Re: [core] I-D Action: draft-ietf-core-stateless-02.txt
Klaus Hartke <hartke@projectcool.de> Tue, 22 October 2019 10:10 UTC
Return-Path: <hartke@projectcool.de>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38157120169 for <core@ietfa.amsl.com>; Tue, 22 Oct 2019 03:10:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sNJ5P_PMsf4I for <core@ietfa.amsl.com>; Tue, 22 Oct 2019 03:10:31 -0700 (PDT)
Received: from wp382.webpack.hosteurope.de (wp382.webpack.hosteurope.de [IPv6:2a01:488:42:1000:50ed:8597::]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5EBB120143 for <core@ietf.org>; Tue, 22 Oct 2019 03:10:31 -0700 (PDT)
Received: from mail-qt1-f169.google.com ([209.85.160.169]); authenticated by wp382.webpack.hosteurope.de running ExIM with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) id 1iMr7U-00010F-MM; Tue, 22 Oct 2019 12:10:28 +0200
Received: by mail-qt1-f169.google.com with SMTP id t8so8331423qtc.6 for <core@ietf.org>; Tue, 22 Oct 2019 03:10:28 -0700 (PDT)
X-Gm-Message-State: APjAAAX07n7pEhkKKBq0aB3rEuHvldvhAXDWBrmyFGmCU5uIf26pEKzw MOtVYzsA0ANqcJ2I0NyKlEvYygqXfjJ2qq9q8OE=
X-Google-Smtp-Source: APXvYqwfBcyH9Mmi5gb57o0SWbG0qgX4C1dcxK7uItZpNqXwOKWv9yGtR9Qx3V7y67IByvpjBvk1tbrP/datcWP75Pk=
X-Received: by 2002:ac8:711a:: with SMTP id z26mr2447954qto.283.1571739027398; Tue, 22 Oct 2019 03:10:27 -0700 (PDT)
MIME-Version: 1.0
References: <157167881320.31820.15335648329568633649@ietfa.amsl.com> <CAAzbHvZB4ZUEhgVujwHOE3fum0JLQUu8vYyiBVhGDH5KfsEuxA@mail.gmail.com> <32E81F88-6171-4EBB-AA6E-886CF5F59548@arm.com>
In-Reply-To: <32E81F88-6171-4EBB-AA6E-886CF5F59548@arm.com>
From: Klaus Hartke <hartke@projectcool.de>
Date: Tue, 22 Oct 2019 12:09:51 +0200
X-Gmail-Original-Message-ID: <CAAzbHva-v_EWGSbYWnio=7oNn=sAvQADRj4zTV5E7sYYMxdU0g@mail.gmail.com>
Message-ID: <CAAzbHva-v_EWGSbYWnio=7oNn=sAvQADRj4zTV5E7sYYMxdU0g@mail.gmail.com>
To: Thomas Fossati <Thomas.Fossati@arm.com>
Cc: "core@ietf.org WG" <core@ietf.org>
Content-Type: text/plain; charset="UTF-8"
X-bounce-key: webpack.hosteurope.de; hartke@projectcool.de; 1571739031; 596cb1dd;
X-HE-SMSGID: 1iMr7U-00010F-MM
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/Rr5UNE-Gal9lL-lEN92GmHdrvxw>
Subject: Re: [core] I-D Action: draft-ietf-core-stateless-02.txt
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Oct 2019 10:10:34 -0000
Hi Thomas, thanks a lot for your review! > Section 3 of this document provides considerations clients opting > into becoming "stateless" in this way. > > This sentence doesn't parse right; it looks like it's missing a "for" > just before "clients"? Fixed. > The maximum token length that sender and > recipient implementations support may be more limited > > s/more limited/shorter/ Done. > The active value of the Extended-Token-Length Option is replaced each > time the option is sent with a modified value. > > s/replaced/updated/ > s/is sent with a modified value/is received/ > > Its starting value is its base value > > The starting value is the Option's base value. This wording is copied from https://tools.ietf.org/html/rfc8323#section-5.3.1 > When an option value outside this range is received, the value MUST be > clamped to be within this range. > > I find this sentence slightly difficult to action: it doesn't say which > value should the receiver pick in case of {over,under}flow -- is it one > of RANGE_MAX / RANGE_MIN (whatever the closest) or some arbitrary value > within [RANGE_MIN, RANGE_MAX] ? A bit more clarity would help. The intention was to say: If the value is less than 8, then it shall be set to 8. If it's greater than 65804, then it shall be set to 65804. I though that's what clamping means, no? > Tangentially, I don't see a good reason why the receiver should silently > accept out-of-range values from the peer? I appreciate that the > effective TKL is constrained anyway, but my preference would be to fail > with an explicit signal. The rationale is different for the two cases: If the server indicates it can handle tokens up to 