IETF Logo Mail Archive

Re: [core] [Anima] ANIMA constrained-join proxy revision to use CoAP

Esko Dijk <esko.dijk@iotconsultancy.nl> Tue, 01 November 2022 17:14 UTC

Return-Path: <esko.dijk@iotconsultancy.nl>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3391C1522C1; Tue, 1 Nov 2022 10:14:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iotconsultancy.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FNJp64Aol2O0; Tue, 1 Nov 2022 10:14:30 -0700 (PDT)
Received: from EUR05-VI1-obe.outbound.protection.outlook.com (mail-vi1eur05on2096.outbound.protection.outlook.com [40.107.21.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56C02C1522B6; Tue, 1 Nov 2022 10:14:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=SFyKAOIJWaXY/wj0urnmSi1g5k3P+x8rwV+vQXgTv5DAN3T9VAS2hfy23BEYOmhD+71u0dm5nN4Z76W/PmhUJc0Q7peOyAwO5QXasH3QlV8AIow3ajP4kVODXIEsuY4bNCw7DoV3534mz7PL01ieP5RNPmJ7OKC2InkCrDDppNOogul5ggIhmLGu8e928QLuXa0tqp8d+nfTQuELD6xypJF/XltJIoguKCv/CFJFmU7Y4N/se+X1UFlKoptP0ZbJOiM4bz4l2Q1GmfD//FAgB2Pe7a45SIo2e9HmnFbxiGmmjNmgRheMIASwumgcQsjXR0a7EaVyHd4+Zo+Yft+j/w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=FUmeCd4b4tL+PHr+NjxTlZT4GF5FzrLY3pjoMYA4C6k=; b=K6FUrrh1K40brV6aU04fXpo4eypttv8YpLa0skPrGFZhYhdgEiRS6KIL2VUFbYZ/YM6NirOZiQN7AqqN+g1VFCGM3BdG55KKSqUSsFRRUwoRnbCT3+zrhUaNBTuQtg2BEppim20kePvr0dIMeHHsww7rJb7j62xug9w9jjR9FGH6JlvLvrS5azu0azH2tSjzelUQAx87hfjsQ5ZUDnmuY2nPYDQsa4h4gDyvQi7AgzSQW+EGdGOl1wHU5dNOfNaTyDVxsjRcc0bUID/O9oss4SHowvdsuU7Iggg+AlXLCkYijeDHuc3pLfz1QiF9Sxebf3ZEGcHByAkJ+LrhbRPXSw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=iotconsultancy.nl; dmarc=pass action=none header.from=iotconsultancy.nl; dkim=pass header.d=iotconsultancy.nl; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iotconsultancy.nl; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=FUmeCd4b4tL+PHr+NjxTlZT4GF5FzrLY3pjoMYA4C6k=; b=QT/f814GqG7BO6NCqKoYFN1kS2ANFTpgE0k9i1iEV35Fhn3KDTReXVpHpM70bw+6Ess27uGQ8c3U3i6pfyW6iJP2pVOdJGiuAdV0VMp96vUg2rXIoy/HdPUWvho/38QhjRzj9TsixPzkwCHA8/zyuESc4EuI79wzpwm249x0C7M=
Received: from DU0P190MB1978.EURP190.PROD.OUTLOOK.COM (2603:10a6:10:3b9::20) by DU0P190MB1907.EURP190.PROD.OUTLOOK.COM (2603:10a6:10:3bd::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5769.19; Tue, 1 Nov 2022 17:14:23 +0000
Received: from DU0P190MB1978.EURP190.PROD.OUTLOOK.COM ([fe80::1de:9807:7495:454e]) by DU0P190MB1978.EURP190.PROD.OUTLOOK.COM ([fe80::1de:9807:7495:454e%2]) with mapi id 15.20.5769.019; Tue, 1 Nov 2022 17:14:23 +0000
From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: Toerless Eckert <tte@cs.fau.de>, Michael Richardson <mcr@sandelman.ca>
CC: "anima@ietf.org" <anima@ietf.org>, "core@ietf.org" <core@ietf.org>
Thread-Topic: [Anima] [core] ANIMA constrained-join proxy revision to use CoAP
Thread-Index: AQHY50wUjMK+iRHYYEy+QT1W7X9AfK4gVbBAgABw9gCAAABUcIAALd4AgAGXxICABg9agIABoJ6AgAAbV7A=
Date: Tue, 01 Nov 2022 17:14:23 +0000
Message-ID: <DU0P190MB19789BA139FF7805182ADDF2FD369@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
References: <Yxd/oBl0dmbmUI8L@faui48e.informatik.uni-erlangen.de> <DU0P190MB1978F420D478B93CE29F36D3FD4C9@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM> <1069641.1666559668@dyas> <1135706.1666576680@dyas> <DU0P190MB1978CB28B49E74237A238646FD309@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM> <12548.1666795972@dyas> <DU0P190MB197834901144617C0B1D3DC1FD309@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM> <25950.1666805892@dyas> <Y1rGkxZSzSI4TkWb@faui48e.informatik.uni-erlangen.de> <402818.1667226609@dyas> <Y2E5bX5hovIYT2m6@faui48e.informatik.uni-erlangen.de>
In-Reply-To: <Y2E5bX5hovIYT2m6@faui48e.informatik.uni-erlangen.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=iotconsultancy.nl;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DU0P190MB1978:EE_|DU0P190MB1907:EE_
x-ms-office365-filtering-correlation-id: 760ccd29-b937-47e4-b4a6-08dabc2c859c
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: qD3jbFVnNORqOlKIAtS8Vo6jiTA05mPD0XjEIpwZ1B2EQqYP3VcdaOlkI7fgqtlEUInr0nvFvXvmvFkcKg7gcX2PoW9Uq2PRCOnuP9ZsM7VAwKalpqMgFU7wASKwCtGVfkGlxX5WdWJ1AWwPrJJySWL/V3WaqfVAGUK2yRFrhH5wlnD6t+1bCwu/jAJuwGBpu01hofAzL+zmtXntkAJHGa9tWG1YJRQyJa2tGBJb1RNKsucWgF7QBlGZAP3gCUWN7446naWmaGXnTfY7tWy7qP2cpqAF+pWxst2Wd/DaH52SKb9OYQITZFEjgpRPihKp7K4IwwV/Ey1RMgcl9pKhMEn3lppkbyM7ubSGSWt08RWuNXtMlJaIImeDJbqdHzhEobGLKm3bUzw642tjJ0BzB6FFBDOkZA492E6haUxhmLbTECFnLhMhDJsSHJrqVGsiJh/IQm3Es0mR93NEXQSqQj95AeUejf0wfdlLeo/3E3Kl1tRwip4py98qtWv1Pl6u1xq19rjsPfrTmUbfla+A86UYy3K2xt/KJmrshs+5xo3N1pCwkk0rTMWOhV1Q6d24lWJLjc9afvDp1Zhb5rPc/ZhR8X9IA122nckkiTQL3XqXFV739ip3DE9npSR/ThLZbYCFgBExCkf2P+gWk32N5OF3O8sRsCHjH6LIpjsk1bF34P9k3HYjiZFQSigHwgiORxliztybDAmESyT9hviVBRpkwsGHHO2dYp3aWPIVclXUaXLZgWlS6GCtntQeangieMRvsTImxr7cdk+HwlgA9e3G68eo+YEFHJ5/UCYwHqY=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DU0P190MB1978.EURP190.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230022)(366004)(39830400003)(396003)(136003)(346002)(376002)(451199015)(53546011)(38070700005)(186003)(66446008)(8676002)(4326008)(66556008)(76116006)(55016003)(66946007)(66476007)(7696005)(64756008)(6506007)(5660300002)(110136005)(33656002)(44832011)(8936002)(52536014)(9686003)(966005)(86362001)(41300700001)(54906003)(316002)(83380400001)(66899015)(71200400001)(38100700002)(2906002)(122000001)(478600001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 