[core] Benjamin Kaduk's Discuss on draft-ietf-core-resource-directory-25: (with DISCUSS and COMMENT)

Benjamin Kaduk via Datatracker <noreply@ietf.org> Thu, 13 August 2020 08:12 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: core@ietf.org
Delivered-To: core@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id AA8993A0859; Thu, 13 Aug 2020 01:12:00 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: "The IESG" <iesg@ietf.org>
Cc: draft-ietf-core-resource-directory@ietf.org, core-chairs@ietf.org, core@ietf.org, jaime@iki.fi, jaime.jimenez@ericsson.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.13.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <159730632066.12379.5174560093789503034@ietfa.amsl.com>
Date: Thu, 13 Aug 2020 01:12:00 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/OHIHAjtfs_OqrNjn9_q1DktMFKU>
Subject: [core] Benjamin Kaduk's Discuss on draft-ietf-core-resource-directory-25: (with DISCUSS and COMMENT)
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Aug 2020 08:12:01 -0000

Benjamin Kaduk has entered the following ballot position for
draft-ietf-core-resource-directory-25: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-core-resource-directory/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

I agree with Roman that the authorization model seems under-developed.
While I recognize that there is need for flexibility across various
deployments, I think that we should be providing a default model (and
procedures for it) that will apply in many cases, and let
deployments specify alternate models if needed.  This stuff is hard
enough to get right that we should have a secure option that people can
use if they don't need to have customized details.  (To be clear, I
agree with the change of focus from -24 to -25 on the properties that a
security policy needs to provide and/or consider, as that is
fundamentally the important thing.  I just want a fallback/default
option that "does something reasonable in most cases" in addition.
Doing that by reference to some other existing thing would be fine, if
such a thing exists.)

In particular, the current text seems to rely on the authorization
model including:

(1) the RD knowing how clients will be using it (and thus what
properties the RD needs to enforce), which in the general case cannot be
known (though for static networks it could be), yet I don't see any
discussion that indicates this as a prerequisite; and

(2) the client either knowing out-of-band that an entity is authorized
to act as a RD or just blindly trusting any of the unauthenticated (*)
advertisement mechanisms.  (* Yes, there may be some protection in the
network on subscribing to the relevant multicast address, DNS-SD, etc.,
but the client cannot a priori know that such protections are in place.)

Relatedly, the naming model and naming authority should have some
clearer discussion.  We do mention in Section 7 the possibility for a
weak naming model where the RD is responsible for enforcing uniqueness
of names but otherwise link attributes are the primary authorization
criteria (vs. a traditional scheme with a naming authority and naming
hierarchy), but with naming as a fundamental prerequisite of any
authentication/authorization scheme, I think clearer discussion of how a
naming model is to be selected (and, perhaps more importantly, that it
must be fixed as part of a given deployment) for a given network is
needed.

If I understand correctly, we have some codepoint squatting going on in
the examples (e.g., for resource types).

We should talk about the security properties of the various RD discovery
mechanisms that are defined.


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

My apologies for where these comments diverge off into rambling
incoherency, or where I'm misunderstanding something that's clearly laid
out; this document had the misfortune of being the last one I got to
this week.

Section 1

   [RFC6690] only describes how to discover resources from the web
   server that hosts them by querying "/.well-known/core".  In many
   constrained scenarios, direct discovery of resources is not practical
   due to sleeping nodes, disperse networks, or networks where multicast
   traffic is inefficient.  These problems can be solved by employing an
   entity called a Resource Directory (RD), which contains information
   about resources held on other servers, allowing lookups to be
   performed for those resources.

nit(?): I'd consider specifying that the RD is "a trusted entity".
(Even when the resources themselves are authenticated, a hostile RD can
still deny existence of a given resource, so by choosing to use an RD
there is some level of trust involved.)

Section 2

   Resource Directory (RD)
      A web entity that stores information about web resources and
      implements the REST interfaces defined in this specification for
      discovery, for the creation, the maintenance and the removal of
      registrations, and for lookup of the registered resources.

nit: the list structure is not parallel here.  Maybe "for discovery,
creation, maintenance, and removal of registrations, and for lookup of
the registered resources"?

   Commissioning Tool
      Commissioning Tool (CT) is a device that assists during the
      installation of the network by assigning values to parameters,
      naming endpoints and groups, or adapting the installation to the
      needs of the applications.

Is "the installation of the network" a one-time event?   (Might a CT be
involved when adding a new device to a network at a later time?)

Section 3.1

   Information SHOULD only be stored in the RD if it can be obtained by
   querying the described device's /.well-known/core resource directly.

When might that not be the case?

