Re: [core] I-D Action: draft-ietf-core-stateless-02.txt

Thomas Fossati <Thomas.Fossati@arm.com> Tue, 22 October 2019 12:00 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/core/tVZJ7iCUTtn1sSLeFcicagCB4eg>

Hi Klaus,

On 22/10/2019, 12:08, "Klaus Hartke" <hartke@projectcool.de> wrote:
> Thomas Fossati wrote:
> > > The intention was to say: If the value is less than 8, then it shall
> > > be set to 8. If it's greater than 65804, then it shall be set to
> > > 65804. I thought that's what clamping means, no?
> >
> > Sure, it's not "clamp" but the following "to be *within* this range"
> > that creates the ambiguity.
>
> So maybe just this?
>
>             The option value MUST NOT be less than 8 or greater than
>             65804.  When an option value outside this range is
>             received, the value MUST be clamped to this range.
>
> (I'm not a native speaker; help is appreciated.)

The poor soul version:

The option value MUST NOT be less than 8 or greater than 65804.  If
the received option has a value greater than 65804, then it MUST be
set to 65804.  If the received option has a value less than 8,
then it MUST be set to 8.

> > Thanks.  This is exactly what I meant by "dense": it looks like there is
> > an interesting amount of relevant information that is left implicit.  I
> > think articulating the assumptions as you just did will make it easier
> > on future readers.
> >
> > [...]
> >
> > The latter looks like a 4.xx to me.
>
> Like so?
>
>    If a server supports extended token lengths but receives a request
>    with a token of a length it is unwilling or unable to handle, it MUST
>    NOT reject the message, as that would imply that extended token
>    lengths are not supported at all.  Instead, if the condition is
>    temporary, it SHOULD return a 5.03 (Service Unavailable) response.
>    If the condition is permanent,

     such as when the client is sending a large token that the server
     will never be able to handle,

>    it SHOULD return a 4.00 (Bad Request)
>    response.
>
>    Design Note:  The requirement to return an error response when a
>       request cannot be handled might seem somewhat contradictory.
>       However, handling a request usually involves a number of steps
>       from receiving the message to handing it over to application
>       logic.  The idea is that a server implementing this document at
>       least should support large tokens in the first few steps (enough
>       to return an error response rather than a Reset message).

Looks great, thanks.

Cheers, t

PS: I couldn't find the GitHub repo, so I'm sticking here what I'd have
    written there:

Unfortunately, it is easy to misuse counter mode.  If counter block
values are ever used for more than one encryption operation with the
same key then the same key stream will be used to encrypt both
plaintexts and the confidentiality guarantees are voided. Devices with
low-entropy sources -- as is typical with constrained devices, which
incidentally happen to be a natural candidate for the stateless
mechanism described in this document -- need to carefully pick a nonce
generation mechanism that provides the above uniqueness guarantee.
Besides, since it can be extremely difficult to use AES-CCM securely
when using statically configured keys, implementations SHOULD use
automated key management [BCP107].
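
The keystream reuse described in the PS above, and one nonce-allocation scheme that avoids it without relying on an entropy source, shown as an added example that is not part of the original message or of the draft. HMAC-SHA256 stands in for the AES block cipher so the sketch runs on the standard library alone, and only the counter-mode encryption is modelled, not the CCM authentication tag. `NonceSequence`, the `store` dict (standing in for non-volatile storage), the key and the sample plaintexts are constructed for illustration.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode: keystream block i = PRF(key, nonce || i).
    # HMAC-SHA256 is a stand-in for AES here (assumption of this sketch).
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))

class NonceSequence:
    """Nonces from a monotonic counter; needs no entropy source.

    A block of values is reserved in persistent storage *before* any of
    them is used, so a reboot resumes past every nonce already handed out.
    """
    def __init__(self, store: dict, reserve: int = 16):
        self.store, self.reserve = store, reserve
        self.next = self.limit = store.get("reserved_up_to", 0)

    def take(self) -> bytes:
        if self.next >= self.limit:
            self.limit = self.next + self.reserve
            self.store["reserved_up_to"] = self.limit  # persist first
        value, self.next = self.next, self.next + 1
        return value.to_bytes(8, "big")

# Constructed sample data: a fixed key and two serialized-state plaintexts.
KEY = bytes(range(16))
P1, P2 = b"state: hop=A seq=1", b"state: hop=B seq=7"

def leak_with_reused_nonce() -> bool:
    # Same key + same nonce: the keystream cancels out of C1 xor C2.
    nonce = bytes(8)
    c1, c2 = ctr_encrypt(KEY, nonce, P1), ctr_encrypt(KEY, nonce, P2)
    return xor(c1, c2) == xor(P1, P2)

def leak_with_sequence_nonces() -> bool:
    seq = NonceSequence(store={})
    c1, c2 = ctr_encrypt(KEY, seq.take(), P1), ctr_encrypt(KEY, seq.take(), P2)
    return xor(c1, c2) == xor(P1, P2)
```

The counter guarantees uniqueness only for one key. A statically configured key shared by several devices, or reinstalled after the counter storage is wiped, brings the reuse back.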