0rdycCXwGhc0yJcfN1pxhyVYUt6FcIU/YgOmK1RonTG4BSx5QVNMA9MwRa5OIUzScsvtReKwfGaxdcycRChxA+15IrL2syGqWxgP7SuVU4AlhNbzRVkeEtXTDX3w/nLm4sOZC9aUox1TWa8zxz9Dz5UI3imx0u0jiJ/BhSXT78s0Hvj69k042oZIEm/xTH5FgXXi7DA6hkYHb9YISbVa6wfrTRCLS5FVVG51i04us28IugRxkALToS7nCPNtrYn8hBp02LZsbz0z50IZh/uZJSA45aF+13kA+5H4k43CShBlaw5ia9eIiJAVouLSOkBMTQlc0VEosEhl1/OX4dy9qmqdT2rV2Mmm+IxTQ4xd++u9h7bg6wScQOkHbRKIveZJGyUGMglTEjB4JQZTCe0t9W0zTMD0GoAbWJinST63n8dOxxYFZ5OyI0vuAxFCLcU9l6l0ZPmc0CiJJuEeorA14ZDCFeZY/HfIDt8Je1aatzht1DW+ZRQkmjn/ogQTy44N7qP+mSBFbuZd46X3549bIi3Wp1gXJ7SUDlQUq+zbI/G5DWbSwG/HuHRy9bVTSsngmIYHVGj6PsuQcJP8e+x7dmW+r6KJCeFc8biWxAjhEbW+PLr/gNI8fmhQfHFK1VcYbvSKPd//1DQvgDB/7AQpFdgFs+TMuOryZa7oONKH9KXvLlbVie2MZdB9RYRqhYVCC9ZTyTRXMDPjhGg6rf/7W+1Q2IDLuob38eEUq3qWoY2rjH4pLvMkzgiSlg9+GMje99KkN0pK1JiaZuH9DTXt4TKyVTl3UToeMDloTsu4rHPycdpX52MpIHQnvk6qyHRFDu/1MvgRCOylU2w+wXPUlMEySaAgdvOHz7fj9sFlno/6LlslfdzxdztxDIdkztGxC1k44+mNeDloQrKAFGgYlg7Hf/qblAlbObj+92EDzMZ09+oUOS89vpXqio8EcSsdlHZ9zmdNLnMX2xw13y9oJSCcLj+h57CA5ilJ1xCvdw2MorbPdd+9PXAbamOSzmb77deSczMguyG+sXGXERb68AXvxu6hu2SlI2L721V5mjH46HMaDgJ2Tse5m8op5oMy/eaBagwCd2/hMVfeWeblLuLqmGgIWIqN9a/YssPK90Gi42kIf1oEqG66H1J7GfRPN68Z8ef1gBBLYe1U6HaNZg0wItshcOoxdaDJSbiylKfj5v3lbfTBcHXnaAtB0W8aKDAcbL4AzphTjV4HIVLRa3SoNafevUGpmfRv+RBKosyta8JL2Ne+ieNIp8isRY63Wy/PhWkY9Dacq9LF/ygIw1kxngSw9y0fXDMxQDPglVBOPJgGeEl4rgA66hCG9Mx726vVB/DjB8gF5o9TiyTFTHscZem2hTjKKwY3F/iLiuHh/U9cWDYBS1A3cKQKcD4K1TOBviUkvKxJOzwswbddpTYZNmwqfvbikFUuGL+bdIqDBb6qzYBXm2pJHdfopcEn+9/CPaEOo9aNs5o4F5pjpqvRFUole8FiwkoIj9VHR1afNc01w/TBE9y1YjD/cMMogbH9IdszZWKXS7QVQrah5fzIqD9fo5Ztp41TCstw4swwxN0ze1BHgP3siEJ8rGRtjc9nViALUxvsM6KwPj3AWR9V03jF1b4Ue3CwIwXZSMsvcz39QhFOYEbuRyYLXUBcmFl8DaxurEsA23fVisSaDQ==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: iotconsultancy.nl
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DU0P190MB1978.EURP190.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 760ccd29-b937-47e4-b4a6-08dabc2c859c
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Nov 2022 17:14:23.1944 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 58bbf628-15d2-46bc-820b-863b6774d44b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: UiEKh0r9qcZonpeVWRPw3uhZ6t68Px/gknPNtDCafV/0Zf/OHKnN18GgEIAar957E17ohPFOsPkrDX0wiPO59amI7Zn2/DqPvKg459DEtsU=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DU0P190MB1907
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/yWZLCE-M8YGBHG0iVb11Ysda1Ck>
Subject: Re: [core] [Anima] ANIMA constrained-join proxy revision to use CoAP
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Nov 2022 17:14:34 -0000

