Re: [core] Endpoint Client Name / Endpoint Name in RD draft
peter van der Stok <stokcons@xs4all.nl> Tue, 24 April 2018 14:15 UTC
Return-Path: <stokcons@xs4all.nl>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 610CF124239 for <core@ietfa.amsl.com>; Tue, 24 Apr 2018 07:15:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fUBygDMQGjvU for <core@ietfa.amsl.com>; Tue, 24 Apr 2018 07:15:29 -0700 (PDT)
Received: from lb3-smtp-cloud8.xs4all.net (lb3-smtp-cloud8.xs4all.net [194.109.24.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27B8D124C27 for <core@ietf.org>; Tue, 24 Apr 2018 07:15:29 -0700 (PDT)
Received: from webmail.xs4all.nl ([IPv6:2001:888:0:22:194:109:20:213]) by smtp-cloud8.xs4all.net with ESMTPA id Ayj6fMQkcopELAyj6f3ohX; Tue, 24 Apr 2018 16:15:27 +0200
Received: from 2001:983:a264:1:4123:29d5:1021:5b46 by webmail.xs4all.nl with HTTP (HTTP/1.1 POST); Tue, 24 Apr 2018 16:15:24 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Date: Tue, 24 Apr 2018 16:15:24 +0200
From: peter van der Stok <stokcons@xs4all.nl>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: consultancy@vanderstok.org, Jaime Jiménez <jaime.jimenez@ericsson.com>, core@ietf.org
Organization: vanderstok consultancy
Reply-To: consultancy@vanderstok.org
Mail-Reply-To: consultancy@vanderstok.org
In-Reply-To: <VI1PR0801MB2112642D9A946BD12625E80AFA880@VI1PR0801MB2112.eurprd08.prod.outlook.com>
References: <VI1PR0801MB2112B52094B182F5D44C4F64FAA40@VI1PR0801MB2112.eurprd08.prod.outlook.com> <A484D917-677C-4B29-BBAD-DDDE34B50303@ericsson.com> <VI1PR0801MB21128EA2B70DEEE7C5775A62FAA40@VI1PR0801MB2112.eurprd08.prod.outlook.com> <070801d3cc3f$8d59e0c0$a80da240$@augustcellars.com>, <VI1PR0801MB2112FB25797DCB8F546C148DFAA40@VI1PR0801MB2112.eurprd08.prod.outlook.com> <7BA9B091-F489-4ED4-B6EC-5AD7D971D6F7@ericsson.com> <VI1PR0801MB2112A692CB307D213A89DFC8FABB0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <ca2b6038e911d93e15e57763836a1d09@xs4all.nl> <VI1PR0801MB21126DE7C4287563D1598E86FA890@VI1PR0801MB2112.eurprd08.prod.outlook.com> <c13edc71f916954978b3468d9f5de9c5@xs4all.nl> <VI1PR0801MB2112642D9A946BD12625E80AFA880@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Message-ID: <65097d58ae30b8823b206001fffc8d91@xs4all.nl>
X-Sender: stokcons@xs4all.nl
User-Agent: XS4ALL Webmail
X-CMAE-Envelope: MS4wfBIgPd9LFsFtgFjt0nu93l/0qh3KtsPFmngJ7cp2wyiKdiXywFZuhMN4z1yuR2rj2e6Bb2Qd7R85nqyYZla8QNZXIBusORdrlrArN5DGHx9CeY8h5ip3 yUAWU3fuBDkUhG55hVsyFSu69c8F/1Fic07Qmo18VhuOMR+3uohInC93M4T8jzHj40awAJ/hKoQRvuxws5UDm9wRaVf72Uk0INJ2UuSPlDPGyQUpcwYoefnE Io8hIEznyN9tX2FtdepZbkje876j5U6/04ZiUjDmy/U=
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/Q71-Y9m89QMb1Q2MkEQ6L8SEQ8U>
Subject: Re: [core] Endpoint Client Name / Endpoint Name in RD draft
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Apr 2018 14:15:38 -0000
Hannes Tschofenig schreef op 2018-04-24 12:38: > Hi Peter, > > The problem is actually documented in the security consideration > section of the RD draft and I modified it slightly. > > Consider the following threat: two devices A and B are managed by a > single server. Both devices have unique, per-device credentials for > use with DTLS (or any other security protocol since there is nothing > DTLS specific here). > > Now, imagine that device A wants to sabotage device B. Device A uses > its own credentials during the DTLS exchange. Then, device A puts the > endpoint name of device B into the registration message. > > If the RD server does not check whether the identifier provided in the > DTLS handshake matches the endpoint name used at the CoAP layer in the > registration message and if the server uses the endpoint name then > device A can impersonate device B. > > Does this concern make sense? Hi Hannes, thanks for the example. I think a more simple and as unnerving example is the following. Assume the RD has no registrations yet. Device A registers multiple times with different ep and d values covering a large spectrum of the ep, d value space. No other device will be able to register any more; all ep and d values are taken. Same problem, correct? Suppose A registers without ep and d values Suppose the RD returns an encrypted identifier. The encrypted identifier remains private to A. Somewhere there should be a lookup identifier, for example an IP address, to be filled into the registration by A. lookup identifier is needed because for example B wants to discover registrations with given attributes, B needs the identifier to send requests to the associated discovered device. And still A can create many registrations with as many possible IP addresses. Do you agree, with the examples? Do you have a remedy? I need to think a bit about it. Peter > > Ciao > Hannes > > > -----Original Message----- > From: peter van der Stok [mailto:stokcons@xs4all.nl] > Sent: 24 April 2018 16:28 > To: Hannes Tschofenig > Cc: consultancy@vanderstok.org; Jaime