[core] I-D Action: draft-ietf-core-groupcomm-bis-09.txt

John Mattsson <john.mattsson@ericsson.com> Tue, 19 September 2023 08:43 UTC


Review of draft-ietf-core-groupcomm-bis-09

Hi,

Below is my review of draft-ietf-core-groupcomm-bis-09. The document seems “ready with issues”.


  *   Abstract says, "replaces RFC 7390". Replaces is not a formal IETF term, maybe change to obsoletes or "replaces and obsoletes" as in the introduction.


  *   Figure 1 and Section 2.2.1.1 seem to be saying different things.

2.2.1.1 states that the host subcomponent is mandatory and that the IP multicast address and UDP port number are optional. Figure 1 states that the IP multicast address and UDP port number are mandatory.



  *   group1.com and alias.com are real domain names in use and not suitable for examples. I think you should use one of the example domains example.com, example.net, example.org, example.edu, or .example



  *   “However, using such experimental protocol is not a recommended approach.”

I don’t think something is not recommended just because it is an experimental RFC. What would the alternative be? To use something proprietary that is not even documented publicly?


  *   “It has to be separately enforced by leveraging the resource properties or through dedicated access control credentials assessed by separate means.” feels a bit strong. For a very simple system with a single resource, I think it is ok to use group membership. “It should be separately enforced” is probably better.


  *   "GROUPNAME" does not seem like a good name for the application group name, as you define three types of groups which all might have “names”. I suggest changing to APPNAME or something. In general, it might be good to use the word “group” less and the terms “CoAP group”, “multicast group”, “application group”, and “security group” more.


  *   The beginning “A security group is identified by a stable and invariant string used as a group name”.

How to identify the group in the management system is probably best left for implementation, or do you mean something Group OSCORE specific here? Is having a group name mandatory in general? Maybe I want to use an integer?



  *   The figures in Appendix D would look a lot nicer with aasvg.


  *   “For example, early discovery of devices and resources is a typical use case where the NoSec mode is relevant” seems like something people say to move the hard problem of secure credential management somewhere out of scope. Are there any _concrete_ examples of secure actual deployments where this message flow makes sense? Otherwise, I think this part should be removed.



  *   “For sensitive and mission-critical applications”. I think the current IETF view should be at least “Unless proven to be not sensitive”. Zero trust mandates encryption everywhere without exceptions, and modern protocols like QUIC deliver that.


  *   “Group policies should”

“That is, it may”

Should these be capital MAY and SHOULD? Agree that rekeying policies are best left for the applications. Section 6.2.1 should mention that the security requirements can vary between applications and also depending on “who” is joining or leaving the group.


  *   “source authentication”

“SHOULD NOT accept group requests that can not be authenticated in some way”

“is indeed reachable at the claimed source address”

I think it would be good to explain better to the reader that there are two different “sources”. Group OSCORE does not give any guarantees about the source address, and ECHO does not give source authentication.



  *   I think it should be stated that NoSec servers MUST NOT be accessible through the public Internet due to amplification attacks. A group of multicast servers may otherwise be accessible via a gateway from the Internet.

Editorial
----------------


  *   Several abbreviations like UML, HVAC should be spelled out.


  *   "TCP, TLS and WebSockets"
      "named, created, discovered and maintained"
      "manages, renews and provides"
      "specific, narrow and well"
      "GET, FETCH or POST"
      ... and more

IETF uses the Oxford comma.


  *   OLD "commmunication"
            NEW "communication"


  *   OLD "Different types of group"
            NEW "Different types of groups"


  *   OLD "can not"
            NEW "cannot"


  *   OLD "amplication"
            NEW "amplification"


  *   OLD "interecting"
            NEW "interacting"


  *   OLD "i.e,"
            NEW "i.e.,"


  *   OLD "e.g,"
            NEW "e.g.,"

Cheers,
John