IETF Logo Mail Archive

Re: [Dots] TLS APLN extension

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Tue, 29 May 2018 07:09 UTC

Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D44D12E878 for <dots@ietfa.amsl.com>; Tue, 29 May 2018 00:09:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.31
X-Spam-Level:
X-Spam-Status: No, score=-4.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iVHpoYXIcfmZ for <dots@ietfa.amsl.com>; Tue, 29 May 2018 00:09:46 -0700 (PDT)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEC9012E888 for <dots@ietf.org>; Tue, 29 May 2018 00:09:45 -0700 (PDT)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1527577774; h=From: To:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-microsoft-exchange-diagnostics: x-ms-exchange-antispam-srfa-diagnostics:x-microsoft-antispam: x-ms-traffictypediagnostic:x-microsoft-antispam-prvs: x-exchange-antispam-report-test:x-ms-exchange-senderadcheck: x-exchange-antispam-report-cfa-test:x-forefront-prvs: x-forefront-antispam-report:received-spf:x-microsoft-antispam-message-info: spamdiagnosticoutput:spamdiagnosticmetadata: Content-Type:Content-Transfer-Encoding:MIME-Version: X-MS-Office365-Filtering-Correlation-Id:X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Threshold: X-NAI-Spam-Score:X-NAI-Spam-Version; bh=i DGLjQBNJoBFKVKX7AwuH0h7EpwjqY9KrjIpPzRJgv Y=; b=b7eQe7Gee3cUqS9GMKfZvr35JORQNxQ94dBADDN4w35i ybwEpuz4FOYGqrsonshKlQr7SorWGwwfLr/MvMDcqHJnh6Yt8J xZY7+8Vmuai9L/m3aUOjdP6Yw9o+HsEuIBt1IBAU3nzcD0hPxp cNtf2AGFTGMFECvF33um5SRQDWE=
Received: from DNVEXAPP1N05.corpzone.internalzone.com (DNVEXAPP1N05.corpzone.internalzone.com [10.44.48.89]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 4a35_a7c9_13eb4f6d_fad1_4790_aea7_a0503ade69ff; Tue, 29 May 2018 02:09:34 -0500
Received: from DNVEXAPP1N04.corpzone.internalzone.com (10.44.48.88) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Tue, 29 May 2018 01:09:19 -0600
Received: from DNVO365EDGE2.corpzone.internalzone.com (10.44.176.74) by DNVEXAPP1N04.corpzone.internalzone.com (10.44.48.88) with Microsoft SMTP Server (TLS) id 15.0.1347.2 via Frontend Transport; Tue, 29 May 2018 01:09:19 -0600
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (10.44.176.243) by edge.mcafee.com (10.44.176.74) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Tue, 29 May 2018 01:09:19 -0600
Received: from BN6PR16MB1425.namprd16.prod.outlook.com (10.172.207.19) by BN6PR16MB1537.namprd16.prod.outlook.com (10.172.208.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.797.11; Tue, 29 May 2018 07:09:17 +0000
Received: from BN6PR16MB1425.namprd16.prod.outlook.com ([fe80::601e:a909:b9fe:31bd]) by BN6PR16MB1425.namprd16.prod.outlook.com ([fe80::601e:a909:b9fe:31bd%8]) with mapi id 15.20.0797.018; Tue, 29 May 2018 07:09:17 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Jon Shallow <supjps-ietf@jpshallow.com>, Benjamin Kaduk <kaduk@mit.edu>, "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] TLS APLN extension
Thread-Index: AdPw2PQOXpzyKiqHQ7+v5FEn8F2ThwAyFv1gACMjQgAAEIhhgAD2J+BAAAW7tYAAASl3AAABoyIAAABIZbAACaBhAAAiXQEg
Date: Tue, 29 May 2018 07:09:16 +0000
Message-ID: <BN6PR16MB1425A7BC48FD29D05B88E2B6EA6D0@BN6PR16MB1425.namprd16.prod.outlook.com>
