Re: [core] RFC 7252 - 8.2 - Multicast - Request / Response Layer, page 67, top

Achim Kraus <achimkraus@gmx.net> Tue, 07 April 2020 08:12 UTC

Return-Path: <achimkraus@gmx.net>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF6E33A18D1 for <core@ietfa.amsl.com>; Tue, 7 Apr 2020 01:12:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gmx.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4dqSsOWzOa2D for <core@ietfa.amsl.com>; Tue, 7 Apr 2020 01:12:33 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD7003A18CD for <core@ietf.org>; Tue, 7 Apr 2020 01:12:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1586247144; bh=TQ0ZODj/NKyMRnjVKZ8iv4BKgubR7xnLiXQnbIf5ynQ=; h=X-UI-Sender-Class:Subject:To:Cc:References:From:Date:In-Reply-To; b=j8QO26rPdJQkuKZjzdL9+KlvGpZDATMOL92inhISpKBGkeEICCLiCOGBrwWtK9Ajk OLWLw5iGAH1lemvIL9RA+0G2y/1gbVA4t4Kj1426rVDUrM7jLvh5psEOZyL2F21+fm XBotnu6Jtfxy6szfL4/vphwPxGzqT4erDi9EG+lA=
X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c
Received: from [192.168.178.45] ([88.65.144.250]) by mail.gmx.com (mrgmx005 [212.227.17.190]) with ESMTPSA (Nemesis) id 1MVvL5-1jlKfC3lNl-00RtoY; Tue, 07 Apr 2020 10:12:24 +0200
To: Jim Schaad <ietf@augustcellars.com>
Cc: core@ietf.org
References: <580bb0f4-89c4-2d11-b17b-520ddfe89c33@gmx.net> <000501d60452$c96cfa00$5c46ee00$@augustcellars.com> <1e74313a-d258-622f-d43e-ff1fa8f7d06d@gmx.net> <AM5P190MB027536259A44102F7AB9E058FDC80@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <CAAzbHvbeEyws+wVchovoVTK=WutWoHCNcfv8LrpxmshLxJ_w+Q@mail.gmail.com> <011301d6077c$b5d347b0$2179d710$@augustcellars.com> <AM5P190MB0275218BA7C801E50C8353F0FDC90@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <CAObGJnOscTtyeQ+qvD0N0w_TD2JfV8h9+=zf=bz-jrr7LWhD2Q@mail.gmail.com> <CAAzbHvaJy9WfMOzzKhczreuZBcbA5TDQ5ThtGMT7eVj2Jf83gQ@mail.gmail.com> <CAObGJnOcP_FxNuORqAvpBE-P+nRdPjxcXVdb-VTN5in5obanmw@mail.gmail.com> <02ec5628-3f7d-ff5d-620c-c0a90a4b89b0@gmx.net> <AM5P190MB02755F6BA4AFF11C3BFC5F18FDC60@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <020701d60907$fb3ba720$f1b2f560$@augustcellars.com> <AM5P190MB02756F537F757941D123AF17FDC70@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <02c601d609e0$e0afcbf0$a20f63d0$@augustcellars.com>
