Re: [babel] DTLS Cached Info support in Babel

"STARK, BARBARA H" <bs7652@att.com> Mon, 21 June 2021 14:19 UTC

From: "STARK, BARBARA H" <bs7652@att.com>
To: "'Juliusz Chroboczek'" <jch@irif.fr>
CC: "'Babel at IETF'" <babel@ietf.org>
Date: Mon, 21 Jun 2021 14:19:07 +0000
Message-ID: <DM6PR02MB69244FE72DD22907ED6B10BEC30A9@DM6PR02MB6924.namprd02.prod.outlook.com>
References: <DM6PR02MB69248067593B6110F622817DC30F9@DM6PR02MB6924.namprd02.prod.outlook.com> <87lf76zqvn.wl-jch@irif.fr>
In-Reply-To: <87lf76zqvn.wl-jch@irif.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/mmsLiMI84b2DSZKshz9MmVtWQCo>

Answering the last question...

> > On the YANG model, we're dealing with some questions around the
> > parameters included to support the Cached Information Extension and Raw
> > Public Keys in DTLS. This is briefly mentioned in
> > rfc8968 appendix-A
> 
> [...]
> 
> > Do any of the DTLS implementations support the cached info extension?
> 
> It's definitely not supported by OpenSSL.  I haven't been able to find any
> mention of it in the gnutls docs.
> 
> > Do any of the DTLS implementations support multiple types of certs?
> 
> Raw public keys are supported by gnutls but not by OpenSSL.
> 
> > Do they implement sending the server_certificate_type and
> > client_certificate_type in the ClientHello? If so, how do they populate
> > these?
> 
> As far as I understand, you set a key on the session structure, and the
> behaviour will depend on the kind of key that you set.
> 
> > Should we allow the programmatic default to be overridden per interface
> > (or is that just too much complexity for a very optional feature)?
> 
> I'm a little confused -- isn't the cert type implied by the value of
> babel-dtls-cert-set-obj?

The babel-dtls-cert-set-obj can contain multiple certs, and each cert has its cert type (so it's possible to have certs of all types). In the abstract TLS case, it's possible to envision a use case where the TLS client tells the server it supports the server providing X.509 and raw public key certs with X.509 preferred, and saying that it (the client) only has a raw public key. So the TLS specs allow for this. But in the specific Babel DTLS case, it would be rather illogical to configure the routers asymmetrically. Nonetheless, the flexibility exists in the info/data models. Which isn't necessarily a bad thing. It just means (IMO) these parameters are highly optional and we shouldn't put a lot of effort into perfecting them.

Thx for the answers. That confirms what I was suspecting.

- Barbara

> -- Juliusz
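An added example (not code from the thread, the Babel YANG model, or any DTLS library) showing how the client_certificate_type and server_certificate_type extensions of RFC 7250 would be populated from a cert set that holds more than one cert type, and how a server picks the negotiated type. The cert-set entries and the "x509" / "raw-public-key" labels are constructed stand-ins for babel-dtls-cert-set-obj, not the model's real identifiers.

```python
import struct

EXT_CLIENT_CERT_TYPE = 19   # RFC 7250 extension type numbers
EXT_SERVER_CERT_TYPE = 20
CERT_TYPE = {"x509": 0, "raw-public-key": 2}   # TLS CertificateType registry values

def preferred_types(cert_set):
    """Distinct cert types in a cert set, in first-seen (= preference) order."""
    seen = []
    for cert in cert_set:   # cert_set: constructed stand-in for babel-dtls-cert-set-obj
        code = CERT_TYPE[cert["type"]]
        if code not in seen:
            seen.append(code)
    return seen

def encode_client_hello_ext(ext_type, types):
    """ClientHello form: CertificateType types<1..2^8-1>, wrapped as an Extension."""
    if not 1 <= len(types) <= 255:
        raise ValueError("RFC 7250 requires 1..255 types")
    body = bytes([len(types)]) + bytes(types)
    return struct.pack("!HH", ext_type, len(body)) + body

def parse_client_hello_ext(blob):
    """Return (ext_type, [types]); cross-checks both length fields before trusting them."""
    if len(blob) < 5:
        raise ValueError("truncated extension")
    ext_type, ext_len = struct.unpack("!HH", blob[:4])
    if ext_len != len(blob) - 4 or blob[4] != ext_len - 1 or blob[4] == 0:
        raise ValueError("length fields disagree")
    return ext_type, list(blob[5:])

def server_select(client_types, server_cert_set):
    """First client-preferred type the server has a credential for.
    None means no common type; RFC 7250 then calls for an unsupported_certificate alert."""
    available = set(preferred_types(server_cert_set))
    for t in client_types:
        if t in available:
            return t
    return None

# Constructed case from the thread: the client accepts X.509 or raw public key from
# the server (X.509 preferred) but itself holds only a raw public key.
CLIENT_ACCEPTS_FROM_SERVER = [{"type": "x509"}, {"type": "raw-public-key"}]
CLIENT_OWN_CERTS = [{"type": "raw-public-key"}]
SERVER_CERTS = [{"type": "raw-public-key"}]   # server configured with only a raw key

def demo():
    sct = encode_client_hello_ext(EXT_SERVER_CERT_TYPE, preferred_types(CLIENT_ACCEPTS_FROM_SERVER))
    cct = encode_client_hello_ext(EXT_CLIENT_CERT_TYPE, preferred_types(CLIENT_OWN_CERTS))
    _, wanted = parse_client_hello_ext(sct)   # what the server reads off the wire
    return sct.hex(), cct.hex(), server_select(wanted, SERVER_CERTS)
```

When both routers carry the same cert set, as the message suggests is the sensible Babel configuration, the two preference lists coincide and `server_select` simply returns the first common type.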