IETF Logo Mail Archive

Re: [core] DNS-SD service types for CoRE-RD (Re: AD review of draft-ietf-core-resource-directory-23)

Ted Lemon <mellon@fugue.com> Mon, 02 March 2020 16:21 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4FD43A0A24 for <core@ietfa.amsl.com>; Mon, 2 Mar 2020 08:21:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hi_nJRvwyYuv for <core@ietfa.amsl.com>; Mon, 2 Mar 2020 08:21:43 -0800 (PST)
Received: from mail-qv1-xf2e.google.com (mail-qv1-xf2e.google.com [IPv6:2607:f8b0:4864:20::f2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 031EB3A0A23 for <core@ietf.org>; Mon, 2 Mar 2020 08:21:43 -0800 (PST)
Received: by mail-qv1-xf2e.google.com with SMTP id eb12so112948qvb.10 for <core@ietf.org>; Mon, 02 Mar 2020 08:21:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=55fHFsQ74jKQpscgr6JMGc7CURWs633m2ghb+aLqG4k=; b=aoWO9bVLI4du+Mcmo5IHKgdCdnPdixynX7giJ8OhoPi93vnMobMMdI+s0y7XTimWtT d5B1/q/h7tJrFiXeXX0D0BT8G+kCHMPoYcbgGvf0gjxNXzLH328+nGap1ovnzliGfk2k 77Oco0uFeTt6T6F9ESPEygbo/jPngsr1qVjB7b/mbBC38LmdfAhbj7abM+GK+r7SNtrI l9369350ZAJ483tSNirrSqLy8JrAKeGojR5ZtOwWicDF2GILQ5N5B+pTT0KH/e+1c9W/ nXdFBd//MF1gyr+ijHrLHPvwi+T45gvJeS0u/wwPeUZYPfMCGKRCQofa6HUhIaEfjrjq vj5Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=55fHFsQ74jKQpscgr6JMGc7CURWs633m2ghb+aLqG4k=; b=acejWOhYMidz8qANODCfd91i13evoOjXXLYl8g/uluTMao6cYlDkG7QIUpTwit0CQC lKis03DGARxxf6RvwvvOKnJOu31JxlZcRthVlm1Mb+VpM+fG0N2RV4EzTdd+aPqDGd00 tA3+FNZC8I88srlhrl0M4B4uzKu3h3hHQHgXHiXa/zQcTqPMUBccavmUz3AQ3DrgVZ1a 4qQC6IRxJ0njBVBkh5REMuFz0P2QzC1LEc3Bkd6yzsI4RUgocra6X3lyYpJ4b4wUrLYS /V6aLlbnA46E2DZZPcI1FSu0StCz5/ox+hWUdA5u2lP01Dx6sV6/KTZAHQ1PYMOwx5A3 iYVA==
X-Gm-Message-State: ANhLgQ0G4CBMQhoRBoMrFY5bvkUQSMUrQGLG/JGJ1uXi5eHP9BhyOPEb jrllAIdGlCil4UpMF/+AT/vQj0XpMUEkLQ==
X-Google-Smtp-Source: ADFU+vvLJcOQrRClCEBHRYzcwdCNZfNo85xKJzvR0btL6ImWiF+sxEb+7gmt+IGQa76zSkHgNQaMxA==
X-Received: by 2002:a05:6214:192f:: with SMTP id es15mr149207qvb.219.1583166101990; Mon, 02 Mar 2020 08:21:41 -0800 (PST)
Received: from ?IPv6:2601:18b:300:36ee:c461:a4d:14f9:1444? ([2601:18b:300:36ee:c461:a4d:14f9:1444]) by smtp.gmail.com with ESMTPSA id e130sm10384674qkb.72.2020.03.02.08.21.41 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 02 Mar 2020 08:21:41 -0800 (PST)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <A3B3F66A-821C-4101-877B-DD87990DE87D@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_149A8AE2-7ACB-4370-884C-FBB7B4C1C33D"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3622.0.6\))
Date: Mon, 02 Mar 2020 11:21:39 -0500
In-Reply-To: <F0CB7B96-4872-4EC4-A874-C110DC5AF2EA@tzi.org>
Cc: Christian Amsüss <christian@amsuess.com>, "core@ietf.org" <core@ietf.org>
To: Carsten Bormann <cabo@tzi.org>
References: <481f9820-bcea-af6a-d5c4-d713be24d43d@isode.com> <20191119125733.GA8007@hephaistos.amsuess.com> <c29e70d4-7d81-4c89-ad81-62a6132fb3df@www.fastmail.com> <4C059F03-BB42-498D-9B75-A08BEA274416@tzi.org> <20200302145539.GA568382@hephaistos.amsuess.com> <F0CB7B96-4872-4EC4-A874-C110DC5AF2EA@tzi.org>
X-Mailer: Apple Mail (2.3622.0.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/aGxTovjD2-y5GvgdPOTImRj-K9w>
Subject: Re: [core] DNS-SD service types for CoRE-RD (Re: AD review of draft-ietf-core-resource-directory-23)
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Mar 2020 16:21:45 -0000

On Mar 2, 2020, at 10:54 AM, Carsten Bormann <cabo@tzi.org> wrote:
> One assumption that is used in many TLS-based applications is that TLS is used to authenticate the server as the holder of the domain name that the client specified upon connection setup (e.g., after taking that domain name out of an https:// URI as the only information that is available for authorizing that server).

That’s what DNSSEC is for, so you definitely shouldn’t use it exactly this way.   The correct way to do something like this, if you want to, is to trust the “AD” bit returned by the resolver.  In order to do this, you would want to use DTLS to validate your trust relationship with the resolver.  You could also use TSIG or SIG(0) for that, however, at a substantially lower cost.   Although it might be worth it to use DTLS just because it’s one less hunk of code to include if you’re already using DTLS for something else.

> (Since DNS-SD is about domain names, this assumption might seem more appropriate for DNS-SD based usage than it is in other ways of using CoAP, but then DNS-SD may just be in use for an initial RD discovery phase.)

Yup.

>> If the client is configured to register at any RD in the current domain,
>> it'd receive a
>> 
>> _core-rd-dtls._udp.example.com <http://udp.example.com/> IN SRV 1 1 5683 rd1.example.com <http://rd1.example.com/>
>> 
>> When it connects, the server would present a certificate for
>> rd1.example.com <http://rd1.example.com/>
> 
> Would it?  It might be using PSK.

You have a choice: you can either use a PSK, or you can use PKI+configured trust relationship based on name.   The trust relationship is implicit with PSK.   PSK should still be asymmetric, so that you don’t create a fertile ground for attacks.

>> without any indication that it's a legitimate
>> _core-rd-dtls._udp.example.com <http://udp.example.com/>.
> 
> There must be another source of that authorization (as a resource directory that this client is authorized to use — not with respect to the resource directory allowing access, but with respect to the overseeing principal of the client allowing that to rely on using it).

Yup.

> 
>> Is there a document that bridges that gap in a usable manner that we can
>> point to for security considerations? Otherwise I'd rather leave the
>> TLSs out of here. (Alternatively, we could describe them as opportunistic
>> encryption.)
> 
> This situation is as open to different authorization strategies as any other use of CoAPS is, so I don’t see why we need to make this a special case.

While this is true in principle, I don’t think we want a million different authorization strategies to choose from.

v2.23.0 | Report a Bug | By Email