Re: [Dots] Magnus Westerlund's Discuss on draft-ietf-dots-signal-call-home-11: (with DISCUSS)

Magnus Westerlund <magnus.westerlund@ericsson.com> Mon, 21 December 2020 11:03 UTC

Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A2AB3A10B3; Mon, 21 Dec 2020 03:03:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rin-SSBCCkVR; Mon, 21 Dec 2020 03:03:24 -0800 (PST)
Received: from EUR05-VI1-obe.outbound.protection.outlook.com (mail-vi1eur05on2069.outbound.protection.outlook.com [40.107.21.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1C783A10B0; Mon, 21 Dec 2020 03:03:23 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=f77O8CXxLPJ7p+95TsiLnlQZG32oEm9tC9yCa5LRuKUtxXs+mGODBPCalwUKAbFv3Cj4McBO6/Dz1p+VlBu+b8XGXkw8n+nr7gp2mclfWbNrK7qFSc7OADNUaPS4l3cY3hRO7NWrvHPB86PVnVU2R8Rlo/CAYcBC0ksyEYj84MgjB5JyPdeCHZTujd1TDlXUS9zbB0NrzVWDm6MZ5UpGI9OTF3NnBx8ULuwzdUgs69m3k0pFVZzKdzRLa2/q88evcu8XRjmZWXTMg3ADX2VPb1c6BR8axWYJYxroQ5HP6Rw7V+6aJllBI4dhsOOw/NMUlRCs8S1aCVwtplqN9v976A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3u/3fdwWp41gQQoMFlbtnFvDGVCT1LBb6QL+7A5M5qY=; b=PmKEXn8JlwdSflRzlS6Y2SsOm8FhpmD3iLjggSnAJbikkPFX9qMX4BMEX12tExQnvI0R22MsK/+oY63/WSYGDZBeuumwBpiNxX5wbpGgUKGJrzO3+u6uLGigsWxjFyF4FTY0v6oyGbg/Xw2zM+Yzz5b+uFlM6MXxnrzgJdoBillYEBQu5F30dkJVCeOmON6wr4XLAG7bFg7jWqEgHa5ei8Mc4g5l9CzUBQe0WBqqfXeVOUfDAodCIe6gT37SwSGsxf1cy0I0t9BNyNc76t0Cv98pyxP7chhMR2kI9Y8xBIVNbea+mgOZHlOj8kHaLwfP0VFRnRRdlFcUNsTuMWGp4w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3u/3fdwWp41gQQoMFlbtnFvDGVCT1LBb6QL+7A5M5qY=; b=Epgd7zLmUwvUHc48TOEZsTxDLY6uG/2N4vylvc+6PJ0CQ57uIvU3FRf49bNFT0qe3hgx5c9pMpEAMTSo6S9KH4V5z2w4ZOQXzJIQ4cDHVXu+FkQWGMOwws6ZJp+j41VVWZSQqcNZw1tN1VFREx8jU4K5Ed3LoEyx/IKixODFmcs=
Received: from HE1PR0702MB3772.eurprd07.prod.outlook.com (2603:10a6:7:8e::14) by HE1PR07MB4219.eurprd07.prod.outlook.com (2603:10a6:7:9f::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3700.26; Mon, 21 Dec 2020 11:03:18 +0000
Received: from HE1PR0702MB3772.eurprd07.prod.outlook.com ([fe80::8cd:496:65de:4ace]) by HE1PR0702MB3772.eurprd07.prod.outlook.com ([fe80::8cd:496:65de:4ace%6]) with mapi id 15.20.3676.011; Mon, 21 Dec 2020 11:03:18 +0000
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "iesg@ietf.org" <iesg@ietf.org>, "magnus.westerlund=40ericsson.com@dmarc.ietf.org" <magnus.westerlund=40ericsson.com@dmarc.ietf.org>, "supjps-ietf@jpshallow.com" <supjps-ietf@jpshallow.com>, "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>
