[core] Benjamin Kaduk's Discuss on draft-ietf-core-resource-directory-25: (with DISCUSS and COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Thu, 13 August 2020 08:12 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: core@ietf.org
Delivered-To: core@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id AA8993A0859; Thu, 13 Aug 2020 01:12:00 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-core-resource-directory@ietf.org, core-chairs@ietf.org, core@ietf.org, jaime@iki.fi, jaime.jimenez@ericsson.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.13.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <159730632066.12379.5174560093789503034@ietfa.amsl.com>
Date: Thu, 13 Aug 2020 01:12:00 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/OHIHAjtfs_OqrNjn9_q1DktMFKU>
Subject: [core] Benjamin Kaduk's Discuss on draft-ietf-core-resource-directory-25: (with DISCUSS and COMMENT)
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Aug 2020 08:12:01 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-core-resource-directory-25: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-core-resource-directory/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- I agree with Roman that the authorization model seems under-developed. While I recognize that there is need for flexibility across various deployments, I think that we should be providing a default model (and procedures for it) that will apply in many cases, and let deployments specify alternate models if needed. This stuff is hard enough to get right that we should have a secure option that people can use if they don't need to have customized details. (To be clear, I agree with the change of focus from -24 to -25 on the properties that a security policy needs to provide and/or consider, as that is fundamentally the important thing. I just want a fallback/default option that "does something reasonable in most cases" in addition. Doing that by reference to some other existing thing would be fine, if such a thing exists.) In particular, the current text seems to rely on the authorization model including: (1) the RD knowing how clients will be using it (and thus what properties the RD needs to enforce), which in the general case cannot be known (though for static networks it could be), yet I don't see any discussion that indicates this as a prerequisite; and (2) the client either knowing out-of-band that an entity is authorized to act as a RD or just blindly trusting any of the unauthenticated (*) advertisement mechanisms. (* Yes, there may be some protection in the network on subscribing to the relevant multicast address, DNS-SD, etc., but the client cannot a priori know that such protections are in place.) Relatedly, the naming model and naming authority should have some clearer discussion. We do mention in Section 7 the possibility for a weak naming model where the RD is responsible for enforcing uniqueness of names but otherwise link attributes are the primary authorization criteria (vs. a traditional scheme with a naming authority and naming hierarchy), but with naming as a fundamental prerequisite of any authentication/authorization scheme, I think clearer discussion of how a naming model is to be selected (and, perhaps more importantly, that it must be fixed as part of a given deployment) for a given network is needed. If I understand correctly, we have some codepoint squatting going on in the examples (e.g., for resource types). We should talk about the security properties of the various RD discovery mechanisms that are defined. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- My apologies for where these comments diverge off into rambling incoherency, or where I'm misunderstanding something that's clearly laid out; this document had the misfortune of being the last one I got to this week. Section 1 [RFC6690] only describes how to discover resources from the web server that hosts them by querying "/.well-known/core". In many constrained scenarios, direct discovery of resources is not practical due to sleeping nodes, disperse networks, or networks where multicast traffic is inefficient. These problems can be solved by employing an entity called a Resource Directory (RD), which contains information about resources held on other servers, allowing lookups to be performed for those resources. nit(?): I'd consider specifying that the RD is "a trusted entity". (Even when the resources themselves are authenticated, a hostile RD can still deny existence of a given resource, so by choosing to use an RD there is some level of trust involved.) Section 2 Resource Directory (RD) A web entity that stores information about web resources and implements the REST interfaces defined in this specification for discovery, for the creation, the maintenance and the removal of registrations, and for lookup of the registered resources. nit: the list structure is not parallel here. Maybe "for discovery, creation, maintenance, and removal of registrations, and for lookup of the registered resources"? Commissioning Tool Commissioning Tool (CT) is a device that assists during the installation of the network by assigning values to parameters, naming endpoints and groups, or adapting the installation to the needs of the applications. Is "the installation of the network" a one-time event? (Might a CT be involved when adding a new device to a network at a later time?) Section 3.1 Information SHOULD only be stored in the RD if it can be obtained by querying the described device's /.well-known/core resource directly. When might that not be the case? Section 3.2 The RD architecture is illustrated