[core] Review of draft-bormann-core-responses-01
Marco Tiloca <marco.tiloca@ri.se> Tue, 20 June 2023 17:34 UTC
Return-Path: <marco.tiloca@ri.se>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E42AC1519B0 for <core@ietfa.amsl.com>; Tue, 20 Jun 2023 10:34:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ri.se
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k5JjPRC1WmLJ for <core@ietfa.amsl.com>; Tue, 20 Jun 2023 10:34:54 -0700 (PDT)
Received: from MM0P280CU005.outbound.protection.outlook.com (mail-swedensouthazon11011007.outbound.protection.outlook.com [52.101.76.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 125F8C151989 for <core@ietf.org>; Tue, 20 Jun 2023 10:34:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=KuOpa9tDgRFAl7bGrpvn5Bm0oJuX67lVFBkK9E9Csas2bAUWC/Z5tILEumBo7mjqkNndDNmAXWkqyV1xoXfc08v+O5PCQrOMtuRgR2oUj1xNgfCeFstq4WFGQdv+MmrIb31VDG5UeKpAdaolTV1F0WLP8IpoX2IegfikNWFJmPZOpp5tnXK1AruokmDoSI6dirVik+EhDnsU/vujJMDtPUe3L4KEhl8IVJ1eej6WH1Wy7XnjY0QxVu4Vm3oqcnqRy7ITH/tDIDMkRf8doGVXcSsFPrKvEmqAcUfCgpbbYV9EuIDE/L/cVABtYNzX7CU0HJv2+7MrdOMpU5MPwD//tQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=o7ku+IRFrAzKMk75SYqANhMKBGMpeq8P8F9lRd2WWvk=; b=ARYz1P/mxK66lEZznOdySxI7wg+euFeRLyI5CAG63Pn9lsW2jmcTejjTto1U8wKGw7JNDdFqocV3kzAWXsNRK61e0BGQ9JLBwElGYxTZ99PRsmrc5EEFoDrPTpEEPeWRj1QPabLAqjjJ4AqLBBrcte/rh+Zn7JRvzR/04EQ8CeU0lgRMXgZZK8cFPW5taw0D0+nyts3gmNWDcnCoGzB+cC28V7le5SJeAYUa5hJ1Is56/phrZ+crDpLhv3W8n8Ae1UwydZ/z/ymQIYzYyZ/mKMOnOAmfMKl3y0cBq0UXHkp560/ThL5U4/dAEog0gUsehqmP/MqOoL3LgHXE5Iroag==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ri.se; dmarc=pass action=none header.from=ri.se; dkim=pass header.d=ri.se; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ri.se; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=o7ku+IRFrAzKMk75SYqANhMKBGMpeq8P8F9lRd2WWvk=; b=Fqvre9TzQwWpgI40UC1k38dlUUD9WzNipSXIF7L2K3HcsPsAJlcbKo9Fm9JFR7fNMl6sHD9yz+HguVE1BHVPp6MjhPL0DXPUex+1o7JjL0Xo+4Nt41o579pi7OgtHu/aQplnkfq1njWIAA28ickGBAg9IKApNyYzBeAiYoBrZ/0=
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ri.se;
Received: from GV3P280MB0450.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:11::7) by GVYP280MB0909.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:ea::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6521.23; Tue, 20 Jun 2023 17:34:50 +0000
Received: from GV3P280MB0450.SWEP280.PROD.OUTLOOK.COM ([fe80::4389:fa74:107e:d8a3]) by GV3P280MB0450.SWEP280.PROD.OUTLOOK.COM ([fe80::4389:fa74:107e:d8a3%7]) with mapi id 15.20.6521.023; Tue, 20 Jun 2023 17:34:50 +0000
Message-ID: <448b8751-5823-a911-662a-bd9d1131261b@ri.se>
Date: Tue, 20 Jun 2023 19:34:48 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.11.0
Content-Language: en-US
To: "core@ietf.org" <core@ietf.org>
From: Marco Tiloca <marco.tiloca@ri.se>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------qNKxjs2HpxKGiFgSP12XOhAe"
X-ClientProxiedBy: FR0P281CA0182.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:ab::13) To GV3P280MB0450.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:11::7)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: GV3P280MB0450:EE_|GVYP280MB0909:EE_
X-MS-Office365-Filtering-Correlation-Id: 6cc4bc6a-51d4-4518-8f89-08db71b4a652
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: A3DNR/sNlaAffgMdKHU6AMSHCuc0pxBUcjI/HcrRQrO3vRzCpkueqmeAh90253URRZXIw7zF5+vyGUCNdQUwCgG7p1Y4zOXFOmSwhzUcq80F4YD/RNX2Nms8GemTJlOqLoj8wPHesiqw38vs//EpByDSbD7Sl1Vws15qxUezqw3OEaV67h8jXvYu6GveZ5wDzaem5qXlTFNF6B8FOra18Z8o7FfrAvwdsWaNkakX6vB/AUtSxYA2QCGG9aAJ9/DTmv5jdrlvbFJPv7NXFasqMiWLKRVhoXiAsAMBTPV/D8wqp47Vg+4At5/aXu1LgRnJAyQUgHO+BZwP+ay5RZkhmFNXz7XjpZDlztTszkbh7zDlzGIMwR9BOfvfavXTXhxg4govDyivg2K45Bjy/DL1u8qYhyFl2GALq4B4y78cACDISShv4AZEHh/0kCY0v2fkE0jhg/bqCFoGDsXizJbNwcqi7dP937rBGmNjU1xlQyW8/aUMrDNvo5KaPo34i+oLMNMDS+BVut39LcrL8k3Qgs7ZdkjeyZ4NRBcBDERkY7KtWN/ryOL/C0QpWxPV0bJadUD1zOgsW+z9aNtZaf6Y843ea3Sk48psfSSI3KbIGfbt83Ukk+to83aWzNxoG8dKZ8/c0qvaj2lvNHv4VqdAqw==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:GV3P280MB0450.SWEP280.