Re: [Anima] Secdir last call review of draft-ietf-anima-constrained-join-proxy-09
Mališa Vučinić <malisa.vucinic@inria.fr> Fri, 08 April 2022 17:41 UTC
Return-Path: <malisa.vucinic@inria.fr>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A350A3A1963; Fri, 8 Apr 2022 10:41:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=inria.fr
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kUJzlVZcxhe3; Fri, 8 Apr 2022 10:41:18 -0700 (PDT)
Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4AB183A1960; Fri, 8 Apr 2022 10:41:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=inria.fr; s=dc; h=mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=vvJ8S/HUMNo4FcLdbK9dRHQO+dySVBqEGa0Uw3Hfg2Y=; b=OujDk4AzTnu2V9M1q6gu6deK2zKIKmj7In7JC+8urpbHhEsmdFgX3b79 jCfuK0v6cW3+8ERBetmJ4rIxtEEj8BMgo2yXmtZw1Ko88M7hCikr1W6La QsyPKDyGbQGORXzVoL+rG+YtbVz6JZCgxsOqCmtdCVRIHS1DeW/xS1+D+ Q=;
Authentication-Results: mail2-relais-roc.national.inria.fr; dkim=none (message not signed) header.i=none; spf=SoftFail smtp.mailfrom=malisa.vucinic@inria.fr; dmarc=fail (p=none dis=none) d=inria.fr
X-IronPort-AV: E=Sophos;i="5.90,245,1643670000"; d="scan'208";a="30858277"
Received: from unknown (HELO smtpclient.apple) ([109.190.253.11]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 08 Apr 2022 19:41:12 +0200
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.60.0.1.1\))
From: Mališa Vučinić <malisa.vucinic@inria.fr>
In-Reply-To: <YlBnlrzLf58SbU8X@faui48e.informatik.uni-erlangen.de>
Date: Fri, 08 Apr 2022 19:41:04 +0200
Cc: secdir@ietf.org, anima@ietf.org, draft-ietf-anima-constrained-join-proxy.all@ietf.org, last-call@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <C896A46A-94FA-4660-9B73-7B358418EB02@inria.fr>
References: <164942421882.15991.10648263530009015921@ietfa.amsl.com> <YlBnlrzLf58SbU8X@faui48e.informatik.uni-erlangen.de>
To: Toerless Eckert <tte@cs.fau.de>
X-Mailer: Apple Mail (2.3693.60.0.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/ldOjYcrqbml7U6SSN7pCaPX6qY0>
Subject: Re: [Anima] Secdir last call review of draft-ietf-anima-constrained-join-proxy-09
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Apr 2022 17:41:27 -0000
Toerless, Thanks for the prompt feedback. See inline. Mališa > On 8 Apr 2022, at 18:49, Toerless Eckert <tte@cs.fau.de> wrote: > > Malisa, > > Thanks a lot for the review. > > Just quick feedback on one of your points > > On Fri, Apr 08, 2022 at 06:23:38AM -0700, Mališa Vučinić via Datatracker wrote: >> Interoperability-wise, the operation of a Stateful Join Proxy does not seem to >> necessitate a standardization effort as the processing is contained on a single >> network node. > > I disagree with this assessment. The stateful join proxy is a new element > establishing a distributed machinery between three components, the pledge, the > proxy and the registrar, which requires interoperability between the three. The following sentence attracted my attention: "The Pledge initiates its request as if the Join Proxy is the intended Registrar." My line of thinking was that if the pledge were specified to contact any node it discovers through the discovery mechanism, be it a Registrar or a Join Proxy, and sends to its link-local address, the processing would still be the same on the pledge and on the Registrar. But, as you say, there would still need to be a component implemented in each node to handle the Join Proxy functionality to make it work multiple hops away from the Registrar. So, indeed, text that describes that is needed from the interop point of view, so I acknowledge that my initial assessment was wrong. >> The Registrar processes the packet from the Join Proxy as any >> other packet. > > The fact that the DTLS state machinery of registrar and pledge do not have to > change over a proxy-free operation is the result of the miticulous, packet by > packet forwarding specified in 5.1. Rather a proof of the opposite of what you > claim. For example: i can easily see how i could build a proxy that would break the > connection by working differently. I see your point and thanks for elaborating on it. >> The language that describes the operation of a Stateful Join >> Proxy in Section 5.1 is informational and describes the process rather than the >> protocol. > > It describes packet forwarding based on flow lookup, network header rewrite/recreate > and delivery to new destination. If that isn't a standard demanding protocol operation, then > we should have prohibited single-router-hop rfc791 networks, bcause this is already sso > much more interoperable machinery than what is described in that rfc. I was referring to the following text in the normative 5.1 section: "Assume that the Pledge does not know the IP address of the Registrar it needs to contact. The Join Proxy has been enrolled via the Registrar and learns the IP address and port of the Registrar, for example by using the discovery mechanism described in Section 6. The Pledge first discovers (see Section 6) and selects the most appropriate Join Proxy. (Discovery can also be based upon [RFC8995] section 4.1). For service discovery via DNS-SD [RFC6763], this document specifies the service names in Section 9.2. The Pledge initiates its request as if the Join Proxy is the intended Registrar. The Join Proxy receives the message at a discoverable join-port.” I am not arguing to *remove* this text, rather to separate it from the rest of the paragraph, which clearly describes the processing at the Stateful Join Proxy. Is this text also applicable to the Stateless Join Proxy case, or I got that wrong? > Btw: Nobody says you can't build a multi-proxy-hop-network, its just not > the desire of this spec to standardize it. > > Cheers > Toerless > >> Stateless Join Proxy specification in Section 5.3 defines the message format >> that the Registrar and the Join Proxy agree on, which is necessary from the >> interoperability point of view. The message is split into Header and Content >> parts, where Header is opaque to the Registrar and just returned verbatim to >> the Join Proxy. In that sense, I don’t understand the need to specify the inner >> structure of the Header part. I believe this will only introduce >> interoperability issues with future version of the specification. In the last >> paragraph in Section 5.3, you argue that if any (new) field is not recognized >> by the Registrar, it should be ignored. But then, the protocol simply won’t be >> backwards compatible because Stateless Join Proxy will have expected the >> Registrar to echo the new fields. Why complicate this and not leave the whole >> “Header” struct as an opaque byte string that is just echoed by the Registrar? >> >> Security-wise, document is incomplete. Without protection of the Header field, >> an on-path attacker can easily alter the return address of the pledge to DoS >> it. This is all discussed in RFC8974 and RFC9031 so I don’t understand why none >> of those concerns are addressed, given the similarity of the topic. Security >> considerations or Figure 5 do not elaborate on DoS considerations of either >> approach. >> >> In general, I think that the document would use an editorial pass as there seem >> to be many small inconsistencies. For example, Security Considerations talk >> about a “CBOR map” while the normative message structure uses CBOR arrays. >> > > -- > --- > tte@cs.fau.de
- [Anima] Secdir last call review of draft-ietf-ani… Mališa Vučinić via Datatracker
- Re: [Anima] Secdir last call review of draft-ietf… Toerless Eckert
- Re: [Anima] Secdir last call review of draft-ietf… Mališa Vučinić
- Re: [Anima] Secdir last call review of draft-ietf… Peter van der Stok