Re: [core] New draft-tiloca-core-groupcomm-proxy on proxied CoAP multicast operation
Esko Dijk <esko.dijk@iotconsultancy.nl> Mon, 30 March 2020 13:12 UTC
Return-Path: <esko.dijk@iotconsultancy.nl>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 734F73A15A1 for <core@ietfa.amsl.com>; Mon, 30 Mar 2020 06:12:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.021
X-Spam-Level:
X-Spam-Status: No, score=0.021 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, T_SPF_HELO_TEMPERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iotconsultancynl.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id urH1wOrrmDkX for <core@ietfa.amsl.com>; Mon, 30 Mar 2020 06:12:29 -0700 (PDT)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70099.outbound.protection.outlook.com [40.107.7.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F3573A15A0 for <core@ietf.org>; Mon, 30 Mar 2020 06:12:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=eu4B6hszCMk97JfX7cRhNvUWBsXH2OcdPRvobtkoyGbK7bDwoPmmQKmZeU/qn0C6ZBSlUdm36A2mYCErVarWPnMNi8ibx78JHK6POb//e2MfCvduVh5S+TRURyXBxq47P1duv4oZnIX+kJWhG1uyQBH53ZRBHMVtLxXXx58STUl6KdZUC2sYscDgfeS2oG+nZwsIok2G32CbhPoTTDXA1c91CTMa9ynVAIZ3JUTP4n/WHRc9zsQq28UAoXBtW/wSfMSB+97ohQPbP6DzBAXcSj7tPu/Yhm+Lf2MTpLXMdIdduwDnq+M9vraNGzBbqRgV+S0JPYGNdJElYoKXD3tdVw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Mbqw5bNuJcwwshjrpwhaOj2PipqKiftpXjTyV9lY5K0=; b=AfV4DaUOCKC+QA77VumQ5Ska2/0YOwVlD/IrZFuKmEuJigb/KEbDIVkYkXPXpLVoM9vhkfl1NMOaidweMzBKXCYz0rdcy7c7XIRMgtAWBvfdXOAYBd5alPhaK55MxInl3Jbu6j+2W9636XSKKKlqLnoWj6NmxcDy6TEVk2EIMQ5btjxp0mlCt7phEd2HE9dB4yDy+znfwBaFZHtd9t8HhP/8to/ovZxbOn7VOnT1It/5zPHtJxMNji3PF0aYSGsUNE3A/RPEAZ9uKwIERt403QT8DoF1PTnUO06kZIPGvmtWeSLfYMVE4//rzw0eP7XdkX9MgGPTKxuk1mlXC8SueQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=iotconsultancy.nl; dmarc=pass action=none header.from=iotconsultancy.nl; dkim=pass header.d=iotconsultancy.nl; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iotconsultancynl.onmicrosoft.com; s=selector2-iotconsultancynl-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Mbqw5bNuJcwwshjrpwhaOj2PipqKiftpXjTyV9lY5K0=; b=DstwqlXl0rHpuESZ7hBWf3f+d0f3Lnz8DzVhspfbZJkfKkISN5o0Rk9kS0SU2UXHBnUHpjLxZ1L18gTs/VPm7DCRYdk2jCzuiQw8H+iyzMLtlsliqKVZHs2pLgt0zcsVGkD6Nncx20iE0hN93/VZ6GINtkRDhKjYr88IpnKQBlw=
Received: from AM5P190MB0275.EURP190.PROD.OUTLOOK.COM (10.161.62.28) by AM5P190MB0531.EURP190.PROD.OUTLOOK.COM (10.161.81.154) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2856.20; Mon, 30 Mar 2020 13:12:25 +0000
Received: from AM5P190MB0275.EURP190.PROD.OUTLOOK.COM ([fe80::8c96:a66b:e170:bf8f]) by AM5P190MB0275.EURP190.PROD.OUTLOOK.COM ([fe80::8c96:a66b:e170:bf8f%3]) with mapi id 15.20.2856.019; Mon, 30 Mar 2020 13:12:25 +0000
From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: Christian Amsüss <christian@amsuess.com>, Marco Tiloca <marco.tiloca@ri.se>
CC: "core@ietf.org" <core@ietf.org>
Thread-Topic: [core] New draft-tiloca-core-groupcomm-proxy on proxied CoAP multicast operation
Thread-Index: AdX3h8v3qOoNt7aTQmqeLXySL0X+xwA/0ZqAA4K0sXA=
Date: Mon, 30 Mar 2020 13:12:25 +0000
Message-ID: <AM5P190MB0275DDE559BE618264A8941EFDCB0@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM>
References: <AM5P190MB02753814229668BC943A5C02FDFC0@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <20200312155829.GA346418@hephaistos.amsuess.com>
In-Reply-To: <20200312155829.GA346418@hephaistos.amsuess.com>
Accept-Language: en-US, nl-NL
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=esko.dijk@iotconsultancy.nl;
x-originating-ip: [85.147.167.236]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2de28e81-f1cb-4530-1697-08d7d4abfd9d
x-ms-traffictypediagnostic: AM5P190MB0531:
x-microsoft-antispam-prvs: <AM5P190MB0531301AFE13FC0EDC7B18FFFDCB0@AM5P190MB0531.EURP190.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0358535363
