Re: [Dots] Magnus Westerlund's Discuss on draft-ietf-dots-signal-call-home-11: (with DISCUSS)

Magnus Westerlund <magnus.westerlund@ericsson.com> Fri, 08 January 2021 12:30 UTC

Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96D8C3A0C2A; Fri, 8 Jan 2021 04:30:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.351
X-Spam-Level:
X-Spam-Status: No, score=-2.351 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.25, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hb_vyQ0tHVja; Fri, 8 Jan 2021 04:30:43 -0800 (PST)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on2069.outbound.protection.outlook.com [40.107.22.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CDF663A0C29; Fri, 8 Jan 2021 04:30:42 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=QEL/W4oLQuC6tetXOeRCFyfOlm4ftzzjnJtNnR8ucH6o6ytRXqGGeqLBc4nrQKWEJopCW5E65HaO2JWMGCRRlIrusHR9G25ZWNM0IcHqiDVWYcokR+kXtL6u+w6atwWvNRA6NHXUd3DXah26/rmSuW8VnCEazXai8kxCKzm9U8r+XHGJh+gy2iQwS28u6kB5UMH5+vvZZQuHH8e0rEhr/YQKDhqfFi2ukGTOF/kD4ZJ84DBdIRUNnrjp0OsJrd3PIpk2LBfE+/lmnRzXeXCu5hHcAqPEAlAFG4D8FC8M0SVmXwvQoKJi5Q4bRiNKZhyM1w7Ya9/IpnCaIImDNoI/Jw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=zY3zR955OxlOHuLU6CrPpmwVYYSQWTnP8kMiCqU2mxA=; b=PuMzFYU48/V4rolKx8wK1M6l2L6HcL4dlpivTMxqcq9r4+vGOA8Jv17U0aYoUNMcuLH0v2XwfexYtZjAo7IGwjYJPVeR6UQqCHA3ptW5AwQucCBh31mmdAxpDNkZzlQcNhNL8Ybh87Q9J4yUYrxbH2YBuqakZort8eAq1nU7spXZ+bh2pUYiIIaHDQJ4a+UKwkuoETLvKhxX68tbREy2nfrZHX/rcWVsLuY0jJ9wDwvoyrJUw1sZ98el22Yi861A9QofVsoTSaYnz7zx5e3hPRMbyNb7SKO1d7XjkjCip1xG3IBcgUcnzxMhNcUobW2Hbm9iB/e8Nc5c2z4tnBXYdA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=zY3zR955OxlOHuLU6CrPpmwVYYSQWTnP8kMiCqU2mxA=; b=RGRxaWE6MGdCVhLiArsRP73Wug+27aZ4g0jFft3iMcrHxLuQNbhMKFxwR5UDOZ0jh7UDRvKNwJoZLfntIFFNkE71E9pML7Ntu49whNV9VjutAFLHFw3DljIEUnKsfS4lMvCFxLiw0JSKHEYMBpD8XTjPdmqPI475mE4KJdMjNUg=
Received: from HE1PR0702MB3772.eurprd07.prod.outlook.com (2603:10a6:7:8e::14) by HE1PR0701MB2266.eurprd07.prod.outlook.com (2603:10a6:3:2c::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3763.5; Fri, 8 Jan 2021 12:30:34 +0000
Received: from HE1PR0702MB3772.eurprd07.prod.outlook.com ([fe80::8cd:496:65de:4ace]) by HE1PR0702MB3772.eurprd07.prod.outlook.com ([fe80::8cd:496:65de:4ace%6]) with mapi id 15.20.3742.006; Fri, 8 Jan 2021 12:30:34 +0000
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "iesg@ietf.org" <iesg@ietf.org>, "magnus.westerlund=40ericsson.com@dmarc.ietf.org" <magnus.westerlund=40ericsson.com@dmarc.ietf.org>, "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, "supjps-ietf@jpshallow.com" <supjps-ietf@jpshallow.com>
