Re: [core] [ALU] Re: Question reg. draft-fossati-tls-iot-optimizations-00

"Fossati, Thomas (Nokia - GB)" <thomas.fossati@nokia.com> Wed, 02 November 2016 16:52 UTC

From: "Fossati, Thomas (Nokia - GB)" <thomas.fossati@nokia.com>
To: Simon Bernard <contact@simonbernard.eu>, "Kraus Achim (INST/ESY1)" <Achim.Kraus@bosch-si.com>, "core@ietf.org" <core@ietf.org>
Thread-Topic: [ALU] Re: [core] Question reg. draft-fossati-tls-iot-optimizations-00
Date: Wed, 02 Nov 2016 16:52:46 +0000
Message-ID: <D43FC498.74BA7%thomas.fossati@alcatel-lucent.com>
References: <D43F60A9.74AFB%thomas.fossati@alcatel-lucent.com> <BC36447FF5C62E46BEF3F124D3C1E8925E1F5F6B@imbpw2exd01.bosch-si.com> <607f8720-8e86-90f6-83fd-299939c298ae@simonbernard.eu>
In-Reply-To: <607f8720-8e86-90f6-83fd-299939c298ae@simonbernard.eu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/cn1iiMl05Olv8RwBdXvBbpahvYo>
Subject: Re: [core] [ALU] Re: Question reg. draft-fossati-tls-iot-optimizations-00

Hi Simon,

On 02/11/2016 16:08, "core on behalf of Simon Bernard"
<core-bounces@ietf.org on behalf of contact@simonbernard.eu> wrote:
>Hi all,
>
>    I'm not sure I understand the point here.
>    *   The "draft-fossati-tls-iot-optimizations-00" says "The privacy
>issue associated with the use of a long-term identifier
>    must be taken into consideration."
>    *   Thomas says "I think privacy preservation should be a goal".

>    I would like to understand which privacy concern we would like to
>achieve exactly? With TLS we have end-to-end encryption. You want to
>add a kind of anonymity? Or maybe protect ourselves from connectionid
>spoofing?

The issue is that something like CID will make tracking a device's activity
across different transports very easy.  (Personally, I think NAT rebinding
is a bit different because it usually happens without client awareness,
and therefore already exposes correlation information to a possible
tracker.)

In any case, if we make this an extension of the general TLS protocol we
need to make sure we design it in a way that a) is fit for the purpose
from a functional and security perspective, and b) takes into
consideration the tracking aspects for clients that want to have finer
control on their privacy.


>    From my point of view, the connection id is just a way to replace
>the IP address with a connection identifier for use-cases where the IP
>address is not fixed. So we have the same security level with connection
>id as with a fixed IP. We are maybe a bit more exposed to spoofing, as
>connectionid spoofing is probably simpler than UDP IP address spoofing,
>but not so much. I mean connectionid is just another way to retrieve the
>security context needed to decrypt Application Data.

ISTM that if CID has enough randomness and is integrity-protected, then
spoofing is not an issue (or it is less of an issue than security context
lookup based on a fully tamperable 5-tuple).  But certainly this is a
dimension to explore further (e.g. depending on the way CID is
synchronised on the two sides, there might be opportunities for an
attacker that can selectively drop packets from the network to do
different things, I guess).

Cheers, t
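As an added illustration of the "random and integrity-protected CID" argument above (example code, not from the thread or from the draft): a toy Python model of a receiver that selects the security context by CID rather than by 5-tuple and binds the CID into the record's integrity tag, so a record whose CID has been swapped or guessed is rejected rather than decrypted under someone else's context. The 8-byte CID length, the HMAC-SHA256 tag standing in for DTLS's AEAD, and the function names are assumptions of the example.

```python
import hashlib, hmac, secrets, struct
from typing import Dict, Optional, Tuple

# Toy model of the receiver side (not the draft's wire format): the record
# header carries a CID that selects the security context instead of the
# IP/port 5-tuple, and the CID is bound into the integrity tag so that a
# tampered CID fails verification.  Confidentiality is left out on purpose.
CID_LEN = 8   # 64 random bits (assumed): guessing a live CID is impractical
TAG_LEN = 32  # HMAC-SHA256 stands in for the AEAD tag of a real DTLS record

def new_context(contexts: Dict[bytes, dict], key: bytes) -> bytes:
    """Register a fresh random CID for a peer and return it."""
    cid = secrets.token_bytes(CID_LEN)
    contexts[cid] = {"key": key}
    return cid

def seal(cid: bytes, key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: header = CID || 64-bit sequence number; tag covers it all."""
    header = cid + struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

def open_record(contexts: Dict[bytes, dict], record: bytes) -> Optional[bytes]:
    """Receiver side: return the payload if the record verifies, else None."""
    if len(record) < CID_LEN + 8 + TAG_LEN:
        return None
    cid, header = record[:CID_LEN], record[:CID_LEN + 8]
    payload, tag = record[CID_LEN + 8:-TAG_LEN], record[-TAG_LEN:]
    ctx = contexts.get(cid)        # lookup by CID, whatever the source address
    if ctx is None:
        return None                # unknown or guessed CID: not routable, drop
    expected = hmac.new(ctx["key"], header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                # CID swapped or contents altered: reject
    return payload

def demo() -> Tuple[bool, bool, bool]:
    """Constructed scenario: peers A and B talk to the same receiver."""
    contexts: Dict[bytes, dict] = {}
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    cid_a, cid_b = new_context(contexts, key_a), new_context(contexts, key_b)
    rec = seal(cid_a, key_a, 1, b"hello")
    accepted = open_record(contexts, rec) == b"hello"
    # A's record with B's CID pasted over it: context B is found, tag fails
    cid_swapped = open_record(contexts, cid_b + rec[CID_LEN:]) is None
    # a record under a CID the receiver never issued cannot be routed at all
    stray = seal(secrets.token_bytes(CID_LEN), key_a, 2, b"x")
    unknown_cid = open_record(contexts, stray) is None
    return accepted, cid_swapped, unknown_cid
```

The same record is accepted whichever source address it arrives from, which is what CID buys over the 5-tuple; the tag binding is what keeps that from becoming a spoofing vector.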