From: Achim Kraus <achimkraus@gmx.net>
Message-ID: <67d5ddf6-94dd-51af-0e43-10a078ecb5fc@gmx.net>
Date: Tue, 7 Apr 2020 10:12:23 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1
MIME-Version: 1.0
In-Reply-To: <02c601d609e0$e0afcbf0$a20f63d0$@augustcellars.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: de-AT-frami
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:BMQ+yXBcgnDm4N5KMPOpT+/885PtqJS7Z0BxSHPOnVs9ZbWYuLf hnWw3bOwX3wr9YgQaXLkCrQgWD5r6PPWyTLSnQLxfP5MHjL3uIJN3TtgxkNnwTjZQhVhV+U /8xEO542klz8Bi4x6QuF2WHM5kBwbwz/azGoeIdUYQmuE4VuuZDmOG/z3I7bP6B+QVspOY+ 3LFZIgLNhzik2lbrtwqZA==
X-UI-Out-Filterresults: notjunk:1;V03:K0:zJjhqNezY2o=:+dSWlsVbn69bZHCHIAMQhA +Alm3ImbVb6KtkAZxgVWIYYSRSFmpHFC5bEyOX3LTk3mq0T0l5XwjlRuOHuwsVAeQ8YEf/OVP dBgiqLC14Yz8mT4EvNKpGh1vYhhaJ1QQZ8F8qxAKfmgU3g0haMGbDaxWVv5rIKzHlQxNZNNdQ MQpAwrJKzeEgkaZwGUx/rf96EjKQKdX4okNGXLKIQwoLNSq8BsDPQqmxvWd+p1C9ENYlcr9Uo 0zRAdOlzqIyZ7AJ9kX+uVGYdhGcJ8YIoUBvJdXyhhpA8nshgKDExjLUmqKD8+av4+xMeKfpQg K2HLpCxWhd7d6cXyRjYXECqNWQmgVyZukgAPOswKBDSFMnuloeyfXBnecbMxU63tc8gMINqdx 0Mn21cfLei9/g6ojSCDj69bhOkx1KbkIotgTjzT6pgxWznP+15vr5g0IMZIqhLAcB8icSf3Ih TNxtwAxBvCFmYD0JsNsRjXa7HWYk9cB+ZU2hOUc3pe17q4knxqx6PHDxYtcl+MXUdQPT+ZIcF NQoJJbQ/QeYflyJJ8w/J2VaCBGz+RhFM5i2BTD5riIFVCZoPZWCqFZJhjjhyJqPW140Gl+1so UgwLkc8dN0sy8eGax3S6FVQFxv9RcsUbu/kT3qO81f9KoIRFv/VB6ns8+ZqAch9sdbfGhS8HS lDjuCmBHKpRDmlUNo9ODiJRXip+iyCMOr5maxSumLv1pcnxsyW2i7Fq69GaXRyXJpQ7xRyxmP ZbguUDV5nYR8HsT4KWd1n8wbD0FoYQJ7JpHfOL+rmQg3FI5FG2cNttwNTXKI8Xrr5yg45jTyI Go98uzmsp+HblGu5BZcFzZlYF6tQFf7ysXyE6Zom0LlMEeM8wzzwHI+czqdD8nrrLboITCt0x +Xdex4/ESLVSzHbC1/ycZGzIG6HakZ9dlo2RT+BcoA7M5D+bFO+pYsIOG+/Ndso3uQdX6QBWL nJZY+2QMU1u5ilzv77SksiXcLVtbFMuvsFt/DKmS0okKqU6ESE/MWdh9+y1AdleajbxBsgGJp 4ojBxlPWaG6glFH1swaLqVr6sl8ymrBKDsCFqAl+xdfmKLXsFnbXSoVuL5xD3YDfrQnJ9BJzX MVQlWoEqqmtZVC0eCUyYwiCcQyubAg9yr4A+e9pW/1vZmwZntB81FNynVeCBBlhZmGi2Qr6Bv btFyhgVsVFvgf3oBBhOmDXPZDs+muajXDkAECgAGKgsTndzT2kBwlgOr1f6XXhg2kHS8kO/TI rqAhG8J3OHdc6hMeG
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/7QZlUTj4wEbo3wQ-T88bRGQsQ9E>
Subject: Re: [core] RFC 7252 - 8.2 - Multicast - Request / Response Layer, page 67, top
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Apr 2020 08:12:35 -0000