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM5P190MB0275.EURP190.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFTY:; SFS:(10019020)(366004)(136003)(376002)(346002)(396003)(39830400003)(66574012)(52536014)(66556008)(66476007)(66946007)(64756008)(186003)(66446008)(76116006)(81156014)(110136005)(5660300002)(8936002)(33656002)(8676002)(81166006)(44832011)(316002)(508600001)(6506007)(7696005)(9686003)(55016002)(4326008)(71200400001)(26005)(2906002)(86362001)(53546011); DIR:OUT; SFP:1102;
received-spf: None (protection.outlook.com: iotconsultancy.nl does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 9EmDBXSLMrdwn5UR9T+iavHMtNJ5VVrRJ4zmW8BM2V19BPBgc4YvEZkG6E0xEapJSugBznj1ZvMRlaM5mbVYwoa2hphTftbziAGA7cuBsV4HoNvUrKCvlCVO+xUDUiykpBHTjUMYLewsDLNMBpj7OZshBg8kbfxsGU2B8QHhHdUJPSKtm7rO66Bk4w0/bU02OllCrtp8v8adJLaCCwkyIc3Yud6cJu7ohI1t5LSPBj6MoNDoud6cNKf2WvYhbpY71tTtdK/8CsWpEYAMDUx6YPGEma45CzFioS1cYpJVOsIetXsarNLZfJtZtFTv4V6QqSpY22+FIe0GliLy4s3SucYraIJjYjWloiPPpdS5f459KIVgbHBkj2YabtAdT85bFgpwXvzkBA4r6my6QTfuIwJ5LukAQNybIHS6oQxeObDESs45S1bpu3TlJJAVO1BB
x-ms-exchange-antispam-messagedata: /TQ+XHinwFHG5pANoz9rmzJ50IccONkkONiERU8fyrEUzqIv2p11IHBt2mJPPR02M9z0F/IvOlWdVD2VlOrj3rKgSoJm4WyhLNnB2QWpQ3q18g3k3f/2f5GdoB0VDlIEZixbiKKPlRyrX7qVkHKdBg==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: iotconsultancy.nl
X-MS-Exchange-CrossTenant-Network-Message-Id: 2de28e81-f1cb-4530-1697-08d7d4abfd9d
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Mar 2020 13:12:25.4303 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 58bbf628-15d2-46bc-820b-863b6774d44b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: q4Lm43GYaqAj4mIzYfRHP8OBN3LYwh3tOY02S8fOl7gHyJ4Be7bzxVCnSkAMJDn108gT0cX3VwA5ydNoHYQEUHNe1iUxhODG/7iDqqeCF+I=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5P190MB0531
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/MYccztqTjpVue6IvxzN4R-ET7fs>
Subject: Re: [core] New draft-tiloca-core-groupcomm-proxy on proxied CoAP multicast operation
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Mar 2020 13:12:36 -0000
Hello Christian, Thanks for your review / skimming round! Please see our answers below marked "[GP]". Regards Esko -----Original Message----- From: Christian Amsüss <christian@amsuess.com> Sent: Thursday, March 12, 2020 16:58 To: Esko Dijk <esko.dijk@iotconsultancy.nl>; Marco Tiloca <marco.tiloca@ri.se> Cc: core@ietf.org Subject: Re: [core] New draft-tiloca-core-groupcomm-proxy on proxied CoAP multicast operation Hello Esko, hello Marco, hello CoRE, thanks for tackling this. I'm only skimming over it in a first round, but a few things have come up: * Multicast-Signaling: Is this a CBOR unsigned integer or a CoAP uint? [GP] Yes, that was indeed an oversight. We will change it to uint as it is totally fine for our scope. * Response-Forwarding: Is this expected to be extensible to any other CoAP transport that may come up that supports multicast? The use of CBOR tags seems to imply that, but then there's the question of how the client would arrive at a URI for follow-up unicast communication. Have you considered just using values that'd go into Uri-Host in a follow-up request? [GP] The use of CBOR tags was not on purpose to be prepared for future transports. It was more re-using a convention that was already there. But by doing it this way we are prepared for potential future transports, in which something else than an IPv4 or IPv6 or MAC address needs to be sent back to the client. The current encoding is expected to be more efficient than providing an IP address as a Uri-Host string. The current encoding can also be re-used in a Uri-Host or Uri-Proxy Option sent towards a proxy, although the client needs to do some transcoding to get it into the string format used by CoAP. If the client uses a direct unicast connection to reach the server (maybe this use case is less common?) then it doesn't use the returned IP address in the CoAP request; it will only use it in the destination IP address of the IP packet that is sent and then having it in a byte-by-byte format is quite useful. * Why is the information about the client being behind a proxy forwarded? We don't to this in other proxying cases, and it just