IETF Logo Mail Archive

Re: [core] Implications of IP address / port changes for CoAP & Co

Lauri Piikivi <Lauri.Piikivi@arm.com> Tue, 06 September 2016 09:28 UTC

Return-Path: <lauri.piikivi@arm.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CD8512B2B9 for <core@ietfa.amsl.com>; Tue, 6 Sep 2016 02:28:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.111
X-Spam-Level:
X-Spam-Status: No, score=-4.111 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GHZoAsdKjk4C for <core@ietfa.amsl.com>; Tue, 6 Sep 2016 02:28:27 -0700 (PDT)
Received: from eu-smtp-delivery-143.mimecast.com (eu-smtp-delivery-143.mimecast.com [146.101.78.143]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0007C12B2B3 for <core@ietf.org>; Tue, 6 Sep 2016 02:28:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=dCxB7bbNPPBSOu+RmCz1wwvfP2zSVMOVAX+8QTTrum8=; b=h/4nKqWBXKZQCLpqdCAET2rfPtv6CyO/sESgUba2J4ThW7rVNq8XhwIhXh5FBMozPy04b5gRt9cfUxzn4Igi7S7LKZdRSBSI5rlaunNdt4tV7TBrxHHEG3fHiNC2EXeHrbyuOCJpcz9u2v1fQ28tbrI5rDv3hnupdahu1hcsOUI=
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-db5eur01lp0184.outbound.protection.outlook.com [213.199.154.184]) (Using TLS) by eu-smtp-1.mimecast.com with ESMTP id uk-mta-29-iMRQA4qDOPGNxfRNIpb-BQ-1; Tue, 06 Sep 2016 10:28:22 +0100
Received: from VI1PR0802MB2383.eurprd08.prod.outlook.com (10.172.14.135) by VI1PR0802MB2383.eurprd08.prod.outlook.com (10.172.14.135) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384) id 15.1.587.13; Tue, 6 Sep 2016 09:28:21 +0000
Received: from VI1PR0802MB2383.eurprd08.prod.outlook.com ([10.172.14.135]) by VI1PR0802MB2383.eurprd08.prod.outlook.com ([10.172.14.135]) with mapi id 15.01.0587.019; Tue, 6 Sep 2016 09:28:21 +0000
From: Lauri Piikivi <Lauri.Piikivi@arm.com>
To: "Fossati, Thomas (Nokia - GB)" <thomas.fossati@nokia.com>
Thread-Topic: [core] Implications of IP address / port changes for CoAP & Co
Thread-Index: AQHSA3Oa+qpxuGHVNUiouf4gU9RG7qBsGC2AgAAZoQCAAAlNAA==
Date: Tue, 06 Sep 2016 09:28:21 +0000
Message-ID: <F9AF4832-535E-454E-AE96-A7D934463685@arm.com>
References: <4a70a2b1-b998-b0c1-c42a-2ceb634b9945@gmx.net> <1473146574.5588.23.camel@bosch-si.com> <D3F4414F.705BE%thomas.fossati@alcatel-lucent.com>
In-Reply-To: <D3F4414F.705BE%thomas.fossati@alcatel-lucent.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [217.140.96.140]
x-ms-office365-filtering-correlation-id: 6d3880ef-ff3e-4976-9128-08d3d63824ce
x-microsoft-exchange-diagnostics: 1; VI1PR0802MB2383; 20:RepK7X55UKEZTwoU0c8rmMaRD/b2/ekjPXC5qp3RbmPbD3QmU1MMHAtr0z44jnT5JjmC+ZVhvJIRmCI8ti6LwmAaJiRVSeSHWfwVMJRLTbh8AEIEdD7IpjX5AbmGHpr9kmKwV3bcZ8lHKvOP+Xlq+65FEQWIY1cWqbzKt+lMn0I=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:VI1PR0802MB2383;
x-microsoft-antispam-prvs: <VI1PR0802MB2383F5E0228C4C011BB7730BEBF90@VI1PR0802MB2383.eurprd08.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(190756311086443)(158342451672863)(278428928389397)(192374486261705)(82608151540597)(155532106045638);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040176)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026); SRVR:VI1PR0802MB2383; BCL:0; PCL:0; RULEID:; SRVR:VI1PR0802MB2383;
x-forefront-prvs: 0057EE387C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(7916002)(199003)(40434004)(189002)(53754006)(24454002)(77096005)(36756003)(10400500002)(68736007)(7736002)(7846002)(561944003)(97736004)(105586002)(2950100001)(106116001)(3280700002)(92566002)(122556002)(81166006)(81156014)(8676002)(86362001)(189998001)(2900100001)(3846002)(586003)(6116002)(8936002)(19580405001)(110136002)(54356999)(76176999)(50986999)(3660700001)(4326007)(5002640100001)(106356001)(82746002)(101416001)(102836003)(87936001)(11100500001)(33656002)(66066001)(19580395003)(5660300001)(305945005)(15975445007)(2906002)(5890100001)(83716003)(104396002); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR0802MB2383; H:VI1PR0802MB2383.eurprd08.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-ID: <25175BBD8B27C747ACB01EC5A57377CF@eurprd08.prod.outlook.com>
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Sep 2016 09:28:21.2361 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0802MB2383
X-MC-Unique: iMRQA4qDOPGNxfRNIpb-BQ-1
Content-Type: text/plain; charset="WINDOWS-1252"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/TinO3Kvk_8B7x8eNdpJ89oF9z0A>
Cc: "core@ietf.org" <core@ietf.org>
Subject: Re: [core] Implications of IP address / port changes for CoAP & Co
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Sep 2016 09:28:29 -0000