Hello Jim,

 > [JLS] I think it is a bad idea to use the port number as a means of
distinguishing multicast and unicast message.    If you do something
like this completely internal to your own code, then it is an
implementation detail but would not map to any type of text for an IETF
document.

Do you have an example, where a IETF specification uses multicast and
unicast and differs in processing on that? Otherwise the point maybe,
that other protocols, which also support multicast, process any request
in the same way, regardless if it's received via the unicast or
multicast address.

 > [JLS]  If this is really true, and I am not sure that I believe that
to be the case, then the JAVA library is completely broken and needs to
get fixed.    The fast look that I had at the JAVA library looks like
you need to create a distinct socket for every <address, port> pair that
you are dealing with.  I think that should give you all of the info that
you need, but like I said, I have not done the JAVA programming itself.

At least, it is easier to mix it up, than to do it proper.
And "wrong" maybe not too obvious, because it requires precise
mechanisms to detect that. And it may vary from OS to OS.
For linux the multicast socket seems to require to be bound to the
specific multicast address, for windows that doesn's work and seems to
be not required. So, lets see, if only "my limited java multicast
knowledge" is the gap, or other implementations will also struggle :-).

best regards
Achim

Am 03.04.20 um 19:54 schrieb Jim Schaad:
>
>
> -----Original Message-----
> From: Esko Dijk <esko.dijk@iotconsultancy.nl>
> Sent: Friday, April 3, 2020 5:38 AM
> To: Jim Schaad <ietf@augustcellars.com>om>; 'Achim Kraus' <achimkraus@gmx.net>et>; 'Thomas Fossati' <tho.ietf@gmail.com>om>; 'Klaus Hartke' <hartke@projectcool.de>
> Cc: core@ietf.org
> Subject: RE: [core] RFC 7252 - 8.2 - Multicast - Request / Response Layer, page 67, top
>
> Hello Jim,
>
> Could you clarify your point further?
> - what is a bad idea - having a dedicated port with dedicated for handling multicast requests?  Or the subsequent "internal routing" of the request to the unicast server at a different port? Or both?
> [JLS] I think it is a bad idea to use the port number as a means of distinguishing multicast and unicast message.    If you do something like this completely internal to your own code, then it is an implementation detail but would not map to any type of text for an IETF document.
>
> - what is a "multicast channel" , do you mean an endpoint bound to a multicast address ?
> [JLS] I use the word channel because it maps from my code base in many ways.  A "multicast channel" would map to an endpoint bound to a <multicast address, port> pair.  An analogy for those of us who are really old would be to consider UHF and VHF on your TV to be different multicast addresses, but you still need to choose the channel number (port number) in order to get a flow of information that is usable. The analogy of course breaks down because you cannot send information back to the TV stations.
>
>> some resources may only want to be on a single multicast address even
>> if the server is listening on multiple unicast addresses
>
> Sure, you can also have a dedicated server on say port :9999 that listens to multicast destination addresses only, because it is bound only to a multicast address not a unicast address. This dedicated server can then handle resources that only are to be accessed via multicast.
> But in this case, there's no "internal routing" needed to another server inside the node because the resource is only hosted at say port :9999.
> [JLS] You can have a dedicated server on say <address, port=9999> that lists for multicast traffic.  You always have the address and port as a pair.
>
>> The IP address is different for a multicast vs a unicast message
>> received at the server.  This needs to be the distinction
>
> But the case the Achim indicated is that the server may not be able to detect whether a request came in via unicast of multicast. So this cannot be the distinction, e.g. in the following case:
> 1) CoAP server at port 5683 is bound to unicast address U
> 2) at same node, same CoAP server at port 5683 is bound to multicast address M
> [JLS]  If this is really true, and I am not sure that I believe that to be the case, then the JAVA library is completely broken and needs to get fixed.    The fast look that I had at the JAVA library looks like you need to create a distinct socket for every <address, port> pair that you are dealing with.  I think that should give you all of the info that you need, but like I said, I have not done the JAVA programming itself.
>
> Now in this case if a request comes in via multicast group M destined  to port 5683, the server handling this cannot tell whether it was unicast or multicast. And if a unicast request comes in to destination address U and port 5683, the server cannot tell also whether that was unicast or multicast.
> [JLS] What is the address that is associated with the port number?  You cannot have a bare port number you also must have an IP address.  The IP address is how you distinguish unicast/multicast.
>
> [JLS]  Jim
>
> By setting it up like this instead that problem is avoided:
> 1) CoAP server at port 5683 is bound to unicast address U