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230028)(4636009)(136003)(39860400002)(346002)(396003)(366004)(376002)(451199021)(83380400001)(6512007)(8676002)(8936002)(41300700001)(235185007)(6916009)(5660300002)(66556008)(66476007)(66946007)(316002)(21480400003)(2616005)(31696002)(36756003)(86362001)(26005)(186003)(6506007)(31686004)(38100700002)(166002)(33964004)(478600001)(966005)(6486002)(2906002)(30864003)(44832011)(43740500002)(45980500001); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: nF8N160HIgzIk7t4LWiiXk52GG+VxD3R1TrxVjVgd2Gu+IJUEFdA5qZv0WJHBPIIRfpPuXRP/pRi8y9kmNyJfUH0sEoUmlQfI7uot0knqqSWYFAuJm3+mnjv/g8Qmb6DrOO8i4l9GFy8GsU+1+OF1E6KC0UKy+UmPePjOeDfCnygNPAVzm3FmyFYN99/nJYyEhxvjxUKQfMsQ9C3MzuNuwmb2skeO1fBWOIG/IVSoWD9fy8PwyEkQh5frds5kC0HWQlPOLp55nbZSRY26fiUWr/g80+hCIQFgPpYd0zRCatyjj7Hiveh8MukFv2VLBbee6asg+0r/BSXMUUqWj6niNd2DNRQyuGwr5/7do7c910btlZQ5lRBnXEViw3K8E2h23VCT0c7z8tIgiheFE4KaxYuieU6FwXRmVCSuJh917EHdJYcAghid0d3LyzW7J9btVPo/PntKtAxBd52FxZIT2r+ncEPL4pld3ezr6U2kPmIJ28kKYnBl9rw2unGJUZy1Xrv0Eog0Ln1w7IW4SSjSAR/JUewXqWztypc6p13LattuxeWMkn9prjCEHLa97BYmECkxjFXOhE5hzkmky016Qdz3b5JhRJk3LsyFdNDhaoDGqbMqIdOF4rqgMna3xg19GK3xVXzkys7YYtmAv6wy5WlCRxMSlcvDvJp0+1Nug1pbnZiX7KU9Cwr+uphMYYgw+QRHG+k1ygBFLLigm8p9B6PTZmLVXApq1dO4cA1jkwPZFnMijO/6HkOhsPr8SHaAHC5rdFO/GbLWYnzeCoxYB0oYAEioqlw+RrLVft8891W/bR4p4/2NpmG3je+hl4DG+coMK3a+IJgCtfIpSd9swYPHpAFLOSMCFSZIryJi8z1jnKqwGpCJi6tLTH2H90dZRpMGoV/j6B5zqaTTdBEioIOTkKez0YUIf66FSEISxTUvYwcsvSnZ6byHnc9KKIDgohKzvSvbLpARWwFLE7WGjK9SpXaxJuoVIMMHy2AJyMp6pwpqKuCgjH2etdJ4uuUfNV3FGuH0YCNBZO4E/EXnRhgs/llJxdVIOOXPorUKEpv+0eUOkU+DUk0RZbNqHgc+NHEnPgiZhfleMY+odivU2lurVXQcSitnzEkEmjlc3E2Sc7mkh9RtQ5vvQ5mH9MH+HMbck7zqt1q+3GiaLzHee3/hvYasR8PYc0CIknRjsConoHXIEksJ8qIiASYJqB5ALKE4jhYCekK50NfN0zeCjP2p0LGMzX4T/PZXFzbWMIHbVbhDoC3F1mdhCZwhtkBWIsrW3AOqv/3p49D9n//a/RxhCNuAcqhcT5uSBXAGtSyFrj4OVjtyV1QMTWla1TBKgRNkZFf76jifStrG04AglJICV401wNjdQidPG4qEvs1otgcU9Ye9FQaI/JW95isWS6jEuT5KMs3UefCxbyCsvlK72RwsAZNMx+T/3V9DH7ye3g9Wxva9tTJ2/jb076NCtd74ce+o4yzmWHQ0DFFGRUARjEVILgioaStEz4wOE/IZW0c+piKDFpyxotypsc8IFQcqqwODhO2djHhj7EDcSb8dqrIuxsTHvw7luRoVSq6ViNsp+VczveLkFFJac2e
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-Network-Message-Id: 6cc4bc6a-51d4-4518-8f89-08db71b4a652
X-MS-Exchange-CrossTenant-AuthSource: GV3P280MB0450.SWEP280.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 20 Jun 2023 17:34:50.3094 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: qklVrg8WB2gUj/dCYqJArCK9R8VrrLfozeiWuph67RVcpaT871ox4+ONdNJd30D7zdJCJ9f0vctKlWGVckhs+Q==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: GVYP280MB0909
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/l1g-AMbpVC2Mo7mZfiqw2niuu7M>
Subject: [core] Review of draft-bormann-core-responses-01
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Jun 2023 17:34:58 -0000
Hi all, Please find below some comments about this document. Best, /Marco --------------------------------- [General] * The reference [I-D.tiloca-core-observe-multicast-notifications] should be changed to [I-D.ietf-core-observe-multicast-notifications]. [Section 2] * The first paragraph looks like an alternative and complementary definition to what is defined in Section 1.1. Perhaps the two can be merged together already in Section 1.1? * "Where tokens are involved, all non-traditional responses use the request's token; in any case, they are bound to the original request" To cover all cases, it would help to expand the end of the sentence, e.g., "to the original transmitted or configured request". * "by using the same request_kid/request_piv pair in OSCORE [RFC8613]" This may be expanded by mentioning the use of the triple request_kid/request_kid_context/request_piv in Group OSCORE. * "Some established responses (observations defined in [RFC7641], and multicast responses in [I-D.ietf-core-groupcomm-bis]) match ..." I think you mean "and responses to multicast requests in [I-D.ietf-core-groupcomm-bis]) match ..." . Multicast responses are not part of that document and are rather used in -core-observe-multicast-notifications. [Section 2.2] * "One way to do that is to exchange a "phantom request", which is a request that client and server will agree to have sent and received, respectively, without it actually being sent between those endpoints." Basically, the "phantom request" referred here (and used in -core-observe-multicast-notifications) is an example of "configured request" as defined in this document. Correct? If so, it's worth