References: <13d301d3f0d8$f66f7c60$e34e7520$@jpshallow.com> <787AE7BB302AE849A7480A190F8B93302DF1E28F@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <20180523003451.GG10597@kduck.kaduk.org> <15bc01d3f26f$fecf3380$fc6d9a80$@jpshallow.com> <BN6PR16MB142569E727B738DA81844E73EA6E0@BN6PR16MB1425.namprd16.prod.outlook.com> <18b001d3f65f$8d47df20$a7d79d60$@jpshallow.com> <BN6PR16MB14254F55D58FD5EE301C6CADEA6E0@BN6PR16MB1425.namprd16.prod.outlook.com> <18d701d3f66a$bfd2dcf0$3f7896d0$@jpshallow.com> <BN6PR16MB1425C4A5A36C10D3F2961038EA6E0@BN6PR16MB1425.namprd16.prod.outlook.com> <192201d3f692$62c4a930$284dfb90$@jpshallow.com>
In-Reply-To: <192201d3f692$62c4a930$284dfb90$@jpshallow.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.0.300.84
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [103.245.47.20]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN6PR16MB1537; 7:T5Jgvs3/waUSnLGcau9U6f8JERg6/pipN6mA+lxeNLf1vGYbAPQiGObD0go3SFFa/864DQSC6MUp7iWaDRvQTzWP+pEu68yBuxe8cRxZl5i+K0he/igzbtMGPE7+IQXp/Tcg25U171w5T1VGX8Blf1laWSGt3cJMwMaAl859jH0mgMyeVy4hG0aDQaMkjDuvFfIpazhrlNVU3cT3YErIBNANJ+XH/3g+T9M2yhl6fPPAcabSRZ1vmibNeSFWhKUN
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(5600026)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020); SRVR:BN6PR16MB1537;
x-ms-traffictypediagnostic: BN6PR16MB1537:
x-microsoft-antispam-prvs: <BN6PR16MB1537AEF3F4EDFDDA6F6B9811EA6D0@BN6PR16MB1537.namprd16.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(18271650672692)(240460790083961)(123452027830198);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(3002001)(93006095)(93001095)(3231254)(944501410)(52105095)(10201501046)(149027)(150027)(6041310)(20161123558120)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(20161123564045)(6072148)(201708071742011)(7699016); SRVR:BN6PR16MB1537; BCL:0; PCL:0; RULEID:; SRVR:BN6PR16MB1537;
x-forefront-prvs: 0687389FB0
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39380400002)(39860400002)(366004)(396003)(376002)(346002)(32952001)(189003)(199004)(57704003)(13464003)(6246003)(2171002)(3280700002)(316002)(3660700001)(2201001)(186003)(26005)(7736002)(2906002)(53546011)(6506007)(74316002)(102836004)(305945005)(5890100001)(5250100002)(86362001)(5660300001)(93886005)(6436002)(110136005)(2501003)(33656002)(99286004)(72206003)(6116002)(3846002)(966005)(59450400001)(76176011)(7696005)(53936002)(446003)(97736004)(11346002)(478600001)(2900100001)(6306002)(476003)(80792005)(8676002)(81156014)(81166006)(8936002)(106356001)(229853002)(14454004)(25786009)(55016002)(486006)(66066001)(68736007)(105586002)(9686003)(85282002)(217873001); DIR:OUT; SFP:1101; SCL:1; SRVR:BN6PR16MB1537; H:BN6PR16MB1425.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: XERxw9D83tXu6qljoDd2seYlDr6ge5v/pWPpw9byw5isJte6IqKXjbMtVw2Uh30m1gEvHEGGHnX9NE/1gfFMx5Y1KefnUhpshveXgLhvuuBv+L2/U1ITo7uU2FfzP1nJOBFHviS70ukT7KHIWwsAWf9s4yJQi0oH9XfTwu6uELmXtHofydm+o+lLDI0943kLw1p3rhdSixxAsIiGH5IKwA==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Office365-Filtering-Correlation-Id: 90858fcb-0bf3-4c40-2985-08d5c53317ab
X-MS-Exchange-CrossTenant-Network-Message-Id: 90858fcb-0bf3-4c40-2985-08d5c53317ab
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 May 2018 07:09:17.0921 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR16MB1537
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0
X-NAI-Spam-Version: 2.3.0.9418 : core <6295> : inlines <6663> : streams <1788117> : uri <2649017>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/HmvEIXXKg-GixmVdsB0B7u4JHGY>
Subject: Re: [Dots] TLS APLN extension
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 May 2018 07:09:49 -0000

