Re: [core] RFC 7252 - 8.2 - Multicast - Request / Response Layer, page 67, top

Achim Kraus <achimkraus@gmx.net> Mon, 06 April 2020 13:42 UTC

Return-Path: <achimkraus@gmx.net>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 307543A05A0 for <core@ietfa.amsl.com>; Mon, 6 Apr 2020 06:42:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gmx.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QmyKrL82HOwe for <core@ietfa.amsl.com>; Mon, 6 Apr 2020 06:42:45 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2848A3A0597 for <core@ietf.org>; Mon, 6 Apr 2020 06:42:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1586180540; bh=6KrFcsgkM8NOviWHJ+ylWeGRpwQ2SRUcML61FkfpTCw=; h=X-UI-Sender-Class:Subject:To:Cc:References:From:Date:In-Reply-To; b=AoSauWUkaCKkzesUuZOJH6k8bEXb67OruPME1u5U39GfFQbDcokm1cuqSas6BcTC+ CL+ogG5kL1D6Kony4kLJIZiODD7XCG79Zo3uAmKfNqvnMf3HGuyCkiZof9R+DKsx8T SEVHsxM1Wope2vB2WZ1lpVNJEPit2Ka9IS/iHg24=
X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c
Received: from [192.168.178.45] ([178.2.223.124]) by mail.gmx.com (mrgmx105 [212.227.17.168]) with ESMTPSA (Nemesis) id 1N49hB-1jCXy12INN-0103fm; Mon, 06 Apr 2020 15:42:20 +0200
To: Jim Schaad <ietf@augustcellars.com>, 'Esko Dijk' <esko.dijk@iotconsultancy.nl>
Cc: core@ietf.org
References: <580bb0f4-89c4-2d11-b17b-520ddfe89c33@gmx.net> <000501d60452$c96cfa00$5c46ee00$@augustcellars.com> <1e74313a-d258-622f-d43e-ff1fa8f7d06d@gmx.net> <AM5P190MB027536259A44102F7AB9E058FDC80@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <CAAzbHvbeEyws+wVchovoVTK=WutWoHCNcfv8LrpxmshLxJ_w+Q@mail.gmail.com> <011301d6077c$b5d347b0$2179d710$@augustcellars.com> <AM5P190MB0275218BA7C801E50C8353F0FDC90@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <CAObGJnOscTtyeQ+qvD0N0w_TD2JfV8h9+=zf=bz-jrr7LWhD2Q@mail.gmail.com> <CAAzbHvaJy9WfMOzzKhczreuZBcbA5TDQ5ThtGMT7eVj2Jf83gQ@mail.gmail.com> <CAObGJnOcP_FxNuORqAvpBE-P+nRdPjxcXVdb-VTN5in5obanmw@mail.gmail.com> <02ec5628-3f7d-ff5d-620c-c0a90a4b89b0@gmx.net> <AM5P190MB02755F6BA4AFF11C3BFC5F18FDC60@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <020701d60907$fb3ba720$f1b2f560$@augustcellars.com> <AM5P190MB02756F537F757941D123AF17FDC70@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <02c601d609e0$e0afcbf0$a20f63d0$@augustcellars.com>