CC: "valery@smyslov.net" <valery@smyslov.net>, "dots@ietf.org" <dots@ietf.org>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>, "draft-ietf-dots-signal-call-home@ietf.org" <draft-ietf-dots-signal-call-home@ietf.org>
Thread-Topic: [Dots] Magnus Westerlund's Discuss on draft-ietf-dots-signal-call-home-11: (with DISCUSS)
Thread-Index: AQHW1IEMs9vsdNy1dUKXFtQUcezc5qn7Z94AgAAI8ICAABFlgIAACniAgABCigCAAM7vgIABuBMAgAMSigA=
Date: Mon, 21 Dec 2020 11:03:18 +0000
Message-ID: <6d2f00810b5bc9ec3e8ab10fa7e75b824e0f9003.camel@ericsson.com>
References: <160821536495.8335.5498062431481972966@ietfa.amsl.com> <26637_1608218552_5FDB77B8_26637_63_1_787AE7BB302AE849A7480A190F8B93303159F25D@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <83fe6f11ec1cfcfd1f4c4493854c8ce6eaa542f4.camel@ericsson.com> <135d01d6d495$9b1b94e0$d152bea0$@jpshallow.com> <75351574777c1f8100f15474ff5c755f6334645a.camel@ericsson.com> <13d001d6d4bc$1c543870$54fca950$@jpshallow.com> <9a304e2ec6886de19ec54d2d56309442db652a02.camel@ericsson.com> <154a01d6d5ff$9d022ab0$d7068010$@jpshallow.com>
In-Reply-To: <154a01d6d5ff$9d022ab0$d7068010$@jpshallow.com>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Evolution 3.28.5-0ubuntu0.18.04.2
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [192.176.1.81]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 0f1f800e-68d1-44fa-3309-08d8a5a005d4
x-ms-traffictypediagnostic: HE1PR07MB4219:
x-microsoft-antispam-prvs: <HE1PR07MB42192D62D40A51396174436695C00@HE1PR07MB4219.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: v8dthAUsM8AMSY7npPMuryMNTeVWbYVIdJ8A5/ojP/XpiWa9pYZ5L6zjgWrPPlmhzyPdnv33dtDNcfHK4EqxSeJIYonglJuz9S8UOt+BAPg1pxh76Ll2bJMZFoMHRaRKhWqY4f6R9zOSfgck4abx3VyZBvdO10UPiGmKBYxfIyOnodo5Xp60Ttsv0q3xzSe7fRZL7QTemd5tnhmeXbFzAv9C6wRPFj+VqAddcT57Pit2c87n9+euVfUMlO/mxc5JO4aznW2g1lQNH4GBssFwfIS3Nt99jQhPbnm1s5RTe6PsIJBBHOTT3LUe6UNNl28lWvQeaKEWqiqEIiLd8XLFgjviBmCx94m51J0w+0j2mQBnkDG4oczOef5Z0I8ZAjb9xg2acYkfpkE+d7Sj4sEgEZhQxnYTioLNcPtdLTMIY7fscWXmDpd91zODVKEnyXDlDuFhXK7AnmWAEiixxS027ljzhDCKm8OmABFNMN3xI0E1qoZh2BA7mQJ+qD1cNnpypg0eihNqtvRrzn/SKmjFeQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0702MB3772.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(376002)(136003)(39860400002)(366004)(396003)(186003)(99936003)(66476007)(66946007)(6506007)(478600001)(6512007)(66556008)(66616009)(64756008)(66446008)(53546011)(83380400001)(71200400001)(6486002)(26005)(316002)(2906002)(54906003)(110136005)(8936002)(86362001)(4001150100001)(36756003)(76116006)(8676002)(5660300002)(44832011)(4326008)(2616005)(966005)(99106002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: =?utf-8?B?eng0WTRDaVQ1KzRpenpjNGN4MHJiMjNMZUZsbVZ5VXJxL2txaUR6cjc5RFR2?