> -----Original Message-----
> From: Jon Shallow [mailto:supjps-ietf@jpshallow.com]
> Sent: Monday, May 28, 2018 8:15 PM
> To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>;
> Benjamin Kaduk <kaduk@mit.edu>; mohamed.boucadair@orange.com;
> dots@ietf.org
> Subject: RE: [Dots] TLS APLN extension
> 
> This email originated from outside of the organization. Do not click links or
> open attachments unless you recognize the sender and know the content is safe.
> 
> -----Original Message-----
> From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Konda, Tirumaleswar
> Reddy
> Sent: 28 May 2018 14:28
> To: Jon Shallow; Benjamin Kaduk; mohamed.boucadair@orange.com;
> dots@ietf.org
> Subject: Re: [Dots] TLS APLN extension
> 
> > -----Original Message-----
> > From: Jon Shallow [mailto:supjps-ietf@jpshallow.com]
> > Sent: Monday, May 28, 2018 3:31 PM
> > To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>;
> > Benjamin Kaduk <kaduk@mit.edu>; mohamed.boucadair@orange.com;
> > dots@ietf.org
> > Subject: RE: [Dots] TLS APLN extension
> >
> > This email originated from outside of the organization. Do not click
> > links or open attachments unless you recognize the sender and know the
> content is safe.
> >
> > Hi Tiru,
> >
> > I agree the DOTS server has to send back a "coap" if it receives a
> > ALPN request over TCP.  Do we need to state this in the Draft?
> 
> No, but I think https://tools.ietf.org/html/draft-ietf-dots-signal-channel-
> 19#section-3 needs to point to both
> RFC7252 and RFC8323.
> 
> [Jon] Agreed.  Are you able to do this with some suitable wrapper text?

