Re: [core] RFC 7252 - 8.2 - Multicast - Request / Response Layer, page 67, top

Esko Dijk <esko.dijk@iotconsultancy.nl> Thu, 02 April 2020 08:22 UTC

Return-Path: <esko.dijk@iotconsultancy.nl>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 951DA3A0D5F for <core@ietfa.amsl.com>; Thu, 2 Apr 2020 01:22:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level:
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iotconsultancynl.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y-m1zgJR-imv for <core@ietfa.amsl.com>; Thu, 2 Apr 2020 01:22:55 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60132.outbound.protection.outlook.com [40.107.6.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE61B3A0D5D for <core@ietf.org>; Thu, 2 Apr 2020 01:22:54 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=T4H8frLnIk+qEcK7jVw3+LIuApvnj/5o0sBV546aUZsPvXPV4b1v74bohxiRcSPFMJN2mZxz/tHhfkG0hTlgImffnoFCeb4NvKAXAhE+e7/kWDerJK4Iy6b06SJMGrGm5X2liSQjvMrozj/yuXeO47W2YZQChmOxOIrHijZnZYAT3KaACcwVEE84pCZyo5iupfMg7neYEScDfvIaKo/NQXD2MgVit4t5XtjoEtyN0rEx4G8xj9Vrs/QTi9dUoDBW+XmtN2G/3B07WSS+1/6uhe8IUIELgM/0sp5SBxw27dl/zdMaK+mftk417WSod6kZcIgRpx+ByuNdhPriWc8qig==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=sYEw7eJcFdMRK+iksi2KHphMZ12WLCGr5t/uJ3BiESg=; b=hcu3FC00lfoi2thgIulOfcH3YlFWaQlz2xvQEic3vBo79EHc2xL7/62zdHRRXO6IOMpmllp/yrNo9geFDCCcUEWsGtp74RnTmy0uWQm0mW30KVdCzZyGdBqC9Q1xy9I8Rse8LYCbzh97lKtHYo65diM5CvKBDg3UWlN8KZvGmAD3wQv1RiPXUT2JKKiIQkPvgOBBoUgCkFy/dDtYMtz+sU+slRyL8q1I+PNQ87t9GtyR0p9okvy6CH6Mdl8/bru9xlTq7xQaCXZ4mdEP0m+NS+xEo883WvkvB6qT3BjG8r9+zM8ExK1FhjuB1OroxG+67n/1tKiRP5w8cdb+Wqd0Iw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=iotconsultancy.nl; dmarc=pass action=none header.from=iotconsultancy.nl; dkim=pass header.d=iotconsultancy.nl; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iotconsultancynl.onmicrosoft.com; s=selector2-iotconsultancynl-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=sYEw7eJcFdMRK+iksi2KHphMZ12WLCGr5t/uJ3BiESg=; b=chlWRpBntrY2n6MM6uaR72RYGG6L3YhO6vvAlO9m1d0m6leASJG4fbkbbIeEABxJo4mSOjdITxa6wuA8zitlsMx8YmgllLd9yDvNgfBMoEL50TygFjY3nIn6rm+Rjl/PwcfCajR8FOPnKWem+ltVoK6aepe2mIeXnrUp4MULoVA=
Received: from AM5P190MB0275.EURP190.PROD.OUTLOOK.COM (10.161.62.28) by AM5P190MB0562.EURP190.PROD.OUTLOOK.COM (10.161.81.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2856.19; Thu, 2 Apr 2020 08:22:52 +0000
Received: from AM5P190MB0275.EURP190.PROD.OUTLOOK.COM ([fe80::8c96:a66b:e170:bf8f]) by AM5P190MB0275.EURP190.PROD.OUTLOOK.COM ([fe80::8c96:a66b:e170:bf8f%3]) with mapi id 15.20.2856.019; Thu, 2 Apr 2020 08:22:52 +0000
From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: Achim Kraus <achimkraus@gmx.net>, Thomas Fossati <tho.ietf@gmail.com>, Klaus Hartke <hartke@projectcool.de>
CC: "core@ietf.org" <core@ietf.org>
Thread-Topic: [core] RFC 7252 - 8.2 - Multicast - Request / Response Layer, page 67, top
Thread-Index: AQHWBAJ4QQxxhgNVoE6+AM1rLNkaVahcnYmAgAAdZICABcLe8IAAHjWAgABVYQCAAP5CIIAADCeAgAAkYYCAAE/IAIAAUBuAgADFdpA=
Date: Thu, 2 Apr 2020 08:22:51 +0000
Message-ID: <AM5P190MB02755F6BA4AFF11C3BFC5F18FDC60@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM>
