Re: [Dots] Magnus Westerlund's Discuss on draft-ietf-dots-signal-call-home-11: (with DISCUSS)

supjps-ietf@jpshallow.com Thu, 17 December 2020 16:57 UTC

Return-Path: <jon.shallow@jpshallow.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E36D3A0DBC for <dots@ietfa.amsl.com>; Thu, 17 Dec 2020 08:57:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lD4Rixw9Leli for <dots@ietfa.amsl.com>; Thu, 17 Dec 2020 08:57:01 -0800 (PST)
Received: from mail.jpshallow.com (mail.jpshallow.com [217.40.240.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7155A3A0D9B for <dots@ietf.org>; Thu, 17 Dec 2020 08:57:01 -0800 (PST)
Received: from mail2.jpshallow.com ([192.168.0.3] helo=N01332) by mail.jpshallow.com with esmtp (Exim 4.92.3) (envelope-from <jon.shallow@jpshallow.com>) id 1kpwaI-0003Gv-QP; Thu, 17 Dec 2020 16:56:58 +0000
From: <supjps-ietf@jpshallow.com>
To: "'Magnus Westerlund'" <magnus.westerlund@ericsson.com>, <iesg@ietf.org>, <mohamed.boucadair@orange.com>
Cc: <dots@ietf.org>, <valery@smyslov.net>, <dots-chairs@ietf.org>, <draft-ietf-dots-signal-call-home@ietf.org>
References: <160821536495.8335.5498062431481972966@ietfa.amsl.com> <26637_1608218552_5FDB77B8_26637_63_1_787AE7BB302AE849A7480A190F8B93303159F25D@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <83fe6f11ec1cfcfd1f4c4493854c8ce6eaa542f4.camel@ericsson.com>
In-Reply-To: <83fe6f11ec1cfcfd1f4c4493854c8ce6eaa542f4.camel@ericsson.com>
Date: Thu, 17 Dec 2020 16:56:47 -0000
Message-ID: <135d01d6d495$9b1b94e0$d152bea0$@jpshallow.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJ2bnsKEk4cVClsqjQj7jfeJ0e02wFsH/eMAmTmvDqonb1HQA==
Content-Language: en-gb
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/W8c-VL6bYqR84q5Dgf3yxtSzxu4>
Subject: Re: [Dots] Magnus Westerlund's Discuss on draft-ietf-dots-signal-call-home-11: (with DISCUSS)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2020 16:57:04 -0000

Hi Magnus,

We had considered using ALPN.

While DOTS signal channel can use TLS, given that this DOTS protocol has to be robust in an Distribute Denial of Service attack environment, its primary use will be DTLS using UDP.

> Based on what you write in your email to my understanding ALPN in (D)TLS
> would work fairly well to dispatch the secured connection to the individual
> implementation of DOTS-signal and Dots-call home if that is needed.

When using TCP, it is relatively easy to dispatch a secured connection and attach it to, say a forked copy of the appropriate application or a new thread in the application which then does all the network i/o over that secured connection.

However, for UDP from an implementation perspective, I cannot see how this can be done so the network stack can itself steer each input packet to the appropriate application when the traffic arrives on the same IP and port (only one application can receive traffic on a specific udp port).  I welcome any wisdom on how to do this.

There is also a minor concern in about exposing the protocol as https://tools.ietf.org/html/rfc7301#section-5  which states

   Implementers and document editors who intend to extend the protocol
   identifier registry by adding new protocol identifiers should
   consider that in TLS versions 1.2 and below the client sends these
   identifiers in the clear.  They should also consider that, for at
   least the next decade, it is expected that browsers would normally
   use these earlier versions of TLS in the initial ClientHello.

   Care must be taken when such identifiers may leak personally
   identifiable information, or when such leakage may lead to profiling
   or to leaking of sensitive information.  If any of these apply to
   this new protocol identifier, the identifier SHOULD NOT be used in
   TLS configurations where it would be visible in the clear, and
   documents specifying such protocol identifiers SHOULD recommend
   against such unsafe use.

Even though it is possible to derive things from the fact that a particular port being used.