From: Achim Kraus <achimkraus@gmx.net>
Message-ID: <85fcff3a-0ce6-f255-c023-d5b49cd3589b@gmx.net>
Date: Mon, 6 Apr 2020 15:42:19 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1
MIME-Version: 1.0
In-Reply-To: <02c601d609e0$e0afcbf0$a20f63d0$@augustcellars.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:m3/cL+cuOBrZBNvQ/AHneqXbJTlnFBDJ+khPMpAKV25aRDO43Oq jAx1F5JpNOmxVp0WBrMupuBf775noYAL4DI6T088fGK3tvuniLqR2dvR4e0lXQ7o7Unp8bS kgxOuj8tqsAQIbfJ8gbkcor1Jr6MgZOiIOaq2V4NSDGrdCKzLtnYUQVT8wzJORUW2OhzdK9 78QAPZ2ujIefW35W8Rt3Q==
X-UI-Out-Filterresults: notjunk:1;V03:K0:1/15FwVw9RE=:V3ESoxjn9diu5EjsVLMHVe wRiZH01kQJszzgi+wHvGsVe+XdN2f66LugElRj0W/5kpFt/XX8uF0vQuFYsIUl7uHU4uVY2Jf PUqkoYbR3tURtfNSqc/5DCHRNacxsu6UxlFikWRFK2hzth3h0lEagNhK5T1A5FB+cEEcs0OBB /5P0KzBGJymtwzc3XrFn9LFbc0q0awpaipfItNccl5fDYHA190yuYpeG6PP1PjRl6dnOWlcFn j0wQose+cQEdGyCgaItbLsx8BW7LNrNavhXhds+VuMdlyq1L19Ql0WTtAVLac9uZlJRYfB97o ZIIXIoB+GXBiL8fwN3Dmkj/70RrYDIOOtJsFix/6KJn/TlacVWcgxyIdQqok4DBuqpcUvzkTy RW5DQNSy2dPqtVqNUk3Y7mWVMIc3zJOAJxjZhlrur4RlYlm0h8jtIHyt4akEgvDpNCx5U/hJL elz1uu2h3V4bEq6PLZD1DwvXPQWV36T6qwp0aeNoBlpJPByb8fI0qBZSLfF1czOoX6bso2SsY HQueRNQpCSAVKC3/FfPrePxtGsCEF57s2u5a8D7JzuFR1bF4pAod7l9PtWiP7gUs0T/2m4Mh4 lXP4+jkJ5i1BzyE7YnC6FQfM7MUVH5biJ8wRMST8swtAlJGZbmbBlGhOOv59gdBxkt1RYx7mT 1vvVRzCvl6oLFdFD5/NSSgNpj0uRrNDtyk8ZCngpslxn8BGJNxbQVZ1QG+LlVW8W+TSAaaUPw Oxbx2gh+9IHCVMl3E6LGnxoL0mhf2jwF1DQ7l73QRIDQ3sR9dEdQVfGqC7Br4j3T0VHE/EvMV SPE5UBVpWM04Qax2PlqsCUtZi7POJc8PDAEp91ygyBuaQjoXcHKjKE+16YKX0a53LHOeaQVUu 9B1pdgSDHojfN1gILnjeeiwm5ahhHmOSEls1dDdft998E/c4zKgbKd2JliqVx3/zGUaYfT6Or uDRkR86nHN773/ShU24bcCZnCPF9aPfGarDIjj1drDMZEvXoBBUyIYjtbRcIqM1I9gluDtBoW 8Dr7q/tbosfY8FZ++dmDJePokszQtnWQYwYV7BsvdtDonpx7YJDUBP/8iDk332Le61M9dsFca Zqzju43ARGBtiHTmezVU4zCM02dhUaOxSvwy2EfiD90lvhOjkpr8N8Os6LUZ9uVumbptn8dVm vU41LuQKIFrYRshculbBKcm4FiQhSOYs3tgf4SvR9qTIZHbEqHkqwgtkLUsxYZsvHFPYI55ul FwM1VggvgL2PWtxE1
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/1gsQSSSYJT3MpLA3EYQd-Jtnyxo>
Subject: Re: [core] RFC 7252 - 8.2 - Multicast - Request / Response Layer, page 67, top
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Apr 2020 13:42:55 -0000