= =?utf-8?B?TTJzWnVRaENpRktwelFVcXh1TWxSc3RmNFJnNTdMRjhGdVhrYXhzNjFuLysw?= =?utf-8?B?MEtFZlVuRVpYcEMwcUlxQ0Y1ZnpVSjEzcCt5c2pMNmhLeWFnRTl4RHl1VENP?= =?utf-8?B?aEhWV0Z0MzM2a1VpOWJTUTlTSkg2aHZ0UjJyeU9XM2tYMVZSM0hzTUx5RXFM?= =?utf-8?B?STNSdDgycTdlOHU3KzJ0SXR2c2grMS9rTE1kMHlxUjRZWGVuOU5TaENIY1Ez?= =?utf-8?B?ZzJHS2xzVDRTVFBYVDVIeXp0TkJhSzQ5aXpxVGR0b2RGYkRqZVJzOVJhWUNX?= =?utf-8?B?WFBheFBxSzFySHk0cS9tTjdMencvL3dDMmRFOXlsUmMyRjM5SHE5bG4yNXBa?= =?utf-8?B?dVNDVU40RXVLcWpmdVVNenNGa1YvOWl0SkpBNEo0NlU4enZUU3JINnhGbnJn?= =?utf-8?B?TGxzakZwSi9KcC95b1lNc0FyQUFidno5c0FVaERVZ1RkOExGVXBLY2hZWC81?= =?utf-8?B?em5yVWl3L25pbDZlZWwyTmxiSEpqTkhWdXFaeUhNeG9VSGppNFJSc2lHSzds?= =?utf-8?B?WGNCUjBLV1htUTFNUE8wT1FablJlaGVxOWZmeUNiTGRQRkcxWEFOSjU4amds?= =?utf-8?B?eHhuTmsraVJ5NDUvS3pZSFVtcGJtL0RiTDFmUlM5bmVacFJlVGJXaWU5OStO?= =?utf-8?B?bHdzd3F5bklDTDNVREJEZFVaSUk4WURrVlRmdVBCa1RIU2pxMHdla0dxdzM2?= =?utf-8?B?cUhYWGFtckNnWHNkOTdzalV5SHZqcVJWdzVyOUFlSHVaYU5WT3FHajNDOERj?= =?utf-8?B?ck5pRWNwU3VxSkd6enBSZjNIUGgzeU4yaGl5SVh1clpHWUxPb0lieERUT1ln?= =?utf-8?B?c0UxREdtN1ZzMld3aktPNGgyQlhUcm5RY0Y5MXlwc3pGd0VSSm9UMmV1Qmdo?= =?utf-8?B?TGgyNWhQbTBOSWd0a1p3Q3QxOTc1ZllELzh4bU91amNaUTU5bjdBTDRqcFd6?= =?utf-8?B?M2dYcXZPa0lIcjJRcDRKMXNBcDdvK2J3MjB1ZFlmNDRVb2EzRk8yZDVZLzUx?= =?utf-8?B?Z0NQWWI5ZWx3Mk9VR01jQlRUZDdnNlZuem1wa01ad0NZSFdzK1hqVG0zYXAr?= =?utf-8?B?cENIckdoM2FMdVBONjNqYlFhSzZZUUVETk1xbVA2ZU05Uzl3dVZuTkRtM2Q0?= =?utf-8?B?K0RrYStKMlJVQmJGWFVOR1RDbVlrM3lsTE1aSUloWlRlZWlNbW1BUVBtNmJS?= =?utf-8?B?MmdWc0I2M2JHMW9QTCtNbk4weElMbVNrdGJVQkNTdEVSa1E0Qnd4ek5SQmxH?= =?utf-8?Q?6A4+yz9SKnayEj72DPeA2oitJjkUMZ5oJn?=
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; micalg="sha-256"; protocol="application/x-pkcs7-signature"; boundary="=-BXSMWlizRCiW6QBxdMpa"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0702MB3772.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0f1f800e-68d1-44fa-3309-08d8a5a005d4
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Dec 2020 11:03:18.2649 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Qvj8pPluzsWKlnGGeM5ej5TCDI5sIZY4Wcm1BO2Vyylj+ZrrKrgEt1h8Bu1rAQCntljwZVXMgFoKQtRoE7I1aYU5f9+BcX8npKHoSFJfdw0=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB4219
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/Sp9c2WWt7rgZqqptqDIHzi6g4ZM>
Subject: Re: [Dots] Magnus Westerlund's Discuss on draft-ietf-dots-signal-call-home-11: (with DISCUSS)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Dec 2020 11:03:26 -0000