References: <580bb0f4-89c4-2d11-b17b-520ddfe89c33@gmx.net> <000501d60452$c96cfa00$5c46ee00$@augustcellars.com> <1e74313a-d258-622f-d43e-ff1fa8f7d06d@gmx.net> <AM5P190MB027536259A44102F7AB9E058FDC80@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <CAAzbHvbeEyws+wVchovoVTK=WutWoHCNcfv8LrpxmshLxJ_w+Q@mail.gmail.com> <011301d6077c$b5d347b0$2179d710$@augustcellars.com> <AM5P190MB0275218BA7C801E50C8353F0FDC90@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <CAObGJnOscTtyeQ+qvD0N0w_TD2JfV8h9+=zf=bz-jrr7LWhD2Q@mail.gmail.com> <CAAzbHvaJy9WfMOzzKhczreuZBcbA5TDQ5ThtGMT7eVj2Jf83gQ@mail.gmail.com> <CAObGJnOcP_FxNuORqAvpBE-P+nRdPjxcXVdb-VTN5in5obanmw@mail.gmail.com> <02ec5628-3f7d-ff5d-620c-c0a90a4b89b0@gmx.net>
In-Reply-To: <02ec5628-3f7d-ff5d-620c-c0a90a4b89b0@gmx.net>
Accept-Language: en-US, nl-NL
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=esko.dijk@iotconsultancy.nl;
x-originating-ip: [85.147.167.236]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: bbf7ddc0-e5d8-4027-c7ab-08d7d6df096b
x-ms-traffictypediagnostic: AM5P190MB0562:
x-microsoft-antispam-prvs: <AM5P190MB0562DDF47EB3EDEA172E1B17FDC60@AM5P190MB0562.EURP190.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0361212EA8
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM5P190MB0275.EURP190.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFTY:; SFS:(10019020)(376002)(39830400003)(136003)(396003)(346002)(366004)(8676002)(71200400001)(53546011)(44832011)(2906002)(186003)(33656002)(66476007)(81156014)(81166006)(52536014)(66946007)(7696005)(76116006)(8936002)(55016002)(26005)(6506007)(9686003)(966005)(4326008)(66446008)(64756008)(5660300002)(86362001)(316002)(110136005)(508600001)(66556008); DIR:OUT; SFP:1102;
received-spf: None (protection.outlook.com: iotconsultancy.nl does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Bkqklk8+V94i7MNoUmA7K0NqOBwVxc9Qv91JVXPzjQ4iilAbFiUcgPIEvHoPyyNw1ZEeRWqkWfFPfsJZ5rtvLsWGFXnA758U2gtYJGxuzKPa9JL5faEXGPoMWHGRMD5qjWQDfnwBVbAbjqYZBtRRx8/7cOPzxMZQAou1BsOKBP/dOd2Bl1MgL/wkPwlQaWYU4UQvWW2UuKai0hVMQ3CIod5rx71B44wZu6NoLTgoOOQNbLOVMePw0N0OMRk1vzdlRApgeoOHgDPNiCUuvRYRWgRA6YoufBByuJoB6SPlXarK0DiNMQY61MtZ8DV/YCmKV5o4TIVFGQ4tqeAmfpgZ5D/Yd/Ddboq9McDxljx+5/yKmiAZh2huzNChQ6Ms4JxtTorRyDzPLHoJqMumNhJ+f5qcipjrC9hCR3GpHuYBh2u14io8LMWjfSIUvRGxHqYrW/iWxnCC0MwfIHYI8GJzuGCWvheAyyJhh04iIPZhXrSTWZuIxVJLp+JHUFbx0mAC7OZP85Ssfh5R76VxcCRpjA==
x-ms-exchange-antispam-messagedata: qaCXnpaYey9VayhNESLN8e+LOT7xw/g+8YM7DLfYrRplrsU/7sl8OJtHHdjf6ekuknMacfruQv6cDCjnHkeEzfvU6PLg088ULhbdW+4GkhurAKWFM7ITMN98ChmHQGW+oQycnfA0ulhbhYQkOS0+uA==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: iotconsultancy.nl
X-MS-Exchange-CrossTenant-Network-Message-Id: bbf7ddc0-e5d8-4027-c7ab-08d7d6df096b
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Apr 2020 08:22:51.8956 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 58bbf628-15d2-46bc-820b-863b6774d44b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: SWpiCzVlIiLNnO2p/2RoMgQ6cOgjNKywFO/TcTgl2G+Sh3E4jHu3vpxfflodP3tTMPSDZ1P+dQt3gs3bECGxTpQ0Awcf4HB4YT8ubJV1W6c=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5P190MB0562
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/ei5C5CQpVNqOZoLSFCgEaQvvlmc>
Subject: Re: [core] RFC 7252 - 8.2 - Multicast - Request / Response Layer, page 67, top
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Apr 2020 08:22:57 -0000