Jiménez; core@ietf.org > Subject: Re: [core] Endpoint Client Name / Endpoint Name in RD draft > > > > Hannes Tschofenig schreef op 2018-04-23 05:08: >> Hi Peter, >> >> The mailing list discussion reconfirms my worry that people will get >> this wrong and will introduce security vulnerabilities. > > Well, I'm one of those getting it wrong, because I did not understand > the worry. > >> >> I am saying that the security protocol used to protect the >> communication will have an authenticated identifier and this >> identifier then has to be used for identification of the IoT device. >> This identifier will then also be used for lookups . > > This I understand. If I do clearly follow, guidelines must be produced > about the use of authorized RD accesses. > Assume authorized access to the RD, using oauth-authz. > I do surmise that the registration may then return an signed > identifier instead the path name of the registration. > The signed identifier can be used for updates. > The payload will be encrypted, and thus the actual use of ep, and d > can be maintained as specified in the lookup, but are hidden to > others. > > Is that a correct extrapolated suggestion of your comments? probably > there is a caveat I don't see. > >> >> I am furthermore arguing that the multiple IoT device cannot share the >> same identifier. > > sorry, what is a multiple IoT device? one with multiple registrations > in the RD, or one with multiple links? or.... > > I agree with Jim that for third party registrations >> we cannot completely get rid of the endpoint client name/endpoint name >> functionality but for the third party registration you are most likely >> using a different approach anyway. I am not sure anyone using the RD >> specification for commissioning tool functionality today since the >> main purpose of the RD document is for something entirely different. > > I do not agree with your conclusion. The use of RD is still being > discussed as far as I know, and each SDO seems to have its own > approach and use cases. The use of a CT is completely within scope to > my knowledge. > > > Thanks hannes for your comments. > Looking forward to getting things more precise and understandable for > me. > > Peter > >> >> Ciao >> Hannes >> >> -----Original Message----- >> From: peter van der Stok [mailto:stokcons@xs4all.nl] >> Sent: 09 April 2018 15:04 >> To: Hannes Tschofenig >> Cc: Jaime Jiménez; core@ietf.org >> Subject: Re: [core] Endpoint Client Name / Endpoint Name in RD draft >> >>> >>> I am curious what we lose if we remove this identifier altogether. >>> The only thing that comes to my mind is a debugging capability where >>> you might want to test your system without any security protocol. >> Hi Hannes, >> >> Probably, I completely misunderstand your suggestion. >> Registrations in the RD need identification so that they can be >> changed, removed , updated, etc... >> Registrations are identified by the (ep, d) pair, unique within a >> given RD. >> Removing ep identifier will force you to find another identifier for a >> registration......... >> and you are back to square 1 it seems. >> >> >> Peter >> IMPORTANT NOTICE: The contents of this email and any attachments are >> confidential and may also be privileged. If you are not the intended >> recipient, please notify the sender immediately and do not disclose >> the contents to any other person, use it for any purpose, or store or >> copy the information in any medium. Thank you. > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose > the contents to any other person, use it for any purpose, or store or > copy the information in any medium. Thank you.
- [core] Endpoint Client Name / Endpoint Name in RD… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… Jaime Jiménez
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… Jim Schaad
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… Jaime Jiménez
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… Jim Schaad
- Re: [core] Endpoint Client Name / Endpoint Name i… peter van der Stok
- Re: [core] Endpoint Client Name / Endpoint Name i… Carsten Bormann
- Re: [core] Endpoint Client Name / Endpoint Name i… Christian Amsüss
- Re: [core] Endpoint Client Name / Endpoint Name i… Jim Schaad
- Re: [core] Endpoint Client Name / Endpoint Name i… Kovatsch, Matthias
- Re: [core] Endpoint Client Name / Endpoint Name i… Jim Schaad
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… Kovatsch, Matthias
- Re: [core] Endpoint Client Name / Endpoint Name i… peter van der Stok
- Re: [core] Endpoint Client Name / Endpoint Name i… peter van der Stok
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… peter van der Stok
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… Kovatsch, Matthias
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… peter van der Stok
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig