IETF Logo Mail Archive

Re: [core] Endpoint Client Name / Endpoint Name in RD draft

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Mon, 23 April 2018 03:11 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 057B7124B0A for <core@ietfa.amsl.com>; Sun, 22 Apr 2018 20:11:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NTFADb2fkXzo for <core@ietfa.amsl.com>; Sun, 22 Apr 2018 20:11:53 -0700 (PDT)
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-db5eur01on0083.outbound.protection.outlook.com [104.47.2.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12E431243FE for <core@ietf.org>; Sun, 22 Apr 2018 20:11:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=o0ZNlYSjLrtibqni0+I3G0ANmWJuq5WoZKsmw5X6OvM=; b=dW1nnAesMcu3I8QqGhNThmszfI0x4w+7XJDRatYS5sAMnz5Pj2CBG7iU/i640dtjPm3/7yNxt6fTvi1zo5+f/Gdfbxdpir+zVPOPXG9aPjJMSrydAP5JWJ/4YK7nFDaFemnGQ1m+6olpNKJFXoAtEotDgV7QStoSjg2HV1ns0wg=
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com (10.173.75.16) by VI1PR0801MB1341.eurprd08.prod.outlook.com (10.167.197.155) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.696.13; Mon, 23 Apr 2018 03:11:50 +0000
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::35fb:6e2c:e118:5644]) by VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::35fb:6e2c:e118:5644%17]) with mapi id 15.20.0696.017; Mon, 23 Apr 2018 03:11:50 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: "Kovatsch, Matthias" <matthias.kovatsch@siemens.com>, Jim Schaad <ietf@augustcellars.com>, 'Christian Amsüss' <christian@amsuess.com>, "consultancy@vanderstok.org" <consultancy@vanderstok.org>, 'Carsten Bormann' <cabo@tzi.org>
CC: "core@ietf.org" <core@ietf.org>
Thread-Topic: [core] Endpoint Client Name / Endpoint Name in RD draft
Thread-Index: AQHT0zm23rcsFhLKykKKsIPwEtlWPKQCOhQAgAec7ACAA+NkwA==
Date: Mon, 23 Apr 2018 03:11:49 +0000
Message-ID: <VI1PR0801MB2112D28860DD3E048518C10AFA890@VI1PR0801MB2112.eurprd08.prod.outlook.com>
References: <CB28DFEA-5F9E-4C35-BD86-A37AC5C122C9@tzi.org> <ca2b6038e911d93e15e57763836a1d09@xs4all.nl> <20180413151121.GC20765@hephaistos.amsuess.com> <011701d3d4f0$46255e50$d2701af0$@augustcellars.com> <4EBB3DDD0FBF694CA2A87838DF129B3C01EF5D0D@DEFTHW99EL4MSX.ww902.siemens.net>
In-Reply-To: <4EBB3DDD0FBF694CA2A87838DF129B3C01EF5D0D@DEFTHW99EL4MSX.ww902.siemens.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: siemens.com; dkim=none (message not signed) header.d=none;siemens.com; dmarc=none action=none header.from=arm.com;
x-originating-ip: [103.40.135.62]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; VI1PR0801MB1341; 7:fF9YZc8SlOioVBEr9U9pzID7sVH8ELuNMdqB/AZIWaW3xU5pnOt0xs4Qc/iY5hVJNDoBXfQSJZkswslukYMRtPw9YUW2s6yrIytkCw1KgTYLV6KsEZ0TTEbFqI+V+sIGuooF1LKrxDOZyaMysPIxJMjM2IR5pp6cOOapKeADh9rCBBO+Yqc7XFHEFIeUCzQ830xm1wdER/I5tqWIDtzpDV+Frit30ZAMsRJlScetYjg/6xSvMKBjvGFZg3Gh2PV2
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(5600026)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020); SRVR:VI1PR0801MB1341;
x-ms-traffictypediagnostic: VI1PR0801MB1341:
x-microsoft-antispam-prvs: <VI1PR0801MB1341E9A1D696CC4A7D067153FA890@VI1PR0801MB1341.eurprd08.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(180628864354917)(278428928389397)(192374486261705)(126837547833334);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(10201501046)(3231232)(944501410)(52105095)(3002001)(93006095)(93001095)(6055026)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(20161123564045)(20161123560045)(20161123558120)(6072148)(201708071742011); SRVR:VI1PR0801MB1341; BCL:0; PCL:0; RULEID:; SRVR:VI1PR0801MB1341;
x-forefront-prvs: 06515DA04B
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(376002)(39380400002)(346002)(39850400004)(396003)(13464003)(316002)(6306002)(9686003)(5890100001)(55016002)(26005)(110136005)(5250100002)(2501003)(33656002)(8936002)(59450400001)(76176011)(93886005)(7696005)(5660300001)(8676002)(102836004)(81166006)(6436002)(66066001)(3846002)(7736002)(6506007)(53546011)(6116002)(229853002)(74316002)(3660700001)(2900100001)(966005)(53936002)(6246003)(3280700002)(305945005)(186003)(72206003)(4326008)(446003)(86362001)(11346002)(478600001)(2906002)(25786009)(476003); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR0801MB1341; H:VI1PR0801MB2112.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; MLV:sfv;
x-microsoft-antispam-message-info: KyvZYHpOLzQe+Sb4Hrjx5flpbBOjD5hkgN2dmj9rs0zdMVtsS5wEB+qFEUTJ5Kepcr4xyRBW/6+rKnBiFJfHIkQlt+UPAuts/ZgU5NcJfv+s9vxlqhzyr4cAMWf2USSCZgqbCDr28kJykJQMAmJOP5jDhHZhtYRjmUKR8rivtds9EDUHjn0oEENyqlIKgNZk
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Office365-Filtering-Correlation-Id: f5163659-e586-4423-12dd-08d5a8c7f4be
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f5163659-e586-4423-12dd-08d5a8c7f4be
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Apr 2018 03:11:49.9911 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0801MB1341
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/xTfuPiu4QO5tgYmvl3snwQJ6R1M>
Subject: Re: [core] Endpoint Client Name / Endpoint Name in RD draft
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Apr 2018 03:11:57 -0000