CC: "valery@smyslov.net" <valery@smyslov.net>, "dots@ietf.org" <dots@ietf.org>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>, "draft-ietf-dots-signal-call-home@ietf.org" <draft-ietf-dots-signal-call-home@ietf.org>
Thread-Topic: [Dots] Magnus Westerlund's Discuss on draft-ietf-dots-signal-call-home-11: (with DISCUSS)
Thread-Index: AQHW1IEMs9vsdNy1dUKXFtQUcezc5qn7Z94AgAAI8ICAABFlgIAACniAgABCigCAAM7vgIABuBMAgAMSigCAAAn2YIAcWGSA
Date: Fri, 8 Jan 2021 12:30:34 +0000
Message-ID: <c9b470ba8e7ed9899a767ff00f5d26999c205c33.camel@ericsson.com>
References: <160821536495.8335.5498062431481972966@ietfa.amsl.com> <26637_1608218552_5FDB77B8_26637_63_1_787AE7BB302AE849A7480A190F8B93303159F25D@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <83fe6f11ec1cfcfd1f4c4493854c8ce6eaa542f4.camel@ericsson.com> <135d01d6d495$9b1b94e0$d152bea0$@jpshallow.com> <75351574777c1f8100f15474ff5c755f6334645a.camel@ericsson.com> <13d001d6d4bc$1c543870$54fca950$@jpshallow.com> <9a304e2ec6886de19ec54d2d56309442db652a02.camel@ericsson.com> <154a01d6d5ff$9d022ab0$d7068010$@jpshallow.com> <6d2f00810b5bc9ec3e8ab10fa7e75b824e0f9003.camel@ericsson.com> <14908_1608555829_5FE09D35_14908_286_4_787AE7BB302AE849A7480A190F8B9330315A056A@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <14908_1608555829_5FE09D35_14908_286_4_787AE7BB302AE849A7480A190F8B9330315A056A@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Evolution 3.28.5-0ubuntu0.18.04.2
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [158.174.130.243]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 1fe38d0d-4f95-474f-a156-08d8b3d1327b
x-ms-traffictypediagnostic: HE1PR0701MB2266:
x-microsoft-antispam-prvs: <HE1PR0701MB226646201227D4ECCB0973C795AE0@HE1PR0701MB2266.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: bdboSd8o3NiK+nhR5kYzXYYtwPr2V3yEtFdESF3DdcpstknqoOosQR+9vgPgIYzeaoK4K5k6xCaKawCV1asKhv5ZiERj0hSq9053LmNp7v1Qmw7GWO1lQTPzWUcEmMBDFdWfqCS1A9y+94HYt/Pi4AbWmZNZ6yu8Jw0/VEr+WzpG26wMJ3ZGjAGKI+fAMwOfPckwYAL21jauprru/iSo4iTMVKUXgrIMFZoyaaT+wznPuxnjO+E5n2bEtLz01OsyBeaShNMNg2WMfZXagAEtr/x/nQh0K8KR6ol0rmtoygMUcYkntV97UbkAnIszTzXnay4XlGLhRIcj1fzDvm0l0wz7NxNU3ypgC/6EVGugb/DHFGS/oIvxhIP24nG7kYOWQrQP4nbDF+j9CadIaPOjky0rrIL4r6UmWdFkN+gbZ/pewy5z6KjPx4UR/xdN5L52xStbNKLDTpgNaXbp5iOWsautbuLaVUwqedPJQtiJXJqtwhcmOFlXfXFwNfC+r5ksfEJKGiG+ZVmt14QwCoLHrA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0702MB3772.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(376002)(136003)(396003)(346002)(39860400002)(110136005)(316002)(6512007)(86362001)(54906003)(53546011)(66574015)(30864003)(4001150100001)(966005)(83380400001)(64756008)(44832011)(478600001)(6486002)(6506007)(36756003)(66616009)(186003)(66556008)(8936002)(66946007)(2906002)(2616005)(66476007)(8676002)(4326008)(26005)(99936003)(5660300002)(71200400001)(66446008)(76116006)(99106002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: =?utf-8?B?SmtPRW81eGdDOHRYM3l5OFVScjdDTWZ1OXROeGlFY1JkR3RKNGRXWHc5UW1j?