Hi Esko,
Hi Jim,

as I promised to Jim, I spent some time over the weekend to investigate
more about the java-multicast features. A prepared a Californium PR with
my results.

Generall I still feel, that it is much easier, to use a differnt ports
for multicast and unicast, than to try to use the same port for
multicast and unicast simultaneously.
Over the weekend I failed frequently, sometimes it ended even in
situations, where the multicast request reaches all endpoints (multicast
and unicast) and the deduplication then got activated.  It's not even
easy to see, if the server really differentiate between unicast und
multicast reliable. On my experiments it first shows as "random", if the
response indicates a unicast or multicast request. Then I found, that
the request was delivered to all endpoints and just the first response
was also used for the other requests. When I introduced a warning in the
deduplication, I saw much more frequently, that the setup is still
broken or got broken again. Therefore I would consider, that using the
same port requires intensive test or much more guidance how to setup the
multicast endpoint in order to work reliable.
So I'm everything else than sure, that the current setup in Califonium
will work reliable for different OS and java versions. We will see.

Somehow my personal feeling is, that other protocols don't distinguish
the processing of received records based on receiving them  via unicast
or multicast. If so, that pattern using a different ports for multicast
and unicast in order to reliable distinguish between multicast and
unicast, would be easier to support.

best regards
Achim

Am 03.04.20 um 19:54 schrieb Jim Schaad:
>
>
> -----Original Message-----
> From: Esko Dijk <esko.dijk@iotconsultancy.nl>
> Sent: Friday, April 3, 2020 5:38 AM
> To: Jim Schaad <ietf@augustcellars.com>om>; 'Achim Kraus' <achimkraus@gmx.net>et>; 'Thomas Fossati' <tho.ietf@gmail.com>om>; 'Klaus Hartke' <hartke@projectcool.de>
> Cc: core@ietf.org
> Subject: RE: [core] RFC 7252 - 8.2 - Multicast - Request / Response Layer, page 67, top
>
> Hello Jim,
>
> Could you clarify your point further?
> - what is a bad idea - having a dedicated port with dedicated for handling multicast requests?  Or the subsequent "internal routing" of the request to the unicast server at a different port? Or both?
> [JLS] I think it is a bad idea to use the port number as a means of distinguishing multicast and unicast message.    If you do something like this completely internal to your own code, then it is an implementation detail but would not map to any type of text for an IETF document.
>
> - what is a "multicast channel" , do you mean an endpoint bound to a multicast address ?
> [JLS] I use the word channel because it maps from my code base in many ways.  A "multicast channel" would map to an endpoint bound to a <multicast address, port> pair.  An analogy for those of us who are really old would be to consider UHF and VHF on your TV to be different multicast addresses, but you still need to choose the channel number (port number) in order to get a flow of information that is usable. The analogy of course breaks down because you cannot send information back to the TV stations.
>
>> some resources may only want to be on a single multicast address even
>> if the server is listening on multiple unicast addresses
>
> Sure, you can also have a dedicated server on say port :9999 that listens to multicast destination addresses only, because it is bound only to a multicast address not a unicast address. This dedicated server can then handle resources that only are to be accessed via multicast.
> But in this case, there's no "internal routing" needed to another server inside the node because the resource is only hosted at say port :9999.
> [JLS] You can have a dedicated server on say <address, port=9999> that lists for multicast traffic.  You always have the address and port as a pair.
>
>> The IP address is different for a multicast vs a unicast message
>> received at the server.  This needs to be the distinction
>
> But the case the Achim indicated is that the server may not be able to detect whether a request came in via unicast of multicast. So this cannot be the distinction, e.g. in the following case:
> 1) CoAP server at port 5683 is bound to unicast address U
> 2) at same node, same CoAP server at port 5683 is bound to multicast address M
> [JLS]  If this is really true, and I am not sure that I believe that to be the case, then the JAVA library is completely broken and needs to get fixed.    The fast look that I had at the JAVA library looks like you need to create a distinct socket for every <address, port> pair that you are dealing with.  I think that should give you all of the info that you need, but like I said, I have not done the JAVA programming itself.
>
> Now in this case if a request comes in via multicast group M destined  to port 5683, the server handling this cannot tell whether it was unicast or multicast. And if a unicast request comes in to destination address U and port 5683, the server cannot tell also whether that was unicast or multicast.
> [JLS] What is the address that is associated with the port number?  You cannot have a bare port number you also must have an IP address.  The IP address is how you distinguish unicast/multicast.
>
> [JLS]  Jim
>
> By setting it up like this instead that problem is avoided:
> 1) CoAP server at port 5683 is bound to unicast address U
