Re: [core] I-D Action: draft-ietf-core-attacks-on-coap-01.txt
mohamed.boucadair@orange.com Tue, 15 November 2022 07:00 UTC
From: mohamed.boucadair@orange.com
To: John Mattsson <john.mattsson@ericsson.com>, "core@ietf.org" <core@ietf.org>
Date: Tue, 15 Nov 2022 07:00:22 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/pMrd8HBNYROZVobAvCze14HcMJ0>
Hi John,

Thanks for the update. (I was confused by the WGLC mention in your initial message. It seems that you are referring to the comments received during the call for adoption.)

Cheers,
Med

From: John Mattsson <john.mattsson@ericsson.com>
Sent: Friday, 11 November 2022 15:08
To: BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com>; John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>; core@ietf.org
Subject: Re: [core] I-D Action: draft-ietf-core-attacks-on-coap-01.txt

Hi Mohamed,

As I wrote, none of the WGLC comments related to the "Request Fragment Rearrangement Attack" have been addressed. There were also comments from Jon Shallow and Achim Kraus regarding this section. We will address that in the next update. Your comment has been captured as a GitHub issue and will not be forgotten. We agree that discussion that considers RFC9177 is needed.

https://github.com/core-wg/attacks-on-coap/issues

Cheers,
John

From: core <core-bounces@ietf.org> on behalf of mohamed.boucadair@orange.com
Date: Thursday, 10 November 2022 at 20:55
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, core@ietf.org
Subject: Re: [core] I-D Action: draft-ietf-core-attacks-on-coap-01.txt

Hi John,

It has been a long time since I read this draft. It seems that this version still does not address https://mailarchive.ietf.org/arch/msg/core/GNnRO4-iE_jRb5X2HfRtV3c8Sew/. I was at least expecting to see a discussion that also considers RFC9177. Apologies if I missed any follow-up since then.

Cheers,
Med

From: core <core-bounces@ietf.org> on behalf of John Mattsson
Sent: Thursday, 10 November 2022 11:05
To: core@ietf.org
Subject: Re: [core] I-D Action: draft-ietf-core-attacks-on-coap-01.txt

Hi,

This update tries to address many but not all of the WGLC comments:

* "block attack" renamed "blocking attack"
* Added "availability" to list of required properties
* Added that the freshness definition comes from RFC 9175
* Several changes to abstract and introduction based on Achim's comment

Left to do of WGLC comments:

* All the comments related to the Request Fragment Rearrangement Attack
* Maybe more changes based on Achim's comment

Cheers,
John

From: core <core-bounces@ietf.org> on behalf of internet-drafts@ietf.org
Date: Thursday, 10 November 2022 at 10:54
To: i-d-announce@ietf.org
Cc: core@ietf.org
Subject: [core] I-D Action: draft-ietf-core-attacks-on-coap-01.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Constrained RESTful Environments WG of the IETF.

Title : Attacks on the Constrained Application Protocol (CoAP)
Authors : John Preuß Mattsson, John Fornehed, Göran Selander, Francesca Palombini, Christian Amsüss
Filename : draft-ietf-core-attacks-on-coap-01.txt
Pages : 19
Date : 2022-11-10

Abstract:

Being able to securely read information from sensors, to securely control actuators, and to not enable distributed denial-of-service attacks are essential in a world of connected and networking things interacting with the physical world. Using a security protocol such as DTLS, TLS, or OSCORE to protect CoAP is a requirement for secure operation and protects against many attacks. This document summarizes a number of known attacks on CoAP deployments and shows that just using CoAP with a security protocol like DTLS, TLS, or OSCORE is not enough for secure operation. Several of the discussed attacks can be mitigated with the solutions in RFC 9175.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-core-attacks-on-coap/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-core-attacks-on-coap-01.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-core-attacks-on-coap-01

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts

_______________________________________________
core mailing list
core@ietf.org
https://www.ietf.org/mailman/listinfo/core

_________________________________________________________________________________________________________________________
This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.