Re: [Dots] Magnus Westerlund's Discuss on draft-ietf-dots-signal-call-home-11: (with DISCUSS) Sat, 19 December 2020 12:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B1C643A0FF2 for <>; Sat, 19 Dec 2020 04:08:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zrGw8ED0fPst for <>; Sat, 19 Dec 2020 04:08:24 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C3CD43A0F35 for <>; Sat, 19 Dec 2020 04:08:24 -0800 (PST)
Received: from ([] helo=N01332) by with esmtp (Exim 4.92.3) (envelope-from <>) id 1kqb25-0004iJ-Aq; Sat, 19 Dec 2020 12:08:21 +0000
From: <>
To: "'Magnus Westerlund'" <>, <>, <>, <>
Cc: <>, <>, <>, <>
References: <> <26637_1608218552_5FDB77B8_26637_63_1_787AE7BB302AE849A7480A190F8B93303159F25D@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <> <135d01d6d495$9b1b94e0$d152bea0$> <> <13d001d6d4bc$1c543870$54fca950$> <>
In-Reply-To: <>
Date: Sat, 19 Dec 2020 12:08:08 -0000
Message-ID: <154a01d6d5ff$9d022ab0$d7068010$>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJ2bnsKEk4cVClsqjQj7jfeJ0e02wFsH/eMAmTmvDoCv3IYJgJfyZeWApvKKO4BrKO4XKhT8zCQ
Content-Language: en-gb
Archived-At: <>
Subject: Re: [Dots] Magnus Westerlund's Discuss on draft-ietf-dots-signal-call-home-11: (with DISCUSS)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 19 Dec 2020 12:08:28 -0000

Hi Magnus,

Please see inline.



> -----Original Message-----
> From: Magnus Westerlund []
> Sent: 18 December 2020 09:53
> To:;; supjps-
> Cc:;;; draft-ietf-dots-
> Subject: Re: [Dots] Magnus Westerlund's Discuss on draft-ietf-dots-signal-call-
> home-11: (with DISCUSS)
> > > So I think there are several possible implementation paths for this. I see
> > > at least
> > > two.
> > >
> > > First, do a 5-tuple connect on UDP to filter that particular UDP flow,
> > > process the
> > > DTLS handshake for this socket and then based on ALPN decide on target
> > > process and then hand over the socket and the DTLS state to the right
> > > process.
> >
> > [Jon] UDP has no concept of accept().  If you do a connect() on a socket that
> > you have just received data on, then that updates the 5 tuple and then only
> > receives traffic matching the tuple as expected. However, it appears not
> > possible to leave the original socket ready for the next packet (from
> > different IP etc.) and set up a new socket to specifically handle the stream
> > matching the packet just received, bind(same_port), do the connect() on it
> > etc. (the bind(same_port)fails in my test).
> So I don't have a code exmample for this available, but I thought you can make
> it work with so_reuseport/so_reuseaddr. There are some downside in that the
> new
> socket can receive packets prior to the connect that just arrive.
[Jon] I was using SO_REUSEADDR, but have found a bug in my test code so I now able to bind(same_port).  While a new socket and connect() can be done to match a new UDP client, it needs to be thought through when this is done - the arrival of the first UDP packet, when the DTLS APLN is known, or when the DTLS handshake is complete.  The DOTS stack we have is Figure 3


[Jon] It is unclear to me as to how you can hand off a DTLS context to a different, non identical process along with its socket (this may be possible with OpenSSL, not sure about other TLS libraries - there is limited kernel AF_KTLS support which may help).  DTLS session resumption then also gets a lot more complicated.

[Jon] Then there is the challenge of how the received DTLS context + socket are integrated into the CoAP & DTLS stack on the receiving application so that things keep working.  In my port, it is the CoAP library that handles the sockets, not the DOTS application which would mean having customized code for the CoAP library - not ideal for maintenance long term.

[Jon] My surmise would be that implementors would say "forget this complexity with its inherent risks and just use a non-standard port"

> >
> > >
> > > Secondly, is to run some type of front end dispatcher that processes the
> > > packets
> > > and tracks all the different DTLS connection and have secure message
> passing
> > > between the front end dispatcher and the different servers. But this do
> > > requie
> > > another security model and trust relationship between the dispatcher and
> the
> > > servers.
> >
> > [Jon] This does complicate things.  The DOTS signal channel requires mutual
> > authentication of the agents and introducing some sort of man-in-middle that
> > changes the network flow IP addresses etc. and potentially changes encryption
> > characteristics breaks this mutual authentication.  It is not easy to change
> > how the base DOTS signal works.
> Sorry, I don't understand why you bring in changes to network flow IP address. I
> said secure communication here, and I mean internal to the server software
> between processes.

[Jon] I latched on to "different servers" as possibly having different backend IPs.  Here, we actually have a DOTS server (sends responses) and a DOTS client (generates requests) that traffic needs to be steered to.

> Basic interprocess communication here. Also, it might be
> that
> you can start the DTLS processing in the dispatcher and then hand over the DTLS
> state and only have encrypted UDP payloads being dispatached.

[Jon] As above, it is unclear to me as to how you can hand off a DTLS context to a different, non identical, process along with its socket and then integrate the received DTLS context into the different application.

> I would note that I think a lot of this dicsussion comes from that the
> implementation you made so far has been done based on the assumption that
> there
> would be a new port and separation rather than designing for coloaction. If we
> take the step beyond your current implenentation from a protocol perspective in
> an implementation built for co-location is there really any significant issues
> here?

[Jon] I am the sort of person that needs to implement something to prove something is practically feasible, find what the issues are and what needs to be changed based on a specification and then debate how the spec needs to be updated to make it usable.

[Jon] DOTS call home did come later to the table after the initial DOTS was done which created the DOTS client and DOTS server as different applications in the implementations done to date.  Adding in the DOTS call home logic was very simple (with different port) - simple addition of accepting new connections on the call home DOTS client which triggered the client logic start up and initiating connections on the call home DOTS server and associated configuration logic. 

[Jon] While it is only software and hence not impossible, it is significant work to merge the client and server into a single application as well as having to maintain separate applications for running on limited resource devices.  We do not want to put in barriers to implementation of this draft by making it complex to implement.  Hence using a different port for the client service and the server service.

> Cheers
> Magnus Westerlund