Re: [core] No-Response option and OSCORE
Jim Schaad <ietf@augustcellars.com> Fri, 11 May 2018 15:39 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D285124205; Fri, 11 May 2018 08:39:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QI1ACHbU45vY; Fri, 11 May 2018 08:39:14 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B91F31241F8; Fri, 11 May 2018 08:39:13 -0700 (PDT)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Fri, 11 May 2018 08:36:31 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Christian Amsüss' <christian@amsuess.com>
CC: 'Francesca Palombini' <francesca.palombini@ericsson.com>, draft-tcs-coap-no-response-option@ietf.org, core@ietf.org, 'Klaus Hartke' <hartke@projectcool.de>
References: <HE1PR07MB152939003ACA6963256A8E8498160@HE1PR07MB1529.eurprd07.prod.outlook.com> <CAAzbHvbgG-a9yY_k8zkpmzek7qp2Hs5P1=qMN=Zz77meLsqSRw@mail.gmail.com> <HE1PR07MB152949ADA4799F15E2630D5498EB0@HE1PR07MB1529.eurprd07.prod.outlook.com> <20180510114100.GA9530@hephaistos.amsuess.com> <00c001d3e88b$96722ec0$c3568c40$@augustcellars.com> <20180511103744.GF23148@hephaistos.amsuess.com>
In-Reply-To: <20180511103744.GF23148@hephaistos.amsuess.com>
Date: Fri, 11 May 2018 08:39:04 -0700
Message-ID: <015601d3e93e$334a2e20$99de8a60$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQKwyqfVoRTetNOnQR/pQa3rkbPo4gBcLc3EAuIqgv4CWeyUtQFRSVzxAlt6aMKiJr6voA==
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/VW8aPoAGAHlOrc0bfWR7M1fRxsQ>
Subject: Re: [core] No-Response option and OSCORE
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 May 2018 15:39:16 -0000
I believe that this is correct. I am agnostic as to which solution is chosen. Jim > -----Original Message----- > From: 'Christian Amsüss' <christian@amsuess.com> > Sent: Friday, May 11, 2018 3:38 AM > To: Jim Schaad <ietf@augustcellars.com> > Cc: 'Francesca Palombini' <francesca.palombini@ericsson.com>; draft-tcs- > coap-no-response-option@ietf.org; core@ietf.org; 'Klaus Hartke' > <hartke@projectcool.de> > Subject: Re: [core] No-Response option and OSCORE > > Hi jim and OSCORE developers, > > On Thu, May 10, 2018 at 11:20:31AM -0700, Jim Schaad wrote: > > > If I, as prescribed, set No-Response:2.xx both outer and inner, then > > > if the server answers protected-4.04 (which is outer-2.01), then the > > > server may know to ignore the outer No-Response, but a surprised > > > proxy would not and swallow the 4.04. > > > > This is a huge problem and needs to be solved. > > Glad I did not just miss an old solution. > > > > If only an inner No-Response:2.xx is were sent, the proxy expects an > > > unconditional response, and might respond late with a 5.04 Gateway > > > Timeout. (That's also bad but not as bad as the above). > > > > I am not sure that I worry about this. First I think that the proxy > > in this case is being overly helpful. Given that we are looking at a > > NON request, it makes sense that there is no response ever coming back > > from anybody. It would be different if this were a CON request. > > The proxy might have forwarded it as a CON, or over reliable transport. > > > You are going to get the exact same behavior from a proxy which does > > not implement the No-Response option so this is not going to be new. > > I don't think so. No-Response is unsafe-to-forward, so it "lead[s] to > 4.02 Bad Option" per RFC7252 Section 5.7.1. > > > > I'd suggest picking an outer value that is not specified yet (say, > > > "1", and call it "at the origin's disretion"). [...] > > > > If you are going to do this, it might be better to say that you are > > not interested in 8.xx messages which could be defined as being - no > > proxies are to generate responses. > > Indeed, expressing the code as 0x80 is better; there can never be 8.xx codes > so this is obviously magic, while someone could still define 1.xx codes to be > ignored. > > > Bringing this to concrete proposals: > > A: the simple one > > "No-Response is an inner and outer option; the inner option always reflects > the intention of the operation, and an OSCORE server ignores the outer. A > client usually sets only the inner No-Response option, but MAY set the outer > to 26 ('ignore all known codes') if the inner is set to 26. The client MUST be > prepared to receive and discard 5.04 errors from intermediaries." > > B: extend No-Response > > "We define a new No-Response value, 128, described as 'Not interested in > some responses'. A server receiving that option decides based on some > context (eg. other options like OSCORE) whether or not the client is > interested in the response; if it has no such context, it SHOULD respond with > 4.02 Bad Option. A proxy processing the option must forward response > messages it receives, but never sends a 5.04 error if it receives no response. > (It may still send a 5.04 if it forwards the request over a secure or reliable > connection that can not be established, or if it forwards the request as a CON > and receives no > ACK.) > > No-Response is an inner and outer option; [... as above]. If a client sets the > inner option, itSHOULD set the outer option to 128 ('Not interested in some > responses'), or be prepared to receive and discard > 5.04 errors from intermediaries." > > > Best regards > Christian > > -- > To use raw power is to make yourself infinitely vulnerable to greater powers. > -- Bene Gesserit axiom
- [core] No-Response option and OSCORE Francesca Palombini
- Re: [core] No-Response option and OSCORE Klaus Hartke
- Re: [core] No-Response option and OSCORE Francesca Palombini
- Re: [core] No-Response option and OSCORE Esko Dijk
- Re: [core] No-Response option and OSCORE Christian Amsüss
- Re: [core] No-Response option and OSCORE Jim Schaad
- Re: [core] No-Response option and OSCORE 'Christian Amsüss'
- Re: [core] No-Response option and OSCORE Jim Schaad