Re: [core] DTLS and Epochs
Simon Bernard <contact@simonbernard.eu> Fri, 09 June 2017 17:23 UTC
Return-Path: <contact@simonbernard.eu>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEE5912871F for <core@ietfa.amsl.com>; Fri, 9 Jun 2017 10:23:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.619
X-Spam-Level:
X-Spam-Status: No, score=-2.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ymuq7XFgI_72 for <core@ietfa.amsl.com>; Fri, 9 Jun 2017 10:23:22 -0700 (PDT)
Received: from 16.mo7.mail-out.ovh.net (16.mo7.mail-out.ovh.net [46.105.72.216]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE460129B55 for <core@ietf.org>; Fri, 9 Jun 2017 10:23:04 -0700 (PDT)
Received: from player697.ha.ovh.net (b9.ovh.net [213.186.33.59]) by mo7.mail-out.ovh.net (Postfix) with ESMTP id 8DF255953F for <core@ietf.org>; Fri, 9 Jun 2017 19:23:02 +0200 (CEST)
Received: from [10.41.51.97] (130.163-14-84.ripe.coltfrance.com [84.14.163.130]) (Authenticated sender: contact@simonbernard.eu) by player697.ha.ovh.net (Postfix) with ESMTPSA id 90B76480083; Fri, 9 Jun 2017 19:22:58 +0200 (CEST)
To: weigengyu <weigengyu@vip.sina.com>, Carsten Bormann <cabo@tzi.org>, "Kraus Achim (INST/ECS4)" <Achim.Kraus@bosch-si.com>
References: <003501d2cd32$c4417a10$4cc46e30$@augustcellars.com> <CAAzbHvYb39cPMmw_S0eZ4RSwzzmcE7636tjyu=kyCbUtBOwb0g@mail.gmail.com> <005e01d2cd8f$ae548dc0$0afda940$@augustcellars.com> <BC45A96C78AE43AF896A65A184D287B5@WeiGengyuPC> <014601d2daf1$8f1865c0$ad493140$@augustcellars.com> <849AEC05-87E3-48A7-B5C6-E6B6C8DC98D5@tzi.org> <015501d2dafe$dc53e640$94fbb2c0$@augustcellars.com> <0EE7D28C4BD94A4BB8ACA70FF0182BFC@WeiGengyuPC> <000001d2db51$a7d31c30$f7795490$@augustcellars.com> <B6BE0059DC7749D6AA5621CAE49E5073@WeiGengyuPC> <000301d2db56$24df9ab0$6e9ed010$@augustcellars.com> <35046B0695F64F97ABE9E1965062E7FC@WeiGengyuPC> <83c2fca38c534509aa77241aa3105aad@FE-MBX1027.de.bosch.com> <4FC55496-308A-4FCA-8003-6E0B4BB92015@tzi.org> <88a7de1d-f9fe-3743-a58c-5cdd5ad7b82a@simonbernard.eu> <E76C28F9D5434CEAB7A9EB0C82011581@WeiGengyuPC>
Cc: core@ietf.org
From: Simon Bernard <contact@simonbernard.eu>
Message-ID: <33b06763-4315-dfb1-8551-988149d3d422@simonbernard.eu>
Date: Fri, 09 Jun 2017 19:22:58 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <E76C28F9D5434CEAB7A9EB0C82011581@WeiGengyuPC>
Content-Type: multipart/alternative; boundary="------------3F8F7E93E5117DD3C05799B6"
X-Ovh-Tracer-Id: 15669711956028700839
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: -100
X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrfeeljedrieehgdduuddtucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuqfggjfdpvefjgfevmfevgfenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddm
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/3ovH5L3HICtTQAcU47jZTlr4BY8>
Subject: Re: [core] DTLS and Epochs
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jun 2017 17:23:25 -0000
This is the point. We agree that a new DTLS association must be established. It's ok as generally this is the peer which has a dynamic IP which will initiate this handshake. This is not optimal but this is ok (some solution is explored to optimize that like the connection ID proposed by Fossati draft-fossati-tls-iot-optimizations-00) Let's suppose a peer with dynamic IP address is observed and send notification. When its IP address changes a new observe relation should also be established to respect the same epoch/same connection constraint. If we don't, observe notifications should be dropped. The issue : this time this is not the peer with the dynamic IP address which must initiate the relation. Another issue : NAT timeout is sometime around 60s so for some use case we need to re-established observe relation each time we receive a notification ? This is not the spirit of the observe feature. Le 09/06/2017 à 18:23, weigengyu a écrit : > Hi all, > In DTLS there is a formal to calculate a cookie: > Cookie = HMAC(Secret, Client-IP, Client-Parameters) > Cookie is related to the Client-IP address and used during DTLS > handshakes. > If the IP address is changed just during handshanke stage, the > handshake will not continue. > Then it must start a new DTLS shandshake with the new IP address. > If the IP address is