Re: [core] Proxies and observations: "All options MUST be identical"
Klaus Hartke <hartke@projectcool.de> Mon, 13 November 2017 18:40 UTC
Return-Path: <hartke@projectcool.de>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43F52129B2C; Mon, 13 Nov 2017 10:40:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_FAIL=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D_gG6Ld5-bZN; Mon, 13 Nov 2017 10:40:49 -0800 (PST)
Received: from wp382.webpack.hosteurope.de (wp382.webpack.hosteurope.de [IPv6:2a01:488:42:1000:50ed:8597::]) (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35B2F129B3F; Mon, 13 Nov 2017 10:40:49 -0800 (PST)
Received: from mail-lf0-f46.google.com ([209.85.215.46]); authenticated by wp382.webpack.hosteurope.de running ExIM with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) id 1eEJf4-0001cZ-E5; Mon, 13 Nov 2017 19:40:46 +0100
Received: by mail-lf0-f46.google.com with SMTP id a132so19492763lfa.7; Mon, 13 Nov 2017 10:40:46 -0800 (PST)
X-Gm-Message-State: AJaThX49ocyKmY7AQ4O0czMQmByIMVsBWSCqRZEMwgSuMlo6OsSrZDjm c1/yPOOVbIXlNC2vp160pY7H+rZbBNs6KRF/VW0=
X-Google-Smtp-Source: AGs4zMaEz2JARn5k+AgIwV7w1ilRUWxXeOlqPbE4KyDWTfww9qPdwzfrMtm9RbZqLjfrQ6BkE3j81/j6UDLDJPqNShA=
X-Received: by 10.46.101.17 with SMTP id z17mr3822124ljb.35.1510598445987; Mon, 13 Nov 2017 10:40:45 -0800 (PST)
MIME-Version: 1.0
Received: by 10.25.79.21 with HTTP; Mon, 13 Nov 2017 10:40:05 -0800 (PST)
In-Reply-To: <20171113174314.7ohihr724xaxrp7l@hephaistos.amsuess.com>
References: <20171113165421.d23nmwklwjfwxaem@hephaistos.amsuess.com> <CAAzbHvaNvodqVfu+cD3K2JijSn=4nQB2mZRnRSV81bq+r0AFsw@mail.gmail.com> <20171113174314.7ohihr724xaxrp7l@hephaistos.amsuess.com>
From: Klaus Hartke <hartke@projectcool.de>
Date: Mon, 13 Nov 2017 19:40:05 +0100
X-Gmail-Original-Message-ID: <CAAzbHvYhdHxZKM_O3xcbj2O4b_mLZaSMmU10W9TXNeee4m+81g@mail.gmail.com>
Message-ID: <CAAzbHvYhdHxZKM_O3xcbj2O4b_mLZaSMmU10W9TXNeee4m+81g@mail.gmail.com>
To: Christian Amsüss <c.amsuess@energyharvesting.at>
Cc: lwip@ietf.org, "core@ietf.org WG" <core@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-bounce-key: webpack.hosteurope.de; hartke@projectcool.de; 1510598449; 34b39601;
X-HE-SMSGID: 1eEJf4-0001cZ-E5
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/cu9dJRegsQtZX_HVJ-zHUVPWG4Q>
Subject: Re: [core] Proxies and observations: "All options MUST be identical"
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Nov 2017 18:40:51 -0000
Christian Amsüss wrote: >> The client SHOULD generate tokens in such a way that tokens currently >> in use for a given source/destination endpoint pair are unique. > > My hypothetical client was using the "but I already cancelled, it's not > in use any more, didn't you get the NON?" defense -- but fair point. It's not the client alone who decides when a token is no longer in use. > Hmpf, that would mean that a correct proxy would treat an OSCORE > re-registration with new (encrypted) ETag set as a new observation. It > would determine that the old observation is over, cancel its observation > to the origin server and start a new one, presumably (under the > abovementioned) using a new token. Should work, but it's a new > observation at the origin. Right. > A very smart proxy might even notice that rather than cancelling the > observation, it can start the new one on the same token and thus do both > cancellation and new registration in a single packet (making things > magically smoother), but that might be considered smart to the extent of > specification abusal. If the proxy finds that the new observation request from the client is (almost) identical to the previous observation request from the client, then this behavior is exactly the one intended. The proxy could also try to do it when the requests are not identical, but this would violate the "MUST be identical" client requirement, although it might technically work due to the "MUST replace or update the existing" server requirement. I wouldn't assume that any proxy does it in this case. > Do you think there is a practical way around this that is not "OSCORE > observations can never be renewed (can never have a bit different, thus > no new nonce, no new freshness and no new ETags), and to renew an OSCORE > observation you have to cancel the old one and register a new one"? At first glance, I don't see any. Klaus
- [core] Proxies and observations: "All options MUS… Christian Amsüss
- Re: [core] [Lwip] Proxies and observations: "All … Carsten Bormann
- Re: [core] Proxies and observations: "All options… Klaus Hartke
- Re: [core] Proxies and observations: "All options… Christian Amsüss
- Re: [core] Proxies and observations: "All options… Klaus Hartke