IETF Logo Mail Archive

Re: [Dots] TLS APLN extension

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Mon, 28 May 2018 13:28 UTC

Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DAAF127078 for <dots@ietfa.amsl.com>; Mon, 28 May 2018 06:28:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N4CH-DycmfkU for <dots@ietfa.amsl.com>; Mon, 28 May 2018 06:28:26 -0700 (PDT)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5DFA124E15 for <dots@ietf.org>; Mon, 28 May 2018 06:28:25 -0700 (PDT)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1527514100; h=From: To:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-microsoft-exchange-diagnostics: x-ms-exchange-antispam-srfa-diagnostics:x-microsoft-antispam: x-ms-traffictypediagnostic:x-microsoft-antispam-prvs: x-exchange-antispam-report-test:x-ms-exchange-senderadcheck: x-exchange-antispam-report-cfa-test:x-forefront-prvs: x-forefront-antispam-report:received-spf:x-microsoft-antispam-message-info: spamdiagnosticoutput:spamdiagnosticmetadata: Content-Type:Content-Transfer-Encoding:MIME-Version: X-MS-Office365-Filtering-Correlation-Id:X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Threshold: X-NAI-Spam-Score:X-NAI-Spam-Version; bh=q +BJGE/+80CAnW2WAnNtmTJvgf9U/6F8acl48+2FiJ k=; b=PBxhXkqFv9VK9qZBISP/3Tqxfo7ycuSEyERqfMc2ya+r Yq3qSLwBtJSXDD7O07wPFAxMPDo3eb+RcnFWBvauDyn4+V/TG5 ui41+/BA+2qG8NXfPueLRASv/8QwUTHeEsd50KyfeumaLancai XuIh16UMZNJZiNMbNAEBoOW2kqM=
Received: from DNVEXAPP1N05.corpzone.internalzone.com (unknown [10.44.48.89]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 0cbe_8dfb_d03eb9ab_7e82_4aaa_ac1f_50572c33c3cc; Mon, 28 May 2018 08:28:19 -0500
Received: from DNVEXUSR1N11.corpzone.internalzone.com (10.44.48.84) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Mon, 28 May 2018 07:28:14 -0600
Received: from DNVEXUSR1N10.corpzone.internalzone.com (10.44.48.83) by DNVEXUSR1N11.corpzone.internalzone.com (10.44.48.84) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Mon, 28 May 2018 07:28:14 -0600
Received: from DNVO365EDGE1.corpzone.internalzone.com (10.44.176.66) by DNVEXUSR1N10.corpzone.internalzone.com (10.44.48.83) with Microsoft SMTP Server (TLS) id 15.0.1347.2 via Frontend Transport; Mon, 28 May 2018 07:28:14 -0600
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (10.44.176.242) by edge.mcafee.com (10.44.176.66) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Mon, 28 May 2018 07:28:11 -0600
Received: from BN6PR16MB1425.namprd16.prod.outlook.com (10.172.207.19) by BN6PR16MB1777.namprd16.prod.outlook.com (10.172.28.141) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.797.11; Mon, 28 May 2018 13:28:12 +0000
Received: from BN6PR16MB1425.namprd16.prod.outlook.com ([fe80::601e:a909:b9fe:31bd]) by BN6PR16MB1425.namprd16.prod.outlook.com ([fe80::601e:a909:b9fe:31bd%8]) with mapi id 15.20.0797.017; Mon, 28 May 2018 13:28:12 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Jon Shallow <supjps-ietf@jpshallow.com>, Benjamin Kaduk <kaduk@mit.edu>, "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] TLS APLN extension
Thread-Index: AdPw2PQOXpzyKiqHQ7+v5FEn8F2ThwAyFv1gACMjQgAAEIhhgAD2J+BAAAW7tYAAASl3AAABoyIAAABIZbA=
Date: Mon, 28 May 2018 13:28:12 +0000
Message-ID: <BN6PR16MB1425C4A5A36C10D3F2961038EA6E0@BN6PR16MB1425.namprd16.prod.outlook.com>
