Re: [Dots] Magnus Westerlund's Discuss on draft-ietf-dots-signal-call-home-11: (with DISCUSS)

Magnus Westerlund <magnus.westerlund@ericsson.com> Fri, 18 December 2020 09:53 UTC

From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "iesg@ietf.org" <iesg@ietf.org>, "magnus.westerlund=40ericsson.com@dmarc.ietf.org" <magnus.westerlund=40ericsson.com@dmarc.ietf.org>, "supjps-ietf@jpshallow.com" <supjps-ietf@jpshallow.com>, "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>
CC: "valery@smyslov.net" <valery@smyslov.net>, "dots@ietf.org" <dots@ietf.org>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>, "draft-ietf-dots-signal-call-home@ietf.org" <draft-ietf-dots-signal-call-home@ietf.org>
Date: Fri, 18 Dec 2020 09:53:11 +0000
Message-ID: <9a304e2ec6886de19ec54d2d56309442db652a02.camel@ericsson.com>
References: <160821536495.8335.5498062431481972966@ietfa.amsl.com> <26637_1608218552_5FDB77B8_26637_63_1_787AE7BB302AE849A7480A190F8B93303159F25D@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <83fe6f11ec1cfcfd1f4c4493854c8ce6eaa542f4.camel@ericsson.com> <135d01d6d495$9b1b94e0$d152bea0$@jpshallow.com> <75351574777c1f8100f15474ff5c755f6334645a.camel@ericsson.com> <13d001d6d4bc$1c543870$54fca950$@jpshallow.com>
In-Reply-To: <13d001d6d4bc$1c543870$54fca950$@jpshallow.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/aAuL6njvycpGEH1822MScSnzACA>

Hi

Please see below

On Thu, 2020-12-17 at 21:32 +0000, supjps-ietf@jpshallow.com wrote:
> Hi Marcus,
> 
> Thanks for coming back on this and the suggestions.
> 
> Please see inline.
> 
> Regards
> 
> Jon
> 
> > -----Original Message-----
> > From: Magnus Westerlund [mailto:
> > magnus.westerlund=40ericsson.com@dmarc.ietf.org]
> > 
> > 
> > > 
> > > > Based on what you write in your email to my understanding ALPN in
> > > > (D)TLS would work fairly well to dispatch the secured connection to
> > > > the individual implementation of DOTS-signal and Dots-call home if that
> > > > is needed.
> > > 
> > > When using TCP, it is relatively easy to dispatch a secured connection
> > > and attach it to, say a forked copy of the appropriate application or
> > > a new thread in the application which then does all the network i/o
> > > over that secured connection.
> > > 
> > > However, for UDP from an implementation perspective, I cannot see how
> > > this can be done so the network stack can itself steer each input
> > > packet to the appropriate application when the traffic arrives on the
> > > same IP and port (only one application can receive traffic on a
> > > specific udp port).  I welcome any wisdom on how to do this.
> > 
> > So I think there are several possible implementation paths for this. I see
> > at least two.
> > 
> > First, do a 5-tuple connect on UDP to filter that particular UDP flow,
> > process the DTLS handshake for this socket and then based on ALPN decide on
> > target process and then hand over the socket and the DTLS state to the right
> > process.
> 
> [Jon] UDP has no concept of accept().  If you do a connect() on a socket that
> you have just received data on, then that updates the 5 tuple and then only
> receives traffic matching the tuple as expected. However, it appears not
> possible to leave the original socket ready for the next packet (from
> different IP etc.) and set up a new socket to specifically handle the stream
> matching the packet just received, bind(same_port), do the connect() on it
> etc. (the bind(same_port) fails in my test).

So I don't have a code example for this available, but I thought you can make
it work with SO_REUSEPORT/SO_REUSEADDR. There are some downsides in that the new
socket can receive packets that arrive before the connect.

> 
> > 
> > Secondly, is to run some type of front end dispatcher that processes the
> > packets and tracks all the different DTLS connections and have secure
> > message passing between the front end dispatcher and the different servers.
> > But this does require another security model and trust relationship between
> > the dispatcher and the servers.
> 
> [Jon] This does complicate things.  The DOTS signal channel requires mutual
> authentication of the agents and introducing some sort of man-in-middle that
> changes the network flow IP addresses etc. and potentially changes encryption
> characteristics breaks this mutual authentication.  It is not easy to change
> how the base DOTS signal works.

Sorry, I don't understand why you bring in changes to network flow IP address. I
said secure communication here, and I mean internal to the server software
between processes. Basic interprocess communication here. Also, it might be that
you can start the DTLS processing in the dispatcher and then hand over the DTLS
state and only have encrypted UDP payloads being dispatched.

I would note that I think a lot of this discussion comes from the fact that the
implementation you made so far has been done based on the assumption that there
would be a new port and separation rather than designing for co-location. If we
take the step beyond your current implementation from a protocol perspective, in
an implementation built for co-location are there really any significant issues
here?


Cheers

Magnus Westerlund
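The per-flow UDP handover that Magnus sketches (after the first datagram of a flow arrives on the listening socket, bind a fresh socket to the same port, connect() it to the peer's 5-tuple, and hand it to the right handler) together with the caveat he raises (the new socket may receive datagrams that arrive before the connect), as an added example that is not part of this thread, of the DOTS drafts, or of any implementation mentioned here. It uses Python's socket module because it maps one-to-one onto the POSIX calls; the loopback addresses, payloads and the choice of SO_REUSEADDR alone (rather than SO_REUSEPORT) are assumptions made for this example, checked on Linux.

```python
"""Per-flow UDP socket handover on a single port (added example, not DOTS code).

Sequence:
  1. The listener, bound to addr:port with SO_REUSEADDR, receives the first
     datagram of a new flow (a DTLS ClientHello in the DOTS case).
  2. A second socket, also SO_REUSEADDR, is bound to the SAME addr:port and
     connect()ed to the peer. The kernel now prefers this socket for that
     5-tuple (a connected socket scores higher than the wildcard listener),
     while the listener keeps receiving datagrams from everyone else.
  3. The connected socket and the first datagram go to the per-flow handler
     (e.g. the DTLS server selected by ALPN).

Caveat from the thread: between bind() and connect() the new socket is
indistinguishable from the listener, so a datagram from another peer may
already be queued on it. A handler must check the source address of every
datagram it dequeues and hand strays back instead of feeding them to its
DTLS state.

Assumption: Linux, where SO_REUSEADDR alone permits the double bind for UDP
(BSD-derived stacks generally need SO_REUSEPORT too). SO_REUSEPORT is not set
here because on Linux it enables hash-based distribution across the socket
group, which is a different delivery model.
"""
import socket

LOOPBACK = "127.0.0.1"  # constructed test address; a real server binds its DOTS address


def make_listener(host=LOOPBACK, port=0):
    """The long-lived socket that sees the first datagram of every flow."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    return s


def split_flow(listener, peer):
    """Bind a fresh socket to the listener's addr:port and connect it to peer."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(listener.getsockname())  # works only because both sockets set SO_REUSEADDR
    s.connect(peer)                 # from here on the kernel steers peer's datagrams to s
    return s


def dequeue_checked(sock, expected_peer, strays):
    """Return the next datagram if it came from expected_peer, else park it in strays."""
    data, addr = sock.recvfrom(65535)
    if addr != expected_peer:
        strays.append((data, addr))  # e.g. queued before connect(); not this flow's traffic
        return None
    return data


def demo(timeout=0.5):
    """Run the handover on loopback and report what each socket received."""
    listener = make_listener()
    server = listener.getsockname()
    peer_a = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    peer_b = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    peer_a.bind((LOOPBACK, 0))
    peer_b.bind((LOOPBACK, 0))
    listener.settimeout(timeout)

    peer_a.sendto(b"A-hello", server)            # 1. first datagram of A's flow
    first, addr_a = listener.recvfrom(65535)

    flow_a = split_flow(listener, addr_a)        # 2. A's flow gets its own socket
    flow_a.settimeout(timeout)

    peer_a.sendto(b"A-data", server)             # 3. later A traffic -> flow_a
    peer_b.sendto(b"B-hello", server)            #    new peer B -> listener
    strays = []
    a_data = dequeue_checked(flow_a, addr_a, strays)
    b_first, addr_b = listener.recvfrom(65535)

    try:                                         # flow_a never sees B's 5-tuple
        flow_a.recvfrom(65535)
        leaked = True
    except socket.timeout:
        leaked = False

    peer_b.sendto(b"B-again", server)            # source check rejects a non-A datagram
    stray_probe = dequeue_checked(listener, addr_a, strays)

    b_on_listener = addr_b == peer_b.getsockname()
    for s in (listener, flow_a, peer_a, peer_b):
        s.close()
    return {"first": first, "a_data": a_data, "b_first": b_first,
            "b_on_listener": b_on_listener, "leaked": leaked,
            "stray_probe": stray_probe, "strays": strays, "addr_b": addr_b}


if __name__ == "__main__":
    print(demo())
```

The point to take from the run is the split of responsibilities: the kernel does the steering once the second socket is connected, so the listener never has to forward A's packets itself, but the handler still has to validate the source of anything it dequeues, because the bind-to-connect window is exactly the race Magnus describes.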