5 MiB, then the client cannot send a 5 MiB token, because the maximum length supported by the message format is 65804. But if a server can handle tokens up to 5 MiB, then it clearly also can handle tokens up to 65804 bytes, right? So there's not really an error if a server indicates a value greater than what can actually be sent. If the server can only handle tokens of some length that is less than 8 bytes, then it's clearly not implementing RFCs 7252 and 8323 correctly. This will never happen, so I think a client implementation shouldn't bother spending any more cycles than on a comparison and a conditional move. > to indicate the maximum length of a token in bytes that it accepts in > requests. > > Maybe: "to indicate the maximum acceptable length of the token (in bytes)" Maybe this? A server can use the elective Extended-Token-Length Capability Option to indicate the maximum token length it can accept in requests. > support by a server does not oblige a client to actually make use of > token lengths greater than 8. > > s/oblige/force/ This wording is copied from https://tools.ietf.org/html/rfc8323#section-5.3.2 > AES-CCM with a 64 bit tag is recommended > > CCM (and the tag choice) looks fine given that a) we need to buffer the > whole header anyway, and b) we want to limit the amount of tag bits as > much as possible while keeping the whole auth-enc machinery secure. > Maybe we should stick the usual note about nonce reuse / misuse > (especially for clients with low-quality entropy sources) and key > rotation strategies (since proxies potentially need to route a > considerable amount of messages). Would you like to propose some text? > Discovery needs to be performed for each pair of hops. > > s/each pair of hops/each hop/ Done. > If a server supports extended token lengths but receives a request > with a token of a length it is unwilling or unable to handle, it MUST > NOT reject the message. Instead, it SHOULD return a 5.03 (Service > Unavailable) response. (Returning this response requires that the > server implementation is able to return a token of any length, even > if it otherwise cannot handle tokens of that length.) > > This para is a tad dense. In particular, the use of "unable" seems to > contradict the MUST NOT: if I'm unable to handle this how can I not > reject it, what should I do? Handling a request usually goes through multiple steps from receiving the message to handing it over to application logic. The intention here was to say that a server implementing the document at least needs to support large tokens in the first few steps (enough to return an error response rather than a Reset message -- which is how we distinguish between "server does not support extended tokens" and "server temporarily does not have enough memory for this extended token"). > I'm probably not up-to-speed with the > related discussion, but I don't understand why we moved from 4.xx to > 5.xx? Now that you're mentioning it... It seems this needs a bit more thinking. There's the case where the server temporarily doesn't have enough memory to handle a request with a large token (so nothing that the client can do about -> 5.xx). And there's the case where the client chose a large token that the server will never be able to handle after the initial steps (so not something the client should try again -> 4.xx? 5.xx?). What do you think? Klaus
- [core] I-D Action: draft-ietf-core-stateless-02.t… internet-drafts
- Re: [core] I-D Action: draft-ietf-core-stateless-… Klaus Hartke
- Re: [core] I-D Action: draft-ietf-core-stateless-… Thomas Fossati
- Re: [core] I-D Action: draft-ietf-core-stateless-… Klaus Hartke
- Re: [core] I-D Action: draft-ietf-core-stateless-… Thomas Fossati
- Re: [core] I-D Action: draft-ietf-core-stateless-… Klaus Hartke
- Re: [core] I-D Action: draft-ietf-core-stateless-… Thomas Fossati
- Re: [core] I-D Action: draft-ietf-core-stateless-… Carsten Bormann
- Re: [core] I-D Action: draft-ietf-core-stateless-… Thomas Fossati