IETF Logo Mail Archive

Re: [core] CoAP observation in NATed environment using DTLS

Lauri Piikivi <Lauri.Piikivi@arm.com> Tue, 08 November 2016 09:26 UTC

Return-Path: <Lauri.Piikivi@arm.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA7561294CA for <core@ietfa.amsl.com>; Tue, 8 Nov 2016 01:26:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.922
X-Spam-Level:
X-Spam-Status: No, score=-1.922 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i4eSg5T5GXIM for <core@ietfa.amsl.com>; Tue, 8 Nov 2016 01:26:07 -0800 (PST)
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-ve1eur01on0069.outbound.protection.outlook.com [104.47.1.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16175129698 for <core@ietf.org>; Tue, 8 Nov 2016 01:26:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Ng/jgMRNHld+sALUbvb6XRcS8LeYUp1nMo6q677gLO0=; b=EUsEVcpTWO0qPJy8440Q2vCjeiwOZ1uDqXlhoKWrl3Myg3WDYIoH7xv/U28Llt3Jh6Te8EX+wD3kL6XT/XFrPAR4fQYRVnUu8SylFmdWnZqjo+BX9wKjoco33/J21soru04pkT0L6H8t5mathgihWRzM7GPXqR3VIj+pfa/a/YA=
Received: from VI1PR0802MB2383.eurprd08.prod.outlook.com (10.172.14.135) by VI1PR0802MB2382.eurprd08.prod.outlook.com (10.172.14.21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.693.12; Tue, 8 Nov 2016 09:26:04 +0000
Received: from VI1PR0802MB2383.eurprd08.prod.outlook.com ([10.172.14.135]) by VI1PR0802MB2383.eurprd08.prod.outlook.com ([10.172.14.135]) with mapi id 15.01.0693.016; Tue, 8 Nov 2016 09:26:04 +0000
From: Lauri Piikivi <Lauri.Piikivi@arm.com>
To: Simon Bernard <contact@simonbernard.eu>
Thread-Topic: [core] CoAP observation in NATed environment using DTLS
Thread-Index: AQHSNfyk76+wNVHFqkuHuLzqhykyqqDIfJYAgAAojQCABjMjgA==
Date: Tue, 08 Nov 2016 09:26:04 +0000
Message-ID: <CF7A3A40-8D15-4B40-850D-0BAA1BC1674D@arm.com>
References: <ef7b578b-0882-bcc9-b95d-57fc5a7d3d65@simonbernard.eu> <249DA03B-E96F-4DA1-A023-C862F5B75D32@arm.com> <d8f29d59-19a8-6a37-e037-fd59e1215134@simonbernard.eu>
In-Reply-To: <d8f29d59-19a8-6a37-e037-fd59e1215134@simonbernard.eu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Lauri.Piikivi@arm.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [217.140.96.140]
x-ms-office365-filtering-correlation-id: 7be61ae9-3429-43e8-a397-08d407b94344
x-microsoft-exchange-diagnostics: 1; VI1PR0802MB2382; 7:E5mYFwXxzMLk0ioFHYrgv7cBZ8BBmTsXZEvb3mFnhSGj+UhPErkN3RPoRu+ncWT0KScxIHdqCn5i5Ezo2f19sf3MswlAxw1CVh9obxk4MtXsbtHTRf8wcgZ7xo3JdgkXzMirNRVYB9oCt+QUnkseqDirJc8o81uald7ns9baYfLOC4fWt1AtCfwb/1UNFg6yfnkbfXnTO1VSDz2nWqaZ1NUE1IyTjYrFUIeRSH3Y2KABPa4DvuTgThWfbIgkMbPbN/Ou79mHsfklpGd6oR26gcIXaYtHD4aAkFBWYobR1bWOqo1ZPB9MpXP0KaXYATHrO1gQ6a2UMoYub8NKm+OiobyJTzbxNeDf9wDDMztVKHQ=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:VI1PR0802MB2382;
x-microsoft-antispam-prvs: <VI1PR0802MB2382C08E51A83FA924B75821EBA60@VI1PR0802MB2382.eurprd08.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(190756311086443)(158342451672863)(192374486261705)(100405760836317);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040176)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026); SRVR:VI1PR0802MB2382; BCL:0; PCL:0; RULEID:; SRVR:VI1PR0802MB2382;
x-forefront-prvs: 01208B1E18
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(7916002)(199003)(40434004)(189002)(24454002)(586003)(66066001)(305945005)(122556002)(2906002)(2900100001)(6916009)(68736007)(2950100002)(5660300001)(106356001)(86362001)(8676002)(83716003)(4326007)(3660700001)(97736004)(87936001)(82746002)(81166006)(7736002)(189998001)(3280700002)(81156014)(36756003)(101416001)(3846002)(77096005)(106116001)(6116002)(110136003)(76176999)(102836003)(54356999)(33656002)(5890100001)(105586002)(7846002)(8936002)(50986999)(92566002)(557034004)(104396002); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR0802MB2382; H:VI1PR0802MB2383.eurprd08.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <E2461EF7BF04694F9DB4868FF87134E3@eurprd08.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Nov 2016 09:26:04.2766 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0802MB2382
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/PAfxDqcfH2LW5cXC1MoYj5HrNE0>
Cc: "core@ietf.org" <core@ietf.org>
Subject: Re: [core] CoAP observation in NATed environment using DTLS
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Nov 2016 09:26:11 -0000

Hi,

In the approach you describe “same DTLS identity or same session” I see the problem that this ends at the front end server (of a web service) or at a proxy. Modern web services are distributed, and I think we would need a way to add device identity information to coap messages propagating deeper in a system. So even when DTLS is sued to verify the endpoint, we need mechanism to carry that information in the message itself.

I am sure you know JWT (https://tools.ietf.org/html/rfc7519) which is in good use at front ends, to add trusted authentication and authorisation tokens to the HTTP requests. It is used for front end server tokens that end servers can verify and trust, and also used for client authentication by giving it in the user authentication and adding to all subsequent method calls to a service. Should we define something similar?

Host for unauthenticated DTLS (or no sec) is sufficient to me, in addition to a good token, as described in the coap spec. If the risk analysis is such that this is acceptable in that system. But as stated above, I think might need a better option as well.

- Lauri



> On 04 Nov 2016, at 12:45, Simon Bernard <contact@simonbernard.eu> wrote:
>
> You're right both issue is not directly linked to observation.
>
> 1)About using host option, How does it works for DTLS session without authentication? I still prefer just adding the constraint "same DTLS identity or same session is there is no DTLS authentication" and let more flexibility to application on top of CoAP to handle this information. Each part of the stack have its own responsibility:
> - DTLS provides authentication + encryption.
> - CoAP ensure that request/response exchange are done for the same Identity. (when there is no authentication we just warranty exchange is done in the same session, this is the best we can do)
> - Application layer authorize request based on this identity.
>
> 2) it's seems we head for a consensus about connectionID (draft-fossati-tls-iot-optimizations-00). The privacy concern could be handle by hash chain but would not be mandatory.
> (https://mailarchive.ietf.org/arch/msg/core/a_cZN9nTkHoeETLXhBJAQWfYlp4)
>
>
> Le 04/11/2016 à 09:20, Lauri Piikivi a écrit :
>> Hi,
>>
>> I have battled with these issue a while. I think there are 2 very separate issues: COAP identity and DTLS connection ID, neither of which is only an observation issue
>>
>> = COAP identity =
>>> 1) Define a long term identifier for CoAP instead of limited CoAP interaction to the same DTLS connection. At CoAP level users would like to know from which or to which they send data.
>> With the strong focus on security, COAP starts with  the DTLS certificate or raw public key  information
>> “9.1.3.3.  X.509 Certificates
>> The discovery process used in the system
>>    would build up the mapping between IP addresses of the given devices
>>    and the subject for each device.”
>>
>> COAP is based on URLs. And the URL must have a host part. Host can be IP address (with problems when IP changes) or a DNS name (that needs to be mapped and maintained in DNS registry) or some other long term identifier like certificate subject name.
>> “   6.1.  coap URI Scheme
>>    If host is a registered name, then that name is considered an indirect identifier
>>    and the endpoint might use a name resolution service, such as DNS, to
>>    find the address of that host.  The host MUST NOT be empty”
>>
>> So there is mechanisms to define a long lasting name or identifier for the host and the resources it publishes.
>>
>> I would suggest for the observation problem that the responses have the URI-Host option with the long lasting identifier of the device? The spec needs changing so that the DTLS session can change. If the DTLS session changes, but is accepted on DTLS layer, the application layer gets the new information that it maps using  it’s own mechanism of URI-host. Additional checking can be done that the host id matches the certificate subject for example. Newest IP and port is then known
>>
>> Having the URI-host in responses supports the nosec mode, which is still mandatory in 7252.
>>
>> This is a minor issue for the draft https://tools.ietf.org/html/draft-ietf-core-resource-directory-09. For registry (publishing COAP URLs) there might be need to define more structure to the host part, is it a DNS resolvable name or is a mapping that is understood in the registry itself? How is a client of the registry to know? Should there be a service that maps the non-DNS identity to IP?
>>
>> = (D)TLS Connection ID =
>>> 2) Be able to use DTLS with dynamic IP address (e.g. NAT) without the need to redo full handshake or resume handshake.
>> This is not tied to observation, any long lasting session where there is very little data sent will fail due to NAT in the path. I think the problem is most in DTLS, since there the NAT's ip/port mapping timeout is more aggressive and the devices usually communicate only  seldomly. It is almost guaranteed that the DTLS connection will not stay alive in NAT.  RFC5382 for TCP talks of 2-hours, and RFC4787 for UDP NAT behaviour talks of 4-minutes
>>
>> So to map the sent DTLS records at receiver, even if a NAT mapping changes along the way, the record would need the connection ID so that the servers find the correct DTLS context for the record. Now the spec says the context is found with ip/port information.
>>
>> I understand the privacy concerns for IoP (internet of people), but could there be something easy for IoT — if privacy is not an issue? Mechanism that allows t meet both concerns.
>>
>> BR
>> - Lauri
>>
>>
>>
>>> On 03 Nov 2016, at 20:03, Simon Bernard <contact@simonbernard.eu> wrote:
>>>
>>> Hi list,
>>>
>>> I have attended meeting of the T2T RG in Ludwigsburg, there is a discussion around CoAP observation in NATed environment using DTLS (1.2).
>>>
>>> I would like to share my thought here about that:
>>>
>>>    The problem :
>>> Currently the CoAP spec say :
>>> "All notifications resulting from a GET request with an Observe Option MUST be returned within the same epoch of the same connection as the request."
>>> Currently, in TLS, a connection is identified by its IP/Port address.
>>> So when your IP address changed because of the NAT expiration, you must create a new TLS connection and so create a new CoAP observation relation.
>>>
>>>    Behind this practical problem, I understand there is 2 separated issue :
>>> 1) Define a long term identifier for CoAP instead of limited CoAP interaction to the same DTLS connection. At CoAP level users would like to know from which or to which they send data.
>>> 2) Be able to use DTLS with dynamic IP address (e.g. NAT) without the need to redo full handshake or resume handshake.
>>>
>>>    Possible Solutions ?
>>> 1) Using the DTLS identity (PSK identity for PSK, public key for RPK, CN for certificate, ...) and only if there is no authentication the DTLS Session as constraint for CoAP exchange. (we remove the same epoch/same connection constraint)
>>> 2) Using the "connectionId" extension proposed in the draft-fossati-tls-iot-optimizations-00.
>>>
>>> Does it make sense  ?
>>>
>>> Simon
>>>
>>> _______________________________________________
>>> core mailing list
>>> core@ietf.org
>>> https://www.ietf.org/mailman/listinfo/core
>> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
>

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email