= =?utf-8?B?eFVkaEhyeWtwam54blV5QWlveXgzUTdqT1ErZlNNeitOQ2wzaWJvRkVqdVlk?= =?utf-8?B?SUJHR0xxUXh0b25nZFlCdW9YcHVxUEFIcHVXbG5aR0tYb3dTcUwzTFlsQUhy?= =?utf-8?B?TjNaTEZwVmZqOHJlZzBBSWVrNW9UQzR2MWF3aENmYktTVWVqN0VwRit3ckU1?= =?utf-8?B?Y3lrN2doZkpvV2VHQ3IwK3Q0MjhzRUdiZXM3RTNSR2VpS0lWTTFRQnRuMzdM?= =?utf-8?B?Qm93S1JTSWNBcmx1dXQ2dWZjTmZiTmNuZlNzSTZkZnBCczAyeEFHUktzc1ZI?= =?utf-8?B?c1A5SHBjMlVyNVYwbERQdnQ0cGZuRHZ5WWNnaUs5aWdSYjZSSGMzUGRSdk40?= =?utf-8?B?S0FCM0Q0aUpRUFhPb0pzOE4xLzFhSXpGaTJKNktRcHhEOS9kT0hlYjJPeXlz?= =?utf-8?B?MTBqeTBaYWtGbmhTZ1R0NmpJRGRRVkpobmtOZHlWbEVXTnVEM3lKaXhFWmY5?= =?utf-8?B?TG1hQUNTMGZKZzNIbE1YYWgyRU9YL0tsVVlGSGx4WWJpbm4zNWdzRjJVRU10?= =?utf-8?B?L0ZXOVJVVTdhcENKbGpHdmZaY2p6SXR4RnNQalMzVkVWNlZrME1ZMnFqaEdh?= =?utf-8?B?N1FuaG1MWTYrVzlpT3dndU5JUzBzSXdSSzZ0ampHUXNTOWptOExUMDFsUjUz?= =?utf-8?B?YUVjYVdKc2QwaEMwbUl2UjN1ek14UjZTamVxTURSWVFGbWczNkU0aTdSNktv?= =?utf-8?B?Rjc1RTNJeTcwSGpCVDZyZ1ZPZ2dFNzF1eUNJaWVpTThPVjZsUnA3S01vYW5X?= =?utf-8?B?WEFWR1VyS3BwYXIrTDM0VUJ2SHYvZDFJQkdBTFdvckgxcGR3Szkxd0lYTit6?= =?utf-8?B?SnhVM25ZWEk5ODg1Z2E5Ym5Yc0pPaDI3VXZnRG5RTklrK2U0SmMrU09GdTdh?= =?utf-8?B?WjhiTjBqSEpUcFFsM2VjR1FuRzN0RGhNTXVxL2x5dFVTckIrSHhrZWhGcDFO?= =?utf-8?B?U1Q5ckJxVlE0MmFGTjlRU21XTTNOcEVJS0VKcW1BZjZlemxSbmZpbFpqWEJ2?= =?utf-8?B?OCtldWRGTmVhL2FyRXoxdDcvUEl6ZmFaSkNrTjdJL2lVU21UdUtmN3I1UlBi?= =?utf-8?B?bTJuNWVsWlMvYzFleldiNy9NajR6NmduY0hPanJUSC8wdW1GNjdSRFpsaSsr?= =?utf-8?B?SW85eVBCenRaZFFXY0RvWTRvaEVoWGo2Vkt1eHdlWC9leXhnWGJsQ1ZIVU5q?= =?utf-8?B?YlZ3Sm4wdWx0Qlc3NFN1bSs3WnJqQVdPOWtZT2h2UGNXeTV0MVhhVGUrbGJE?= =?utf-8?Q?2AQZSm52fBiRlJshCEETanvUzvS8txOqN2?=
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; micalg="sha-256"; protocol="application/x-pkcs7-signature"; boundary="=-jXMWW1XVZntAf+jNIS+t"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0702MB3772.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1fe38d0d-4f95-474f-a156-08d8b3d1327b
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Jan 2021 12:30:34.8045 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: E37GqtqDd7fpJR3hHTh9fyM5ZuV4fjtmGzQGEQLNvWrgJCxKt6W/ThZUP4MoiGFJhjUyXBzhtf08NYSzcrhV77fooUYEsroL2uUoz1U7iqY=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2266
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/_8xjDX2n68FnJm3D_bE0jESNvP0>
Subject: Re: [Dots] Magnus Westerlund's Discuss on draft-ietf-dots-signal-call-home-11: (with DISCUSS)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jan 2021 12:30:48 -0000