Hi,

I will start my Christmas vacation tomorrow, so don't expect any more responses
until after the 7th of December. 

I am hearing what you are saying about implementability. However, I have the
feeling that the WG design process have failed to take into account some
relevant aspects here.

1. You are using COAP which do share high level semantics with HTTP. Thus,
different functionalites can easily be defined to work in parallel on a server.
Thus it could have been easy to ensure that individual or coloated dots-signal
and dots-call-home could be co-locate. Especially as you do have it part of what
is considered. 

2. You got a port for dots-signal to enable firewalls and routers etc to
identify and handle this traffic, otherwise I think dots-signal would have been
leaned hard on using the default COAP port. Expecting to consume another port
just because you didn't consider the constraints, which RFC6335 is clear with I
think is tough for me to swallow. 

3. You have several ways of designing yourself out of these issues that has been
raised. I understand this might be considered a late surprise, but it shouldn't
if you had read the in force BCP. 

My next question, do you actually need a fixed port at all for this. The service
name enables you to do SRV look ups to find port and IP address for the service.
Isn't that sufficient if you still want to run it on dedicated port compared to
DOTS-signal? 

Cheers

Magnus Westerlund



On Sat, 2020-12-19 at 12:08 +0000, supjps-ietf@jpshallow.com wrote:
> Hi Magnus,
> 
> Please see inline.
> 
> Regards
> 
> Jon
> 
> > -----Original Message-----
> > From: Magnus Westerlund [mailto:magnus.westerlund@ericsson.com]
> > Sent: 18 December 2020 09:53
> > To: iesg@ietf.org; magnus.westerlund=40ericsson.com@dmarc.ietf.org; supjps-
> > ietf@jpshallow.com; mohamed.boucadair@orange.com
> > Cc: valery@smyslov.net; dots@ietf.org; dots-chairs@ietf.org; draft-ietf-
> > dots-
> > signal-call-home@ietf.org
> > Subject: Re: [Dots] Magnus Westerlund's Discuss on draft-ietf-dots-signal-
> > call-
> > home-11: (with DISCUSS)
> > 
> 
> ...
> > > > So I think there are several possible implementation paths for this. I
> > > > see
> > > > at least
> > > > two.
> > > > 
> > > > First, do a 5-tuple connect on UDP to filter that particular UDP flow,
> > > > process the
> > > > DTLS handshake for this socket and then based on ALPN decide on target
> > > > process and then hand over the socket and the DTLS state to the right
> > > > process.
> > > 
> > > [Jon] UDP has no concept of accept().  If you do a connect() on a socket
> > > that
> > > you have just received data on, then that updates the 5 tuple and then
> > > only
> > > receives traffic matching the tuple as expected. However, it appears not
> > > possible to leave the original socket ready for the next packet (from
> > > different IP etc.) and set up a new socket to specifically handle the
> > > stream
> > > matching the packet just received, bind(same_port), do the connect() on it
> > > etc. (the bind(same_port)fails in my test).
> > 
> > So I don't have a code exmample for this available, but I thought you can
> > make
> > it work with so_reuseport/so_reuseaddr. There are some downside in that the
> > new
> > socket can receive packets prior to the connect that just arrive.
> > 
> 
> [Jon] I was using SO_REUSEADDR, but have found a bug in my test code so I now
> able to bind(same_port).  While a new socket and connect() can be done to
> match a new UDP client, it needs to be thought through when this is done - the
> arrival of the first UDP packet, when the DTLS APLN is known, or when the DTLS
> handshake is complete.  The DOTS stack we have is 
> https://tools.ietf.org/html/rfc8782#section-3 Figure 3
> 
> DOTS
> CoAP
> DTLS
> UDP
> IP
> 
> [Jon] It is unclear to me as to how you can hand off a DTLS context to a
> different, non identical process along with its socket (this may be possible
> with OpenSSL, not sure about other TLS libraries - there is limited kernel