Hello Achim,

(see also my response to Jim)
Using the UDP port number to detect a multicast request vs a unicast request sounds like a good use case. Just curious - I assume the security aspect requirements of RFC 7252 are taken care of in this use case?

That is, a proper client sends its multicast requests always to port :9999 and the server treats these as multicast requests (e.g. only allow the request for specific resources).
A malicious client may sends its multicast request to port :5683 to bypass the above checks. I assume the server doesn't respond to this request, because the multicast address is not bound to port 5683 but to say 9999 only.
If the CoAP server at port 5683 cannot distinguish between unicast/multicast that would be a bad situation and the security requirements of RFC 7252 are not met.

Esko

-----Original Message-----
From: core <core-bounces@ietf.org> On Behalf Of Achim Kraus
Sent: Wednesday, April 1, 2020 22:28
To: Thomas Fossati <tho.ietf@gmail.com>om>; Klaus Hartke <hartke@projectcool.de>
Cc: core@ietf.org
Subject: Re: [core] RFC 7252 - 8.2 - Multicast - Request / Response Layer, page 67, top

Hi,

>> +---------------+                +-----------------+
>> |               |    request    _|_                |
>> |               |        .---> /   \   224.0.1.187 |
>> |              _|_      /      \___/ --.   :9999   |
>> | 192.168.0.1 /   \ ---´         |      \          |
>> |   :54321    \___/ <---.       _|_     /  rewrite |
>> |               |        \     /   \ <-´           |
>> |               |         `--- \___/ 192.168.0.100 |
>> |               |    response    |         :5683   |
>> +---------------+                +-----------------+
>>        Client                           Server

Nice diagram.

> Not sure why you would also want to rewrite the transport endpoint?

I tried to follow the discussion.
The idea to change the port as well enables java (and I guess some more)
to differentiate between multicast and unicast requests. Jim also
mentioned, that it enables the use of multiple servers on the same host.
I have not enough experience with multicast in different environments to
see, if that may cause more trouble (e.g. firewall etc.). I would guess,
that some  implementations will just offer that variant, at least as
configurable option (I would try do so for Californium).
So my favorite for now is just implement it and see, what the user's
feedback will be.

If that idea gets declined (may be by negative feedback of users), I
still think, that there is a demand for other means to distinguish
between multicast and unicast requests. Maybe, either the usage of the
uri-host option or a new option will help.

This maybe considered as "too pragmatically", but on the other side I
also don't see the "great benefit" in insist not to change the port.

best regards
Achim

_______________________________________________
core mailing list
core@ietf.org
https://www.ietf.org/mailman/listinfo/core