[core] No-Response option and OSCORE
Francesca Palombini <francesca.palombini@ericsson.com> Thu, 11 January 2018 14:59 UTC
Return-Path: <francesca.palombini@ericsson.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 069791270AE; Thu, 11 Jan 2018 06:59:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.219
X-Spam-Level:
X-Spam-Status: No, score=-4.219 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UtxJEXBgDOkp; Thu, 11 Jan 2018 06:59:15 -0800 (PST)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ACBD81204DA; Thu, 11 Jan 2018 06:59:14 -0800 (PST)
X-AuditID: c1b4fb2d-b4dff70000007932-13-5a577bc0d59c
Received: from ESESSHC014.ericsson.se (Unknown_Domain [153.88.183.60]) by sessmg23.ericsson.net (Symantec Mail Security) with SMTP id D0.7B.31026.0CB775A5; Thu, 11 Jan 2018 15:59:13 +0100 (CET)
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (153.88.183.145) by oa.msg.ericsson.com (153.88.183.60) with Microsoft SMTP Server (TLS) id 14.3.352.0; Thu, 11 Jan 2018 15:59:12 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.onmicrosoft.com; s=selector1-ericsson-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=J73BSaTJtVClcqWsN17xzvB83XxeMpvi9vbevaXbkvc=; b=YsHihyUSM0ewDnMSH4Ds7PTId4QarHFTIAaESA9cLEZirbgfBer865hFeLsADrdExf2NvOIFSZD2QYM2YKW5dNiWduy1VpSLM/xorUaMI21V3HZLPJ4gYbhEu+GH5ZMxeYUfkj/afOkjv63HDK7zYeeoGtrjlTUwn0is+SdRa5w=
Received: from HE1PR07MB1529.eurprd07.prod.outlook.com (10.169.122.151) by HE1PR07MB0779.eurprd07.prod.outlook.com (10.162.24.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.407.1; Thu, 11 Jan 2018 14:59:09 +0000
Received: from HE1PR07MB1529.eurprd07.prod.outlook.com ([fe80::e13d:a647:66bf:d87e]) by HE1PR07MB1529.eurprd07.prod.outlook.com ([fe80::e13d:a647:66bf:d87e%14]) with mapi id 15.20.0407.009; Thu, 11 Jan 2018 14:59:09 +0000
From: Francesca Palombini <francesca.palombini@ericsson.com>
To: "core@ietf.org" <core@ietf.org>
CC: "Klaus Hartke (hartke@tzi.org)" <hartke@tzi.org>, "esko.dijk@philips.com" <esko.dijk@philips.com>, "draft-tcs-coap-no-response-option@ietf.org" <draft-tcs-coap-no-response-option@ietf.org>
Thread-Topic: No-Response option and OSCORE
Thread-Index: AdOK3iozLEG/idB4QryGW7NQYtdPuA==
Date: Thu, 11 Jan 2018 14:59:08 +0000
Message-ID: <HE1PR07MB152939003ACA6963256A8E8498160@HE1PR07MB1529.eurprd07.prod.outlook.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=francesca.palombini@ericsson.com;
x-originating-ip: [192.176.1.87]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; HE1PR07MB0779; 7:rvt04N7UyFhccTHeO7LanJfAWEwoQYG+XZV+XN1GCwZSFunaqU0UsUCYaJtB3ChJdtEXhhfhVNFvUrc0JRHiPWS7+QucAsaeUOKY1q9ceTNycVehr53i4TQk4Tg9Ndd69jMwo9ZmV/BN3mZTCWXMlHGXhpskxuIz9goJxuSwQymFZPiMGQlxSA9B0qBO39TUZ8QK8AyvK5ErHiHoF2y8I5B1GWAv6xLRlB/XXLv81Dv3NP3aae47Q5+X928WVlO1
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: 0a1ddf3a-204a-4fbf-a00a-08d55903de49
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(4534020)(4602075)(4627115)(201703031133081)(201702281549075)(5600026)(4604075)(3008032)(2017052603307)(7153060)(7193020); SRVR:HE1PR07MB0779;
x-ms-traffictypediagnostic: HE1PR07MB0779:
x-microsoft-antispam-prvs: <HE1PR07MB0779BF5DD74A001C07F0088D98160@HE1PR07MB0779.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(158342451672863)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040470)(2401047)(5005006)(8121501046)(3231023)(944501075)(10201501046)(93006095)(93001095)(3002001)(6041268)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123564045)(20161123562045)(6072148)(201708071742011); SRVR:HE1PR07MB0779; BCL:0; PCL:0; RULEID:(100000803101)(100110400095); SRVR:HE1PR07MB0779;
x-forefront-prvs: 0549E6FD50
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(376002)(39380400002)(366004)(396003)(346002)(53754006)(199004)(189003)(7696005)(2351001)(3480700004)(8936002)(1730700003)(8676002)(2501003)(5250100002)(66066001)(68736007)(3280700002)(6306002)(97736004)(81166006)(81156014)(4326008)(19609705001)(5630700001)(54896002)(9686003)(3660700001)(55016002)(105586002)(478600001)(5640700003)(7736002)(2900100001)(6436002)(74316002)(3846002)(6506007)(25786009)(6116002)(106356001)(966005)(86362001)(102836004)(6916009)(316002)(14454004)(5660300001)(99286004)(33656002)(59450400001)(2906002)(790700001)(53936002)(54906003); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB0779; H:HE1PR07MB1529.eurprd07.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 1l6hrpC46sIq9XElVBhdyuCdj97e51RTySSwb68h/wg7+tF92Sh3OWA183Hj6qMEDHSKSAFFErSE4ZD7j6u/6A==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_HE1PR07MB152939003ACA6963256A8E8498160HE1PR07MB1529eurp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 0a1ddf3a-204a-4fbf-a00a-08d55903de49