Regards

Jon

> -----Original Message-----
> From: Magnus Westerlund [mailto:ietf-supjps-
> magnus.westerlund@ericsson.com]
> Sent: 17 December 2020 15:55
> To: iesg@ietf.org; mohamed.boucadair@orange.com
> Cc: dots@ietf.org; valery@smyslov.net; dots-chairs@ietf.org; draft-ietf-dots-
> signal-call-home@ietf.org
> Subject: Re: Magnus Westerlund's Discuss on draft-ietf-dots-signal-call-home-
> 11: (with DISCUSS)
> 
> Hi,
> 
> I hadn't read this before. But I have now read it and it don't really change my
> perspective. I think there are several options here that should work for you.
> 
> Based on what you write in your email to my understanding ALPN in (D)TLS
> would
> work fairly well to dispatch the secured connection to the individual
> implementation of DOTS-signal and Dots-call home if that is needed. And future
> implementation that are combined can simply use that ALPN signal as a basic
> indication on behavior in common code paths.
> 
> Cheers
> 
> Magnus Westerlund
> 
> 
> 
> 
> 
> On Thu, 2020-12-17 at 15:22 +0000, mohamed.boucadair@orange.com wrote:
> > Hi Magnus,
> >
> > I wonder whether you had a chance to read this message where explain why
> this
> > is a new service, not a variant of an existing service:
> > https://mailarchive.ietf.org/arch/msg/dots/GQP-QCmC-
> 4XtJHPmsPR_quuyO0c/
> >
> > Thank you.
> >
> > Cheers,
> > Med
> >
> > > -----Message d'origine-----
> > > De : Magnus Westerlund via Datatracker [mailto:noreply@ietf.org]
> > > Envoyé : jeudi 17 décembre 2020 15:29
> > > À : The IESG <iesg@ietf.org>
> > > Cc : draft-ietf-dots-signal-call-home@ietf.org; dots-
> > > chairs@ietf.org; dots@ietf.org; Valery Smyslov <valery@smyslov.net>et>;
> > > valery@smyslov.net
> > > Objet : Magnus Westerlund's Discuss on draft-ietf-dots-signal-call-
> > > home-11: (with DISCUSS)
> > >
> > > Magnus Westerlund has entered the following ballot position for
> > > draft-ietf-dots-signal-call-home-11: Discuss
> > >
> > > When responding, please keep the subject line intact and reply to
> > > all email addresses included in the To and CC lines. (Feel free to
> > > cut this introductory paragraph, however.)
> > >
> > >
> > > Please refer to https://www.ietf.org/iesg/statement/discuss-
> > > criteria.html
> > > for more information about IESG DISCUSS and COMMENT positions.
> > >
> > >
> > > The document, along with other ballot positions, can be found here:
> > > https://datatracker.ietf.org/doc/draft-ietf-dots-signal-call-home/
> > >
> > >
> > >
> > > --------------------------------------------------------------------
> > > --
> > > DISCUSS:
> > > --------------------------------------------------------------------
> > > --
> > >
> > > Section 7.1: Port request for DOTS signal for home.
> > >
> > > I think the WG has failed to take the assignment principles in RFC
> > > 6335 to
> > > heart:
> > >
> > > > From Section 7:
> > >
> > >    "The basic principle of service name and port number registry
> > >    management is to conserve use of the port space where possible."
> > >
> > >    o  IANA strives to assign only one assigned port number per
> > > service
> > >       or application.
> > >
> > >       Note: At the time of writing of this document, there is no
> > > IETF
> > >       consensus on when it is appropriate to use a second port for
> > > an
> > >       insecure version of a protocol.
> > >
> > >    o  IANA strives to assign only one assigned port number for all
> > >       variants of a service (e.g., for updated versions of a
> > > service).
> > >
> > >    o  IANA strives to encourage the deployment of secure protocols.
> > >
> > >    o  IANA strives to assign only one assigned port number for all
> > >       different types of devices using or participating in the same
> > >       service.
> > >
> > >    o  IANA strives to assign port numbers only for the transport
> > >       protocol(s) explicitly named in an assignment request.
> > >
> > >    o  IANA may recover unused port numbers, via the new procedures
> > > of
> > >       de-assignment, revocation, and transfer.
> > >
> > > After having reviewed Appendix A I think the WG has made the wrong
> > > choice and also not considered all the available choices for
> > > enabling DOTS signal and call home to be colocated on the same port.
> > > Several options exists:
> > >
> > >         - URI name space so that it is the same protocol just making
> > > requests
> > >         with different URIs depending on mode - Use the already
> > > existing
> > >         settings negotiation to determine the mode of operation. -
> > > Using ALPN
> > >         on (D)TLS connection establishment
> > >
> > > > From my perspective the DOTS WG have multiple choices that are
> > >
> > > quite
> > > > simple to
> > >
> > > solve there colocation issue that would not incur significnat cost
> > > or overhead.
> > > Using an additional port do incur a cost of consuming a resource
> > > that is endless and not easily recoverable. I do share the IANA port
> > > experts team's verdict that this port assignment should be denied
> > > and alternative solution found as the motivation appears very weak.
> > >
> > >
> > >
> > >
> >
> >
> >
> _________________________________________________________________
> _____________
> > ___________________________________________
> >
> > Ce message et ses pieces jointes peuvent contenir des informations
> > confidentielles ou privilegiees et ne doivent donc
> > pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce
> > message par erreur, veuillez le signaler
> > a l'expediteur et le detruire ainsi que les pieces jointes. Les messages
> > electroniques etant susceptibles d'alteration,
> > Orange decline toute responsabilite si ce message a ete altere, deforme ou
> > falsifie. Merci.
> >
> > This message and its attachments may contain confidential or privileged
> > information that may be protected by law;
> > they should not be distributed, used or copied without authorisation.
> > If you have received this email in error, please notify the sender and delete
> > this message and its attachments.
> > As emails may be altered, Orange is not liable for messages that have been
> > modified, changed or falsified.
> > Thank you.
> >