in Figure 1. An RD is used as a repository of registrations describing resources hosted on other web servers, also called endpoints (EP). An endpoint is a web server associated with a scheme, IP address and port. A physical node may (side note) hmm, I feel like in the HTTP world an endpoint is more likely to be associated with a DNS name than an IP address, in common usage. Also, we later go on to assert that the endpoint's name has primacy and that the IP address/port can be ephemeral. An endpoint uses specific interfaces to register, update and remove a registration. It is also possible for an RD to fetch Web Links from endpoints and add their contents to its registrations. At the first registration of an endpoint, a "registration resource" is created, the location of which is returned to the registering endpoint. The registering endpoint uses this registration resource to manage the contents of registrations. Does the "RD fetches links unilaterally" case count as a "first registration of an endpoint"? I'm having a hard time seeing how these two statements are consistent with each other, and a naive reading admits the possibility that a given endpoint could be "locked out" of the ability to manage the contents of its registrations. Section 4 REST clients (registrant-EPs and CTs during registration and maintenance, lookup clients, RD servers during simple registrations) MUST be prepared to receive any unsuccessful code and act upon it according to its definition, options and/or payload to the best of their capabilities, falling back to failing the operation if recovery is not possible. In particular, they should retry the request upon "MUST be prepared [...] to the best of their abilities" seems non-actionable. The stuff after "In particular", on the other hand, is actual concrete guidance that could be mandated using normative language. Section 4.1 1. In a 6LoWPAN, just assume the Border Router (6LBR) can act as an RD (using the ABRO option to find that [RFC6775]). Confirmation can be obtained by sending a Unicast to "coap://[6LBR]/.well- known/core?rt=core.rd*". nit(?): I was unaware that "Unicast" was a proper noun. Section 4.3 "core.rd" in the query string. Likewise, a Resource Type parameter value of "core.rd-lookup*" is used to discover the URIs for RD Lookup operations, core.rd* is used to discover all URI paths for RD operations. [...] Is the distinction between URIs (for RD Lookup) and URI paths (for RD) important here? While the link targets in this discovery step are often expressed in path-absolute form, this is not a requirement. Clients of the RD SHOULD therefore accept URIs of all schemes they support, both as URIs and relative references, and not limit the set of discovered URIs to those hosted at the address used for URI discovery. I'm not sure I see how the "not limit [...] to those hosted at the address used for URI discovery" follows from the non-requirement for expression of the link-targets from discovery in path-absolute form. (Given the ability to send the discovery query to a multicast address, the guidance seems okay; it's just the "therefore" that is puzzling me.) It would typically be stored in an implementation information link (as described in [I-D.bormann-t2trg-rel-impl]): Req: GET /.well-known/core?rel=impl-info This seems to be depicting a link-relation type that is not registered at https://www.iana.org/assignments/link-relations/link-relations.xhtml , i.e., codepoint squatting. Please put in a stronger disclaimer that this is an example link relation type, not just an example exchange. Section 5 These first few paragraphs give the impression that this is first-come-first-served with minimal authentication or authorization checking. Mentioning that there are authorization checks, with a forward-reference, might be helpful. further parameters (see Section 9.3). The RD then creates a new registration resource in the RD and returns its location. The Is this returned "registration resource" expected to function as a "capability URL" (https://www.w3.org/TR/capability-urls/) that would need to contain an appropriate amount of entropy to be reasonably unguessable by parties other than the registrant-ep/CT responsible for it? The registration request interface is specified as follows: Interaction: EP -> RD I thought that the CT could be a requestor as well as the EP. well. The endpoint name and sector name are not set when one or both are set in an accompanying authorization token. What should the RD do if they are set but also present in the accompanying authorization token? Req: POST coap://rd.example.com/rd?ep=node1 Content-Format: 40 Payload: </sensors/temp>;ct=41;rt="temperature-c";if="sensor", (side note) XML for the sensors, not SenML? With Carsten as an author, even? ;) An RD may optionally support HTTP. Here is an example of almost the same registration operation above, when done using HTTP. Req: POST /rd?ep=node1&base=http://[2001:db8:1::1] HTTP/1.1 Host: example.com Wouldn't "Host: rd.example.com" be closer to "almost the same registration"? Section 5.1 I'm a little uneasy about specifying new behavior for POST to the existin /.well-known/core that was defined by RFC 6690 for other uses. What factors go into using the same well-known URI vs. defining a new one for this usage? The sequence of fetching the registration content before sending a successful response was chosen to make responses reliable, and the caching item was chosen to still allow very constrained registrants. I'm not sure what "the caching item" is supposed to be (if it's not a typo/misordering of words). Section 5.3 queries concerning