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Jan 2018 14:59:09.0059 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB0779
X-OriginatorOrg: ericsson.com
X-Brightmail-Tracker: H4sIAAAAAAAAA02Se0hTURzHOffhrsvBcSn+zIxYFKW2yiJGWtY/YYRRhGkz0JW3udQtd5dZ QRgakb2MqMhKV82pWVg+0lqYT9KaunwEZuVk9lzrRaS1XG27E/rv8/s+fpxzOAwpbqJnMSq1 jtWqFVkSPyF1KbkxdnHroST50isvkazZUUPKSocqKFm/sQzJ7p37SKyl4g2GX0R8S4uJiL9w XbWZlAtj09ksVS6rXbImTZhhsHTSe09tzLO/N1H5yBVXhPwZwCugxPoUFSEhI8btCCyPnTQ/ dCF42VJMegYKnyKha8BG8c5FApqv6X2DDUHt5CjpWeaHY8Ey9oX2cBCeB3Vmu3cxiTsQnDQ+ JzzGTLwArF1VBB+KhGeVlW4WuFkKnXs8KoXnw63GcuRhEd4B9cdqvesRDocfR6q9TOIQeDFe RvB3wGB42EfyHAwfbC6az++CwZHTgiLEuPW5YJgK5SPh0F92wnsywPUE1Lz+4+tKoeGsA/Gc AL3WcxQfeoSgZ8rqMyJg8O2gr5AJQwNOH6dAgWnCjy9Uk/CzwUjxxmw3lxK8MUlDj8PkbYgx CxW3j6JiFFXy34141kD/heOCEu8LBEL3pXGK16NAb/rux3MkGK/ZyWk2t9iI/3U9EtxEwRzL cdnK6OVSVqvaxXEatVTN6mqR+z+11jsXN6Fq+7o2hBkkCRBF706Si2lFLncguw0BQ0qCRDe2 bJOLRemKAwdZrSZVuy+L5dpQGENJQkTdG0RyMVYqdGwmy+5ltdMuwfjPykfsm9GcxBnCne0x BXE7ExfZXj9ZqJq6f1h5wpKSM2I6//tQarlO+/eyJZkOcK76ZDbTHSe/zum9MxRXd9U1/PX6 VmHE/dK80b5X38bG96dtj5LpnYGb1rsmTo/FrA4tvLzyQfQZ2QyhuTAQCz47jLXvlAmahJi7 CXnGJ2HFw+lPqxolFJehWBZBajnFP0aDgHBLAwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/gLf2OaInWlGh9YTCa0edercPm0Q>
Subject: [core] No-Response option and OSCORE
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jan 2018 14:59:23 -0000
Hi all, In order to add the processing of the No-Response in the OSCORE document, as requested by a few people, I was reading RFC7967 and previous conversations [1] in the mailing list, regarding proxies behavior when using No-Response. RFC7967 specifies No-Response as an Unsafe-to-forward option (and therefore not part of the cache key). Because of that, proxies are allowed to legitimately discard this option. Moreover, even when the server receives this option, it might legitimately decide to respond to the request anyway. We have three choices as of OSCORE processing: we can treat the No-Response as an unprotected only option (outer), as an encrypted only (inner), or as a both encrypted/inner (to the server) and unprotected/outer (for any intermediaries) option. This is a question for No-Response users, such as the authors of RFC7967 and Esko: We assume having an inner No-Response is convenient, since we are guaranteed that it reaches the server unchanged. Is this assumption correct, does your use case profits from a protected client-to-server No-Response option? To anybody, particularly the authors of RFC7967: We think it is necessary to send the option as an outer option too, to keep the functionality of No-Response-aware proxies. This means that we should allow inner and outer No-Response at the same time (where we recommend the outer value to be the same as the inner value). The only problem is, since No-Response is Unsafe to forward, No-Responses-unaware proxies might be waiting on the responses while the server, having received the inner No-Response might not respond. Is this a reasonable tradeoff? Finally, I have a question non concerning OSCORE but [1] and the document in general, for the authors and for Klaus, on anyone that has an opinion. My question concerns the decision to make this option Unsafe-to-forward. In my opinion, to deal with cacheability, it would have been enough to make the option Safe-to-forward, and part of the cache-key. In [1] Klaus said: If a server returns a 4.04 response (or any other cacheable error response) with Max-Age != 0, then a cache will return that response as long as Max-Age has not elapsed instead of making a request towards the origin server. So the caching of error responses protects a server a bit from clients repeatedly triggering the same error. The No-Response option destroys this protection. To limit the damage, I would say that intermediaries MUST NOT include the No-Response option in their requests. Question: Having No-Response safe-to-forward and part of the cache key would work, since the requests would hit the cache in that case, right? Why was the option specifically defined to unsafe-to-forward? I'd like to know because if I have missed something in the proxy processing I could get the OSCORE processing wrong. Thanks, Francesca [1] http://mailarchive.ietf.org/arch/msg/core/X00OZOjL8mcnyzZy6dSqlGO2LuQ
- [core] No-Response option and OSCORE Francesca Palombini
- Re: [core] No-Response option and OSCORE Klaus Hartke
- Re: [core] No-Response option and OSCORE Francesca Palombini
- Re: [core] No-Response option and OSCORE Esko Dijk
- Re: [core] No-Response option and OSCORE Christian Amsüss
- Re: [core] No-Response option and OSCORE Jim Schaad
- Re: [core] No-Response option and OSCORE 'Christian Amsüss'
- Re: [core] No-Response option and OSCORE Jim Schaad