Re: [Anima] Result//RE: Adoption call for draft-vanderstok-anima-constrained-join-proxy-04, ends November 15th 2020

Peter van der Stok <> Mon, 30 November 2020 13:03 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 12D533A0AC5; Mon, 30 Nov 2020 05:03:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.116
X-Spam-Status: No, score=-2.116 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5MEZJksELfve; Mon, 30 Nov 2020 05:03:02 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 786383A0ABD; Mon, 30 Nov 2020 05:03:01 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 0088318027684; Mon, 30 Nov 2020 13:02:59 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h= mime-version:content-type:date:from:to:cc:subject:reply-to :in-reply-to:references:message-id; s=key; bh=CPGl1sSWUZOKoPhAUp dt7okg2qh5km6YxS1jPPmRpww=; b=Ma8ofmnUHtRr1LP45+1YL0Vp2i5SZ6uKGv 3cirnIJn8GWSN3vC9oMbY5tLwOt3EDtq42yM5ZPAVkJvdubZKAzl4FALhNt6Exh5 WKxrWfTF2UmvI6SIX5aAzETullphQx+iYLs/2nQhGxvuGPRWPEhEKPqY7+7xNtyN XxjABMt3Y=
X-Session-Marker: 73746F6B636F6E73406262686D61696C2E6E6C
X-Spam-Summary: 50, 0, 0, , d41d8cd98f00b204,, , RULES_HIT:41:72:152:273:327:355:379:582:599:800:877:960:962:967:969:973:983:988:989:1152:1189:1208:1212:1221:1260:1313:1314:1345:1359:1431:1436:1437:1516:1517:1518:1575:1588:1589:1592:1594:1605:1617:1730:1775:1792:2068:2069:2194:2198:2199:2200:2525:2526:2527:2551:2553:2557:2561:2564:2682:2685:2689:2691:2693:2734:2859:2861:2898:2900:2902:2907:2911:2917:2924:2926:2933:2937:2939:2942:2945:2947:2951:2954:3022:3138:3139:3140:3141:3142:3421:3571:3586:3622:3769:3865:3866:3867:3868:3870:3871:3872:3873:3874:3934:3936:3938:3941:3944:3947:3950:3953:3956:3959:4250:4321:4361:4362:4379:4425:4470:4605:5007:6117:6119:6248:6261:6298:6657:6659:6678:6691:7576:7903:7904:7974:8531:8603:8660:8828:8957:9010:9025:9036:9040:9080:9108:9163:9177:9545:10004:10026:10848:11232:11656:11658:11914:11984:12043:12050:12114:12294:12295:12438:12555:12698:12737:12740:12895:12986:13137:13139:13148:13150:13153:13158:13161:13228:13229:13230:13231:13255:13846:1387
X-HE-Tag: snow77_551026e273a2
X-Filterd-Recvd-Size: 32720
Received: from (imap-ext []) (Authenticated sender: by (Postfix) with ESMTPA; Mon, 30 Nov 2020 13:02:58 +0000 (UTC)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_6141ff5b5779149438330ded3fc22049"
Date: Mon, 30 Nov 2020 14:02:58 +0100
From: Peter van der Stok <>
To: Esko Dijk <>
Cc: Sheng Jiang <>,,,, Toerless Eckert <>
In-Reply-To: <AM8P190MB097955D3B14DD26A984EDFD9FDF50@AM8P190MB0979.EURP190.PROD.OUTLOOK.COM>
References: <> <AM8P190MB097955D3B14DD26A984EDFD9FDF50@AM8P190MB0979.EURP190.PROD.OUTLOOK.COM>
User-Agent: Roundcube Webmail/1.4-rc2
Message-ID: <>
Organization: vanderstok consultancy
X-Originating-IP: []
Archived-At: <>
Subject: Re: [Anima] Result//RE: Adoption call for draft-vanderstok-anima-constrained-join-proxy-04, ends November 15th 2020
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 30 Nov 2020 13:03:05 -0000

Hi Esko,

thanks for the comments.
In the text of version 1 of the WG join-proxy draft (to be published,
once version 0 is approved by the chairs), the approach to stateless jp
is with an additional port. No parsing is needed. Indeed that was a
The additional port does not need not need IANA registration.
(discussion is needed ?)
The stateful approach is described in version 1 as described by you. I
will check on misunderstandings.

BTW both solutions work in my implementation.

Please have a look to version 1, once it is published.


Esko Dijk schreef op 2020-11-30 13:50:


> Hello all, 
> Sorry for the late notice - I also support adoption of a join proxy solution, which is a necessary component for constrained usage of BRSKI.  I do believe the present document needs some work and maybe even reconsideration of solutions. 
> Let me first provide a few high-level comments for discussion before doing a complete review of the document. 
> 1. Stateful solution 
> The proposed solution looks good; although I would do some minor reformulation of the text. Current text says that the Pledge P sends a link-local IPv6 packet to the Join Proxy J, where J then modifies the IPv6 packet and sends it onwards. This should be described more as follows to comply with IPv6 architecture:  the Join Proxy creates a new IPv6 packet containing the exact DTLS message of the received link-local packet and sends the new IPv6 packet to the Registrar. 
> This avoids tampering with IPv6 addresses; just describe it as a new packet.  The Join Proxy then itself uses its own IPv6 address as source (typically an address that is non-link-local, selected to match the scope/prefix of the Registrar destination IPv6 address.) 
> 2. Stateless solution 
> The proposed stateless solution is also good to have - to lower the risk of certain resource exhaustion / buffer overflow attacks on the Join Proxy J. However, I see an issue in how it is currently defined: 
> J creates a CBOR-formatted payload that is definitely not a DTLS record and then sends it to port 5684 (CoAP + DTLS) and expects the Registrar to parse it.  This goes against RFC 7252 defined usage of the coaps port; you can't send anything to there that's not a DTLS message! Also in a typical Registrar implementation the DTLS stack that's receiving the UDP messages on port 5684 would get really confused - and clearly dismiss the packet as an error.  Surely we don't want to meddle with the DTLS server stack of a Registrar to enable these join-proxied messages to be received?  (There are some further reasons why we don't want this - I can discuss more if needed) 
> There are some solutions to this issue: 
> * J sends the CBOR structure over UDP to a new UDP port <TBD>, which is IANA-registered as a port for a new protocol defined here ("constrained join proxy protocol" or so).  This new protocol defines the CBOR data format to use.  The expert reviewers may complain that this uses up valuable UDP port space; in which case option B below can be considered.
> * J sends a new Non-Confirmable CoAP request which is unprotected coap:// (just like the current CBOR defined payload is unprotected, too ) to port 5683 (the default port for unprotected coap:// ) , where the CoAP message payload carries the same CBOR structure.
> Internally, the Registrar then receives this CoAP request on port 5683 address to a defined well-known resource, unpacks the DTLS record from the CBOR payload, and sends that DTLS record to its DTLS server internally where it is processed as usual. For any DTLS message back to J again a new CoAP request to J can be used, using as destination UDP port the same port from which the first CoAP request was received.  This has the advantage over A) that no new port needs to be IANA-registered - the existing CoAP port 5683 is re-used and only a new well-known resource needs to be defined as the "join-proxy relay resource".  Disadvantage is that the Join Proxy also has to act as CoAP server to be able to receive the DTLS records coming back from Registrar. 
> * J sends the CBOR structure over UDP to a dynamic UDP port <dyn> whose value J needs to know in advance, for example by configuration (of mesh-network wide data) or by discovery (e.g. coap discovery, DNS-SD, etc.). The value <dyn> is different than 5684. The service at port <dyn> then internally forwards the DTLS record to port 5684 where it is processed as usual.
> Note that both above solutions have 2 additional / potential advantages from the current one in the draft: 
> * the Registrar's interface towards Join Proxies can be separated out as a separate component, so the existing Registrar code needs no modification. It just keeps listening to DTLS on port 5684 as usual; as if the Pledges are connecting directly.
> * the Registrar's interface towards Join Proxies can be separated out to a different node altogether, which is useful in cases where say the Registrar is under control of another 3rd party and isn't able to process join-proxy protocol traffic. Then the Registrar Interface component can be placed at another node e.g. at the customer's domain, and any node J discovering for a Registrar will find the IP address of the Registrar Interface (RI). The latter then forwards the traffic as normal DTLS packets to Registrar.
> With the option B) above I have some implementation experience and I can say that it works :)     
> A) and C) should work as well; note that these are most similar to the current draft's solution.  In case C) instead of discovering the address of a Registrar, the node J now needs to discover both address and port of the Registrar (Interface). All known discovery methods can also discover port so that should be fine. 
> Best regards 
> Esko 
>  |  Email/Teams: 
> From: Anima <> On Behalf Of Sheng Jiang
> Sent: Friday, November 27, 2020 04:20
> To: Sheng Jiang <>om>;
> Cc:; Toerless Eckert <>
> Subject: [Anima] Result//RE: Adoption call for draft-vanderstok-anima-constrained-join-proxy-04, ends November 15th 2020 
> Hi, ANIMAer, 
> We have received supports for this adoption and has no objection. Consequently, the chairs consider the documents pass the adoption call. The authors shall resubmit this document with draft-ietf-anima-*, and the chairs shall approve it. However, The chairs do worry a little bit there is little discussion in the mail list to help the quality of this document. The authors please continue to refine the document and invoke WG discussion. 
> Thanks and regards, 
> Sheng 
> From: Anima [] On Behalf Of Sheng Jiang
> Sent: Monday, November 2, 2020 3:05 PM
> To:
> Cc:; Toerless Eckert <>
> Subject: [Anima] Adoption call for draft-vanderstok-anima-constrained-join-proxy-04, ends November 15th 2020 
> Hi, dear ANIMAer,
> This message starts a two-week adoption call, it ends on November 15th, 2020.
> draft-vanderstok-anima-constrained-join-proxy-04 has been presented to the WG for a long while and the WG showed good interest and had discussions. It was presented several times and had no opposition. The draft is clearly in scope of ANIMA charter and milestones. Giving the dependent BRSKI has passed the IESG evaluation, the chairs feel that it may be the right time to call the adoption.
> We therefore are asking the ANIMA working group for adoption of the following work:
> Title:    Constrained Join Proxy for Bootstrapping Protocols
> Name:     draft-vanderstok-anima-constrained-join-proxy-04
> Authors:  M. Richardson, P. van der Stok and P. Kampanakis
> URL:
> This document is intended to become a standards track ANIMA WG document.
> Please express your support or rejection. If you think this document should _not_ be adopted, please also explicitly indicate the reasons.
> Regards,
> Sheng