Re: [core] Updates to coap-tcp-tls
Christian Groves <Christian.Groves@nteczone.com> Tue, 16 August 2016 04:18 UTC
Return-Path: <Christian.Groves@nteczone.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36C7F12B00A for <core@ietfa.amsl.com>; Mon, 15 Aug 2016 21:18:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.79
X-Spam-Level:
X-Spam-Status: No, score=-1.79 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=nteczone.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U3ZC_I5LSBv9 for <core@ietfa.amsl.com>; Mon, 15 Aug 2016 21:18:36 -0700 (PDT)
Received: from msh03.myshophosting.com (msh03.myshophosting.com [101.0.109.158]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03AB8126579 for <core@ietf.org>; Mon, 15 Aug 2016 21:18:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nteczone.com; s=default; h=Content-Transfer-Encoding:Content-Type: In-Reply-To:MIME-Version:Date:Message-ID:From:Cc:References:To:Subject:Sender :Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=52mN43Qmj5GtV/c4zeBL33lqMwMF9pkGdq0ampiFbjs=; b=siX6yqgU3d26R3UG3f+UfbdzDd Ti4n3FGMcR5XBztBayx1KPcYWZBx12j12MF9YIojeP6oToQtJByVWqHcQDlovVdcKTPtvLF4fhG8q T6CG4M56gs2XpWpOI/SABt5b+yGuxlALohWwblo0SjPuET4ngI2WkQVdozqcdloa4IkgY3sKcjV72 FJeZns8BgklhZIjIXY/XagQU5TvP7rB9fz0WoFvko/TOxyyKZC4hrRI5e62C3cFz1UevwswQDz8AE v/jbi5YIFKDQBvn9xLARwbeaDQER/J6V0Kc/Zm9n7ro98itNhzBIobKCXWGENk3yIpGkhGI2f8eDy MVH2Q1Xg==;
Received: from ppp118-209-188-70.lns20.mel8.internode.on.net ([118.209.188.70]:52356 helo=[192.168.1.22]) by msh03.myshophosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.87) (envelope-from <Christian.Groves@nteczone.com>) id 1bZVpe-003var-2U; Tue, 16 Aug 2016 14:18:30 +1000
To: Carsten Bormann <cabo@tzi.org>, Brian Raymor <Brian.Raymor@microsoft.com>
References: <BN6PR03MB2724411ED7FF4BAB881E7BBB831E0@BN6PR03MB2724.namprd03.prod.outlook.com> <431663ac-271a-5250-7118-58a51aea067d@gmx.net> <BN6PR03MB272487B74FFE9EB54E7B1BD4831E0@BN6PR03MB2724.namprd03.prod.outlook.com> <254432a9-9048-6809-1bdf-dce3bb17cb12@nteczone.com> <BN6PR03MB27242BDE30D71E3934B2F44D831F0@BN6PR03MB2724.namprd03.prod.outlook.com> <57AE4652.7020306@tzi.org> <BN6PR03MB2724EC60CE22C94F18AE663683120@BN6PR03MB2724.namprd03.prod.outlook.com> <57B2139D.4030202@tzi.org>
From: Christian Groves <Christian.Groves@nteczone.com>
Message-ID: <ded1b937-240b-7666-6f14-a41fef346012@nteczone.com>
Date: Tue, 16 Aug 2016 14:18:27 +1000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <57B2139D.4030202@tzi.org>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - msh03.myshophosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - nteczone.com
X-Get-Message-Sender-Via: msh03.myshophosting.com: authenticated_id: christian.groves@nteczone.com
X-Authenticated-Sender: msh03.myshophosting.com: christian.groves@nteczone.com
X-Source:
X-Source-Args:
X-Source-Dir:
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/oaMbzijaHAT3wnBFYXKOWoN8pps>
Cc: "core@ietf.org" <core@ietf.org>
Subject: Re: [core] Updates to coap-tcp-tls
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Aug 2016 04:18:38 -0000
"If the Application-Layer Protocol Negotiation Extension (ALPN) [RFC7301] is available in both the client and server TLS protocol stacks..." seems to me to imply there's some prior knowledge of whether ALPN is supported in both the client and server. A CoAP client (TLS Client) will know whether it supports ALPN but not necessarily what the TLS server supports. A Client will send a clientHello with APLN "CoAP" and if the TLS server doesn't support the "CoAP" ALPN value, RFC7301 specifies that it should respond with a fatal alert. In that case the fallback would be to use port number 5684. Regards, Christian On 16/08/2016 5:10 AM, Carsten Bormann wrote: > Brian Raymor wrote: >> If the Application-Layer Protocol Negotiation Extension (ALPN) [RFC7301] is available in both the client and server TLS protocol stacks, CoAP over TLS implementations MUST perform protocol negotiation in TLS using the "coap" protocol identifier defined in Section 8.7. The server MAY also offer CoAP over TLS only on port number 5684 for exceptional cases where ALPN is unavailable on the client or the server. > That works for me. With these interoperability mandates, I'm generally > in favor of being very specific about what an implementation is supposed > to do or not supposed to do. Let me try to summarize: > > -- A TLS server MAY offer a coaps+tcp endpoint on TCP port 5864 if it > doesn't support ALPN and/or to accommodate TLS clients that don't. A > TLS server MAY offer coaps+tcp endpoints on TCP ports different from > 5684 if it does support ALPN. > -- On TCP ports different from 5684, a coaps+tcp TLS client MUST offer > ALPN value 'coap', and the coaps+tcp TLS server only becomes active if > the TLS server selects the ALPN value 'coap'. (If a different ALPN > value is negotiated, or if the ALPN negotiation fails and thus causes a > fatal alert, the present specification does become active.) > -- On TCP port 5684, a TLS client MAY offer ALPN value 'coap' and a > coaps+tcp TLS server MAY then select ALPN value 'coap'. (If a different > ALPN value is negotiated, or if the ALPN negotiation fails and thus > causes a fatal alert, the present specification does not become active. > **) If the client does not send ALPN at all, coaps+tcp is assumed to be > selected on port 5684 only. If the client does send ALPN, and the > server does not support ALPN, the negotiation will result in no ALPN > value being explicitly selected [check this], and, again, coaps+tcp is > assumed to be selected on port 5684 only. > **) If a different ALPN is selected on port 5864, [define behavior here]. > > Phew. Are these all the cases we need to worry about? > > Should it be allowed to negotiation ALPN ≠ 'coap' on port 5684? > (Probably yes, to enable the negotiation of a 'coap2' etc.; we can't > really restrict what can be negotiated here without predicting the > future. Or we could completely disallow the use of ALPN on port 5684.) > > Grüße, Carsten >
- Re: [core] Updates to coap-tcp-tls Brian Raymor
- Re: [core] Updates to coap-tcp-tls Brian Raymor
- Re: [core] Updates to coap-tcp-tls Christian Groves
- Re: [core] Updates to coap-tcp-tls Carsten Bormann
- Re: [core] Updates to coap-tcp-tls Brian Raymor
- Re: [core] Updates to coap-tcp-tls Carsten Bormann
- Re: [core] Updates to coap-tcp-tls Brian Raymor
- Re: [core] Updates to coap-tcp-tls Christian Groves
- Re: [core] Updates to coap-tcp-tls Brian Raymor
- Re: [core] Updates to coap-tcp-tls Hannes Tschofenig
- [core] Updates to coap-tcp-tls Brian Raymor