IETF Logo Mail Archive

Re: [core] DTLS and Epochs

"weigengyu" <weigengyu@vip.sina.com> Fri, 09 June 2017 18:26 UTC

Return-Path: <weigengyu@vip.sina.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5257712871F for <core@ietfa.amsl.com>; Fri, 9 Jun 2017 11:26:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.918
X-Spam-Level:
X-Spam-Status: No, score=-1.918 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3sK8HY-maEDJ for <core@ietfa.amsl.com>; Fri, 9 Jun 2017 11:26:01 -0700 (PDT)
Received: from smtp-6-45.vip.sina.com.cn (r3-67.sinamail.sina.com.cn [202.108.3.67]) by ietfa.amsl.com (Postfix) with SMTP id 7199F12708C for <core@ietf.org>; Fri, 9 Jun 2017 11:25:59 -0700 (PDT)
Received: from unknown (HELO WeiGengyuPC)([114.246.137.206]) by vip.sina.com with ESMTP 10 Jun 2017 02:25:55 +0800 (CST)
X-Sender: weigengyu@vip.sina.com
X-Auth-ID: weigengyu@vip.sina.com
X-SMAIL-MID: 624005222411
Message-ID: <17939BECECE744D098EA88260AEDF9B4@WeiGengyuPC>
From: weigengyu <weigengyu@vip.sina.com>
To: Carsten Bormann <cabo@tzi.org>, "Kraus Achim (INST/ECS4)" <Achim.Kraus@bosch-si.com>, Simon Bernard <contact@simonbernard.eu>
Cc: core@ietf.org
References: <003501d2cd32$c4417a10$4cc46e30$@augustcellars.com> <CAAzbHvYb39cPMmw_S0eZ4RSwzzmcE7636tjyu=kyCbUtBOwb0g@mail.gmail.com> <005e01d2cd8f$ae548dc0$0afda940$@augustcellars.com> <BC45A96C78AE43AF896A65A184D287B5@WeiGengyuPC> <014601d2daf1$8f1865c0$ad493140$@augustcellars.com> <849AEC05-87E3-48A7-B5C6-E6B6C8DC98D5@tzi.org> <015501d2dafe$dc53e640$94fbb2c0$@augustcellars.com> <0EE7D28C4BD94A4BB8ACA70FF0182BFC@WeiGengyuPC> <000001d2db51$a7d31c30$f7795490$@augustcellars.com> <B6BE0059DC7749D6AA5621CAE49E5073@WeiGengyuPC> <000301d2db56$24df9ab0$6e9ed010$@augustcellars.com> <35046B0695F64F97ABE9E1965062E7FC@WeiGengyuPC> <83c2fca38c534509aa77241aa3105aad@FE-MBX1027.de.bosch.com> <4FC55496-308A-4FCA-8003-6E0B4BB92015@tzi.org> <88a7de1d-f9fe-3743-a58c-5cdd5ad7b82a@simonbernard.eu> <E76C28F9D5434CEAB7A9EB0C82011581@WeiGengyuPC> <33b06763-4315-dfb1-8551-988149d3d422@simonbernard.eu>
In-Reply-To: <33b06763-4315-dfb1-8551-988149d3d422@simonbernard.eu>
Date: Sat, 10 Jun 2017 02:25:55 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0189_01D2E190.E3AAFDA0"
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/sVRF3QETCsEE4P0rlcOXBrOBvqs>
Subject: Re: [core] DTLS and Epochs
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jun 2017 18:26:05 -0000

Hi, 

> The issue :  this time this is not the peer with the dynamic IP address which must initiate the relation. 

As the IP address change at any side will invoke to establish a new DTLS association, 
the CoAP Observe entity should handle One Observation over different DTLS associations.
In current Observe standard context, One Observation is implied to be delivered only over one-unchanged DTLS.

> Another issue :  NAT timeout is sometime around 60s so for some use case we need to re-established observe relation each time we receive a notification ? 
> This is not the spirit of the observe feature.

When the IP address is changed, it is Inevitable to establish a new DTLS association, the CoAP Observer entity have to handle this change to keep the observe relations,
something as mentioned the connection ID proposed by Fossati draft-fossati-tls-iot-optimizations-00.

Making the spirit of the observe feature available, the CoAP client and CoAP server needs to have some abilities: 
1. to handle to establish a new DTLS association when IP address is changed;
2. to keep and understand an Observe relationship by some Identities;
3. to deliver the same Observation (Notifications) over different DTLS associations. 