> AF_KTLS support which may help).  DTLS session resumption then also gets a lot
> more complicated.
> 
> [Jon] Then there is the challenge of how the received DTLS context + socket
> are integrated into the CoAP & DTLS stack on the receiving application so that
> things keep working.  In my port, it is the CoAP library that handles the
> sockets, not the DOTS application which would mean having customized code for
> the CoAP library - not ideal for maintenance long term.
> 
> [Jon] My surmise would be that implementors would say "forget this complexity
> with its inherent risks and just use a non-standard port"
> 
> > > 
> > > > 
> > > > Secondly, is to run some type of front end dispatcher that processes the
> > > > packets
> > > > and tracks all the different DTLS connection and have secure message
> > 
> > passing
> > > > between the front end dispatcher and the different servers. But this do
> > > > requie
> > > > another security model and trust relationship between the dispatcher and
> > 
> > the
> > > > servers.
> > > 
> > > [Jon] This does complicate things.  The DOTS signal channel requires
> > > mutual
> > > authentication of the agents and introducing some sort of man-in-middle
> > > that
> > > changes the network flow IP addresses etc. and potentially changes
> > > encryption
> > > characteristics breaks this mutual authentication.  It is not easy to
> > > change
> > > how the base DOTS signal works.
> > 
> > Sorry, I don't understand why you bring in changes to network flow IP
> > address. I
> > said secure communication here, and I mean internal to the server software
> > between processes.
> 
> [Jon] I latched on to "different servers" as possibly having different backend
> IPs.  Here, we actually have a DOTS server (sends responses) and a DOTS client
> (generates requests) that traffic needs to be steered to.
> 
> > Basic interprocess communication here. Also, it might be
> > that
> > you can start the DTLS processing in the dispatcher and then hand over the
> > DTLS
> > state and only have encrypted UDP payloads being dispatached.
> 
> [Jon] As above, it is unclear to me as to how you can hand off a DTLS context
> to a different, non identical, process along with its socket and then
> integrate the received DTLS context into the different application.
> 
> > 
> > I would note that I think a lot of this dicsussion comes from that the
> > implementation you made so far has been done based on the assumption that
> > there
> > would be a new port and separation rather than designing for coloaction. If
> > we
> > take the step beyond your current implenentation from a protocol perspective
> > in
> > an implementation built for co-location is there really any significant
> > issues
> > here?
> 
> [Jon] I am the sort of person that needs to implement something to prove
> something is practically feasible, find what the issues are and what needs to
> be changed based on a specification and then debate how the spec needs to be
> updated to make it usable.
> 
> [Jon] DOTS call home did come later to the table after the initial DOTS was
> done which created the DOTS client and DOTS server as different applications
> in the implementations done to date.  Adding in the DOTS call home logic was
> very simple (with different port) - simple addition of accepting new
> connections on the call home DOTS client which triggered the client logic
> start up and initiating connections on the call home DOTS server and
> associated configuration logic. 
> 
> [Jon] While it is only software and hence not impossible, it is significant
> work to merge the client and server into a single application as well as
> having to maintain separate applications for running on limited resource
> devices.  We do not want to put in barriers to implementation of this draft by
> making it complex to implement.  Hence using a different port for the client
> service and the server service.
> 
> > 
> > 
> > Cheers
> > 
> > Magnus Westerlund
> 
>