puts an additional burden on the origin server I don't see a compelling need for. From reading up to 5.3, I'd have expected that the proxy strip Multicast-Signaling when doing the actual multicast, and put back the Response-Forwarding option. [GP] Yes, that can also work - the Multicast-Signaling only goes up to the Proxy ; and the Proxy adds the IP address information to the response that's forwarded back to the client. We opted for the current end-to-end solution to have the extra information (in both ways) secured so the Proxy can't tamper with it. (This works in combination with OSCORE.) We see some pros and cons for both options. It would take some more analysis and discussion to decide which is best! * At some point, as a WG we will need to think of whether we really want to have another option with Observe-like multiresponses; Block-wise and Observe being the two extensions so early everyone knew from RFC7252 they would come does put them into a special position. I do see the benefits of doing things this way -- it is way more efficient than anything I could think of that works across unaware proxies. If we see this as general enough to be one of the few ways to have longer-lived tokens, all is fine, and I am fine with that outcome, but would like to hear some WG discussion on whether we are as a group. In particular, that process should come up with some criterion of whether a mechanism is special enough to be another Observe. Otherwise, one option is to define a single one more generalized longlived-token mechanism that'd go along any option that starts an observationish process (and tells the proxy the eventual-consistency semantics of the request). Observe doesn't need that because it's been known all along, but if it weren't, it could be expressed in terms of that one option (plus its own option). If even that doesn't fly, the whole protocol would need to look very different (but I hope it won't come to that). [GP] The concept of multiple responses (by the Proxy) to a client's request is already defined in RFC 7252 so it is not 'new' in that sense. The use of the Options as we define it, doesn't change that behavior. Also in draft-ietf-core-groupcomm-bis we discuss the longer-lived Tokens issue; so that's inherently present in multicast situations (proxied or not). Maybe we could use draft-ietf-core-groupcomm-bis to define the more general long-lived-token mechanisms? (Not sure yet what these would be, in general.) This would require more discussion. Further input is welcome on what this generalized mechanism would look like. * The proxy needs to authenticate the client, that's a sane requirement. In a situation where I alerady deploy OSCORE for E2E, it would be convenient to use OSCORE to protect the leg to the proxy as well. OSCORE rules that out per specification, but to my understanding that's not for technical reasons, but primarily due to how to everything is phrased as protecting and unprotecting a complete message rather than accessing options before and after unprotection. This would make a convincing use case for nested OSCORE, so I'd suggest thinking about this. It may help to describe it in terms of sending a message to a forward proxy; option classes might change in the course of that. (In particular, Uri-Host and OSCORE become Class E for that purpose). [GP] Yes, we agree this looks like a very interesting use case for nested OSCORE protection. It appears to be feasible; we started doing some more analysis on this. Best regards, and thanks for working on that document Christian [GP] Thanks again for this good feedback! Best regards Esko & Marco IoTconsultancy.nl | Email/Skype: esko.dijk@iotconsultancy.nl -- I shouldn't have written all those tank programs. -- Kevin Flynn
- [core] New draft-tiloca-core-groupcomm-proxy on p… Esko Dijk
- Re: [core] New draft-tiloca-core-groupcomm-proxy … Christian Amsüss
- Re: [core] New draft-tiloca-core-groupcomm-proxy … Esko Dijk
- Re: [core] New draft-tiloca-core-groupcomm-proxy … Christian Amsüss