Section 3.2

   The RD architecture is illustrated in Figure 1.  An RD is used as a
   repository of registrations describing resources hosted on other web
   servers, also called endpoints (EP).  An endpoint is a web server
   associated with a scheme, IP address and port.  A physical node may

(side note) hmm, I feel like in the HTTP world an endpoint is more
likely to be associated with a DNS name than an IP address, in common
usage.  Also, we later go on to assert that the endpoint's name has
primacy and that the IP address/port can be ephemeral.

   An endpoint uses specific interfaces to register, update and remove a
   registration.  It is also possible for an RD to fetch Web Links from
   endpoints and add their contents to its registrations.

   At the first registration of an endpoint, a "registration resource"
   is created, the location of which is returned to the registering
   endpoint.  The registering endpoint uses this registration resource
   to manage the contents of registrations.

Does the "RD fetches links unilaterally" case count as a "first
registration of an endpoint"?  I'm having a hard time seeing how these
two statements are consistent with each other, and a naive reading
admits the possibility that a given endpoint could be "locked out" of
the ability to manage the contents of its registrations.

Section 4

   REST clients (registrant-EPs and CTs during registration and
   maintenance, lookup clients, RD servers during simple registrations)
   MUST be prepared to receive any unsuccessful code and act upon it
   according to its definition, options and/or payload to the best of
   their capabilities, falling back to failing the operation if recovery
   is not possible.  In particular, they should retry the request upon

"MUST be prepared [...] to the best of their abilities" seems
non-actionable.  The stuff after "In particular", on the other hand, is
actual concrete guidance that could be mandated using normative
language.

Section 4.1

   1.  In a 6LoWPAN, just assume the Border Router (6LBR) can act as an
       RD (using the ABRO option to find that [RFC6775]).  Confirmation
       can be obtained by sending a Unicast to "coap://[6LBR]/.well-
       known/core?rt=core.rd*".

nit(?): I was unaware that "Unicast" was a proper noun.

Section 4.3

   "core.rd" in the query string.  Likewise, a Resource Type parameter
   value of "core.rd-lookup*" is used to discover the URIs for RD Lookup
   operations, core.rd* is used to discover all URI paths for RD
   operations.  [...]

Is the distinction between URIs (for RD Lookup) and URI paths (for RD)
important here?

   While the link targets in this discovery step are often expressed in
   path-absolute form, this is not a requirement.  Clients of the RD
   SHOULD therefore accept URIs of all schemes they support, both as
   URIs and relative references, and not limit the set of discovered
   URIs to those hosted at the address used for URI discovery.

I'm not sure I see how the "not limit [...] to those hosted at the
address used for URI discovery" follows from the non-requirement for
expression of the link-targets from discovery in path-absolute form.
(Given the ability to send the discovery query to a multicast address,
the guidance seems okay; it's just the "therefore" that is puzzling me.)

   It would typically be stored in an implementation information link
   (as described in [I-D.bormann-t2trg-rel-impl]):

   Req: GET /.well-known/core?rel=impl-info

This seems to be depicting a link-relation type that is not registered
at https://www.iana.org/assignments/link-relations/link-relations.xhtml
, i.e., codepoint squatting.  Please put in a stronger disclaimer that
this is an example link relation type, not just an example exchange.

Section 5

These first few paragraphs give the impression that this is
first-come-first-served with minimal authentication or authorization
checking.  Mentioning that there are authorization checks, with a
forward-reference, might be helpful.

   further parameters (see Section 9.3).  The RD then creates a new
   registration resource in the RD and returns its location.  The

Is this returned "registration resource" expected to function as a
"capability URL" (https://www.w3.org/TR/capability-urls/) that would
need to contain an appropriate amount of entropy to be reasonably
unguessable by parties other than the registrant-ep/CT responsible for
it?

   The registration request interface is specified as follows:

   Interaction:  EP -> RD

I thought that the CT could be a requestor as well as the EP.

         well.  The endpoint name and sector name are not set when one
         or both are set in an accompanying authorization token.

What should the RD do if they are set but also present in the
accompanying authorization token?

   Req: POST coap://rd.example.com/rd?ep=node1
   Content-Format: 40
   Payload:
   </sensors/temp>;ct=41;rt="temperature-c";if="sensor",

(side note) XML for the sensors, not SenML?  With Carsten as an author,
even? ;)

   An RD may optionally support HTTP.  Here is an example of almost the
   same registration operation above, when done using HTTP.

   Req:
   POST /rd?ep=node1&base=http://[2001:db8:1::1] HTTP/1.1
   Host: example.com

Wouldn't "Host: rd.example.com" be closer to "almost the same
registration"?

Section 5.1

I'm a little uneasy about specifying new behavior for POST to the
existin /.well-known/core that was defined by RFC 6690 for other uses.
What factors go into using the same well-known URI vs. defining a new
one for this usage?

   The sequence of fetching the registration content before sending a
   successful response was chosen to make responses reliable, and the
   caching item was chosen to still allow very constrained registrants.

I'm not sure what "the caching item" is supposed to be (if it's not a
typo/misordering of words).

Section 5.3

   queries concerning this endpoint.  The RD SHOULD continue to provide
   access to the Registration Resource after a registration time-out
   occurs in order to enable the registering endpoint to eventually
   refresh the registration.  The RD MAY eventually remove the
   registration resource for the purpose of garbage collection.  If the
   Registration Resource is removed, the corresponding endpoint will
   need to be re-registered.

(This MAY is actually a MUST for the simple registration case, per §5.1,
right?)

Section 5.3.1

   An update MAY update the lifetime or the base URI registration
   parameters "lt", "base" as in Section 5.  Parameters that are not

What about the "extra-attrs"; are they inherently forbidden from
updates?

                            base :=  Base URI (optional).  This
         parameter updates the Base URI established in the original
         registration to a new value.  If the parameter is set in an
         update, it is stored by the RD as the new Base URI under which
         to interpret the relative links present in the payload of the
         original registration, following the same restrictions as in
         the registration.  If the parameter is not set in the request

nit: is it the interpretation of relative links that is following the
same restrictions as in the registration, or the new value of the
parameter being supplied in the update?

   The following example shows how the registering endpoint updates its
   registration resource at an RD using this interface with the example
   location value: /rd/4521.

The path component "4521" contains a worryingly small amount of
unpredictableness; I would prefer examples that used longer random
locations, as for capability URLs.  (Throughout the document, of
course.)  See also draft-gont-numeric-ids-sec-considerations, that I'm
AD sponsoring, though I do not see any clear issues on first glance.

(Also, it might be worth another sentence that this update is serving
just to reset the lifetime, making no other changes, since this might be
expected to be a common usage.)

Section 6

With "Resource Lookup" and "Endpoint Lookup" as (apparent) top-level
siblings, would it make sense to put 6.2, or at least 6.3, as
subsections under 6.1?

Section 6.1

   Resource lookup results in links that are semantically equivalent to
   the links submitted to the RD.  The links and link parameters
   returned by the lookup are equal to the submitted ones, except that
   the target and anchor references are fully resolved.

Are the "submitted ones" the submissions at registration time, or during
the lookup query itself?  (I assume registration-time, but being
explicit costs little.)

   If the base URI of a registration contains a link-local address, the
   RD MUST NOT show its links unless the lookup was made from the same
   link.  The RD MUST NOT include zone identifiers in the resolved URIs.

Same link as what?

Section 6.2

   The page and count parameters are used to obtain lookup results in
   specified increments using pagination, where count specifies how many

(We haven't introduced the page and count parameters yet.)

   operator as in Section 4.1 of [RFC6690].  Attributes that are defined
   as "link-type" match if the search value matches any of their values

Where is it specified how an attribute might be "defined as
'link-type'"?  This is the only instance of the string "link-type" in
this document, and it does not appear in RFC 6690 at all...

   references) and are matched against a resolved link target.  Queries
   for endpoints SHOULD be expressed in path-absolute form if possible
   and MUST be expressed in URI form otherwise; the RD SHOULD recognize
   either.  The "anchor" attribute is usable for resource lookups, and,
   if queried, MUST be for in URI form as well.

I don't see how it can be only a SHOULD to recognize either given these
generation criteria.

Section 6.3

   The following example shows a client performing a lookup of all
   resources of all endpoints of a given endpoint type.  It assumes that
   two endpoints (with endpoint names "sensor1" and "sensor2") have
   previously registered with their respective addresses
   "coap://sensor1.example.com" and "coap://sensor2.example.com", and
   posted the very payload of the 6th request of section 5 of [RFC6690].

Er, the 6th request is a GET; do we mean to say the response to the 6th
request?

Section 6.4

   The endpoint lookup returns registration resources which can only be
   manipulated by the registering endpoint.

This seems to leave it unclear whether the endpoint lookup is expected
to return resources that the requestor will not have permission to
manipulate (in addition to those it does have permission for).

   While Endpoint Lookup does expose the registration resources, the RD
   does not need to make them accessible to clients.  Clients SHOULD NOT
   attempt to dereference or manipulate them.

But why expose them at all if they're not going to be accessible?

   An RD can report endpoints in lookup that are not hosted at the same
   address.  [...]

The "same address" as what?

