Re: [core] Endpoint Client Name / Endpoint Name in RD draft

[Jim Schaad <ietf@augustcellars.com>]

Hannes,

 

I have been thinking about this both from what you said, but also from the
point of view that I have been trying to figure out how to get security
implemented for a resource directory and how to specify the what the set of
legal security options would be for a registration.

 

I agree that it makes no sense for an endpoint registering itself to provide
an endpoint name, this should be inferred from the security context.
However, the parameter is needed for third party registrations.  If you have
somebody registering a set of end points, the security context might say
that you can register any endpoint matching floor3-* 

 

My initial idea was to just use the path + queries to control access so

 

/rd/ep-register?ep=device1

 

However, I am now trying to deal with the difference between, if present it
must be this vs if present it must be this, if not present then default to
this.

 

Jim

 

 

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com> 
Sent: Thursday, April 5, 2018 3:03 AM
To: Jaime Jiménez <jaime.jimenez@ericsson.com>
Cc: Jim Schaad <ietf@augustcellars.com>; core@ietf.org
Subject: RE: [core] Endpoint Client Name / Endpoint Name in RD draft

 

Hi Jaime, 

 

Thanks for the pointer to earlier discussions on this topic. 

 

Looking at the discussions from 2014 it appears that there is some
misunderstanding of how this endpoint name interacts with the security
protocol and what vulnerabilities are created by relying on an identifier
that is unauthenticated. 

 

I am curious what we lose if we remove this identifier altogether. The only
thing that comes to my mind is a debugging capability where you might want
to test your system without any security protocol. In any practical
deployment I would not recommend to use RD without security.

 

Ciao

Hannes

 

From: Jaime Jiménez [mailto:jaime.jimenez@ericsson.com] 
Sent: 05 April 2018 07:52
To: Hannes Tschofenig
Cc: Jim Schaad; core@ietf.org <mailto:core@ietf.org> 
Subject: Re: [core] Endpoint Client Name / Endpoint Name in RD draft

 

Hi,

 

You mean we should remove the “endpoint name” altogether, so not using URNs
to identify CoAP endpoints for example? 

 

The rationale for using endpoint name was at least discussed in 2014, back
then it seemed useful in the context of LWM2M.

 

http://ietf.org/mail-archive/web/core/current/msg05645.html

 

Ciao!


El 4 abr 2018, a las 22:01, Hannes Tschofenig <Hannes.Tschofenig@arm.com
<mailto:Hannes.Tschofenig@arm.com> > escribió:

Hi Jim, 

 

I had various comments: 

 

First, I argue that the LwM2M spec and the RD draft should be in sync
regarding the name of the parameter. 

 

Second, I believe that the security consideration section is correct in the
threat description but came to the wrong conclusion regarding the use of the
parameter. In essence, the parameter should be optional and probably only
used for debugging. 

 

Third, I went as far as saying that the endpoint name parameter should
actually be removed altogether. I can already see how those deploying it
will get it wrong and will introduce security problems. 

 

Ciao

Hannes

 

From: Jim Schaad [mailto:ietf@augustcellars.com] 
Sent: 04 April 2018 21:06
To: Hannes Tschofenig; 'Jaime Jiménez'
Cc: core@ietf.org <mailto:core@ietf.org> 
Subject: RE: [core] Endpoint Client Name / Endpoint Name in RD draft

 

Hannes,

 

I am not completely clear.  Are you saying that the RD should not have the
endpoint name parameter as a defined property or something else?

 

Jim

 

 

From: core <core-bounces@ietf.org <mailto:core-bounces@ietf.org> > On Behalf
Of Hannes Tschofenig
Sent: Wednesday, April 4, 2018 10:41 AM
To: Jaime Jiménez <jaime.jimenez@ericsson.com
<mailto:jaime.jimenez@ericsson.com> >
Cc: core@ietf.org <mailto:core@ietf.org>  WG <core@ietf.org
<mailto:core@ietf.org> >
Subject: Re: [core] Endpoint Client Name / Endpoint Name in RD draft

 

Hi Jaime, 

 

using IP address and port for an endpoint (client) name would not be a good
idea. 

In general, it was not a good idea to have this parameter defined in the
first place. It might actually be better to remove it altogether. 

 

Ciao

Hannes

 

From: Jaime Jiménez [mailto:jaime.jimenez@ericsson.com] 
Sent: 04 April 2018 17:32
To: Hannes Tschofenig
Cc: core@ietf.org <mailto:core@ietf.org>  WG; Carsten Bormann
Subject: Re: [core] Endpoint Client Name / Endpoint Name in RD draft

 

Hi,

 

Note that endpoint can refer to both source and destination, being and
IP:port in its simplest form: 

https://tools.ietf.org/html/rfc7252#page-6 

 

The fact that LWM2M swaps those role names might actually add to the
confusion, probably OMA LWM2M should be the one changing the terminology as
the device is mostly a “server” hosting resources and only is a “client”
during bootstrapping and registration. We could have used terms like
“servient” instead but it might be too late for that.

 

Ciao!

- - Jaime Jiménez

 

On 4 Apr 2018, at 16.41, Hannes Tschofenig <Hannes.Tschofenig@arm.com
<mailto:Hannes.Tschofenig@arm.com> > wrote:

 

Hi all, 

 

I noticed that the term “endpoint name” is used in the IETF RD draft while
the OMA LwM2M spec uses the term “endpoint client name”. Endpoint is a
confusing term since it is used differently in the CoAP spec than in the Web
environment.

 

For this reason I believe it would be better to use the term “endpoint
client name” also in the RD draft. This would improve alignment between the
two specs.

 

Ciao

Hannes

 

IMPORTANT NOTICE: The contents of this email and any attachments are
confidential and may also be privileged. If you are not the intended
recipient, please notify the sender immediately and do not disclose the
contents to any other person, use it for any purpose, or store or copy the
information in any medium. Thank you.
_______________________________________________
core mailing list
 <mailto:core@ietf.org> core@ietf.org
 <https://www.ietf.org/mailman/listinfo/core>
https://www.ietf.org/mailman/listinfo/core

 

IMPORTANT NOTICE: The contents of this email and any attachments are
confidential and may also be privileged. If you are not the intended
recipient, please notify the sender immediately and do not disclose the
contents to any other person, use it for any purpose, or store or copy the
information in any medium. Thank you. 

IMPORTANT NOTICE: The contents of this email and any attachments are
confidential and may also be privileged. If you are not the intended
recipient, please notify the sender immediately and do not disclose the
contents to any other person, use it for any purpose, or store or copy the
information in any medium. Thank you. 

IMPORTANT NOTICE: The contents of this email and any attachments are
confidential and may also be privileged. If you are not the intended
recipient, please notify the sender immediately and do not disclose the
contents to any other person, use it for any purpose, or store or copy the
information in any medium. Thank you.