Proposed text:
DOTS signal channel uses the "coaps" URI scheme defined in Section 6 of RFC7252 and "coaps+tcp" URI scheme defined in 
section 8.2 of RFC 8323 to identify DOTS server resources accessible using CoAP over UDP secured with DTLS and
CoAP over TCP secured with TLS.

-Tiru

> ~Jon
> 
> Cheers,
> -Tiru
> 
> >
> > Regards
> >
> > Jon
> >
> > -----Original Message-----
> > From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Konda,
> > Tirumaleswar Reddy
> > Sent: 28 May 2018 10:49
> > To: Jon Shallow; Benjamin Kaduk; mohamed.boucadair@orange.com;
> > dots@ietf.org
> > Subject: Re: [Dots] TLS APLN extension
> >
> > > -----Original Message-----
> > > From: Jon Shallow [mailto:supjps-ietf@jpshallow.com]
> > > Sent: Monday, May 28, 2018 2:11 PM
> > > To: Konda, Tirumaleswar Reddy
> <TirumaleswarReddy_Konda@McAfee.com>;
> > > Benjamin Kaduk <kaduk@mit.edu>; mohamed.boucadair@orange.com;
> > > dots@ietf.org
> > > Subject: RE: [Dots] TLS APLN extension
> > >
> > >
> > >
> > > Hi Tiru,
> > >
> > > I agree that it makes no sense to have our own ALPN - "coap" is fine
> > > as that is describing the next protocol layer up.  However, I did
> > > raise the question in case the DOTS Server needs to respond to a
> > > DOTS client that is correctly following RFC 8323 and expecting to
> > > see back a ALPN
> > response.
> >
> > The DOTS server will not be running on 5684. If the DOTS server is
> > correctly following RFC8323, it should respond with ALPN response "coap".
> >
> > -Tiru
> >
> > >
> > > "If the TLS server either does not negotiate the ALPN extension or
> > > returns a no_application_protocol alert, the TLS client MUST close
> > > the
> > connection."
> > >
> > > Regards
> > >
> > > Jon
> > >
> > > -----Original Message-----
> > > From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Konda,
> > > Tirumaleswar Reddy
> > > Sent: 28 May 2018 07:03
> > > To: Jon Shallow; 'Benjamin Kaduk'; mohamed.boucadair@orange.com;
> > > dots@ietf.org
> > > Subject: Re: [Dots] TLS APLN extension
> > >
> > > Although coaps+tcp URI scheme is used by DOTS signal channel, we
> > > have not yet seen any requirement where multiple protocols will be
> > > run on the DOTS server port number 4646.
> > > I don't see the need to define a new ALPN for DOTS signal channel.
> > >
> > > Cheers
> > > -Tiru
> > >
> > > > -----Original Message-----
> > > > From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Jon Shallow
> > > > Sent: Wednesday, May 23, 2018 1:58 PM
> > > > To: 'Benjamin Kaduk' <kaduk@mit.edu>;
> > > > mohamed.boucadair@orange.com; dots@ietf.org
> > > > Subject: Re: [Dots] TLS APLN extension
> > > >
> > > >
> > > >
> > > > Hi Ben,
> > > >
> > > > The DOTS signal spec calls for CoAP secured by running over (D)TLS
> > > > (either UDP and/or TCP), and CoAP over TLS is coaps+tcp.  So, yes,
> > > > both coaps and
> > > > coaps+tcp have to be supported.
> > > >
> > > > For example, I can use the github libcoap coap-client (Pull
> > > > Request
> > > > #176
> > > > installed) and do "coap-client -c cert.pem
> > > > coaps+tcp://127.0.0.1:4646/.well-known/dots/v1/config" against my
> > > > coaps+DOTS
> > > > server and get back binary data (it is CBOR encoded).
> > > >
> > > > Regards
> > > >
> > > > Jon
> > > >
> > > > -----Original Message-----
> > > > From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Benjamin
> > > > Kaduk
> > > > Sent: 23 May 2018 01:35
> > > > To: mohamed.boucadair@orange.com
> > > > Cc: Jon Shallow; dots@ietf.org
> > > > Subject: Re: [Dots] TLS APLN extension
> > > >
> > > > The dedicated port number is only somewhat relevant, I think --
> > > > the main question is whether the coaps+tcp URI scheme is in use.
> > > > The RFC
> > > > 8323 requirements only come into play for that URI scheme.
> > > >
> > > > -Ben
> > > >
> > > > On Tue, May 22, 2018 at 07:54:39AM +0000,
> > > mohamed.boucadair@orange.com
> > > > wrote:
> > > > > Re-,
> > > > >
> > > > > Do we need this given that DOTS is using a dedicated port number?
> > > > >
> > > > > Cheers,
> > > > > Med
> > > > >
> > > > > De : Dots [mailto:dots-bounces@ietf.org] De la part de Jon
> > > > > Shallow Envoyé : lundi 21 mai 2018 09:55 À : dots@ietf.org Objet
> > > > > : [Dots] TLS APLN extension
> > > > >
> > > > > Hi there,
> > > > >
> > > > > As per RFC 8323: 8.2.  coaps+tcp URI Scheme
> > > > >
> > > > > ....
> > > > >
> > > > >    o  If a TLS server does not support the Application-Layer Protocol
> > > > >       Negotiation (ALPN) extension [RFC7301] or wishes to accommodate
> > > > >       TLS clients that do not support ALPN, it MAY offer a coaps+tcp
> > > > >       endpoint on TCP port 5684.  This endpoint MAY also be ALPN
> > > > >       enabled.  A TLS server MAY offer coaps+tcp endpoints on ports
> > > > >       other than TCP port 5684, which MUST be ALPN enabled.
> > > > >
> > > > >    o  For TCP ports other than port 5684, the TLS client MUST use the
> > > > >       ALPN extension to advertise the "coap" protocol identifier (see
> > > > >       Section 11.7) in the list of protocols in its ClientHello.  If the
> > > > >       TCP server selects and returns the "coap" protocol identifier
> > > > >       using the ALPN extension in its ServerHello, then the connection
> > > > >       succeeds.  If the TLS server either does not negotiate the ALPN
> > > > >       extension or returns a no_application_protocol alert, the TLS
> > > > >       client MUST close the connection.
> > > > >
> > > > > Do we need to refer to the requirement for ALPN as we are not
> > > > > hosting on
> > > > port 5684?
> > > > >
> > > > > Regards
> > > > >
> > > > > Jon
> > > >
> > > > > _______________________________________________
> > > > > Dots mailing list
> > > > > Dots@ietf.org
> > > > > https://www.ietf.org/mailman/listinfo/dots
> > > >
> > > > _______________________________________________
> > > > Dots mailing list
> > > > Dots@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/dots
> > > >
> > > > _______________________________________________
> > > > Dots mailing list
> > > > Dots@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/dots
> > > _______________________________________________
> > > Dots mailing list
> > > Dots@ietf.org
> > > https://www.ietf.org/mailman/listinfo/dots
> >
> > _______________________________________________
> > Dots mailing list
> > Dots@ietf.org
> > https://www.ietf.org/mailman/listinfo/dots
> 
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email