IETF Logo Mail Archive

Re: [core] RFC 7252 - 8.2 - Multicast - Request / Response Layer, page 67, top

Jim Schaad <ietf@augustcellars.com> Thu, 02 April 2020 16:01 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 107A73A16E4 for <core@ietfa.amsl.com>; Thu, 2 Apr 2020 09:01:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id auzqa62WjYlP for <core@ietfa.amsl.com>; Thu, 2 Apr 2020 09:01:39 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0AA023A16E2 for <core@ietf.org>; Thu, 2 Apr 2020 09:01:38 -0700 (PDT)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 2 Apr 2020 09:01:31 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Esko Dijk' <esko.dijk@iotconsultancy.nl>, 'Achim Kraus' <achimkraus@gmx.net>, 'Thomas Fossati' <tho.ietf@gmail.com>, 'Klaus Hartke' <hartke@projectcool.de>
CC: core@ietf.org
References: <580bb0f4-89c4-2d11-b17b-520ddfe89c33@gmx.net> <000501d60452$c96cfa00$5c46ee00$@augustcellars.com> <1e74313a-d258-622f-d43e-ff1fa8f7d06d@gmx.net> <AM5P190MB027536259A44102F7AB9E058FDC80@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <CAAzbHvbeEyws+wVchovoVTK=WutWoHCNcfv8LrpxmshLxJ_w+Q@mail.gmail.com> <011301d6077c$b5d347b0$2179d710$@augustcellars.com> <AM5P190MB0275218BA7C801E50C8353F0FDC90@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM> <CAObGJnOscTtyeQ+qvD0N0w_TD2JfV8h9+=zf=bz-jrr7LWhD2Q@mail.gmail.com> <CAAzbHvaJy9WfMOzzKhczreuZBcbA5TDQ5ThtGMT7eVj2Jf83gQ@mail.gmail.com> <CAObGJnOcP_FxNuORqAvpBE-P+nRdPjxcXVdb-VTN5in5obanmw@mail.gmail.com> <02ec5628-3f7d-ff5d-620c-c0a90a4b89b0@gmx.net> <AM5P190MB02755F6BA4AFF11C3BFC5F18FDC60@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM>
In-Reply-To: <AM5P190MB02755F6BA4AFF11C3BFC5F18FDC60@AM5P190MB0275.EURP190.PROD.OUTLOOK.COM>
Date: Thu, 02 Apr 2020 09:01:30 -0700
Message-ID: <020701d60907$fb3ba720$f1b2f560$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQIXVeiVC1e4HIxpxUNqDgp/ppWwxwLeBdy3AlRjDEICXv5oEAIsRnhBAgGYZE4CNTatAQF2e0MvAkUv4JkCiP5R4AEu4xDAAWkjoBWnLNcFQA==
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/kOwX0t8xtTb8RT0kp_TZUiS4t7s>
Subject: Re: [core] RFC 7252 - 8.2 - Multicast - Request / Response Layer, page 67, top
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Apr 2020 16:01:41 -0000

Esko,

That idea strikes me as a very bad idea.   If you build your code on this basis you will fall over the first time you come across a multicast channel which uses the same port as the unicast server.   The IP address is different for a multicast vs a unicast message received at the server.  This needs to be the distinction as well as the fact that some resources may only want to be on a single multicast address even if the server is listening on multiple unicast addresses.

Jim


-----Original Message-----
From: core <core-bounces@ietf.org> On Behalf Of Esko Dijk
Sent: Thursday, April 2, 2020 1:23 AM
To: Achim Kraus <achimkraus@gmx.net>; Thomas Fossati <tho.ietf@gmail.com>; Klaus Hartke <hartke@projectcool.de>
Cc: core@ietf.org
Subject: Re: [core] RFC 7252 - 8.2 - Multicast - Request / Response Layer, page 67, top

Hello Achim,

(see also my response to Jim)
Using the UDP port number to detect a multicast request vs a unicast request sounds like a good use case. Just curious - I assume the security aspect requirements of RFC 7252 are taken care of in this use case?

That is, a proper client sends its multicast requests always to port :9999 and the server treats these as multicast requests (e.g. only allow the request for specific resources).
A malicious client may sends its multicast request to port :5683 to bypass the above checks. I assume the server doesn't respond to this request, because the multicast address is not bound to port 5683 but to say 9999 only.
If the CoAP server at port 5683 cannot distinguish between unicast/multicast that would be a bad situation and the security requirements of RFC 7252 are not met.

Esko

-----Original Message-----
From: core <core-bounces@ietf.org> On Behalf Of Achim Kraus
Sent: Wednesday, April 1, 2020 22:28
To: Thomas Fossati <tho.ietf@gmail.com>; Klaus Hartke <hartke@projectcool.de>
Cc: core@ietf.org
Subject: Re: [core] RFC 7252 - 8.2 - Multicast - Request / Response Layer, page 67, top

Hi,

>> +---------------+                +-----------------+
>> |               |    request    _|_                |
>> |               |        .---> /   \   224.0.1.187 |
>> |              _|_      /      \___/ --.   :9999   |
>> | 192.168.0.1 /   \ ---´         |      \          |
>> |   :54321    \___/ <---.       _|_     /  rewrite |
>> |               |        \     /   \ <-´           |
>> |               |         `--- \___/ 192.168.0.100 |
>> |               |    response    |         :5683   |
>> +---------------+                +-----------------+
>>        Client                           Server

Nice diagram.

> Not sure why you would also want to rewrite the transport endpoint?

I tried to follow the discussion.
The idea to change the port as well enables java (and I guess some more) to differentiate between multicast and unicast requests. Jim also mentioned, that it enables the use of multiple servers on the same host.
I have not enough experience with multicast in different environments to see, if that may cause more trouble (e.g. firewall etc.). I would guess, that some  implementations will just offer that variant, at least as configurable option (I would try do so for Californium).
So my favorite for now is just implement it and see, what the user's feedback will be.

If that idea gets declined (may be by negative feedback of users), I still think, that there is a demand for other means to distinguish between multicast and unicast requests. Maybe, either the usage of the uri-host option or a new option will help.

This maybe considered as "too pragmatically", but on the other side I also don't see the "great benefit" in insist not to change the port.

best regards
Achim

_______________________________________________
core mailing list
core@ietf.org
https://www.ietf.org/mailman/listinfo/core
_______________________________________________
core mailing list
core@ietf.org
https://www.ietf.org/mailman/listinfo/core

v2.23.0 | Report a Bug | By Email