The Pledge here is not using unsecured CoAP towards the Join Proxy - the Join Proxy is using unsecured CoAP towards the "Registrar-Proxy" that is situated on a specific port on the Registrar host.
So there should be no big security issues for rogue Pledges. We could of course explain in the Security Considerations section that the "Registrar-Proxy" needs to (or must) support only one CoAP resource for the Registrar-Proxy functionality and not accept requests to arbitrary other resources. Just to be complete.

Suppose that a Pledge would try to send unsecured CoAP to a Join Proxy: 
* if sent to the Join Proxy port (i.e. the DTLS port), the Join Proxy would just forward this as a data blob as usual and eventually the Registrar will try to parse the CoAP message as "DTLS" and fail.
* if sent to any other port, the Join Proxy must discard the data since it is not using the proper encryption of the (mesh) network.  The JP only has a port "open to the outside world" to relay DTLS data blobs and other ports are not open.

On the one hand if we decide to use CoAP for a particular function then we may expect implementers need to know CoAP as well and e.g. read RFC 7252. Including thinking about security issues of unsecured-CoAP. The benefit or re-use comes with that responsibility as well as the CoAP protocol is far more rich/complex than what we actually need.
But if we fear that implementers not versed in CoAP are going to mess things up, we may want to write some additional guidance. Like how to deal with the various options the client may include.

The forward/reverse proxy we tried to explain in https://datatracker.ietf.org/doc/html/draft-ietf-core-groupcomm-bis-07#section-3.5  (in the context of CoAP group communication). No pictures there unfortunately.

Esko

-----Original Message-----
From: Toerless Eckert <tte@cs.fau.de> 
Sent: Tuesday, November 1, 2022 16:21
To: Michael Richardson <mcr@sandelman.ca>
Cc: Esko Dijk <esko.dijk@iotconsultancy.nl>; anima@ietf.org; core@ietf.org
Subject: Re: [Anima] [core] ANIMA constrained-join proxy revision to use CoAP

Our proxy is an application using CoAP. In that respect it is IMHO not a bad
idea to be explicit in what options are and what options are not to be included
in the CoAP headers, and not expect that implementers should/could figure this
all out by themselves. Especially, when there are options whose inclusion and
reaction to could create a security risk.

I guess i do not understand CoAP well enough, but the wy it sounds to me,
unclusion of the Uri option would be a security risk, because it would
allow the Pledge to indicate to the constrained proxy which registrar/proxy to
connect to, right ? Which a pledge shuoldn't be able to know anyhow, but if it
was including it, it could make the proxy select a registrar proxy that it 
shouldn't use.

If we do not document this, how would an implementer be supposed to come to
the conclusion of what E.g.: Esko wrote in his reply, e.g.: that an error
would be raised (which seems what we should do).

Whats even all this terminology - forward/reverse proxy... Is there a simple
picture anyhwere in any of the RFC references explaining this ?

Thanks!
    Toerless

On Mon, Oct 31, 2022 at 03:30:09PM +0100, Michael Richardson wrote:
> Toerless Eckert <tte@cs.fau.de> wrote:
>     > Can we make sure that the text does explain why the field is not
>     > inclueded, and explain that the packet MUST be rejected if it was
>     > included ?
> 
> Why should we reject if it is included?
> 
>     > Seems like:
> 
>     > Field is not included and would cause rejection of the packet if it was
>     > present, because it is inappropriate for the initiator to choose the
>     > next hop after the proxy not only because the Pledge would not know it,
>     > but because it is also not appropriate for security purposes for the
>     > Pledge to choose it.
> 
>     > Do i correctly understand this ?
> 
> I don't think it's about the initiator choosing the next proxy.

-- 
---
tte@cs.fau.de

v2.23.0 | Report a Bug | By Email