> 2) at same node, same CoAP server at port 9999 is bound to multicast address M Then the server at port 5683 treats everything as unicast. (Because it is not bound to a multicast address, it won't receive any multicast requests directly.) And the server at port 9999 treats everything as multicast. (And this endpoint 9999 handles most requests by internally redirecting to server :5683, but only for those resources where multicast is allowed. Some request for multicast-only resources it can handle itself directly.)
>
> So the above "workaround" seems handy for cases where a server at one specific UDP cannot itself determine the endpoint the request came in from (could be either multicast like M or unicast like U).
>
> @Achim maybe you could comment if I've understood your use case properly.  To me the above seems more secure than trusting that a client will include a "This is multicast" CoAP Option in an honest way, which could easily be misused.
>
> thanks
> Esko
>
> -----Original Message-----
> From: Jim Schaad <ietf@augustcellars.com>
> Sent: Thursday, April 2, 2020 18:02
> To: Esko Dijk <esko.dijk@iotconsultancy.nl>nl>; 'Achim Kraus' <achimkraus@gmx.net>et>; 'Thomas Fossati' <tho.ietf@gmail.com>om>; 'Klaus Hartke' <hartke@projectcool.de>
> Cc: core@ietf.org
> Subject: RE: [core] RFC 7252 - 8.2 - Multicast - Request / Response Layer, page 67, top
>
> Esko,
>
> That idea strikes me as a very bad idea.   If you build your code on this basis you will fall over the first time you come across a multicast channel which uses the same port as the unicast server.   The IP address is different for a multicast vs a unicast message received at the server.  This needs to be the distinction as well as the fact that some resources may only want to be on a single multicast address even if the server is listening on multiple unicast addresses.
>
> Jim
>
>
> -----Original Message-----
> From: core <core-bounces@ietf.org> On Behalf Of Esko Dijk
> Sent: Thursday, April 2, 2020 1:23 AM
> To: Achim Kraus <achimkraus@gmx.net>et>; Thomas Fossati <tho.ietf@gmail.com>om>; Klaus Hartke <hartke@projectcool.de>
> Cc: core@ietf.org
> Subject: Re: [core] RFC 7252 - 8.2 - Multicast - Request / Response Layer, page 67, top
>
> Hello Achim,
>
> (see also my response to Jim)
> Using the UDP port number to detect a multicast request vs a unicast request sounds like a good use case. Just curious - I assume the security aspect requirements of RFC 7252 are taken care of in this use case?
>
> That is, a proper client sends its multicast requests always to port :9999 and the server treats these as multicast requests (e.g. only allow the request for specific resources).
> A malicious client may sends its multicast request to port :5683 to bypass the above checks. I assume the server doesn't respond to this request, because the multicast address is not bound to port 5683 but to say 9999 only.
> If the CoAP server at port 5683 cannot distinguish between unicast/multicast that would be a bad situation and the security requirements of RFC 7252 are not met.
>
> Esko
>
> -----Original Message-----
> From: core <core-bounces@ietf.org> On Behalf Of Achim Kraus
> Sent: Wednesday, April 1, 2020 22:28
> To: Thomas Fossati <tho.ietf@gmail.com>om>; Klaus Hartke <hartke@projectcool.de>
> Cc: core@ietf.org
> Subject: Re: [core] RFC 7252 - 8.2 - Multicast - Request / Response Layer, page 67, top
>
> Hi,
>
>>> +---------------+                +-----------------+
>>> |               |    request    _|_                |
>>> |               |        .---> /   \   224.0.1.187 |
>>> |              _|_      /      \___/ --.   :9999   |
>>> | 192.168.0.1 /   \ ---´         |      \          |
>>> |   :54321    \___/ <---.       _|_     /  rewrite |
>>> |               |        \     /   \ <-´           |
>>> |               |         `--- \___/ 192.168.0.100 |
>>> |               |    response    |         :5683   |
>>> +---------------+                +-----------------+
>>>         Client                           Server
>
> Nice diagram.
>
>> Not sure why you would also want to rewrite the transport endpoint?
>
> I tried to follow the discussion.
> The idea to change the port as well enables java (and I guess some more) to differentiate between multicast and unicast requests. Jim also mentioned, that it enables the use of multiple servers on the same host.
> I have not enough experience with multicast in different environments to see, if that may cause more trouble (e.g. firewall etc.). I would guess, that some  implementations will just offer that variant, at least as configurable option (I would try do so for Californium).
> So my favorite for now is just implement it and see, what the user's feedback will be.
>
> If that idea gets declined (may be by negative feedback of users), I still think, that there is a demand for other means to distinguish between multicast and unicast requests. Maybe, either the usage of the uri-host option or a new option will help.
>
> This maybe considered as "too pragmatically", but on the other side I also don't see the "great benefit" in insist not to change the port.
>
> best regards
> Achim
>
> _______________________________________________
> core mailing list
> core@ietf.org
> https://www.ietf.org/mailman/listinfo/core
> _______________________________________________
> core mailing list
> core@ietf.org
> https://www.ietf.org/mailman/listinfo/core
>
>
> _______________________________________________
> core mailing list
> core@ietf.org
> https://www.ietf.org/mailman/listinfo/core
>