Re: [core] draft-ietf-core-coap-06 The CoAP/DTLS/CoAP Turkey Sandwich layer violation train wreck
Zach Shelby <zach@sensinode.com> Fri, 13 May 2011 14:25 UTC
Return-Path: <zach@sensinode.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B901E0675 for <core@ietfa.amsl.com>; Fri, 13 May 2011 07:25:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.149
X-Spam-Level:
X-Spam-Status: No, score=-2.149 tagged_above=-999 required=5 tests=[AWL=-1.450, BAYES_00=-2.599, J_CHICKENPOX_31=0.6, MANGLED_BEST=2.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cEcLMgSIpwEp for <core@ietfa.amsl.com>; Fri, 13 May 2011 07:25:27 -0700 (PDT)
Received: from auth-smtp.nebula.fi (auth-smtp.nebula.fi [217.30.180.105]) by ietfa.amsl.com (Postfix) with ESMTP id B46A2E0734 for <core@ietf.org>; Fri, 13 May 2011 07:25:26 -0700 (PDT)
Received: from [192.168.1.43] (a91-156-92-242.elisa-laajakaista.fi [91.156.92.242]) (authenticated bits=0) by auth-smtp.nebula.fi (8.13.4/8.13.4) with ESMTP id p4DEPJOx008989 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Fri, 13 May 2011 17:25:20 +0300
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: multipart/signed; boundary="Apple-Mail-317-572006892"; protocol="application/pkcs7-signature"; micalg="sha1"
From: Zach Shelby <zach@sensinode.com>
In-Reply-To: <C9F02359.AB1F%therbst@silverspringnet.com>
Date: Fri, 13 May 2011 17:25:21 +0300
Message-Id: <129AA012-582C-4426-8E1B-9966AED7F7D0@sensinode.com>
References: <C9F02359.AB1F%therbst@silverspringnet.com>
To: Thomas Herbst <therbst@silverspringnet.com>
X-Mailer: Apple Mail (2.1084)
Cc: "core@ietf.org" <core@ietf.org>
Subject: Re: [core] draft-ietf-core-coap-06 The CoAP/DTLS/CoAP Turkey Sandwich layer violation train wreck
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/core>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 May 2011 14:25:28 -0000
This subject line is really amusing :-) No really, what is being suggested here is two things: 1. Separate ports for CoAP (NoSec mode) and DTLS/CoAP (Anything != NoSec mode) 2. A separate coaps:// scheme to indicate DTLS/CoAP Originally, the single scheme and port approach really did make sense as our security modes were pretty varied and could be accomplished by *either IPsec or DTLS*. In Prague we made an important decision to bind DTLS support strongly into CoAP. After this change, I don't see any problem going with the separate port and scheme approach if that is what the WG wants (definitely seeing support for this change). Besides, I could remove Section 7.3 all together :-) The caveat though as Carsten pointed out, is that coaps:// will require more configuration than https:// as we have more possible modes. This would need to be discussed in the security section. I guess coaps:// would need to assume some defaults unless otherwise configured. Is there any strong objection to going with this separate port and scheme model? Zach On May 11, 2011, at 9:28 PM, Thomas Herbst wrote: > +1 > > From: Robert Cragie <robert.cragie@gridmerge.com> > Reply-To: "robert.cragie@gridmerge.com" <robert.cragie@gridmerge.com> > Date: Tue, 10 May 2011 06:55:52 -0700 > To: "core@ietf.org" <core@ietf.org> > Subject: Re: [core] draft-ietf-core-coap-06 The CoAP/DTLS/CoAP Turkey Sandwich layer violation train wreck > > I have never seen what the issue is with using two ports like HTTPS: > > • One port for CoAP over UDP > • One port for CoAP over DTLS over UDP > > Robert > Robert Cragie (Pacific Gas & Electric) > Gridmerge Ltd. > 89 