References: <13d301d3f0d8$f66f7c60$e34e7520$@jpshallow.com> <787AE7BB302AE849A7480A190F8B93302DF1E28F@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <20180523003451.GG10597@kduck.kaduk.org> <15bc01d3f26f$fecf3380$fc6d9a80$@jpshallow.com> <BN6PR16MB142569E727B738DA81844E73EA6E0@BN6PR16MB1425.namprd16.prod.outlook.com> <18b001d3f65f$8d47df20$a7d79d60$@jpshallow.com> <BN6PR16MB14254F55D58FD5EE301C6CADEA6E0@BN6PR16MB1425.namprd16.prod.outlook.com> <18d701d3f66a$bfd2dcf0$3f7896d0$@jpshallow.com>
In-Reply-To: <18d701d3f66a$bfd2dcf0$3f7896d0$@jpshallow.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.0.300.84
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [122.171.30.86]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN6PR16MB1777; 7:F3LU0RHVqpL+mGqy59z2R7TkpNYVDf+D8tXxBzsmVGh/kOUBrSG2XQ0lM0/2VzfGC/vxHin8w7QOUHY2aEmJfAvK+ojiIv7Rwd1AEp/oBaOOPn5hDjrBuLybE3lSROxSg5ID8JppltJzQExgSIHB2DYSplwHzedf77vx8P2m+xLEGHOegr4hjXVG8PTAWoGStiK3AlZDzuStOaEPnJKzYdDzze8V1QSged0A8xsqy6AeuNF2s+KC344C8jjF4/UY
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(5600026)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020); SRVR:BN6PR16MB1777;
x-ms-traffictypediagnostic: BN6PR16MB1777:
x-microsoft-antispam-prvs: <BN6PR16MB1777B9155B3C8103F8916297EA6E0@BN6PR16MB1777.namprd16.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(18271650672692)(240460790083961)(123452027830198);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(3002001)(3231254)(944501410)(52105095)(93006095)(93001095)(10201501046)(149027)(150027)(6041310)(20161123560045)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(20161123562045)(6072148)(201708071742011)(7699016); SRVR:BN6PR16MB1777; BCL:0; PCL:0; RULEID:; SRVR:BN6PR16MB1777;
x-forefront-prvs: 06860EDC7B
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(39860400002)(366004)(346002)(39380400002)(376002)(189003)(199004)(57704003)(13464003)(32952001)(476003)(74316002)(9686003)(3846002)(93886005)(486006)(53936002)(6116002)(33656002)(446003)(3280700002)(3660700001)(966005)(2906002)(97736004)(7736002)(53546011)(2501003)(186003)(55016002)(5890100001)(102836004)(110136005)(8936002)(5250100002)(2201001)(86362001)(76176011)(6436002)(68736007)(6506007)(26005)(6306002)(59450400001)(6246003)(81156014)(80792005)(2171002)(8676002)(105586002)(81166006)(7696005)(66066001)(305945005)(106356001)(11346002)(478600001)(2900100001)(5660300001)(99286004)(229853002)(14454004)(25786009)(72206003)(316002)(217873001)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:BN6PR16MB1777; H:BN6PR16MB1425.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: GWpwu6XBHm5PqnM/l1ltiBQYYfP/wxHha70ZYF8fQuQaoc/NrtbwnhPEfYVkMkB/aaipu76eCFV/dZRde+ShbH0tj9rq03IgLv1JJtfVMbev9/yrprYefu3sPcblAUkn64+3MdDMNuX3+4owpvpMGXQi1l15Sj9Eg3pfhOGPYC1dYi7qWJvKBx0mwbYOEtkVaNA3yP/QNiKMTKmPSRET1Q==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Office365-Filtering-Correlation-Id: fcc7c3af-af68-49c2-2f5c-08d5c49edc51
X-MS-Exchange-CrossTenant-Network-Message-Id: fcc7c3af-af68-49c2-2f5c-08d5c49edc51
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 May 2018 13:28:12.1571 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR16MB1777
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0
X-NAI-Spam-Version: 2.3.0.9418 : core <6295> : inlines <6661> : streams <1788047> : uri <2648627>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/6kx-C15ze2_h12pJLyUW5zFfQTA>
Subject: Re: [Dots] TLS APLN extension
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 May 2018 13:28:28 -0000