changed during DTLS record delivery after a > successfule handshake, > the DTLS record carried in a new IP address would be treated to belong > to a different DTLS association. > In a receiving side with an unchanged IP address, the DTLS record > would be regarded as an invalide one to be discarded according to > RFC6347. > So, for CoAP Observe if the IP address is changed, a new DTLS > association must be establishied. > Regards, > Gengyu WEI > Network Technology Center > School of Computer > Beijing University of Posts and Telecommunications > *From:* Simon Bernard <mailto:contact@simonbernard.eu> > *Sent:* Friday, June 09, 2017 6:35 PM > *To:* Carsten Bormann <mailto:cabo@tzi.org> ; Kraus Achim (INST/ECS4) > <mailto:Achim.Kraus@bosch-si.com> > *Cc:* core@ietf.org <mailto:core@ietf.org> > *Subject:* Re: [core] DTLS and Epochs > > Hi, > > We faced this issue when we tried to make observe work behind NAT in > a LWM2M context. > > My understanding is "same epoch" means implicitly "same DTLS > connection too" which is a real issue in dynamic IP address > environment (as DTLS connection is identified by IP address). "same > epoch" means "no TLS renegociation". > > IMHO, "same epoch/connection" should be replaced by "same identity" > (PSK identity for PSK, public key for RPK, CN for certificate) for > authenticated peer or "same session" for non-authenticated. In case > you want to allow TLS renegotiation you should add "same cipher" too. > But TLS renegotiation seems to be not advisable for DTLS 1.2 : > https://tools.ietf.org/html/rfc7925#section-17 and removed to DTLS 1.3 > last time I looked at it. > > I initially think about that for observe request, but maybe it can > be generalized to all request/response correlation. > > Here some discussion about this idea : > - https://www.ietf.org/mail-archive/web/core/current/msg08019.html > - https://www.ietf.org/mail-archive/web/core/current/msg08004.html > > Simon > > Le 08/06/2017 à 11:08, Carsten Bormann a écrit : >> On Jun 8, 2017, at 10:17, Kraus Achim (INST/ECS4)mailto:Achim.Kraus@bosch-si.com wrote: >>> It's still unclear to me, if this should be considered to be the "same epoch" in the meaning of RFC7252. >>> >>> I pointed to that last summer (https://www.ietf.org/mail-archive/web/core/current/msg07816.html), but I could get clarification on that. >> I think that we can agree that the current definition is >> — not fully clear >> — unrealistic in certain implementation environments (so it may not actually be implemented) >> — unnecessarily restrictive. >> >> Now the next question is what definition would >> — make sense from an implementers’ point of view >> — not be unnecessarily restrictive >> — retain the desirable security properties of the current restrictive definition >> - be clear >> - maybe also make sense for DTLS 1.3 (which isn’t fully baked yet). >> >> (And then we have to figure out the process for fixing it — that is not too hard once we know the extent of the change that needs to me made. E.g., an RFC updating RFC 7252.) >> >> Grüße, Carsten >> >> _______________________________________________ >> core mailing list >> core@ietf.org >> https://www.ietf.org/mailman/listinfo/core > > ------------------------------------------------------------------------ > _______________________________________________ > core mailing list > core@ietf.org > https://www.ietf.org/mailman/listinfo/core
- [core] DTLS and Epochs Jim Schaad
- Re: [core] DTLS and Epochs Klaus Hartke
- Re: [core] DTLS and Epochs Carsten Bormann
- Re: [core] DTLS and Epochs Klaus Hartke
- Re: [core] DTLS and Epochs Jim Schaad
- Re: [core] DTLS and Epochs Carsten Bormann
- Re: [core] DTLS and Epochs Jim Schaad
- Re: [core] DTLS and Epochs Jim Schaad
- Re: [core] DTLS and Epochs weigengyu
- Re: [core] DTLS and Epochs Jim Schaad
- Re: [core] DTLS and Epochs Jim Schaad
- Re: [core] DTLS and Epochs weigengyu
- Re: [core] DTLS and Epochs Kraus Achim (INST/ECS4)
- Re: [core] DTLS and Epochs Carsten Bormann
- Re: [core] DTLS and Epochs Jim Schaad
- Re: [core] DTLS and Epochs Simon Bernard
- Re: [core] DTLS and Epochs weigengyu
- Re: [core] DTLS and Epochs Simon Bernard
- Re: [core] DTLS and Epochs weigengyu
- Re: [core] DTLS and Epochs weigengyu