[core] Review of draft-ietf-core-groupcomm-bis-03

John Mattsson <john.mattsson@ericsson.com> Wed, 24 February 2021 23:27 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: "core@ietf.org" <core@ietf.org>
Thread-Topic: Review of draft-ietf-core-groupcomm-bis-03
Thread-Index: AQHXCwSqc4rdNewjlUGtn83ROTnvRQ==
Date: Wed, 24 Feb 2021 23:27:50 +0000
Message-ID: <E0959F68-0966-4628-94D3-F9B64F47A84C@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/xy3ImeWkbqziBhqs4NCGwNP6R7U>

Review of draft-ietf-core-groupcomm-bis-03

I think this looks very well-written. I read through most of the document quickly and found very little to comment about.

- It seems unclear to me exactly how this updates RFC 7252. Does everything in RFC 7252 still apply, or are some multicast parts replaced? In that case, which parts?

- The document seems a bit too locked to "UDP/IP multicast" for my taste. RFC 7252 left things much more open with statements like "by default, are transported over UDP". CoAP is now popular in many environments without UDP/IP, and the same will be/is true for Group CoAP. I don't see any reason why most of the things in the document could not easily be used with broadcast, geocast, unicast, and non-IP multicast. Maybe you could soften it down a bit so people wanting to use Group CoAP over Foo can still claim they are doing group CoAP draft-ietf-core-groupcomm-bis.

- I think group CoAP needs quite a bit more text on amplification attacks and DoS. There have been several negative articles regarding CoAP and DDoS in recent years. Group CoAP, with its 1 request and N responses, is an amplification in itself. Multicast Observe is even worse, 1 request and N^2 responses. Multicast can however not be used on the public Internet, which limits any attacks. The current document only mentions amplification in some specific cases. I think the draft needs to expand on the text in RFC 7252:

 "This specification attempts to reduce the
   amplification effects of multicast requests by limiting when a
   response is returned.  To limit the possibility of malicious use,
   CoAP servers SHOULD NOT accept multicast requests that can not be
   authenticated in some way, cryptographically or by some multicast
   boundary limiting the potential sources.  If possible, a CoAP server
   SHOULD limit the support for multicast requests to the specific
   resources where the feature is required."

A reader of draft-ietf-core-groupcomm-bis might think that Group OSCORE and Echo is enough to stop amplification, which is not the case. Echo only helps a bit by limiting the size of the responses but not the number of responses. An attacker can spoof the source IP of the request and a smart attacker would send it to a resource that supports multicast requests. Not sure Group OSCORE helps much at all as an attacker can take an existing group request and change the source IP. 

Cheers,
John
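
The RFC 7252 guidance quoted above (reject unauthenticated multicast requests, and serve them only on resources that need the feature), as an added example that is not from the draft or the reviewer: a minimal CoAP request parser and a server-side admission check for multicast requests. The header layout and option encoding follow RFC 7252; the policy function, its names and the sample packets are constructed here, and the `authenticated` flag stands in for the result of Group OSCORE verification or a trusted multicast boundary.

```python
import ipaddress

NON = 1          # CoAP message type Non-confirmable (RFC 7252 Section 3)
URI_PATH = 11    # option number of Uri-Path

def _ext(nibble: int, pkt: bytes, pos: int):
    """Decode the extended option delta/length forms (13 -> +1 byte, 14 -> +2 bytes)."""
    if nibble == 13:
        return pkt[pos] + 13, pos + 1
    if nibble == 14:
        return int.from_bytes(pkt[pos:pos + 2], "big") + 269, pos + 2
    if nibble == 15:
        raise ValueError("reserved option nibble")
    return nibble, pos

def parse_coap(pkt: bytes) -> dict:
    """Parse header, token and Uri-Path options of a CoAP message; other options are skipped."""
    ver, typ, tkl = pkt[0] >> 6, (pkt[0] >> 4) & 3, pkt[0] & 0xF
    if ver != 1 or tkl > 8 or len(pkt) < 4 + tkl:
        raise ValueError("malformed CoAP header")
    pos, number, path = 4 + tkl, 0, []
    while pos < len(pkt) and pkt[pos] != 0xFF:        # 0xFF is the payload marker
        byte, pos = pkt[pos], pos + 1
        delta, pos = _ext(byte >> 4, pkt, pos)
        length, pos = _ext(byte & 0xF, pkt, pos)
        number += delta                               # option numbers are delta-encoded
        if number == URI_PATH:
            path.append(pkt[pos:pos + length].decode())
        pos += length
    return {"type": typ, "code": pkt[1], "mid": int.from_bytes(pkt[2:4], "big"),
            "token": pkt[4:4 + tkl], "path": "/" + "/".join(path)}

def accept_multicast_request(pkt, dst_ip, multicast_resources, authenticated):
    """Decide whether a received request may be served at all; returns (accept, reason).
    `authenticated` is the caller's verdict (Group OSCORE verification or a trusted
    multicast boundary), as RFC 7252 Section 11.3 suggests. Hypothetical policy code."""
    msg = parse_coap(pkt)
    if not ipaddress.ip_address(dst_ip).is_multicast:
        return True, "unicast request, normal processing"
    if msg["type"] != NON:
        return False, "multicast requests must be Non-confirmable (RFC 7252 Section 8.1)"
    if not authenticated:
        return False, "unauthenticated multicast request: drop silently"
    if msg["path"] not in multicast_resources:
        return False, f"{msg['path']} not enabled for multicast: send no response at all"
    return True, "multicast request accepted"

# Constructed sample: NON GET, MID 0x1234, 1-byte token, Uri-Path "temp"
SAMPLE_NON_GET = bytes([0x51, 0x01, 0x12, 0x34, 0xAB, 0xB4]) + b"temp"
SAMPLE_CON_GET = bytes([0x41]) + SAMPLE_NON_GET[1:]      # same request sent as CON
```

Every rejected branch returns nothing on the wire, so a spoofed multicast request to a non-enabled resource costs the attacker one packet and yields zero responses.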

-----Original Message-----
From: core <core-bounces@ietf.org> on behalf of "internet-drafts@ietf.org" <internet-drafts@ietf.org>
Reply to: "core@ietf.org" <core@ietf.org>
Date: Monday, 22 February 2021 at 17:51
To: "i-d-announce@ietf.org" <i-d-announce@ietf.org>
Cc: "core@ietf.org" <core@ietf.org>
Subject: [core] I-D Action: draft-ietf-core-groupcomm-bis-03.txt


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Constrained RESTful Environments WG of the IETF.

        Title           : Group Communication for the Constrained Application Protocol (CoAP)
        Authors         : Esko Dijk
                          Chonggang Wang
                          Marco Tiloca
        Filename        : draft-ietf-core-groupcomm-bis-03.txt
        Pages           : 58
        Date            : 2021-02-22

Abstract:
   This document specifies the use of the Constrained Application
   Protocol (CoAP) for group communication, using UDP/IP multicast as
   the underlying data transport.  Both unsecured and secured CoAP group
   communication are specified.  Security is achieved by use of the
   Group Object Security for Constrained RESTful Environments (Group
   OSCORE) protocol.  The target application area of this specification
   is any group communication use cases that involve resource-
   constrained devices or networks.  This document replaces RFC7390,
   while it updates RFC7252 and RFC7641.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-core-groupcomm-bis/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-core-groupcomm-bis-03
https://datatracker.ietf.org/doc/html/draft-ietf-core-groupcomm-bis-03

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-core-groupcomm-bis-03


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