Greenfield Crescent, > Wakefield, WF4 4WA, UK > +44 1924 910888 > +1 415 513 0064 > http://www.gridmerge.com > > On 06/05/2011 8:49 AM, Eric Rescorla wrote: >> On Thu, May 5, 2011 at 6:24 PM, Carsten Bormann <cabo@tzi.org> >> wrote: >> >>> On May 6, 2011, at 02:51, Eric Rescorla wrote: >>> >>> >>>> 1. Use STUN as-is. >>>> >>> Yep, we are doing that. >>> (The escaping stuff is insurance for a case that is rather unlikely. We could take it out.) >>> >>> What is the status about STUN coexisting with DTLS? >>> >> As far as I know, there's no problem, since the leading bytes plus cookies make >> collisions very unlikely. >> >> >> >>>> 2. Use a leading framing byte to distinguish DTLS and CoAP from STUN. >>>> If you're really worried >>>> about compactiness, >>>> >>> (Yes, we are.) >>> >>> >>>> then pick only a single value to distinguish DTLS >>>> (e.g., 0xffffffff) >>>> >>> (That would be a bit long.) >>> >> Sorry, brain failure. 0xff >> >> >> >>>> and use all >>>> the remaining values to give you a little more room in the rest of the packet. >>>> >>> Sure, we could do that. It would mean spending another byte for all DTLS packets. >>> >> Right. My argument is that that's not that big a deal because it only >> increases space >> by ~5%. >> >> >> >>> More importantly, it also means DTLS packets no longer look like DTLS packets, which complicates debugging. >>> >> Yes, I agree that that's suboptimal. That's why I prefer separate ports... >> The material you're quoting above is just some other thoughts for dealing with >> the same port if people insist. >> >> >> >>> I would like to learn more about your plans to expand the DTLS ContentType space. >>> This hasn't changed since 1996. Of course, it could, next month. >>> Again, the escaping stuff is insurance for this case. We could take it out. >>> >> I don't think there are any immediate plans to do so--though note that >> >> http://tools.ietf.org/html/draft-seggelmann-tls-dtls-heartbeat-01 >> >> does contemplate one addition. And I would assume that we intend to >> assign the content-types towards the bottom of the range first. That said, >> I don't think TLS-WG has by any means decided to commit to not >> assigning a bunch more types. >> >> Bes,t >> -Ekr >> _______________________________________________ >> core mailing list >> >> core@ietf.orghttps://www.ietf.org/mailman/listinfo/core > _______________________________________________ > core mailing list > core@ietf.org > https://www.ietf.org/mailman/listinfo/core -- Zach Shelby, Chief Nerd, Sensinode Ltd. http://zachshelby.org - My blog "On the Internet of Things" http://6lowpan.net - My book "6LoWPAN: The Wireless Embedded Internet" Mobile: +358 40 7796297
- [core] draft-ietf-core-coap-06 The CoAP/DTLS/CoAP… Cullen Jennings
- Re: [core] draft-ietf-core-coap-06 The CoAP/DTLS/… Carsten Bormann
- Re: [core] draft-ietf-core-coap-06 The CoAP/DTLS/… Cullen Jennings
- Re: [core] draft-ietf-core-coap-06 The CoAP/DTLS/… Eric Rescorla
- Re: [core] draft-ietf-core-coap-06 The CoAP/DTLS/… Carsten Bormann
- Re: [core] draft-ietf-core-coap-06 The CoAP/DTLS/… Eric Rescorla
- Re: [core] draft-ietf-core-coap-06 The CoAP/DTLS/… Robert Cragie
- Re: [core] draft-ietf-core-coap-06 The CoAP/DTLS/… Thomas Herbst
- Re: [core] draft-ietf-core-coap-06 The CoAP/DTLS/… Zach Shelby
- Re: [core] draft-ietf-core-coap-06 The CoAP/DTLS/… Robert Cragie
- Re: [core] draft-ietf-core-coap-06 The CoAP/DTLS/… Zach Shelby
- Re: [core] draft-ietf-core-coap-06 The CoAP/DTLS/… Robert Cragie