this endpoint. The RD SHOULD continue to provide access to the Registration Resource after a registration time-out occurs in order to enable the registering endpoint to eventually refresh the registration. The RD MAY eventually remove the registration resource for the purpose of garbage collection. If the Registration Resource is removed, the corresponding endpoint will need to be re-registered. (This MAY is actually a MUST for the simple registration case, per §5.1, right?) Section 5.3.1 An update MAY update the lifetime or the base URI registration parameters "lt", "base" as in Section 5. Parameters that are not What about the "extra-attrs"; are they inherently forbidden from updates? base := Base URI (optional). This parameter updates the Base URI established in the original registration to a new value. If the parameter is set in an update, it is stored by the RD as the new Base URI under which to interpret the relative links present in the payload of the original registration, following the same restrictions as in the registration. If the parameter is not set in the request nit: is it the interpretation of relative links that is following the same restrictions as in the registration, or the new value of the parameter being supplied in the update? The following example shows how the registering endpoint updates its registration resource at an RD using this interface with the example location value: /rd/4521. The path component "4521" contains a worryingly small amount of unpredictableness; I would prefer examples that used longer random locations, as for capability URLs. (Throughout the document, of course.) See also draft-gont-numeric-ids-sec-considerations, that I'm AD sponsoring, though I do not see any clear issues on first glance. (Also, it might be worth another sentence that this update is serving just to reset the lifetime, making no other changes, since this might be expected to be a common usage.) Section 6 With "Resource Lookup" and "Endpoint Lookup" as (apparent) top-level siblings, would it make sense to put 6.2, or at least 6.3, as subsections under 6.1? Section 6.1 Resource lookup results in links that are semantically equivalent to the links submitted to the RD. The links and link parameters returned by the lookup are equal to the submitted ones, except that the target and anchor references are fully resolved. Are the "submitted ones" the submissions at registration time, or during the lookup query itself? (I assume registration-time, but being explicit costs little.) If the base URI of a registration contains a link-local address, the RD MUST NOT show its links unless the lookup was made from the same link. The RD MUST NOT include zone identifiers in the resolved URIs. Same link as what? Section 6.2 The page and count parameters are used to obtain lookup results in specified increments using pagination, where count specifies how many (We haven't introduced the page and count parameters yet.) operator as in Section 4.1 of [RFC6690]. Attributes that are defined as "link-type" match if the search value matches any of their values Where is it specified how an attribute might be "defined as 'link-type'"? This is the only instance of the string "link-type" in this document, and it does not appear in RFC 6690 at all... references) and are matched against a resolved link target. Queries for endpoints SHOULD be expressed in path-absolute form if possible and MUST be expressed in URI form otherwise; the RD SHOULD recognize either. The "anchor" attribute is usable for resource lookups, and, if queried, MUST be for in URI form as well. I don't see how it can be only a SHOULD to recognize either given these generation criteria. Section 6.3 The following example shows a client performing a lookup of all resources of all endpoints of a given endpoint type. It assumes that two endpoints (with endpoint names "sensor1" and "sensor2") have previously registered with their respective addresses "coap://sensor1.example.com" and "coap://sensor2.example.com", and posted the very payload of the 6th request of section 5 of [RFC6690]. Er, the 6th request is a GET; do we mean to say the response to the 6th request? Section 6.4 The endpoint lookup returns registration resources which can only be manipulated by the registering endpoint. This seems to leave it unclear whether the endpoint lookup is expected to return resources that the requestor will not have permission to manipulate (in addition to those it does have permission for). While Endpoint Lookup does expose the registration resources, the RD does not need to make them accessible to clients. Clients SHOULD NOT attempt to dereference or manipulate them. But why expose them at all if they're not going to be accessible? An RD can report endpoints in lookup that are not hosted at the same address. [...] The "same address" as what? Section 7.1 Whenever an RD needs to provide trustworthy results to clients doing endpoint lookup, or resource lookup with filtering on the endpoint How will the RD know whether the client is expecting trustworthy results? (When would a client *not* expect trustworthy results?) name, the RD must ensure that the registrant is authorized to use the given endpoint name. This applies both to registration and later to operations on the registration resource. It is immaterial there whether the client is the registrant-ep itself or a CT is doing the registration: The RD can not tell the difference, and CTs may use I suppose there might be plausible authorization models where a return-routability check to a given address constitutes authorization to use that address as an