Hi,

I don't think restconf/netconf is particular relevant precedences for
assignment. These are older protocols, they are not based on COAP and don't have
the same facilities that would make additional port assignments unnecessary.

If you had designed how Dots signal call home from the start with the assumption
that they would share port, I don't think you would have had any issues. There
are sufficient mechanism in DTLS/COAP to ensure that this would not have been an
issue. We are where we are based on decisions the WG made along the way, and
also the implementation choices done in the current implementations. 

When it comes to guidance, I do think more should be written on the options to
avoid the need for additional ports and what to think about such designs in the
beginning. I might spend some cycles on this after my AD term is over. 

I do understand to make co-location easy you should have designed the name space
differently so that one would separate the call home usages in for example the
URI namespace. Or used a header field etc. 

So we are in an sort of impasse here. You don't want to change your protocol and
your implementations. I would prefer to not approve this assignment as it isn't
a necessary one and it sends a very wrong message to the community. 

Note, I am supportive in that DOTS in general got its first port, based on the
potential need for in network identification of the DOTS flow based on 5-tuple.
Which in itself is a double-edged sword as an attacker that is smart will use
the DOTS ports for its attack traffic. 

I intended to discuss this with the other ADs next Thursday. I think from my
perspective the main issue is how we reduce the number of unencessary port
request from IETF protocol work in the future. 

So what would you have needed to make the right choice earlier? Would a better
document about things to consider around ports and their usage in protocol
design helped you?

Yes. I will go to an abstain. 

Regards

Magnus




On Mon, 2020-12-21 at 13:03 +0000, mohamed.boucadair@orange.com wrote:
> Hi Magnus,
> 
> Thank you for sharing your thoughts. 
> 
> We considered seriously the use of a distinct port vs. using the one that is
> already assigned to dots-signal. We documented the rationale in an appendix
> and also provided a detailed answer to why we think reusing the existing port
> is not that straightforward. We already answered why SRV records are not
> sufficient. Please refer to the message we shared with you early in this
> thread: 
> https://mailarchive.ietf.org/arch/msg/dots/GQP-QCmC-4XtJHPmsPR_quuyO0c/ ((4)
> Why not using a dynamic port number following, e.g., draft-ietf-dots-server-
> discovery?). 
> 
> Also, we are familiar with existing BCPs. Please trust me, if dots-call-home
> was the same service as dots-signal, we wouldn't make the request. "DOTS
> server" and "DOTS client" are distinct and fully decoupled services. 
> dots-call-home is a distinct service vs dots-signal in the same way
> netconf/restconf-call-home is a distinct service vs netconf/restocnf. As a
> reminder, *** three (3) *** additional port numbers were assigned in
> rfc8071#section-6 for the call-home in addition to the already assigned ***
> four (4) *** port numbers for NETCONF.
> 
> The proposal to define a (DTLS) dispatcher and the internal machinery to steer
> the traffic to a specific service is, if it works, a ** new service ** per se,
> that it is worth to be assigned a dedicated port on it owns: "One service, one
> port". Yet, we don't have evidence that service is feasible/works. What would
> be helpful for the community in the future, is that tsv area provides a spec
> of such service and evidence that it works without side effects. With that
> service defined, protocols running on DTLS can be muxed on that port number.
> Nevertheless, we need to remind that the dispatcher service might be similar
> in its goals to TCPMUX, which is *** obsoleted *** for reasons documented in
> RFC7805.
> 
> Cheers,
> Med
> 
> > -----Message d'origine-----
> > De : Magnus Westerlund [mailto:magnus.westerlund@ericsson.com]
> > Envoyé : lundi 21 décembre 2020 12:03
> > À : iesg@ietf.org; magnus.westerlund=40ericsson.com@dmarc.ietf.org;
> > supjps-ietf@jpshallow.com; BOUCADAIR Mohamed TGI/OLN
> > <mohamed.boucadair@orange.com>
> > Cc : valery@smyslov.net; dots@ietf.org; dots-chairs@ietf.org; draft-
> > ietf-dots-signal-call-home@ietf.org
> > Objet : Re: [Dots] Magnus Westerlund's Discuss on draft-ietf-dots-
> > signal-call-home-11: (with DISCUSS)
> > 
> > Hi,
> > 
> > I will start my Christmas vacation tomorrow, so don't expect any
> > more responses
> > until after the 7th of December.
> > 
> > I am hearing what you are saying about implementability. However, I
> > have the
> > feeling that the WG design process have failed to take into account
> > some
> > relevant aspects here.
> > 
> > 1. You are using COAP which do share high level semantics with HTTP.
> > Thus,
> > different functionalites can easily be defined to work in parallel
> > on a server.
> > Thus it could have been easy to ensure that individual or coloated
> > dots-signal
> > and dots-call-home could be co-locate. Especially as you do have it
> > part of what
> > is considered.
> > 
> > 2. You got a port for dots-signal to enable firewalls and routers
> > etc to
> > identify and handle this traffic, otherwise I think dots-signal
> > would have been
> > leaned hard on using the default COAP port. Expecting to consume
> > another port
> > just because you didn't consider the constraints, which RFC6335 is
> > clear with I
> > think is tough for me to swallow.
> > 
> > 3. You have several ways of designing yourself out of these issues
> > that has been
> > raised. I understand this might be considered a late surprise, but
> > it shouldn't
> > if you had read the in force BCP.
> > 
> > My next question, do you actually need a fixed port at all for this.
> > The service
> > name enables you to do SRV look ups to find port and IP address for
> > the service.
> > Isn't that sufficient if you still want to run it on dedicated port
> > compared to
> > DOTS-signal?
> > 
> > Cheers
> > 
> > Magnus Westerlund
> > 
> > 
> > 
> > On Sat, 2020-12-19 at 12:08 +0000, supjps-ietf@jpshallow.com wrote:
> > > Hi Magnus,
> > > 
> > > Please see inline.
> > > 
> > > Regards
> > > 
> > > Jon
> > > 
> > > > -----Original Message-----
> > > > From: Magnus Westerlund [mailto:magnus.westerlund@ericsson.com]
> > > > Sent: 18 December 2020 09:53
> > > > To: iesg@ietf.org;
> > 
> > magnus.westerlund=40ericsson.com@dmarc.ietf.org; supjps-
> > > > ietf@jpshallow.com; mohamed.boucadair@orange.com
> > > > Cc: valery@smyslov.net; dots@ietf.org; dots-chairs@ietf.org;
> > 
> > draft-ietf-
> > > > dots-
> > > > signal-call-home@ietf.org
> > > > Subject: Re: [Dots] Magnus Westerlund's Discuss on draft-ietf-
> > 
> > dots-signal-
> > > > call-
> > > > home-11: (with DISCUSS)
> > > > 
> > > 
> > > ...
> > > > > > So I think there are several possible implementation paths
> > 
> > for this. I
> > > > > > see
> > > > > > at least
> > > > > > two.
> > > > > > 
> > > > > > First, do a 5-tuple connect on UDP to filter that particular
> > 
> > UDP flow,
> > > > > > process the
> > > > > > DTLS handshake for this socket and then based on ALPN decide
> > 
> > on target
> > > > > > process and then hand over the socket and the DTLS state to
> > 
> > the right
> > > > > > process.
> > > > > 
> > > > > [Jon] UDP has no concept of accept().  If you do a connect()
> > 
> > on a socket
> > > > > that
> > > > > you have just received data on, then that updates the 5 tuple
> > 
> > and then
> > > > > only
> > > > > receives traffic matching the tuple as expected. However, it
> > 
> > appears not
> > > > > possible to leave the original socket ready for the next
> > 
> > packet (from
> > > > > different IP etc.) and set up a new socket to specifically
> > 
> > handle the
> > > > > stream
> > > > > matching the packet just received, bind(same_port), do the
> > 
> > connect() on it
> > > > > etc. (the bind(same_port)fails in my test).
> > > > 
> > > > So I don't have a code exmample for this available, but I
> > 
> > thought you can
> > > > make
> > > > it work with so_reuseport/so_reuseaddr. There are some downside
> > 
> > in that the
> > > > new
> > > > socket can receive packets prior to the connect that just
> > 
> > arrive.
> > > > 
> > > 
> > > [Jon] I was using SO_REUSEADDR, but have found a bug in my test
> > 
> > code so I now
> > > able to bind(same_port).  While a new socket and connect() can be
> > 
> > done to
> > > match a new UDP client, it needs to be thought through when this
> > 
> > is done - the
> > > arrival of the first UDP packet, when the DTLS APLN is known, or
> > 
> > when the DTLS
> > > handshake is complete.  The DOTS stack we have is
> > > https://tools.ietf.org/html/rfc8782#section-3 Figure 3
> > > 
> > > DOTS
> > > CoAP
> > > DTLS
> > > UDP
> > > IP
> > > 
> > > [Jon] It is unclear to me as to how you can hand off a DTLS
> > 
> > context to a
> > > different, non identical process along with its socket (this may
> > 
> > be possible
> > > with OpenSSL, not sure about other TLS libraries - there is
> > 
> > limited kernel
> > > AF_KTLS support which may help).  DTLS session resumption then
> > 
> > also gets a lot
> > > more complicated.
> > > 
> > > [Jon] Then there is the challenge of how the received DTLS context
> > 
> > + socket
> > > are integrated into the CoAP & DTLS stack on the receiving
> > 
> > application so that
> > > things keep working.  In my port, it is the CoAP library that
> > 
> > handles the
> > > sockets, not the DOTS application which would mean having
> > 
> > customized code for
> > > the CoAP library - not ideal for maintenance long term.
> > > 
> > > [Jon] My surmise would be that implementors would say "forget this
> > 
> > complexity
> > > with its inherent risks and just use a non-standard port"
> > > 
> > > > > 
> > > > > > 
> > > > > > Secondly, is to run some type of front end dispatcher that
> > 
> > processes the
> > > > > > packets
> > > > > > and tracks all the different DTLS connection and have secure
> > 
> > message
> > > > 
> > > > passing
> > > > > > between the front end dispatcher and the different servers.
> > 
> > But this do
> > > > > > requie
> > > > > > another security model and trust relationship between the
> > 
> > dispatcher and
> > > > 
> > > > the
> > > > > > servers.
> > > > > 
> > > > > [Jon] This does complicate things.  The DOTS signal channel
> > 
> > requires
> > > > > mutual
> > > > > authentication of the agents and introducing some sort of man-
