Re: [core] I-D Action: draft-ietf-core-echo-request-tag-07.txt

John Mattsson <john.mattsson@ericsson.com> Thu, 19 September 2019 11:08 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: "core@ietf.org" <core@ietf.org>, "i-d-announce@ietf.org" <i-d-announce@ietf.org>
Date: Thu, 19 Sep 2019 11:08:05 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/gUTVrCvbY_kFa2wgGBlyu-fct78>

Hi,

-07 was uploaded to address an editorial erratum in -06 (a comment was visible by mistake).

The changes since -05 are listed below. We think that -07 addresses the comments from Jim Schaad. In addition, we made a few other clarifications, and added more privacy and security considerations. In particular, security considerations for reuse of Tokens, as discussed at a high level on the list before the WGLC.

   o  Changes since draft-ietf-core-echo-request-tag-06:

      *  Removed visible comment that should not be visible in Token
         reuse considerations.

   o  Changes since draft-ietf-core-echo-request-tag-05:

      *  Add privacy considerations on cookie-style use of Echo values

      *  Add security considerations for token reuse

      *  Add note in security considerations on use of nonvolatile
         memory when dealing with pseudorandom numbers

      *  Appendix on echo generation: add a few words on up- and
         downsides of the encrypted timestamp alternative

      *  Clarifications around Outer Echo:

         +  Could be generated by the origin server to prove network
            reachability (but for most applications it MUST be inner)

         +  Could be generated by intermediaries

         +  Is answered by the client to the endpoint from which it
            received it (i.e., Outer if received as Outer)

      *  Clarification that a server can send Echo preemptively

      *  Refer to stateless to explain what "more information than just
         the sequence number" could be

      *  Remove explanations around 0.00 empty messages

      *  Rewordings:

         +  the attack: from "forging" to "guessing"

         +  "freshness tokens" to "freshness indicators" (to avoid
            confusion with the Token)

      *  Editorial fixes:

         +  Abstract and introduction mention what is updated in RFC7252

         +  Reference updates

         +  Capitalization, spelling, terms from other documents

Cheers,
John

-----Original Message-----
From: core <core-bounces@ietf.org> on behalf of "internet-drafts@ietf.org" <internet-drafts@ietf.org>
Reply to: "core@ietf.org" <core@ietf.org>
Date: Thursday, 19 September 2019 at 12:58
To: "i-d-announce@ietf.org" <i-d-announce@ietf.org>
Cc: "core@ietf.org" <core@ietf.org>
Subject: [core] I-D Action: draft-ietf-core-echo-request-tag-07.txt

    
    A New Internet-Draft is available from the on-line Internet-Drafts directories.
    This draft is a work item of the Constrained RESTful Environments WG of the IETF.
    
            Title           : CoAP: Echo, Request-Tag, and Token Processing
            Authors         : Christian Amsüss
                              John Preuß Mattsson
                              Göran Selander
            Filename        : draft-ietf-core-echo-request-tag-07.txt
            Pages           : 27
            Date            : 2019-09-19
    
    Abstract:
       This document specifies enhancements to the Constrained Application
       Protocol (CoAP) that mitigate security issues in particular use
       cases.  The Echo option enables a CoAP server to verify the freshness
       of a request or to force a client to demonstrate reachability at its
       claimed network address.  The Request-Tag option allows the CoAP
       server to match block-wise message fragments belonging to the same
       request.  The update to the client Token processing requirements of
       RFC 7252 forbids non-secure reuse of Tokens to ensure binding of
       responses to requests when CoAP is used with security.
    
    
    The IETF datatracker status page for this draft is:
    https://datatracker.ietf.org/doc/draft-ietf-core-echo-request-tag/
    
    There are also htmlized versions available at:
    https://tools.ietf.org/html/draft-ietf-core-echo-request-tag-07
    https://datatracker.ietf.org/doc/html/draft-ietf-core-echo-request-tag-07
    
    A diff from the previous version is available at:
    https://www.ietf.org/rfcdiff?url2=draft-ietf-core-echo-request-tag-07
    
    
    Please note that it may take a couple of minutes from the time of submission
    until the htmlized version and diff are available at tools.ietf.org.
    
    Internet-Drafts are also available by anonymous FTP at:
    ftp://ftp.ietf.org/internet-drafts/
    