endpoint name, in which case the RD can tell the difference between a registrant-ep and a CT attempting to act on its behalf. When certificates are used as authorization credentials, the sector(s) and endpoint name(s) can be transported in the subject. In an ACE context, those are typically transported in a scope claim. As Russ noted in the Gen-ART review, "transported in the subject" is sufficiently vague to not really be actionable. It might be better to say that the holder of the private key corresponding to the public key certified in the certificate is generally considered authorized to act on behalf of any identities (including endpoint names) contained in the certificate's subject name. Section 7.1.1 Conversely, in applications where the RD does not check the endpoint name, the authorized registering endpoint can generate a random number (or string) that identifies the endpoint. The RD should then How much entropy/randomness in the random name? Does a CSPRNG need to be used? (I do see the follow-up about doubling the length in case of failure or starting with a UUID if that's not possible, but some guidance on where to start still seems appropriate.) Section 7.2 When lookup clients expect that certain types of links can only originate from certain endpoints, then the RD needs to apply filtering to the links an endpoint may register. As before, how will the RD know what behavior clients are relying on? An RD may also require that only links are registered on whose anchor (or even target) the RD recognizes as authoritative of. One way to I don't think I can parse this sentence (especially "the RD recognizes as authoritative of"). Section 8 In contexts where we discuss DTLS and TLS as being generally comparable, we typically will state that DTLS replay protection is required in order to provide equivalent levels of protection. We might also want to reiterate or refer back to the previous discussion of the potential for attributes or resource/endpoint names, link relations, etc. that may need to be confidential, the relevant access control/filtering, and the avenues by which disclosure of resource names can occur even when access to those resources will not be permitted. (I think some of this overlaps with 8288 and 6690, but don't mind repeating it.) Section 8.1 It's probably worth reiterating that all name comparisons must be done at sector scope (since failing to do so can lead to attacks). Endpoint authentication needs to be checked independently of whether there are configured requirements on the credentials for a given endpoint name (Section 7.1) or whether arbitrary names are accepted (Section 7.1.1). I think this is more properly authorization than authentication. Section 8.3 attacks. There is also a danger that NTP Servers could become implicated in denial-of-service (DoS) attacks since they run on unprotected UDP, there is no return routability check, and they can have a large amplification factor. The responses from the NTP server were found to be 19 times larger than the request. An RD which (It's not clear to me why the specific discussion of NTP numbers is relevant here, since RD is not NTP.) Section 9.3 Should we also include "rt" in the initial entries? I see it is used as a query parameter for resource lookup in the examples in Section 6.3. * indication of whether it can be passed as a query parameter at registration of endpoints, as a query parameter in lookups, or be expressed as a target attribute, (Since this text does not clarify about lookup of endpoints vs. resources... Review" as described in [RFC8126]. The evaluation should consider formal criteria, duplication of functionality (Is the new entry redundant with an existing one?), topical suitability (E.g. is the described property actually a property of the endpoint and not a property of a particular resource, in which case it should go into the payload of the registration and need not be registered?), and the ... and this text suggests that query parameters for *resource* lookups need not be registered.) potential for conflict with commonly used target attributes (For example, "if" could be used as a parameter for conditional registration if it were not to be used in lookup or attributes, but would make a bad parameter for lookup, because a resource lookup with an "if" query parameter could ambiguously filter by the registered endpoint property or the [RFC6690] target attribute). Then why do we use it as an example of lookup filtering in Section 6.2? Section 10.1.2 Should we really be using unregistered resource types (i.e., codepoint squatting) in the examples? After the filling of the RD by the CT, the application in the luminaries can learn to which groups they belong, and enable their interface for the multicast address. Just to check: the luminaries are learning their own group membership by querying the resource directory? Section 10.2.2 Please expand MSISDN. Section 13.2 I think RFC 7252 should probably be normative. Likewise for RFC 8288 ("the query parameter MUST be [...] a token as used in [RFC8288]").
- [core] Benjamin Kaduk's Discuss on draft-ietf-cor… Benjamin Kaduk via Datatracker
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Barry Leiba
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Christian M. Amsüss
- Re: [core] The various positions on draft-ietf-co… Christian Amsüss
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Christian Amsüss
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Barry Leiba
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Barry Leiba
- Re: [core] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk