai9WT3NrcTlQeGlYM2NaZGdzSktZT0t6c0l1UjBz?= =?utf-8?B?VlhTR1lYS2J1RUhTOWNQWDBuTmNLMTJ4cGx6Wm8vTnVwMlFVNmxaWllES0Uz?= =?utf-8?B?N0w0RmZsTFNlWkYrYU5TbldiL2VJY29IVmJjc2k4b3lpVUdrS3lhclZWc0Y5?= =?utf-8?B?V29xSlNvQTlKYlh1blkwdzFhZnp5T0pwc0JTdnNSTUpzUDFEbHV0S1dqOUhG?= =?utf-8?B?MlBVVHh1cjZXWjRac1lpc0dzU2xoOE1iTk8wbENLUzl5VHUvdURNYSthZ0xt?= =?utf-8?B?TjVVb2FSbkc1SGh6R3dob0dBR1p0MVE4RFF2aUlFclJpRXFNcWF0dmZEZTRF?= =?utf-8?B?SEtPZVg3SmtIaFVSVVo4WmU3c1lDM0NjTGc5eURodUxpamQrMitQWVBQMElr?= =?utf-8?B?RnM1WHNoQUlSRGxIc0ZUdnR3bm9ZNnNNVHNqL0dDL3lpQlBINkZxaGpYUEVV?= =?utf-8?B?YkoxTngrQ081MU9JUVRPNlh1aFpWRUFuOVltYkxybk5DZTMwWkoxUytJdFk5?= =?utf-8?B?SHJpdVlzTG1scy9sc0RHUEFwblBtTEw4bGhkRWZPVGhpWHpxYStpTWxWOThD?= =?utf-8?Q?TCqUcAFrasq3GBWHkcX0zl3pFPIgn/IA=3D?=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AM8P190MB097955D3B14DD26A984EDFD9FDF50AM8P190MB0979EURP_"
MIME-Version: 1.0
X-OriginatorOrg: iotconsultancy.nl
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM8P190MB0979.EURP190.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 84024102-4dfa-4fda-e036-08d8952e939f
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Nov 2020 12:50:54.9771 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 58bbf628-15d2-46bc-820b-863b6774d44b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: PwA7eeYDd1Ok3j70Cn82EIgCpqHrnobzX00Up0ifkl0B3NxSg7Dp76XmdGRiI/kzzLOxR2DKkqalb2CNY2P8SWGWfdWZvZ6+0XGJzz7AoDU=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM9P190MB1267
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/lvng83BpSTe7iNQr8icDQ1mdhEU>
Subject: Re: [Anima] Result//RE: Adoption call for draft-vanderstok-anima-constrained-join-proxy-04, ends November 15th 2020
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Nov 2020 12:51:11 -0000

Hello all,

Sorry for the late notice – I also support adoption of a join proxy solution, which is a necessary component for constrained usage of BRSKI.  I do believe the present document needs some work and maybe even reconsideration of solutions.
Let me first provide a few high-level comments for discussion before doing a complete review of the document.

1. Stateful solution
The proposed solution looks good; although I would do some minor reformulation of the text. Current text says that the Pledge P sends a link-local IPv6 packet to the Join Proxy J, where J then modifies the IPv6 packet and sends it onwards. This should be described more as follows to comply with IPv6 architecture:  the Join Proxy creates a new IPv6 packet containing the exact DTLS message of the received link-local packet and sends the new IPv6 packet to the Registrar.
This avoids tampering with IPv6 addresses; just describe it as a new packet.  The Join Proxy then itself uses its own IPv6 address as source (typically an address that is non-link-local, selected to match the scope/prefix of the Registrar destination IPv6 address.)

2. Stateless solution
The proposed stateless solution is also good to have – to lower the risk of certain resource exhaustion / buffer overflow attacks on the Join Proxy J. However, I see an issue in how it is currently defined:
J creates a CBOR-formatted payload that is definitely not a DTLS record and then sends it to port 5684 (CoAP + DTLS) and expects the Registrar to parse it.  This goes against RFC 7252 defined usage of the coaps port; you can’t send anything to there that’s not a DTLS message! Also in a typical Registrar implementation the DTLS stack that’s receiving the UDP messages on port 5684 would get really confused – and clearly dismiss the packet as an error.  Surely we don’t want to meddle with the DTLS server stack of a Registrar to enable these join-proxied messages to be received?  (There are some further reasons why we don’t want this – I can discuss more if needed)

There are some solutions to this issue:


  1.  J sends the CBOR structure over UDP to a new UDP port <TBD>, which is IANA-registered as a port for a new protocol defined here (“constrained join proxy protocol” or so).  This new protocol defines the CBOR data format to use.  The expert reviewers may complain that this uses up valuable UDP port space; in which case option B below can be considered.
  2.  J sends a new Non-Confirmable CoAP request which is unprotected coap:// (just like the current CBOR defined payload is unprotected, too ) to port 5683 (the default port for unprotected coap:// ) , where the CoAP message payload carries the same CBOR structure.
Internally, the Registrar then receives this CoAP request on port 5683 address to a defined well-known resource, unpacks the DTLS record from the CBOR payload, and sends that DTLS record to its DTLS server internally where it is processed as usual. For any DTLS message back to J again a new CoAP request to J can be used, using as destination UDP port the same port from which the first CoAP request was received.  This has the advantage over A) that no new port needs to be IANA-registered – the existing CoAP port 5683 is re-used and only a new well-known resource needs to be defined as the “join-proxy relay resource”.  Disadvantage is that the Join Proxy also has to act as CoAP server to be able to receive the DTLS records coming back from Registrar.

  1.  J sends the CBOR structure over UDP to a dynamic UDP port <dyn> whose value J needs to know in advance, for example by configuration (of mesh-network wide data) or by discovery (e.g. coap discovery, DNS-SD, etc.). The value <dyn> is different than 5684. The service at port <dyn> then internally forwards the DTLS record to port 5684 where it is processed as usual.

Note that both above solutions have 2 additional / potential advantages from the current one in the draft:

  1.  the Registrar’s interface towards Join Proxies can be separated out as a separate component, so the existing Registrar code needs no modification. It just keeps listening to DTLS on port 5684 as usual; as if the Pledges are connecting directly.
  2.  the Registrar’s interface towards Join Proxies can be separated out to a different node altogether, which is useful in cases where say the Registrar is under control of another 3rd party and isn’t able to process join-proxy protocol traffic. Then the Registrar Interface component can be placed at another node e.g. at the customer’s domain, and any node J discovering for a Registrar will find the IP address of the Registrar Interface (RI). The latter then forwards the traffic as normal DTLS packets to Registrar.

With the option B) above I have some implementation experience and I can say that it works :)
A) and C) should work as well; note that these are most similar to the current draft’s solution.  In case C) instead of discovering the address of a Registrar, the node J now needs to discover both address and port of the Registrar (Interface). All known discovery methods can also discover port so that should be fine.

Best regards
Esko


IoTconsultancy.nl  |  Email/Teams: esko.dijk@iotconsultancy.nl


From: Anima <anima-bounces@ietf.org> On Behalf Of Sheng Jiang
Sent: Friday, November 27, 2020 04:20
To: Sheng Jiang <jiangsheng@huawei.com>om>; anima@ietf.org
Cc: anima-chairs@ietf.org; Toerless Eckert <tte@cs.fau.de>
Subject: [Anima] Result//RE: Adoption call for draft-vanderstok-anima-constrained-join-proxy-04, ends November 15th 2020

Hi, ANIMAer,

We have received supports for this adoption and has no objection. Consequently, the chairs consider the documents pass the adoption call. The authors shall resubmit this document with draft-ietf-anima-*, and the chairs shall approve it. However, The chairs do worry a little bit there is little discussion in the mail list to help the quality of this document. The authors please continue to refine the document and invoke WG discussion.

Thanks and regards,

Sheng

From: Anima [mailto:anima-bounces@ietf.org] On Behalf Of Sheng Jiang
Sent: Monday, November 2, 2020 3:05 PM
To: anima@ietf.org<mailto:anima@ietf.org>
Cc: anima-chairs@ietf.org<mailto:anima-chairs@ietf.org>; Toerless Eckert <tte@cs.fau.de<mailto:tte@cs.fau.de>>
Subject: [Anima] Adoption call for draft-vanderstok-anima-constrained-join-proxy-04, ends November 15th 2020


Hi, dear ANIMAer,



This message starts a two-week adoption call, it ends on November 15th, 2020.



draft-vanderstok-anima-constrained-join-proxy-04 has been presented to the WG for a long while and the WG showed good interest and had discussions. It was presented several times and had no opposition. The draft is clearly in scope of ANIMA charter and milestones. Giving the dependent BRSKI has passed the IESG evaluation, the chairs feel that it may be the right time to call the adoption.



We therefore are asking the ANIMA working group for adoption of the following work:



Title:    Constrained Join Proxy for Bootstrapping Protocols

Name:     draft-vanderstok-anima-constrained-join-proxy-04

Authors:  M. Richardson, P. van der Stok and P. Kampanakis

URL:      https://datatracker.ietf.org/doc/draft-vanderstok-anima-constrained-join-proxy/



This document is intended to become a standards track ANIMA WG document.



Please express your support or rejection. If you think this document should _not_ be adopted, please also explicitly indicate the reasons.



Regards,



Sheng