Regards,

Gengyu WEI
Network Technology Center
School of Computer 
Beijing University of Posts and Telecommunications

From: Simon Bernard 
Sent: Saturday, June 10, 2017 1:22 AM
To: weigengyu ; Carsten Bormann ; Kraus Achim (INST/ECS4) 
Cc: core@ietf.org 
Subject: Re: [core] DTLS and Epochs

This is the point. We agree that a new DTLS association must be established. It's ok as generally this is the peer which has a dynamic IP which will initiate this handshake. This is not optimal but this is ok (some solution is explored to optimize that like the connection ID proposed by Fossati draft-fossati-tls-iot-optimizations-00)


Let's suppose a peer with dynamic IP address is observed and send notification. When its IP address changes a new observe relation should also be established to respect the same epoch/same connection constraint. If we don't, observe notifications should be dropped. The issue :  this time this is not the peer with the dynamic IP address which must initiate the relation. Another issue :  NAT timeout is sometime around 60s so for some use case we need to re-established observe relation each time we receive a notification ? This is not the spirit of the observe feature.


Le 09/06/2017 à 18:23, weigengyu a écrit :

  Hi all,

  In DTLS there is a formal to calculate a cookie: 
        Cookie = HMAC(Secret, Client-IP, Client-Parameters)
  Cookie is related to the Client-IP address and used during DTLS handshakes. 

  If the IP address is changed just during handshanke stage, the handshake will not continue.  
  Then it must start a new DTLS shandshake with the new IP address.

  If the IP address is changed during DTLS record delivery after a successfule handshake, 
  the DTLS record carried in a new IP address would be treated to belong to a different DTLS association. 
  In a receiving side with an unchanged IP address, the DTLS record would be regarded as an invalide one to be discarded according to RFC6347. 

  So, for CoAP Observe if the IP address is changed, a new DTLS association must be establishied. 


  Regards,

  Gengyu WEI
  Network Technology Center
  School of Computer 
  Beijing University of Posts and Telecommunications

  From: Simon Bernard 
  Sent: Friday, June 09, 2017 6:35 PM
  To: Carsten Bormann ; Kraus Achim (INST/ECS4) 
  Cc: core@ietf.org 
  Subject: Re: [core] DTLS and Epochs

  Hi,

    We faced this issue when we tried to make observe work behind NAT in a LWM2M context.

    My understanding is  "same epoch" means implicitly "same DTLS connection too" which is a real issue in dynamic IP address environment (as DTLS connection is identified by IP address). "same epoch" means "no TLS renegociation".


    IMHO, "same epoch/connection" should be replaced by "same identity" (PSK identity for PSK, public key for RPK, CN for certificate) for authenticated peer or "same session" for non-authenticated. In case you want to allow TLS renegotiation you should add "same cipher" too. But TLS renegotiation seems to be not advisable for DTLS 1.2 : https://tools.ietf.org/html/rfc7925#section-17 and removed to DTLS 1.3 last time I looked at it.

    I initially think about that for observe request, but maybe it can be generalized to all request/response correlation.


    Here some discussion about this idea :
       - https://www.ietf.org/mail-archive/web/core/current/msg08019.html
       - https://www.ietf.org/mail-archive/web/core/current/msg08004.html

  Simon


  Le 08/06/2017 à 11:08, Carsten Bormann a écrit :

On Jun 8, 2017, at 10:17, Kraus Achim (INST/ECS4) mailto:Achim.Kraus@bosch-si.com wrote:
It's still unclear to me, if this should be considered to be the "same epoch" in the meaning of RFC7252.   

I pointed to that last summer (https://www.ietf.org/mail-archive/web/core/current/msg07816.html), but I could get clarification on that.
I think that we can agree that the current definition is
— not fully clear
— unrealistic in certain implementation environments (so it may not actually be implemented)
— unnecessarily restrictive.

Now the next question is what definition would
— make sense from an implementers’ point of view
— not be unnecessarily restrictive
— retain the desirable security properties of the current restrictive definition
- be clear
- maybe also make sense for DTLS 1.3 (which isn’t fully baked yet).

(And then we have to figure out the process for fixing it — that is not too hard once we know the extent of the change that needs to me made.  E.g., an RFC updating RFC 7252.)

Grüße, Carsten

_______________________________________________
core mailing list
core@ietf.org
https://www.ietf.org/mailman/listinfo/core


------------------------------------------------------------------------------
  _______________________________________________
  core mailing list
  core@ietf.org
  https://www.ietf.org/mailman/listinfo/core

v2.23.0 | Report a Bug | By Email