Re: [core] RFC 7252 - 8.2 - Multicast - Request / Response Layer, page 67, top

Jim Schaad <ietf@augustcellars.com> Fri, 03 April 2020 17:54 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B57F63A097D for <core@ietfa.amsl.com>; Fri, 3 Apr 2020 10:54:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1I0L8NeUK-CU for <core@ietfa.amsl.com>; Fri, 3 Apr 2020 10:54:15 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EAABD3A0979 for <core@ietf.org>; Fri, 3 Apr 2020 10:54:14 -0700 (PDT)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Fri, 3 Apr 2020 10:54:08 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Esko Dijk' <esko.dijk@iotconsultancy.nl>
CC: <core@ietf.org>
References: <580bb0f4-89c4-2d11-b17b-520ddfe89c33@gmx.net> <000501d60452$c96cfa00$5c46ee00$@augustcellars.com> <1e74313a-d258-622f-d43e-ff1fa8f7d06d@gmx.net> <AM5P190MB027536259A44102F7AB9E058FDC80@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <CAAzbHvbeEyws+wVchovoVTK=WutWoHCNcfv8LrpxmshLxJ_w+Q@mail.gmail.com> <011301d6077c$b5d347b0$2179d710$@augustcellars.com> <AM5P190MB0275218BA7C801E50C8353F0FDC90@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <CAObGJnOscTtyeQ+qvD0N0w_TD2JfV8h9+=zf=bz-jrr7LWhD2Q@mail.gmail.com> <CAAzbHvaJy9WfMOzzKhczreuZBcbA5TDQ5ThtGMT7eVj2Jf83gQ@mail.gmail.com> <CAObGJnOcP_FxNuORqAvpBE-P+nRdPjxcXVdb-VTN5in5obanmw@mail.gmail.com> <02ec5628-3f7d-ff5d-620c-c0a90a4b89b0@gmx.net> <AM5P190MB02755F6BA4AFF11C3BFC5F18FDC60@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <020701d60907$fb3ba720$f1b2f560$@augustcellars.com> <AM5P190MB02756F537F757941D123AF17FDC70@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM>
In-Reply-To: <AM5P190MB02756F537F757941D123AF17FDC70@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM>
Date: Fri, 3 Apr 2020 10:54:07 -0700
Message-ID: <02c601d609e0$e0afcbf0$a20f63d0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQIXVeiVC1e4HIxpxUNqDgp/ppWwxwLeBdy3AlRjDEICXv5oEAIsRnhBAgGYZE4CNTatAQF2e0MvAkUv4JkCiP5R4AEu4xDAAWkjoBUCf5lrcgGypwu/pwzydmA=
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/h7mFZ7L7YZbcXKb_QqMz0k5yjJc>
Subject: Re: [core] RFC 7252 - 8.2 - Multicast - Request / Response Layer, page 67, top
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Apr 2020 17:54:18 -0000


-----Original Message-----
From: Esko Dijk <esko.dijk@iotconsultancy.nl> 
Sent: Friday, April 3, 2020 5:38 AM
To: Jim Schaad <ietf@augustcellars.com>om>; 'Achim Kraus' <achimkraus@gmx.net>et>; 'Thomas Fossati' <tho.ietf@gmail.com>om>; 'Klaus Hartke' <hartke@projectcool.de>
Cc: core@ietf.org
Subject: RE: [core] RFC 7252 - 8.2 - Multicast - Request / Response Layer, page 67, top

Hello Jim,

Could you clarify your point further? 
- what is a bad idea - having a dedicated port with dedicated for handling multicast requests?  Or the subsequent "internal routing" of the request to the unicast server at a different port? Or both?
[JLS] I think it is a bad idea to use the port number as a means of distinguishing multicast and unicast message.    If you do something like this completely internal to your own code, then it is an implementation detail but would not map to any type of text for an IETF document.

- what is a "multicast channel" , do you mean an endpoint bound to a multicast address ?
[JLS] I use the word channel because it maps from my code base in many ways.  A "multicast channel" would map to an endpoint bound to a <multicast address, port> pair.  An analogy for those of us who are really old would be to consider UHF and VHF on your TV to be different multicast addresses, but you still need to choose the channel number (port number) in order to get a flow of information that is usable. The analogy of course breaks down because you cannot send information back to the TV stations.

> some resources may only want to be on a single multicast address even 
> if the server is listening on multiple unicast addresses

Sure, you can also have a dedicated server on say port :9999 that listens to multicast destination addresses only, because it is bound only to a multicast address not a unicast address. This dedicated server can then handle resources that only are to be accessed via multicast.
But in this case, there's no "internal routing" needed to another server inside the node because the resource is only hosted at say port :9999.
[JLS] You can have a dedicated server on say <address, port=9999> that lists for multicast traffic.  You always have the address and port as a pair.  

> The IP address is different for a multicast vs a unicast message 
> received at the server.  This needs to be the distinction

But the case the Achim indicated is that the server may not be able to detect whether a request came in via unicast of multicast. So this cannot be the distinction, e.g. in the following case:
1) CoAP server at port 5683 is bound to unicast address U
2) at same node, same CoAP server at port 5683 is bound to multicast address M
[JLS]  If this is really true, and I am not sure that I believe that to be the case, then the JAVA library is completely broken and needs to get fixed.    The fast look that I had at the JAVA library looks like you need to create a distinct socket for every <address, port> pair that you are dealing with.  I think that should give you all of the info that you need, but like I said, I have not done the JAVA programming itself.