mentioning. It is also consistent with the first paragraph of Section 4.2. * "As tokens are managed by the client, that request needs to be generated by the client, or in close collaboration with the client (for example by the client allowing a third party to use a subset of its token values in order to set up non-traditional responses)." It's worth mentioning how this happens in core-observe-multicast-notifications, i.e., in that case there is no third party. As potential group observers, the clients entrust the server to manage the Token space used for phantom requests generated by that server, against which multicast notifications will match. [Section 3] * "The option "Response-For" contains a request packaged as in Section 5.3 of [RFC8613]." I suppose that, unlike in RFC 8613, the request packaging should actually consider all the CoAP options of the embedded request, and not only its Class E options. That is, with reference to Figure 9 of RFC 8613, it should be "Options (if any) ..." instead of "Class E options (if any) ...". * Is the Response-For Option of class E for OSCORE? * If OSCORE is used, which peer is the encryptor of the embedded request encoded as value of the Response-For option? Is it the server or the client? In particular, what is used as request_kid and request_piv for the external_aad, when protecting both the response and the embedded request? [Section 4.0] * Like for a previous comment, this is different in core-observe-multicast-notifications. That is, the clients entrust the server to manage the Token space used for phantom requests generated by that server, against which multicast notifications will match. [Section 4.2] * "Note that, as the originator of a multicast response is a unicast address, the relaxation of matching rules described in Section 8.2 of [RFC7252] does not apply." Is this actually relevant here? The configured request is typically crafted as targeting a unicast address as its destination address. It would be relevant if the same configured request was configured at multiple servers, and crafted as targeting a multicast destination address that all those servers listen to. * "all nodes joined to that multicast address" Perhaps clarify that this means listening to the same multicast address, regardless the exact way that the nodes used to gain knowledge of it. * "The congestion control considerations for non-confirmable multicast messages apply unchanged." Actually, Section 4.4 of core-observe-multicast-notifications provides further guidelines and considerations about that. [Section 4.3] * "If a single client wants to request a server to send the response to a specific multicast address ..." Does it make sense to consider this also for non-multicast addresses? * This contains an opaque string with the port number as a 16-bit number (in network byte order), followed by the IP address (4-byte IPv4 or 16-byte IPv6). As also suggested for the current Response-Forwarding option in core-groupcomm-proxy, the value of this option can instead be a CRI without local part. * If this option of class U and E for OSCORE? [Section 4.4] * "It allows the server to send that number of non-traditional response messages in addition to the requested response." Exactly that number? At most that number? If combined with Observe, would this option still influence the (maximum) number of notifications that are delivered back to the client? * The whole discussion about using this option in the presence of proxies suggests that the option would be both inner and outer for OSCORE, right? That is, an outer option should also be added if a proxy is involved, and overall the same inclusion rules as for the Observe option should be followed. [Appendix A.2] * "When the destination address of a CoAP request is a multicast address, that token is valid for any member of that group (which, for the purpose of the client, is any server at all) on any port." Thinking of the terminology of draft-ietf-core-groupcomm-bis, I think you mean "CoAP group" here. However, there the definition of CoAP groups does take into account also the port number, i.e.: "A CoAP group is defined as a set of CoAP endpoints, where each endpoint is configured to receive