Hi Matthias,

I am not suggesting that the endpoint client name/endpoint name is generated by the RD. In fact, I believe the identifier used for identifying the IoT device will be selected outside the RD protocol.

> Applications will use the application-defined identifier, not a handle generated by the RD, not the security context.

Who says that? If applications make security decisions based on unauthenticated parameters then they will be toast.

Ciao
Hannes


-----Original Message-----
From: Kovatsch, Matthias [mailto:matthias.kovatsch@siemens.com]
Sent: 20 April 2018 22:46
To: Jim Schaad; 'Christian Amsüss'; consultancy@vanderstok.org; 'Carsten Bormann'
Cc: Hannes Tschofenig; core@ietf.org
Subject: AW: [core] Endpoint Client Name / Endpoint Name in RD draft

Dear list


"ep" is an application-defined identifier for the registered endpoint. It is a parameter for registration, but also a target attribute that will have the same value. The RD must store the "ep" parameter for each registered endpoint and attach it as target attribute to all the corresponding links it returns. As Peter stated, when "ep" is not unique, the client must also provide "d", which must be processed similarly by the RD.

As target parameter, it is used during lookup. Applications will use the application-defined identifier, not a handle generated by the RD, not the security context. When a commissioning tool is registering an endpoint, the security context is also different from the endpoint's security context, and hence it cannot be used as endpoint identifier.

As a result, "ep" must not be removed.

I think "ep", just like the other registration parameters that are also target attributes, should receive its own sub-section with a proper definition and explanation.


Related to this is the proper definition of "ins", which unfortunately was moved over to the core-rd-dns-sd draft. "ins" is used to distinguish resources with the same "rt". Originally, it was used for resource within the same device (e.g., </t1>;rt=temperature;ins=indoor,</t2>;rt=temperature;ins=outdoor). By now, it often is assumed to require global uniqueness. I claim that this is not required when "ep" is used correctly. Using a hierarchy of "d" -> "ep" -> "ins" provides more flexibility than making "ins" globally unique. "ins" can still have a global meaning (cf. indoor vs outdoor), but it should be re-usable for all resources with similar instance semantics. Uniqueness is achieved through "d" and "ep".

I think "ins" should become part of the RD draft again to be defined together with "d" and "ep", as they are part of a larger discovery framework.


