Re: [core] No-Response option and OSCORE
'Christian Amsüss' <christian@amsuess.com> Fri, 11 May 2018 10:37 UTC
Return-Path: <christian@amsuess.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA457127078; Fri, 11 May 2018 03:37:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QOauJFhPcp8i; Fri, 11 May 2018 03:37:50 -0700 (PDT)
Received: from prometheus.amsuess.com (prometheus.amsuess.com [5.9.147.112]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B80241241F3; Fri, 11 May 2018 03:37:50 -0700 (PDT)
Received: from poseidon-mailhub.amsuess.com (095129206250.cust.akis.net [95.129.206.250]) by prometheus.amsuess.com (Postfix) with ESMTPS id A064F49AE8; Fri, 11 May 2018 12:37:48 +0200 (CEST)
Received: from poseidon-mailbox.amsuess.com (unknown [IPv6:2a02:b18:c13b:8010:a800:ff:fede:b1bf]) by poseidon-mailhub.amsuess.com (Postfix) with ESMTP id F0F956F; Fri, 11 May 2018 12:37:46 +0200 (CEST)
Received: from hephaistos.amsuess.com (hephaistos.amsuess.com [IPv6:2a02:b18:c13b:8010::db8]) by poseidon-mailbox.amsuess.com (Postfix) with ESMTPSA id 99E9C5A; Fri, 11 May 2018 12:37:46 +0200 (CEST)
Received: (nullmailer pid 13107 invoked by uid 1000); Fri, 11 May 2018 10:37:45 -0000
Date: Fri, 11 May 2018 12:37:45 +0200
From: 'Christian Amsüss' <christian@amsuess.com>
To: Jim Schaad <ietf@augustcellars.com>
Cc: 'Francesca Palombini' <francesca.palombini@ericsson.com>, draft-tcs-coap-no-response-option@ietf.org, core@ietf.org, 'Klaus Hartke' <hartke@projectcool.de>
Message-ID: <20180511103744.GF23148@hephaistos.amsuess.com>
References: <HE1PR07MB152939003ACA6963256A8E8498160@HE1PR07MB1529.eurprd07.prod.outlook.com> <CAAzbHvbgG-a9yY_k8zkpmzek7qp2Hs5P1=qMN=Zz77meLsqSRw@mail.gmail.com> <HE1PR07MB152949ADA4799F15E2630D5498EB0@HE1PR07MB1529.eurprd07.prod.outlook.com> <20180510114100.GA9530@hephaistos.amsuess.com> <00c001d3e88b$96722ec0$c3568c40$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="I3tAPq1Rm2pUxvsp"
Content-Disposition: inline
In-Reply-To: <00c001d3e88b$96722ec0$c3568c40$@augustcellars.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/M-PgHVib-flvAdqV9JXe8cYLJvo>
Subject: Re: [core] No-Response option and OSCORE
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 May 2018 10:37:53 -0000
Hi jim and OSCORE developers,
On Thu, May 10, 2018 at 11:20:31AM -0700, Jim Schaad wrote:
> > If I, as prescribed, set No-Response:2.xx both outer and inner, then
> > if the server answers protected-4.04 (which is outer-2.01), then the
> > server may know to ignore the outer No-Response, but a surprised
> > proxy would not and swallow the 4.04.
>
> This is a huge problem and needs to be solved.
Glad I did not just miss an old solution.
> > If only an inner No-Response:2.xx is were sent, the proxy expects an
> > unconditional response, and might respond late with a 5.04 Gateway
> > Timeout. (That's also bad but not as bad as the above).
>
> I am not sure that I worry about this. First I think that the proxy in this
> case is being overly helpful. Given that we are looking at a NON request,
> it makes sense that there is no response ever coming back from anybody. It
> would be different if this were a CON request.
The proxy might have forwarded it as a CON, or over reliable transport.
> You are going to get the exact same behavior from a proxy which does
> not implement the No-Response option so this is not going to be new.
I don't think so. No-Response is unsafe-to-forward, so it "lead[s] to
4.02 Bad Option" per RFC7252 Section 5.7.1.
> > I'd suggest picking an outer value that is not specified yet (say,
> > "1", and call it "at the origin's disretion"). [...]
>
> If you are going to do this, it might be better to say that you are not
> interested in 8.xx messages which could be defined as being - no proxies are
> to generate responses.
Indeed, expressing the code as 0x80 is better; there can never be 8.xx
codes so this is obviously magic, while someone could still define 1.xx
codes to be ignored.
Bringing this to concrete proposals:
A: the simple one
"No-Response is an inner and outer option; the inner option always
reflects the intention of the operation, and an OSCORE server ignores
the outer. A client usually sets only the inner No-Response option, but
MAY set the outer to 26 ('ignore all known codes') if the inner is set
to 26. The client MUST be prepared to receive and discard 5.04 errors
from intermediaries."
B: extend No-Response
"We define a new No-Response value, 128, described as 'Not interested in
some responses'. A server receiving that option decides based on some
context (eg. other options like OSCORE) whether or not the client is
interested in the response; if it has no such context, it SHOULD respond
with 4.02 Bad Option. A proxy processing the option must forward
response messages it receives, but never sends a 5.04 error if it
receives no response. (It may still send a 5.04 if it forwards the
request over a secure or reliable connection that can not be
established, or if it forwards the request as a CON and receives no
ACK.)
No-Response is an inner and outer option; [... as above]. If a client
sets the inner option, itSHOULD set the outer option to 128 ('Not
interested in some responses'), or be prepared to receive and discard
5.04 errors from intermediaries."
Best regards
Christian
--
To use raw power is to make yourself infinitely vulnerable to greater powers.
-- Bene Gesserit axiom
- [core] No-Response option and OSCORE Francesca Palombini
- Re: [core] No-Response option and OSCORE Klaus Hartke
- Re: [core] No-Response option and OSCORE Francesca Palombini
- Re: [core] No-Response option and OSCORE Esko Dijk
- Re: [core] No-Response option and OSCORE Christian Amsüss
- Re: [core] No-Response option and OSCORE Jim Schaad
- Re: [core] No-Response option and OSCORE 'Christian Amsüss'
- Re: [core] No-Response option and OSCORE Jim Schaad