Re: [Dots] TLS APLN extension
"Jon Shallow" <supjps-ietf@jpshallow.com> Wed, 23 May 2018 08:28 UTC
Return-Path: <supjps-ietf@jpshallow.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4289A12DA0D for <dots@ietfa.amsl.com>; Wed, 23 May 2018 01:28:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1NiRWnwlF8Bd for <dots@ietfa.amsl.com>; Wed, 23 May 2018 01:28:16 -0700 (PDT)
Received: from mail.jpshallow.com (mail.jpshallow.com [217.40.240.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0EDF12DA45 for <dots@ietf.org>; Wed, 23 May 2018 01:28:15 -0700 (PDT)
Received: from [127.0.0.1] (helo=N01332) by mail.jpshallow.com with esmtp (Exim 4.90_1) (envelope-from <jon.shallow@jpshallow.com>) id 1fLP80-0000Ex-IZ; Wed, 23 May 2018 09:28:12 +0100
From: Jon Shallow <supjps-ietf@jpshallow.com>
To: 'Benjamin Kaduk' <kaduk@mit.edu>, mohamed.boucadair@orange.com, dots@ietf.org
References: <13d301d3f0d8$f66f7c60$e34e7520$@jpshallow.com> <787AE7BB302AE849A7480A190F8B93302DF1E28F@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <20180523003451.GG10597@kduck.kaduk.org>
In-Reply-To: <20180523003451.GG10597@kduck.kaduk.org>
Date: Wed, 23 May 2018 09:28:15 +0100
Message-ID: <15bc01d3f26f$fecf3380$fc6d9a80$@jpshallow.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQF7fY0SEnbbzScVHebrKQTjRWAcaAIi09JrAU1FL/Ck0l7HYA==
Content-Language: en-gb
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/9eGDIiG8vuSxYzVmvfvxXxkyyGg>
Subject: Re: [Dots] TLS APLN extension
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 May 2018 08:28:21 -0000
Hi Ben, The DOTS signal spec calls for CoAP secured by running over (D)TLS (either UDP and/or TCP), and CoAP over TLS is coaps+tcp. So, yes, both coaps and coaps+tcp have to be supported. For example, I can use the github libcoap coap-client (Pull Request #176 installed) and do "coap-client -c cert.pem coaps+tcp://127.0.0.1:4646/.well-known/dots/v1/config" against my DOTS server and get back binary data (it is CBOR encoded). Regards Jon -----Original Message----- From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Benjamin Kaduk Sent: 23 May 2018 01:35 To: mohamed.boucadair@orange.com Cc: Jon Shallow; dots@ietf.org Subject: Re: [Dots] TLS APLN extension The dedicated port number is only somewhat relevant, I think -- the main question is whether the coaps+tcp URI scheme is in use. The RFC 8323 requirements only come into play for that URI scheme. -Ben On Tue, May 22, 2018 at 07:54:39AM +0000, mohamed.boucadair@orange.com wrote: > Re-, > > Do we need this given that DOTS is using a dedicated port number? > > Cheers, > Med > > De : Dots [mailto:dots-bounces@ietf.org] De la part de Jon Shallow > Envoyé : lundi 21 mai 2018 09:55 > À : dots@ietf.org > Objet : [Dots] TLS APLN extension > > Hi there, > > As per RFC 8323: 8.2. coaps+tcp URI Scheme > > .... > > o If a TLS server does not support the Application-Layer Protocol > Negotiation (ALPN) extension [RFC7301] or wishes to accommodate > TLS clients that do not support ALPN, it MAY offer a coaps+tcp > endpoint on TCP port 5684. This endpoint MAY also be ALPN > enabled. A TLS server MAY offer coaps+tcp endpoints on ports > other than TCP port 5684, which MUST be ALPN enabled. > > o For TCP ports other than port 5684, the TLS client MUST use the > ALPN extension to advertise the "coap" protocol identifier (see > Section 11.7) in the list of protocols in its ClientHello. If the > TCP server selects and returns the "coap" protocol identifier > using the ALPN extension in its ServerHello, then the connection > succeeds. If the TLS server either does not negotiate the ALPN > extension or returns a no_application_protocol alert, the TLS > client MUST close the connection. > > Do we need to refer to the requirement for ALPN as we are not hosting on port 5684? > > Regards > > Jon > _______________________________________________ > Dots mailing list > Dots@ietf.org > https://www.ietf.org/mailman/listinfo/dots _______________________________________________ Dots mailing list Dots@ietf.org https://www.ietf.org/mailman/listinfo/dots
- [Dots] TLS APLN extension Jon Shallow
- Re: [Dots] TLS APLN extension mohamed.boucadair
- Re: [Dots] TLS APLN extension Benjamin Kaduk
- Re: [Dots] TLS APLN extension Jon Shallow
- Re: [Dots] TLS APLN extension Konda, Tirumaleswar Reddy
- Re: [Dots] TLS APLN extension Jon Shallow
- Re: [Dots] TLS APLN extension Konda, Tirumaleswar Reddy
- Re: [Dots] TLS APLN extension Jon Shallow
- Re: [Dots] TLS APLN extension Konda, Tirumaleswar Reddy
- Re: [Dots] TLS APLN extension Jon Shallow
- Re: [Dots] TLS APLN extension Konda, Tirumaleswar Reddy
- Re: [Dots] TLS APLN extension Jon Shallow
- Re: [Dots] TLS APLN extension mohamed.boucadair