[babel] DTLS Cached Info support in Babel

"STARK, BARBARA H" <bs7652@att.com> Wed, 16 June 2021 22:04 UTC

From: "STARK, BARBARA H" <bs7652@att.com>
To: "'Babel at IETF'" <babel@ietf.org>
Thread-Topic: DTLS Cached Info support in Babel
Date: Wed, 16 Jun 2021 22:04:34 +0000
Message-ID: <DM6PR02MB69248067593B6110F622817DC30F9@DM6PR02MB6924.namprd02.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/_CpfRdQTko0sEAkQn1GdvXWMNSw>
Subject: [babel] DTLS Cached Info support in Babel

Hi Babel,
On the YANG model, we're dealing with some questions around the parameters included to support the Cached Information Extension and Raw Public Keys in DTLS. This is briefly mentioned in https://datatracker.ietf.org/doc/html/rfc8968#appendix-A

Clearly (since they're only mentioned in an Appendix), they're highly optional.
But because it's there, we included the following items in the info model (which is now in AUTH48, so I want to avoid impacts to that):
 - the ability to express support for raw public keys, and configure certs that use raw public keys
 - a Boolean to indicate whether the extension should be "used" (per interface)
 - an ordered list of preferred certificate types that is (supposed to be? can be?) used to populate the client_certificate_type and server_certificate_type extensions in the extended Client Hello message (per interface).

Maybe this was all overkill for something mentioned in an Appendix. But, anyway, here we are.

I think we're ok on the first item (raw public key support).
But for the other 2, there is some fuzziness.

Do any of the DTLS implementations support the cached info extension? If yes, do they programmatically decide whether they enable/use this by default on interfaces where DTLS is enabled? So whether this is enabled is just somehow decided by the implementation -- but we could allow that decision to be overridden by the user per interface? That would be consistent with the current Boolean. If none of the implementations support cached info, are there any thoughts on how this might be done? There's an IESG objection to saying "Indicates whether the cached_info extension (see [RFC8968], Appendix A) is included in ClientHello and ServerHello packets. The extension is included if the value is "true"." So I'm thinking maybe it could say "Indicates whether use of the cached_info extension (see [RFC8968], Appendix A; see [RFC7924]) is enabled." Does this sound right?

The ordered list of preferred certificate types (per interface) is more of a problem. It currently says:
"List of supported certificate types, in order of preference. The values MUST be among those listed in the babel-dtls-cert-types parameter. This list is used to populate the server_certificate_type extension (see [RFC8968], Appendix A) in a ClientHello. Values that are present in at least one instance in the babel-dtls-certs object of a referenced babel-dtls instance and that have a non-empty babel-cert-private-key will be used to populate the client_certificate_type extension in a ClientHello." Do any of the DTLS implementations support multiple types of certs? Do they implement sending the server_certificate_type and client_certificate_type in the ClientHello? If so, how do they populate these? If none implement this yet, any thoughts on how they might do it? Should we allow the programmatic default to be overridden per interface (or is that just too much complexity for a very optional feature)?

Thoughts appreciated.
Barbara
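As an added illustration after the message (not code from the Babel YANG/info model, RFC 8968, or any DTLS implementation), the following shows how the three per-interface parameters discussed above would map onto ClientHello extension bytes: the ordered preference list fills server_certificate_type, the subset of those types for which a configured cert carries a private key fills client_certificate_type (both RFC 7250), and the Boolean gates the cached_info extension (RFC 7924). The parameter names, the cert dictionaries and the cached DER bytes are constructed for the example; only X.509 and raw public key cert types are covered.

```python
# Added example: maps the per-interface parameters from the message onto the
# ClientHello extensions of RFC 7250 and RFC 7924. Parameter names and sample
# values are constructed; code points and structures are from those RFCs.
import hashlib
import struct

EXT_CLIENT_CERT_TYPE = 19   # RFC 7250 client_certificate_type
EXT_SERVER_CERT_TYPE = 20   # RFC 7250 server_certificate_type
EXT_CACHED_INFO = 25        # RFC 7924 cached_info
CERT_TYPE = {"x509": 0, "raw-public-key": 2}   # RFC 7250 CertificateType values
CACHED_CERT, CACHED_CERT_REQ = 1, 2            # RFC 7924 CachedInfoType values


def _ext(ext_type, data):
    """Generic TLS extension TLV: type(2) || length(2) || extension_data."""
    return struct.pack("!HH", ext_type, len(data)) + data


def cert_type_extension(ext_type, types):
    """RFC 7250 ClientHello form: CertificateType list<1..2^8-1>, in preference order."""
    body = bytes(CERT_TYPE[t] for t in types)
    if not body:
        raise ValueError("at least one certificate type is required")
    return _ext(ext_type, bytes([len(body)]) + body)


def cached_info_extension(cached_objects):
    """RFC 7924 ClientHello form: CachedObject list, each a SHA-256 of the DER object."""
    body = b"".join(bytes([ctype, 32]) + hashlib.sha256(der).digest()
                    for ctype, der in cached_objects)
    return _ext(EXT_CACHED_INFO, struct.pack("!H", len(body)) + body)


def client_hello_extensions(preferred_types, certs, cached_info_enabled, cached=()):
    """preferred_types: the ordered per-interface list; certs: dicts with "type" and
    "private-key", standing in for the babel-dtls-certs instances (constructed names)."""
    exts = [cert_type_extension(EXT_SERVER_CERT_TYPE, preferred_types)]
    # client_certificate_type gets only the types for which a private key is configured.
    own = [t for t in preferred_types
           if any(c["type"] == t and c["private-key"] for c in certs)]
    if own:
        exts.append(cert_type_extension(EXT_CLIENT_CERT_TYPE, own))
    if cached_info_enabled and cached:   # the per-interface Boolean gates the extension
        exts.append(cached_info_extension(cached))
    return b"".join(exts)
```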