> 2) at same node, same CoAP server at port 9999 is bound to multicast address M Then the server at port 5683 treats everything as unicast. (Because it is not bound to a multicast address, it won't receive any multicast requests directly.) And the server at port 9999 treats everything as multicast. (And this endpoint 9999 handles most requests by internally redirecting to server :5683, but only for those resources where multicast is allowed. Some request for multicast-only resources it can handle itself directly.)
>
> So the above "workaround" seems handy for cases where a server at one specific UDP cannot itself determine the endpoint the request came in from (could be either multicast like M or unicast like U).
>
> @Achim maybe you could comment if I've understood your use case properly.  To me the above seems more secure than trusting that a client will include a "This is multicast" CoAP Option in an honest way, which could easily be misused.
>
> thanks
> Esko
>
> -----Original Message-----
> From: Jim Schaad <ietf@augustcellars.com>
> Sent: Thursday, April 2, 2020 18:02
> To: Esko Dijk <esko.dijk@iotconsultancy.nl>nl>; 'Achim Kraus' <achimkraus@gmx.net>et>; 'Thomas Fossati' <tho.ietf@gmail.com>om>; 'Klaus Hartke' <hartke@projectcool.de>
> Cc: core@ietf.org
> Subject: RE: [core] RFC 7252 - 8.2 - Multicast - Request / Response Layer, page 67, top
>
> Esko,
>
> That idea strikes me as a very bad idea.   If you build your code on this basis you will fall over the first time you come across a multicast channel which uses the same port as the unicast server.   The IP address is different for a multicast vs a unicast message received at the server.  This needs to be the distinction as well as the fact that some resources may only want to be on a single multicast address even if the server is listening on multiple unicast addresses.
>
> Jim
>
>
> -----Original Message-----
> From: core <core-bounces@ietf.org> On Behalf Of Esko Dijk
> Sent: Thursday, April 2, 2020 1:23 AM
> To: Achim Kraus <achimkraus@gmx.net>et>; Thomas Fossati <tho.ietf@gmail.com>om>; Klaus Hartke <hartke@projectcool.de>
> Cc: core@ietf.org
> Subject: Re: [core] RFC 7252 - 8.2 - Multicast - Request / Response Layer, page 67, top
>
> Hello Achim,
>
> (see also my response to Jim)
> Using the UDP port number to detect a multicast request vs a unicast request sounds like a good use case. Just curious - I assume the security aspect requirements of RFC 7252 are taken care of in this use case?
>
> That is, a proper client sends its multicast requests always to port :9999 and the server treats these as multicast requests (e.g. only allow the request for specific resources).
> A malicious client may sends its multicast request to port :5683 to bypass the above checks. I assume the server doesn't respond to this request, because the multicast address is not bound to port 5683 but to say 9999 only.
> If the CoAP server at port 5683 cannot distinguish between unicast/multicast that would be a bad situation and the security requirements of RFC 7252 are not met.
>
> Esko
>
> -----Original Message-----
> From: core <core-bounces@ietf.org> On Behalf Of Achim Kraus
> Sent: Wednesday, April 1, 2020 22:28
> To: Thomas Fossati <tho.ietf@gmail.com>om>; Klaus Hartke <hartke@projectcool.de>
> Cc: core@ietf.org
> Subject: Re: [core] RFC 7252 - 8.2 - Multicast - Request / Response Layer, page 67, top
>
> Hi,
>
>>> +---------------+                +-----------------+
>>> |               |    request    _|_                |
>>> |               |        .---> /   \   224.0.1.187 |
>>> |              _|_      /      \___/ --.   :9999   |
>>> | 192.168.0.1 /   \ ---´         |      \          |
>>> |   :54321    \___/ <---.       _|_     /  rewrite |
>>> |               |        \     /   \ <-´           |
>>> |               |         `--- \___/ 192.168.0.100 |
>>> |               |    response    |         :5683   |
>>> +---------------+                +-----------------+
>>>         Client                           Server
>
> Nice diagram.
>
>> Not sure why you would also want to rewrite the transport endpoint?
>
> I tried to follow the discussion.
> The idea to change the port as well enables java (and I guess some more) to differentiate between multicast and unicast requests. Jim also mentioned, that it enables the use of multiple servers on the same host.
> I have not enough experience with multicast in different environments to see, if that may cause more trouble (e.g. firewall etc.). I would guess, that some  implementations will just offer that variant, at least as configurable option (I would try do so for Californium).
> So my favorite for now is just implement it and see, what the user's feedback will be.
>
> If that idea gets declined (may be by negative feedback of users), I still think, that there is a demand for other means to distinguish between multicast and unicast requests. Maybe, either the usage of the uri-host option or a new option will help.
>
> This maybe considered as "too pragmatically", but on the other side I also don't see the "great benefit" in insist not to change the port.
>
> best regards
> Achim
>
> _______________________________________________
> core mailing list
> core@ietf.org
> https://www.ietf.org/mailman/listinfo/core
> _______________________________________________
> core mailing list
> core@ietf.org
> https://www.ietf.org/mailman/listinfo/core
>
>
> _______________________________________________
> core mailing list
> core@ietf.org
> https://www.ietf.org/mailman/listinfo/core
>