Now in this case if a request comes in via multicast group M destined  to port 5683, the server handling this cannot tell whether it was unicast or multicast. And if a unicast request comes in to destination address U and port 5683, the server cannot tell also whether that was unicast or multicast.
[JLS] What is the address that is associated with the port number?  You cannot have a bare port number you also must have an IP address.  The IP address is how you distinguish unicast/multicast.

[JLS]  Jim

By setting it up like this instead that problem is avoided:
1) CoAP server at port 5683 is bound to unicast address U
2) at same node, same CoAP server at port 9999 is bound to multicast address M Then the server at port 5683 treats everything as unicast. (Because it is not bound to a multicast address, it won't receive any multicast requests directly.) And the server at port 9999 treats everything as multicast. (And this endpoint 9999 handles most requests by internally redirecting to server :5683, but only for those resources where multicast is allowed. Some request for multicast-only resources it can handle itself directly.)

So the above "workaround" seems handy for cases where a server at one specific UDP cannot itself determine the endpoint the request came in from (could be either multicast like M or unicast like U).

@Achim maybe you could comment if I've understood your use case properly.  To me the above seems more secure than trusting that a client will include a "This is multicast" CoAP Option in an honest way, which could easily be misused.

thanks
Esko

-----Original Message-----
From: Jim Schaad <ietf@augustcellars.com>
Sent: Thursday, April 2, 2020 18:02
To: Esko Dijk <esko.dijk@iotconsultancy.nl>nl>; 'Achim Kraus' <achimkraus@gmx.net>et>; 'Thomas Fossati' <tho.ietf@gmail.com>om>; 'Klaus Hartke' <hartke@projectcool.de>
Cc: core@ietf.org
Subject: RE: [core] RFC 7252 - 8.2 - Multicast - Request / Response Layer, page 67, top

Esko,

That idea strikes me as a very bad idea.   If you build your code on this basis you will fall over the first time you come across a multicast channel which uses the same port as the unicast server.   The IP address is different for a multicast vs a unicast message received at the server.  This needs to be the distinction as well as the fact that some resources may only want to be on a single multicast address even if the server is listening on multiple unicast addresses.

Jim


-----Original Message-----
From: core <core-bounces@ietf.org> On Behalf Of Esko Dijk
Sent: Thursday, April 2, 2020 1:23 AM
To: Achim Kraus <achimkraus@gmx.net>et>; Thomas Fossati <tho.ietf@gmail.com>om>; Klaus Hartke <hartke@projectcool.de>
Cc: core@ietf.org
Subject: Re: [core] RFC 7252 - 8.2 - Multicast - Request / Response Layer, page 67, top

Hello Achim,

(see also my response to Jim)
Using the UDP port number to detect a multicast request vs a unicast request sounds like a good use case. Just curious - I assume the security aspect requirements of RFC 7252 are taken care of in this use case?

That is, a proper client sends its multicast requests always to port :9999 and the server treats these as multicast requests (e.g. only allow the request for specific resources).
A malicious client may sends its multicast request to port :5683 to bypass the above checks. I assume the server doesn't respond to this request, because the multicast address is not bound to port 5683 but to say 9999 only.
If the CoAP server at port 5683 cannot distinguish between unicast/multicast that would be a bad situation and the security requirements of RFC 7252 are not met.

Esko

-----Original Message-----
From: core <core-bounces@ietf.org> On Behalf Of Achim Kraus
Sent: Wednesday, April 1, 2020 22:28
To: Thomas Fossati <tho.ietf@gmail.com>om>; Klaus Hartke <hartke@projectcool.de>
Cc: core@ietf.org
Subject: Re: [core] RFC 7252 - 8.2 - Multicast - Request / Response Layer, page 67, top

Hi,

>> +---------------+                +-----------------+
>> |               |    request    _|_                |
>> |               |        .---> /   \   224.0.1.187 |
>> |              _|_      /      \___/ --.   :9999   |
>> | 192.168.0.1 /   \ ---´         |      \          |
>> |   :54321    \___/ <---.       _|_     /  rewrite |
>> |               |        \     /   \ <-´           |
>> |               |         `--- \___/ 192.168.0.100 |
>> |               |    response    |         :5683   |
>> +---------------+                +-----------------+
>>        Client                           Server

Nice diagram.

> Not sure why you would also want to rewrite the transport endpoint?

I tried to follow the discussion.
The idea to change the port as well enables java (and I guess some more) to differentiate between multicast and unicast requests. Jim also mentioned, that it enables the use of multiple servers on the same host.
I have not enough experience with multicast in different environments to see, if that may cause more trouble (e.g. firewall etc.). I would guess, that some  implementations will just offer that variant, at least as configurable option (I would try do so for Californium).
So my favorite for now is just implement it and see, what the user's feedback will be.

If that idea gets declined (may be by negative feedback of users), I still think, that there is a demand for other means to distinguish between multicast and unicast requests. Maybe, either the usage of the uri-host option or a new option will help.

This maybe considered as "too pragmatically", but on the other side I also don't see the "great benefit" in insist not to change the port.

best regards
Achim

_______________________________________________
core mailing list
core@ietf.org
https://www.ietf.org/mailman/listinfo/core
_______________________________________________
core mailing list
core@ietf.org
https://www.ietf.org/mailman/listinfo/core