Section 7.1

   Whenever an RD needs to provide trustworthy results to clients doing
   endpoint lookup, or resource lookup with filtering on the endpoint

How will the RD know whether the client is expecting trustworthy
results?  (When would a client *not* expect trustworthy results?)

   name, the RD must ensure that the registrant is authorized to use the
   given endpoint name.  This applies both to registration and later to
   operations on the registration resource.  It is immaterial there
   whether the client is the registrant-ep itself or a CT is doing the
   registration: The RD can not tell the difference, and CTs may use

I suppose there might be plausible authorization models where a
return-routability check to a given address constitutes authorization to
use that address as an endpoint name, in which case the RD can tell the
difference between a registrant-ep and a CT attempting to act on its
behalf.

   When certificates are used as authorization credentials, the
   sector(s) and endpoint name(s) can be transported in the subject.  In
   an ACE context, those are typically transported in a scope claim.

As Russ noted in the Gen-ART review, "transported in the subject" is
sufficiently vague to not really be actionable.  It might be better to
say that the holder of the private key corresponding to the public key
certified in the certificate is generally considered authorized to act
on behalf of any identities (including endpoint names) contained in the
certificate's subject name.

Section 7.1.1

   Conversely, in applications where the RD does not check the endpoint
   name, the authorized registering endpoint can generate a random
   number (or string) that identifies the endpoint.  The RD should then

How much entropy/randomness in the random name?  Does a CSPRNG need to
be used?  (I do see the follow-up about doubling the length in case of
failure or starting with a UUID if that's not possible, but some
guidance on where to start still seems appropriate.)

Section 7.2

   When lookup clients expect that certain types of links can only
   originate from certain endpoints, then the RD needs to apply
   filtering to the links an endpoint may register.

As before, how will the RD know what behavior clients are relying on?

   An RD may also require that only links are registered on whose anchor
   (or even target) the RD recognizes as authoritative of.  One way to

I don't think I can parse this sentence (especially "the RD recognizes
as authoritative of").

Section 8

In contexts where we discuss DTLS and TLS as being generally comparable,
we typically will state that DTLS replay protection is required in order
to provide equivalent levels of protection.

We might also want to reiterate or refer back to the previous discussion
of the potential for attributes or resource/endpoint names, link
relations, etc. that may need to be confidential, the relevant access
control/filtering, and the avenues by which disclosure of resource names
can occur even when access to those resources will not be permitted.  (I
think some of this overlaps with 8288 and 6690, but don't mind repeating
it.)

Section 8.1

It's probably worth reiterating that all name comparisons must be done
at sector scope (since failing to do so can lead to attacks).

   Endpoint authentication needs to be checked independently of whether
   there are configured requirements on the credentials for a given
   endpoint name (Section 7.1) or whether arbitrary names are accepted
   (Section 7.1.1).

I think this is more properly authorization than authentication.

Section 8.3

   attacks.  There is also a danger that NTP Servers could become
   implicated in denial-of-service (DoS) attacks since they run on
   unprotected UDP, there is no return routability check, and they can
   have a large amplification factor.  The responses from the NTP server
   were found to be 19 times larger than the request.  An RD which

(It's not clear to me why the specific discussion of NTP numbers is
relevant here, since RD is not NTP.)

Section 9.3

Should we also include "rt" in the initial entries?  I see it is used as
a query parameter for resource lookup in the examples in Section 6.3.

   *  indication of whether it can be passed as a query parameter at
      registration of endpoints, as a query parameter in lookups, or be
      expressed as a target attribute,

(Since this text does not clarify about lookup of endpoints vs.
resources...

   Review" as described in [RFC8126].  The evaluation should consider
   formal criteria, duplication of functionality (Is the new entry
   redundant with an existing one?), topical suitability (E.g. is the
   described property actually a property of the endpoint and not a
   property of a particular resource, in which case it should go into
   the payload of the registration and need not be registered?), and the

... and this text suggests that query parameters for *resource* lookups
need not be registered.)

   potential for conflict with commonly used target attributes (For
   example, "if" could be used as a parameter for conditional
   registration if it were not to be used in lookup or attributes, but
   would make a bad parameter for lookup, because a resource lookup with
   an "if" query parameter could ambiguously filter by the registered
   endpoint property or the [RFC6690] target attribute).

Then why do we use it as an example of lookup filtering in Section 6.2?

Section 10.1.2

Should we really be using unregistered resource types (i.e., codepoint
squatting) in the examples?

   After the filling of the RD by the CT, the application in the
   luminaries can learn to which groups they belong, and enable their
   interface for the multicast address.

Just to check: the luminaries are learning their own group membership by
querying the resource directory?

Section 10.2.2

Please expand MSISDN.

Section 13.2

I think RFC 7252 should probably be normative.

Likewise for RFC 8288 ("the query parameter MUST be [...] a token as
used in [RFC8288]").