Hi alls,

When the IP / port changes, the DTLS will fail as it can not map the received message to a session. DTLS says (https://tools.ietf.org/html/rfc6347#page-8)
"Note that unlike IPsec, DTLS records do not contain any association
   identifiers.  Applications must arrange to multiplex between
   associations.  With UDP, this is presumably done with the host/port
   number.”
I assume that a DTLS alert is sent back.

Often the load balancers will already fail similarly, they direct the message to wrong server in the server pool based on the ip / port.

BR,
- Lauri






> On 06 Sep 2016, at 11:55, Fossati, Thomas (Nokia - GB) <thomas.fossati@nokia.com> wrote:
>
> Hi Kai,
>
> On 06/09/2016 08:23, "core on behalf of Hudalla Kai (INST/ESY1)"
> <core-bounces@ietf.org on behalf of Kai.Hudalla@bosch-si.com> wrote:
>>> In any case, when DTLS is used an IP address / port change at the
>>> client
>>> will prevent the CoAP server from finding the right security context
>>> and
>>> a new (hopefully abbreviated) handshake has to be run.
>>>
>> The client could indeed use an abbreviated handshake, i.e. resume the
>> DTLS session, if it were aware of the fact that its IP address or port
>> had changed during its last sleep cycle. However, for that the client
>> would probably need to use something like STUN first ...
>
> Yep.
>
>> The more interesting problem is how we deal with a changed IP
>> address/port on the CoAP server side, i.e. when a client has started to
>> observe a resource on the server and now expects notifications coming
>> in from that server. When the server's (the constrained device's) IP
>> address or port changes, it sends out notifications (CoAP responses)
>> with a different source endpoint than what the client expects.
>>
>> The CoAP specs states in section 9.1.2:
>>
>> "The following rules are added for matching a response to a request:
>> The DTLS session MUST be the same, and the epoch MUST be the same.
>>
>> This means the response to a DTLS secured request MUST always be DTLS
>> secured using the same security session and epoch.  Any attempt to
>> supply a NoSec response to a DTLS request simply does not match the
>> request and therefore MUST be rejected (unless it does match an
>> unrelated NoSec request)."
>>
>> my understanding of this paragraph is that any notification received
>> from a server after its IP address or port has changed must be
>> discarded/rejected by the client. However, this is based on the
>> assumption that the "identifying characteristics" of an endpoint (using
>> DTLS) are still the IP address and port, hence "rules are _ADDED_ for
>> matching a response to a request".
>>
>> Maybe the authors of the CoAP spec could provide some insight whether
>> this is indeed what they wanted to imply or whether they simply forgot
>> to add some more information regarding the "identifying
>> characteristics" of an endpoint when using one of the non-NoSec
>> security modes with DTLS.
>
> The "Transport Agnostic SAs" proposal in the following draft might
> probably help:
>
> https://tools.ietf.org/html/draft-fossati-tls-iot-optimizations-00#section-
> 4
>
> Cheers, t
>
> _______________________________________________
> core mailing list
> core@ietf.org
> https://www.ietf.org/mailman/listinfo/core
>

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email