IETF Logo Mail Archive

Re: [Dots] TLS APLN extension

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Mon, 28 May 2018 06:03 UTC

Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09D53124239 for <dots@ietfa.amsl.com>; Sun, 27 May 2018 23:03:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KiCvhFyN5oO4 for <dots@ietfa.amsl.com>; Sun, 27 May 2018 23:03:17 -0700 (PDT)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B55FC12421A for <dots@ietf.org>; Sun, 27 May 2018 23:03:17 -0700 (PDT)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1527487397; h=From: To:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-microsoft-exchange-diagnostics: x-ms-exchange-antispam-srfa-diagnostics:x-microsoft-antispam: x-ms-traffictypediagnostic:x-microsoft-antispam-prvs: x-exchange-antispam-report-test:x-ms-exchange-senderadcheck: x-exchange-antispam-report-cfa-test:x-forefront-prvs: x-forefront-antispam-report:received-spf:x-microsoft-antispam-message-info: spamdiagnosticoutput:spamdiagnosticmetadata: Content-Type:Content-Transfer-Encoding:MIME-Version: X-MS-Office365-Filtering-Correlation-Id:X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Level: X-NAI-Spam-Threshold:X-NAI-Spam-Score:X-NAI-Spam-Version; bh=3W5QMsVlNZBb9dOZ1y7YjuU8vzAXc/l2obFJIK V7geQ=; b=OIgVr+AWn2eI4E86WR6CdFrAH4dWWUaEE8wwz6Re Vvz+XW1v1CJwCjxfJtCxAyM1LCNU7TPItJQ0Vhr+eEqm0O+WIR miIFYDiTcmkSvDEly6jbsydzoMG3hr+SNzoYBKOOTPC4jneAQJ pZt12T/4GEDmUbcnpXV58FRKr7PulvY=
Received: from DNVEXAPP1N05.corpzone.internalzone.com (unknown [10.44.48.89]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 0cbe_6b86_80fe391c_f70d_4ec1_91f6_f57927065612; Mon, 28 May 2018 01:03:16 -0500
Received: from DNVEXUSR1N12.corpzone.internalzone.com (10.44.48.85) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Mon, 28 May 2018 00:02:47 -0600
Received: from DNVEXUSR1N09.corpzone.internalzone.com (10.44.48.82) by DNVEXUSR1N12.corpzone.internalzone.com (10.44.48.85) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Mon, 28 May 2018 00:02:47 -0600
Received: from DNVO365EDGE1.corpzone.internalzone.com (10.44.176.66) by DNVEXUSR1N09.corpzone.internalzone.com (10.44.48.82) with Microsoft SMTP Server (TLS) id 15.0.1347.2 via Frontend Transport; Mon, 28 May 2018 00:02:47 -0600
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (10.44.176.241) by edge.mcafee.com (10.44.176.66) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Mon, 28 May 2018 00:02:45 -0600
Received: from BN6PR16MB1425.namprd16.prod.outlook.com (10.172.207.19) by BN6PR16MB1540.namprd16.prod.outlook.com (10.172.208.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.797.11; Mon, 28 May 2018 06:02:43 +0000
Received: from BN6PR16MB1425.namprd16.prod.outlook.com ([fe80::601e:a909:b9fe:31bd]) by BN6PR16MB1425.namprd16.prod.outlook.com ([fe80::601e:a909:b9fe:31bd%8]) with mapi id 15.20.0797.017; Mon, 28 May 2018 06:02:43 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Jon Shallow <supjps-ietf@jpshallow.com>, 'Benjamin Kaduk' <kaduk@mit.edu>, "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] TLS APLN extension
Thread-Index: AdPw2PQOXpzyKiqHQ7+v5FEn8F2ThwAyFv1gACMjQgAAEIhhgAD2J+BA
Date: Mon, 28 May 2018 06:02:43 +0000
Message-ID: <BN6PR16MB142569E727B738DA81844E73EA6E0@BN6PR16MB1425.namprd16.prod.outlook.com>
References: <13d301d3f0d8$f66f7c60$e34e7520$@jpshallow.com> <787AE7BB302AE849A7480A190F8B93302DF1E28F@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <20180523003451.GG10597@kduck.kaduk.org> <15bc01d3f26f$fecf3380$fc6d9a80$@jpshallow.com>