Best wishes,
Matthias



> -----Ursprüngliche Nachricht-----
> Von: core [mailto:core-bounces@ietf.org] Im Auftrag von Jim Schaad
> Gesendet: Sonntag, 15. April 2018 21:31
> An: 'Christian Amsüss'; consultancy@vanderstok.org; 'Carsten Bormann'
> Cc: 'Hannes Tschofenig'; core@ietf.org
> Betreff: Re: [core] Endpoint Client Name / Endpoint Name in RD draft
>
>
>
> > -----Original Message-----
> > From: core <core-bounces@ietf.org> On Behalf Of Christian Amsüss
> > Sent: Friday, April 13, 2018 8:11 AM
> > To: consultancy@vanderstok.org; Carsten Bormann <cabo@tzi.org>
> > Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; core@ietf.org
> > Subject: Re: [core] Endpoint Client Name / Endpoint Name in RD draft
> >
> > On Mon, Apr 09, 2018 at 10:04:07AM +0200, peter van der Stok wrote:
> > > > I am curious what we lose if we remove this identifier altogether.
> > > > The only thing that comes to my mind is a debugging capability
> > > > where you might want to test your system without any security protocol.
> > >
> > > Probably, I completely misunderstand your suggestion.
> > > Registrations in the RD need identification so that they can be
> > > changed, removed , updated, etc...
> >
> > Well, the manipulation (change, removal, update) already happens
> > independently of the endpoint name or domain; that is just bound to
> > the registration resource.
> >
> > In the current text, we allow that the endpoint name is not given at
> > registration time if it is explicitly configured and the RD can
> > recognize the endpoint by its security context.
> >
> > > Registrations are identified by the (ep, d) pair, unique within a given RD.
> > > Removing ep identifier will force you to find another identifier
> > > for a registration.........
> > > and you are back to square 1 it seems.
> >
> > In any authenticated context, that can identifier can be the security context.
> > How that can be expressed at lookup is an open question.
> > An endpoint name string can be what glues those together.
> >
> > On Mon, Apr 09, 2018 at 10:14:54AM +0200, Carsten Bormann wrote:
> > > The argument seems to be that if a client holds an authorization
> > > to register at an RD, that authorization may imply a specific
> > > endpoint name.  (I’m not sure that is always true, as the
> > > authorization may be based on a claim that does not happen to
> > > provide an obvious candidate for that.)
> > >
> > > To discuss this further, we’ll need to discuss authorization
> > > models for RD access.  Maybe high time in any case…
> >
> >
> > Could everybody maybe sketch how they'd express the permissions they
> > would like to set on their RDs?
> >
> >
> > I'll start with some arbitrary ones that might be useful (at least
> > with some help from Cunningham's Law):
> >
> > TrustTheWebCAs: "This RD accepts any registration, provided who
> > registers can present a X509 certificate chain to my system
> > certificates that carries a Common Name or Subject Alternative Name
> > that matches the host name they give in their con".
>
> TrustTheWebCAs + GodBit: This RD accepts any registration, provided
> who registers can present an X509 certificate chain to my system certificates that carries a common or alternative name (or maybe an EKU) that matches to the God criteria.
>
> >
> > RequireEKU: "Like TrustTheWebCAs, and if it wants to set an endpoint
> > type (et=), that must be justified by an Extended Key Usage in the certificate."
>
> I would probably generalize this rule to - The RD may extract
> additional information from the certificate beyond the naming to either enforce or supplement attributes set such as endpoint types or domains.
>
> >
> > EPFromACE: "This RD uses /reg/${domain}/${endpoint} as registration URIs.
> > An endpoint can only register if it holds an ACE-AIF token to POST
> > to that resource issued by my Authorization Server (AS)."
>
> EPFromACE2:  This RD uses /reg?ep=${endpoint}&d=${domain} as
> registration URIs.  An endpoint can only register if it holds an ACE-
> AIF token to POST to that resource issued by my Authorization Server (AS).  The token may contain values for fields in the URI-queries which are to be either enforced, or set if not present in the registration request.  Examples are ep, d, et.
>
> >
> > PNFromACE: "This RD allows registration of arbitrary endpoints, but
> > advertising an at=... (registration) or ol=... (link) attribute (see
> > core-protocol-negotiation) requires that that value is contained in
> > an ACE token from my AS."
>
> RSFromACE: This RD allows registration of endpoints, but restricts the
> resources that can be registered.  All resources registered must be filtered by matching one of a number of patterns potentially with values that can be defaulted in.
>
> Jim
>
> >
> >
> > Best regards
> > Christian
> >
> > --
> > To use raw power is to make yourself infinitely vulnerable to greater powers.
> >   -- Bene Gesserit axiom
>
> _______________________________________________
> core mailing list
> core@ietf.org
> https://www.ietf.org/mailman/listinfo/core
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email