> > 
> > in-middle
> > > > > that
> > > > > changes the network flow IP addresses etc. and potentially
> > 
> > changes
> > > > > encryption
> > > > > characteristics breaks this mutual authentication.  It is not
> > 
> > easy to
> > > > > change
> > > > > how the base DOTS signal works.
> > > > 
> > > > Sorry, I don't understand why you bring in changes to network
> > 
> > flow IP
> > > > address. I
> > > > said secure communication here, and I mean internal to the
> > 
> > server software
> > > > between processes.
> > > 
> > > [Jon] I latched on to "different servers" as possibly having
> > 
> > different backend
> > > IPs.  Here, we actually have a DOTS server (sends responses) and a
> > 
> > DOTS client
> > > (generates requests) that traffic needs to be steered to.
> > > 
> > > > Basic interprocess communication here. Also, it might be
> > > > that
> > > > you can start the DTLS processing in the dispatcher and then
> > 
> > hand over the
> > > > DTLS
> > > > state and only have encrypted UDP payloads being dispatached.
> > > 
> > > [Jon] As above, it is unclear to me as to how you can hand off a
> > 
> > DTLS context
> > > to a different, non identical, process along with its socket and
> > 
> > then
> > > integrate the received DTLS context into the different
> > 
> > application.
> > > 
> > > > 
> > > > I would note that I think a lot of this dicsussion comes from
> > 
> > that the
> > > > implementation you made so far has been done based on the
> > 
> > assumption that
> > > > there
> > > > would be a new port and separation rather than designing for
> > 
> > coloaction. If
> > > > we
> > > > take the step beyond your current implenentation from a protocol
> > 
> > perspective
> > > > in
> > > > an implementation built for co-location is there really any
> > 
> > significant
> > > > issues
> > > > here?
> > > 
> > > [Jon] I am the sort of person that needs to implement something to
> > 
> > prove
> > > something is practically feasible, find what the issues are and
> > 
> > what needs to
> > > be changed based on a specification and then debate how the spec
> > 
> > needs to be
> > > updated to make it usable.
> > > 
> > > [Jon] DOTS call home did come later to the table after the initial
> > 
> > DOTS was
> > > done which created the DOTS client and DOTS server as different
> > 
> > applications
> > > in the implementations done to date.  Adding in the DOTS call home
> > 
> > logic was
> > > very simple (with different port) - simple addition of accepting
> > 
> > new
> > > connections on the call home DOTS client which triggered the
> > 
> > client logic
> > > start up and initiating connections on the call home DOTS server
> > 
> > and
> > > associated configuration logic.
> > > 
> > > [Jon] While it is only software and hence not impossible, it is
> > 
> > significant
> > > work to merge the client and server into a single application as
> > 
> > well as
> > > having to maintain separate applications for running on limited
> > 
> > resource
> > > devices.  We do not want to put in barriers to implementation of
> > 
> > this draft by
> > > making it complex to implement.  Hence using a different port for
> > 
> > the client
> > > service and the server service.
> > > 
> > > > 
> > > > 
> > > > Cheers
> > > > 
> > > > Magnus Westerlund
> > > 
> > > 
> 
> ______________________________________________________________________________
> ___________________________________________
> 
> Ce message et ses pieces jointes peuvent contenir des informations
> confidentielles ou privilegiees et ne doivent donc
> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce
> message par erreur, veuillez le signaler
> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages
> electroniques etant susceptibles d'alteration,
> Orange decline toute responsabilite si ce message a ete altere, deforme ou
> falsifie. Merci.
> 
> This message and its attachments may contain confidential or privileged
> information that may be protected by law;
> they should not be distributed, used or copied without authorisation.
> If you have received this email in error, please notify the sender and delete
> this message and its attachments.
> As emails may be altered, Orange is not liable for messages that have been
> modified, changed or falsified.
> Thank you.
>