IETF Logo Mail Archive

Re: [core] Updates to coap-tcp-tls

Carsten Bormann <cabo@tzi.org> Mon, 15 August 2016 19:10 UTC

Return-Path: <cabo@tzi.org>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECD5F12D0D1 for <core@ietfa.amsl.com>; Mon, 15 Aug 2016 12:10:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7AXLapPywAkl for <core@ietfa.amsl.com>; Mon, 15 Aug 2016 12:10:32 -0700 (PDT)
Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [IPv6:2001:4b98:c:538::197]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B76412B053 for <core@ietf.org>; Mon, 15 Aug 2016 12:10:32 -0700 (PDT)
Received: from mfilter14-d.gandi.net (mfilter14-d.gandi.net [217.70.178.142]) by relay5-d.mail.gandi.net (Postfix) with ESMTP id CEA8C41C091; Mon, 15 Aug 2016 21:10:30 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at mfilter14-d.gandi.net
Received: from relay5-d.mail.gandi.net ([IPv6:::ffff:217.70.183.197]) by mfilter14-d.gandi.net (mfilter14-d.gandi.net [::ffff:10.0.15.180]) (amavisd-new, port 10024) with ESMTP id AcT7pJTFMLtz; Mon, 15 Aug 2016 21:10:29 +0200 (CEST)
X-Originating-IP: 93.199.227.76
Received: from nar-4.local (p5DC7E34C.dip0.t-ipconnect.de [93.199.227.76]) (Authenticated sender: cabo@cabo.im) by relay5-d.mail.gandi.net (Postfix) with ESMTPSA id B4BA941C093; Mon, 15 Aug 2016 21:10:22 +0200 (CEST)
Message-ID: <57B2139D.4030202@tzi.org>
Date: Mon, 15 Aug 2016 21:10:21 +0200
From: Carsten Bormann <cabo@tzi.org>
User-Agent: Postbox 4.0.8 (Macintosh/20151105)
MIME-Version: 1.0
To: Brian Raymor <Brian.Raymor@microsoft.com>
References: <BN6PR03MB2724411ED7FF4BAB881E7BBB831E0@BN6PR03MB2724.namprd03.prod.outlook.com> <431663ac-271a-5250-7118-58a51aea067d@gmx.net> <BN6PR03MB272487B74FFE9EB54E7B1BD4831E0@BN6PR03MB2724.namprd03.prod.outlook.com> <254432a9-9048-6809-1bdf-dce3bb17cb12@nteczone.com> <BN6PR03MB27242BDE30D71E3934B2F44D831F0@BN6PR03MB2724.namprd03.prod.outlook.com> <57AE4652.7020306@tzi.org> <BN6PR03MB2724EC60CE22C94F18AE663683120@BN6PR03MB2724.namprd03.prod.outlook.com>
In-Reply-To: <BN6PR03MB2724EC60CE22C94F18AE663683120@BN6PR03MB2724.namprd03.prod.outlook.com>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/w-kI2iYR9tX9T0furh08lQt7lqU>
Cc: "core@ietf.org" <core@ietf.org>
Subject: Re: [core] Updates to coap-tcp-tls
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Aug 2016 19:10:34 -0000

Brian Raymor wrote:
> If the Application-Layer Protocol Negotiation Extension (ALPN) [RFC7301] is available in both the client and server TLS protocol stacks, CoAP over TLS implementations MUST perform protocol negotiation in TLS using the "coap" protocol identifier defined in Section 8.7. The server MAY also offer CoAP over TLS only on port number 5684 for exceptional cases where ALPN is unavailable on the client or the server.

That works for me.  With these interoperability mandates, I'm generally
in favor of being very specific about what an implementation is supposed
to do or not supposed to do.  Let me try to summarize:

-- A TLS server MAY offer a coaps+tcp endpoint on TCP port 5864 if it
doesn't support ALPN and/or to accommodate TLS clients that don't.  A
TLS server MAY offer coaps+tcp endpoints on TCP ports different from
5684 if it does support ALPN.
-- On TCP ports different from 5684, a coaps+tcp TLS client MUST offer
ALPN value 'coap', and the coaps+tcp TLS server only becomes active if
the TLS server selects the ALPN value 'coap'.  (If a different ALPN
value is negotiated, or if the ALPN negotiation fails and thus causes a
fatal alert, the present specification does become active.)
-- On TCP port 5684, a TLS client MAY offer ALPN value 'coap' and a
coaps+tcp TLS server MAY then select ALPN value 'coap'.  (If a different
ALPN value is negotiated, or if the ALPN negotiation fails and thus
causes a fatal alert, the present specification does not become active.
**)  If the client does not send ALPN at all, coaps+tcp is assumed to be
selected on port 5684 only.  If the client does send ALPN, and the
server does not support ALPN, the negotiation will result in no ALPN
value being explicitly selected [check this], and, again, coaps+tcp is
assumed to be selected on port 5684 only.
**) If a different ALPN is selected on port 5864, [define behavior here].

Phew.  Are these all the cases we need to worry about?

Should it be allowed to negotiation ALPN ≠ 'coap' on port 5684?
(Probably yes, to enable the negotiation of a 'coap2' etc.; we can't
really restrict what can be negotiated here without predicting the
future.  Or we could completely disallow the use of ALPN on port 5684.)

Grüße, Carsten

v2.23.0 | Report a Bug | By Email