CoAP group messages that are sent to the group's associated IP multicast address and UDP port." * "it might be seen as a template for creating a phantom request to any endpoint" Could you expand on this and on where this template would be used? Is this, for instance, an abstractions model for multiple servers fabricating a same phantom request? * "plus the application's timeout (in proxy situations, this needs to be communicated explicitly in the Multicast-Signaling option of [I-D.tiloca-core-groupcomm-proxy])." Yes, and that option was renamed to "Multicast-Timeout" as suggested by Carsten :-) [Appendix A.3] * "The Response-To option" I guess you mean the Respond-To option and not yet another different option. Correct? * "make it into a CoAP-over-UDP request with that particular address as a source and any address of yours as a response, and treat that as a phantom request." I can't fully parse this sentence. What do you mean with "and any address of yours as a response"? Do you mean "and any address of yours as source address of a follow-up response"? [Appendix A.4] * "[I-D.tiloca-core-observe-multicast-notifications] is a straightforward application of the phantom requests (the concept was developed there)" Yes, although, based on the terminology of this document, it feels more about an application of the "configured requests". * "Leisure-For-Responses could help it around the topic of joining a multicast group securely through a proxy." Can you elaborate more on that? Would this specifically help the proxy? How? I guess you have in mind the case where Group OSCORE is used (but without deterministic requests), and thus each and every client has to perform one more exchange with the proxy to provide it with the phantom request (see Section 12 of core-observe-multicast-notifications) Section 5.4 of core-observe-multicast-notifications is defining that a client would just silently forget about a grup observation if not interested anymore. The same would apply at the proxy when acting as client towards the origin server. * "[I-D.tiloca-core-groupcomm-proxy] seems to fit well with the concepts here as well, and might be simplified by it both in terminology and by replacing Response-Forwarding with Response-For(Proxy-Scheme, Uri- Host)." When you say "in terminology", do you think about emphasizing that the responses received and forwarded back by the proxy, as well as ultimately received by the client are non-traditional responses? As to an alternative to Response-Forwarding, the current option content is the serialization of the following CBOR array tp_info = [ tp_id : 1, ; UDP as transport protocol srv_host : #6.260(bstr), ; IP address where to reach the server ? srv_port : uint / null ; Port number where to reach the server ] We discussed that at some point it would be good to change this format to rather consider a CRI, specifying only scheme and authority. Actually, this would first apply to the definition of tp_info in core-observe-multicast-notifications , and then be inherited from there in -core-groupcomm-proxy. Thinking of rather using Response-For(Proxy-Scheme, Uri-Host) as above, would that still be aligned with the Response-For format defined in Section 3? That seems intended to pack the "whole" request with which the response is associated, including its options and payload. Instead, the intent of the Response-Forwarding option is to specify only addressing information. Even if Response-For could be used to specify only the options (Proxy-Scheme, Uri-Host) (or, better, the options (Proxy-Scheme, Uri-Host, Uri-Port)), wouldn't that result in additional overhead compared to a single option such as Response-Forwarding conveying a CRI without local part? -- Marco Tiloca Ph.D., Senior Researcher Phone: +46 (0)70 60 46 501 RISE Research Institutes of Sweden AB Box 1263 164 29 Kista (Sweden) Division: Digital Systems Department: Computer Science Unit: Cybersecurity https://www.ri.se
- [core] Review of draft-bormann-core-responses-01 Marco Tiloca
- Re: [core] Review of draft-bormann-core-responses… Christian Amsüss
- Re: [core] Review of draft-bormann-core-responses… Marco Tiloca
- Re: [core] Review of draft-bormann-core-responses… Carsten Bormann