> -----Original Message-----
> From: Jon Shallow [mailto:supjps-ietf@jpshallow.com]
> Sent: Monday, May 28, 2018 3:31 PM
> To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>;
> Benjamin Kaduk <kaduk@mit.edu>; mohamed.boucadair@orange.com;
> dots@ietf.org
> Subject: RE: [Dots] TLS APLN extension
> 
> This email originated from outside of the organization. Do not click links or
> open attachments unless you recognize the sender and know the content is safe.
> 
> Hi Tiru,
> 
> I agree the DOTS server has to send back a "coap" if it receives a ALPN request
> over TCP.  Do we need to state this in the Draft?

No, but I think https://tools.ietf.org/html/draft-ietf-dots-signal-channel-19#section-3 needs to point to both 
RFC7252 and RFC8323.

Cheers,
-Tiru

> 
> Regards
> 
> Jon
> 
> -----Original Message-----
> From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Konda, Tirumaleswar
> Reddy
> Sent: 28 May 2018 10:49
> To: Jon Shallow; Benjamin Kaduk; mohamed.boucadair@orange.com;
> dots@ietf.org
> Subject: Re: [Dots] TLS APLN extension
> 
> > -----Original Message-----
> > From: Jon Shallow [mailto:supjps-ietf@jpshallow.com]
> > Sent: Monday, May 28, 2018 2:11 PM
> > To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>;
> > Benjamin Kaduk <kaduk@mit.edu>; mohamed.boucadair@orange.com;
> > dots@ietf.org
> > Subject: RE: [Dots] TLS APLN extension
> >
> >
> >
> > Hi Tiru,
> >
> > I agree that it makes no sense to have our own ALPN - "coap" is fine
> > as that is describing the next protocol layer up.  However, I did
> > raise the question in case the DOTS Server needs to respond to a DOTS
> > client that is correctly following RFC 8323 and expecting to see back a ALPN
> response.
> 
> The DOTS server will not be running on 5684. If the DOTS server is correctly
> following RFC8323, it should respond with ALPN response "coap".
> 
> -Tiru
> 
> >
> > "If the TLS server either does not negotiate the ALPN extension or
> > returns a no_application_protocol alert, the TLS client MUST close the
> connection."
> >
> > Regards
> >
> > Jon
> >
> > -----Original Message-----
> > From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Konda,
> > Tirumaleswar Reddy
> > Sent: 28 May 2018 07:03
> > To: Jon Shallow; 'Benjamin Kaduk'; mohamed.boucadair@orange.com;
> > dots@ietf.org
> > Subject: Re: [Dots] TLS APLN extension
> >
> > Although coaps+tcp URI scheme is used by DOTS signal channel, we have
> > not yet seen any requirement where multiple protocols will be run on
> > the DOTS server port number 4646.
> > I don't see the need to define a new ALPN for DOTS signal channel.
> >
> > Cheers
> > -Tiru
> >
> > > -----Original Message-----
> > > From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Jon Shallow
> > > Sent: Wednesday, May 23, 2018 1:58 PM
> > > To: 'Benjamin Kaduk' <kaduk@mit.edu>; mohamed.boucadair@orange.com;
> > > dots@ietf.org
> > > Subject: Re: [Dots] TLS APLN extension
> > >
> > >
> > >
> > > Hi Ben,
> > >
> > > The DOTS signal spec calls for CoAP secured by running over (D)TLS
> > > (either UDP and/or TCP), and CoAP over TLS is coaps+tcp.  So, yes,
> > > both coaps and
> > > coaps+tcp have to be supported.
> > >
> > > For example, I can use the github libcoap coap-client (Pull Request
> > > #176
> > > installed) and do "coap-client -c cert.pem
> > > coaps+tcp://127.0.0.1:4646/.well-known/dots/v1/config" against my
> > > coaps+DOTS
> > > server and get back binary data (it is CBOR encoded).
> > >
> > > Regards
> > >
> > > Jon
> > >
> > > -----Original Message-----
> > > From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Benjamin
> > > Kaduk
> > > Sent: 23 May 2018 01:35
> > > To: mohamed.boucadair@orange.com
> > > Cc: Jon Shallow; dots@ietf.org
> > > Subject: Re: [Dots] TLS APLN extension
> > >
> > > The dedicated port number is only somewhat relevant, I think -- the
> > > main question is whether the coaps+tcp URI scheme is in use.  The
> > > RFC
> > > 8323 requirements only come into play for that URI scheme.
> > >
> > > -Ben
> > >
> > > On Tue, May 22, 2018 at 07:54:39AM +0000,
> > mohamed.boucadair@orange.com
> > > wrote:
> > > > Re-,
> > > >
> > > > Do we need this given that DOTS is using a dedicated port number?
> > > >
> > > > Cheers,
> > > > Med
> > > >
> > > > De : Dots [mailto:dots-bounces@ietf.org] De la part de Jon Shallow
> > > > Envoyé : lundi 21 mai 2018 09:55 À : dots@ietf.org Objet : [Dots]
> > > > TLS APLN extension
> > > >
> > > > Hi there,
> > > >
> > > > As per RFC 8323: 8.2.  coaps+tcp URI Scheme
> > > >
> > > > ....
> > > >
> > > >    o  If a TLS server does not support the Application-Layer Protocol
> > > >       Negotiation (ALPN) extension [RFC7301] or wishes to accommodate
> > > >       TLS clients that do not support ALPN, it MAY offer a coaps+tcp
> > > >       endpoint on TCP port 5684.  This endpoint MAY also be ALPN
> > > >       enabled.  A TLS server MAY offer coaps+tcp endpoints on ports
> > > >       other than TCP port 5684, which MUST be ALPN enabled.
> > > >
> > > >    o  For TCP ports other than port 5684, the TLS client MUST use the
> > > >       ALPN extension to advertise the "coap" protocol identifier (see
> > > >       Section 11.7) in the list of protocols in its ClientHello.  If the
> > > >       TCP server selects and returns the "coap" protocol identifier
> > > >       using the ALPN extension in its ServerHello, then the connection
> > > >       succeeds.  If the TLS server either does not negotiate the ALPN
> > > >       extension or returns a no_application_protocol alert, the TLS
> > > >       client MUST close the connection.
> > > >
> > > > Do we need to refer to the requirement for ALPN as we are not
> > > > hosting on
> > > port 5684?
> > > >
> > > > Regards
> > > >
> > > > Jon
> > >
> > > > _______________________________________________
> > > > Dots mailing list
> > > > Dots@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/dots
> > >
> > > _______________________________________________
> > > Dots mailing list
> > > Dots@ietf.org
> > > https://www.ietf.org/mailman/listinfo/dots
> > >
> > > _______________________________________________
> > > Dots mailing list
> > > Dots@ietf.org
> > > https://www.ietf.org/mailman/listinfo/dots
> > _______________________________________________
> > Dots mailing list
> > Dots@ietf.org
> > https://www.ietf.org/mailman/listinfo/dots
> 
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email