Re: [core] [ALU] Re: Question reg. draft-fossati-tls-iot-optimizations-00
"Fossati, Thomas (Nokia - GB)" <thomas.fossati@nokia.com> Wed, 02 November 2016 16:52 UTC
From: "Fossati, Thomas (Nokia - GB)" <thomas.fossati@nokia.com>
To: Simon Bernard <contact@simonbernard.eu>, "Kraus Achim (INST/ESY1)" <Achim.Kraus@bosch-si.com>, "core@ietf.org" <core@ietf.org>
Thread-Topic: [ALU] Re: [core] Question reg. draft-fossati-tls-iot-optimizations-00
Date: Wed, 02 Nov 2016 16:52:46 +0000
Message-ID: <D43FC498.74BA7%thomas.fossati@alcatel-lucent.com>
References: <D43F60A9.74AFB%thomas.fossati@alcatel-lucent.com> <BC36447FF5C62E46BEF3F124D3C1E8925E1F5F6B@imbpw2exd01.bosch-si.com> <607f8720-8e86-90f6-83fd-299939c298ae@simonbernard.eu>
In-Reply-To: <607f8720-8e86-90f6-83fd-299939c298ae@simonbernard.eu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/cn1iiMl05Olv8RwBdXvBbpahvYo>
Subject: Re: [core] [ALU] Re: Question reg. draft-fossati-tls-iot-optimizations-00
Hi Simon,

On 02/11/2016 16:08, "core on behalf of Simon Bernard"
<core-bounces@ietf.org on behalf of contact@simonbernard.eu> wrote:

> Hi all,
>
> I'm not sure I understand the point here.
> * The "draft-fossati-tls-iot-optimizations-00" says "The privacy
>   issue associated with the use of a long-term identifier
>   must be taken into consideration."
> * Thomas says "I think privacy preservation should be a goal".
> I would like to understand which privacy concern we would like to
> achieve exactly? With TLS we have end to end encryption. You want to
> add a kind of anonymity? Or maybe protect ourselves from connection id
> spoofing?

The issue is that something like CID will make tracking a device's
activity across different transports very easy.

(Personally, I think NAT rebinding is a bit different because it
usually happens without client awareness, and therefore already exposes
correlation information to a possible tracker.)

In any case, if we make this an extension of the general TLS protocol
we need to make sure we design it in a way that a) is fit for the
purpose from a functional and security perspective, and b) takes into
consideration the tracking aspects for clients that want to have finer
control on their privacy.

> From my point of view, the connection id is just a way to replace
> the IP address by a connection identifier for use-cases where the IP
> address is not fixed. So we have the same security level with
> connection id as with a fixed IP. We are maybe a bit more exposed to
> spoofing, as connection id spoofing is probably simpler than UDP IP
> address spoofing, but not by much. I mean connection id is just another
> way to retrieve the security context needed to decrypt Application Data.

ISTM that if CID has enough randomness and is integrity-protected, then
spoofing is not an issue (or it is less of an issue than security
context lookup based on a fully tamperable 5-tuple). But certainly this
is a dimension to explore further (e.g. depending on the way CID is
synchronised on the two sides, there might be opportunities for an
attacker that can selectively drop packets from the network to do
different things, I guess).

Cheers, t
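The two points argued in this message, that a random, integrity-protected CID makes context lookup safer than a tamperable 5-tuple, and that a cleartext CID that survives an address change is trivially linkable by a passive observer, can be shown in a small model. The following is an added example, not code from the message, the draft, or any DTLS implementation; its record layout (cid || seq || payload || tag), the HMAC-SHA256 tag standing in for AEAD integrity protection, the 8-byte CID length and the sample addresses are all constructed for illustration. It does not model CID updates or the selective-drop case mentioned at the end of the message.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, NamedTuple, Optional, Tuple

# Toy model of CID-based record handling (constructed for illustration only;
# this is not the draft's wire format and not a real DTLS implementation).
CID_LEN = 8
SEQ_LEN = 8
TAG_LEN = 32  # HMAC-SHA256 stands in for the AEAD tag of a real record layer

Addr = Tuple[str, int]


class Context(NamedTuple):
    cid: bytes
    key: bytes
    peer_name: str  # which client this security context belongs to


def new_connection(table: Dict[bytes, Context], peer_name: str) -> Context:
    """Allocate a random CID and a fresh per-connection key; register both."""
    cid = os.urandom(CID_LEN)  # enough randomness that a live CID cannot be guessed
    ctx = Context(cid=cid, key=os.urandom(32), peer_name=peer_name)
    table[cid] = ctx
    return ctx


def build_record(ctx: Context, seq: int, payload: bytes) -> bytes:
    """Client side: cid || seq || payload || tag; the tag covers the CID as well."""
    header = ctx.cid + struct.pack(">Q", seq)
    tag = hmac.new(ctx.key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def receive(table: Dict[bytes, Context], src_addr: Addr,
            record: bytes) -> Tuple[bool, str, Optional[bytes]]:
    """Server side: select the context by CID, never by src_addr, then verify."""
    if len(record) < CID_LEN + SEQ_LEN + TAG_LEN:
        return False, "truncated record", None
    cid = record[:CID_LEN]
    ctx = table.get(cid)
    if ctx is None:
        return False, "unknown cid", None
    body, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(ctx.key, body, hashlib.sha256).digest()
    # Constant-time compare; a rewritten CID selects the wrong key and fails here.
    if not hmac.compare_digest(tag, expected):
        return False, "integrity check failed", None
    return True, ctx.peer_name, body[CID_LEN + SEQ_LEN:]


def swap_cid(record: bytes, other_cid: bytes) -> bytes:
    """Model an on-path party rewriting the cleartext CID of a captured record."""
    return other_cid + record[CID_LEN:]


def link_by_cid(observed) -> Dict[bytes, set]:
    """Passive observer: group (src_addr, record) pairs by their cleartext CID.
    A CID that survives a transport change links the old and new addresses."""
    seen: Dict[bytes, set] = {}
    for addr, rec in observed:
        seen.setdefault(rec[:CID_LEN], set()).add(addr)
    return seen


def demo() -> dict:
    table: Dict[bytes, Context] = {}
    alice = new_connection(table, "alice")
    bob = new_connection(table, "bob")
    rec = build_record(alice, 1, b"temperature=21")  # constructed sample payload
    home, mobile = ("198.51.100.7", 5684), ("203.0.113.9", 40001)  # constructed addresses

    results = {}
    # 1. normal delivery from the original address
    results["direct"] = receive(table, home, rec)
    # 2. same record after NAT rebinding / transport change: still accepted
    results["rebound"] = receive(table, mobile, rec)
    # 3. CID rewritten to bob's: lookup selects bob's key, so the tag fails
    results["spoofed"] = receive(table, mobile, swap_cid(rec, bob.cid))
    # 4. CID rewritten to a value nobody holds: no context, rejected
    results["unknown"] = receive(table, mobile, swap_cid(rec, bytes(CID_LEN)))
    # 5. privacy side: the same CID seen on two transports links them
    results["linked"] = link_by_cid([(home, rec), (mobile, rec)])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Cases 1 and 2 show why CID lookup is indifferent to the 5-tuple, cases 3 and 4 show why a random CID bound into the integrity check is not usefully spoofable, and case 5 shows the tracking exposure the message raises: the very property that makes case 2 work is what lets an observer tie two addresses to one device.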