IETF Logo Mail Archive

Re: [core] DNS-SD service types for CoRE-RD (Re: AD review of draft-ietf-core-resource-directory-23)

Carsten Bormann <cabo@tzi.org> Mon, 02 March 2020 15:55 UTC

Return-Path: <cabo@tzi.org>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92AB03A097A for <core@ietfa.amsl.com>; Mon, 2 Mar 2020 07:55:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f0TB6uplWptK for <core@ietfa.amsl.com>; Mon, 2 Mar 2020 07:55:23 -0800 (PST)
Received: from gabriel-vm-2.zfn.uni-bremen.de (gabriel-vm-2.zfn.uni-bremen.de [134.102.50.17]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2B313A0982 for <core@ietf.org>; Mon, 2 Mar 2020 07:54:33 -0800 (PST)
Received: from [192.168.217.147] (p5089AC90.dip0.t-ipconnect.de [80.137.172.144]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by gabriel-vm-2.zfn.uni-bremen.de (Postfix) with ESMTPSA id 48WPpW4BTQzyxT; Mon, 2 Mar 2020 16:54:27 +0100 (CET)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <20200302145539.GA568382@hephaistos.amsuess.com>
Date: Mon, 02 Mar 2020 16:54:27 +0100
Cc: "core@ietf.org" <core@ietf.org>
X-Mao-Original-Outgoing-Id: 604857266.982865-1b3f8573d70dfc76d6a92a04f5c4da92
Content-Transfer-Encoding: quoted-printable
Message-Id: <F0CB7B96-4872-4EC4-A874-C110DC5AF2EA@tzi.org>
References: <481f9820-bcea-af6a-d5c4-d713be24d43d@isode.com> <20191119125733.GA8007@hephaistos.amsuess.com> <c29e70d4-7d81-4c89-ad81-62a6132fb3df@www.fastmail.com> <4C059F03-BB42-498D-9B75-A08BEA274416@tzi.org> <20200302145539.GA568382@hephaistos.amsuess.com>
To: Christian Amsüss <christian@amsuess.com>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/TGY9SYDP-Zq7YBP3pktBnNHuctU>
Subject: Re: [core] DNS-SD service types for CoRE-RD (Re: AD review of draft-ietf-core-resource-directory-23)
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Mar 2020 15:55:35 -0000

On 2020-03-02, at 15:55, Christian Amsüss <christian@amsuess.com> wrote:
> 
> Hello group,
> hello Carsten,
> 
> On Mon, Dec 09, 2019 at 09:34:29PM +0100, Carsten Bormann wrote:
>> In the meeting, I gave the three examples _core-rd._udp,
>> _core-rd-tls._udp, and _core-rd._tcp — noting that while core-rd is a
>> proper RD service type, core-rd-tls isn’t.  To cover the six
>> transports we have for CoAP today (coap, coaps, coap+tcp, coaps+tcp,
>> coap+ws, coaps+ws), we would need four service types on top of _tcp
>> and could use two of them over _udp?
> 
> Do we have a meaningful way to deal with (D)TLS in DNS-SD at all? I'm
> only superficially familiar with the verification steps done on the host
> name, but as I understand, TLS typically authenticates the host name.

One assumption that is used in many TLS-based applications is that TLS is used to authenticate the server as the holder of the domain name that the client specified upon connection setup (e.g., after taking that domain name out of an https:// URI as the only information that is available for authorizing that server).
(Since DNS-SD is about domain names, this assumption might seem more appropriate for DNS-SD based usage than it is in other ways of using CoAP, but then DNS-SD may just be in use for an initial RD discovery phase.)

> If the client is configured to register at any RD in the current domain,
> it'd receive a
> 
> _core-rd-dtls._udp.example.com IN SRV 1 1 5683 rd1.example.com
> 
> When it connects, the server would present a certificate for
> rd1.example.com

Would it?  It might be using PSK.

> without any indication that it's a legitimate
> _core-rd-dtls._udp.example.com.

There must be another source of that authorization (as a resource directory that this client is authorized to use — not with respect to the resource directory allowing access, but with respect to the overseeing principal of the client allowing that to rely on using it).

> Is there a document that bridges that gap in a usable manner that we can
> point to for security considerations? Otherwise I'd rather leave the
> TLSs out of here. (Alternatively, we could describe them as opportunistic
> encryption.)

This situation is as open to different authorization strategies as any other use of CoAPS is, so I don’t see why we need to make this a special case.

Grüße, Carsten

v2.23.0 | Report a Bug | By Email