In-Reply-To: <15bc01d3f26f$fecf3380$fc6d9a80$@jpshallow.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.0.300.84
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [103.245.47.20]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN6PR16MB1540; 7:Bl/vN5OsCipZbZ8hmmOKVqndPKlJ7DNPBx5Kv4n8ylq1o99rgmh9xE8yQf6S2WmvAoN6ZZ4ZB7NZSeMRigm7dSh/AcJdo5zky6pxWd3V+kk8CMOgZUy6vH8tL+7P/6r5BRhFg4VhadXVKbh3v5p+I/7FdwMcY4lR51/Kh+Fku+1MY86fm0HYpWdUaNT4Y5kA0S6Z8hmJCi1fsqlo+s/93cF4EL2cHdOA047dN26FVEwLlpTpwsCM79if064ucNnl
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(5600026)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020); SRVR:BN6PR16MB1540;
x-ms-traffictypediagnostic: BN6PR16MB1540:
x-microsoft-antispam-prvs: <BN6PR16MB154067FC588D989B7632EF15EA6E0@BN6PR16MB1540.namprd16.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(18271650672692)(240460790083961);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(93006095)(93001095)(10201501046)(3002001)(3231254)(944501410)(52105095)(149027)(150027)(6041310)(20161123562045)(20161123560045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(6072148)(201708071742011)(7699016); SRVR:BN6PR16MB1540; BCL:0; PCL:0; RULEID:; SRVR:BN6PR16MB1540;
x-forefront-prvs: 06860EDC7B
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(376002)(39380400002)(39850400004)(346002)(396003)(32952001)(189003)(199004)(57704003)(13464003)(33656002)(7696005)(74316002)(316002)(2900100001)(66066001)(966005)(97736004)(6436002)(2501003)(80792005)(229853002)(5660300001)(305945005)(72206003)(478600001)(9686003)(105586002)(5250100002)(53936002)(99286004)(486006)(2201001)(7736002)(186003)(476003)(93886005)(26005)(86362001)(3846002)(6116002)(106356001)(68736007)(102836004)(8676002)(55016002)(110136005)(6306002)(3660700001)(8936002)(81166006)(76176011)(2906002)(53546011)(6246003)(25786009)(3280700002)(14454004)(2171002)(59450400001)(81156014)(11346002)(446003)(6506007)(217873001)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:BN6PR16MB1540; H:BN6PR16MB1425.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 3OWqcMGWYxmZtmKy+Ab/2Tf5PumKN1GEuJNbqF8XXLHWnM8TqAaYL7uZ9VZh6cnXc9NB1RQzeexxu6rlS9CRteZK0ykb+MNrSmfrnBEGX5foRt1Kb0B2tZsRWPqN/W0DR8Ds21LcJG68UXMM3MfkF3a5DmalFAT9rDsUZPAe3G8k4Lkcw+qF2uH41Zb0EIMiWprFss0EWZ68SpLFLhfu2A==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Office365-Filtering-Correlation-Id: 189810dd-5913-4834-d6a8-08d5c460a096
X-MS-Exchange-CrossTenant-Network-Message-Id: 189810dd-5913-4834-d6a8-08d5c460a096
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 May 2018 06:02:43.1062 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR16MB1540
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Level:
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0.1
X-NAI-Spam-Version: 2.3.0.9418 : core <6294> : inlines <6661> : streams <1788017> : uri <2648445>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/bVy1o2Cfsxae-XDH5SOtzkq4oVc>
Subject: Re: [Dots] TLS APLN extension
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 May 2018 06:03:20 -0000

Although coaps+tcp URI scheme is used by DOTS signal channel, we have not yet seen any requirement where multiple protocols will be run on the DOTS server port number 4646. 
I don't see the need to define a new ALPN for DOTS signal channel.

Cheers
-Tiru

> -----Original Message-----
> From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Jon Shallow
> Sent: Wednesday, May 23, 2018 1:58 PM
> To: 'Benjamin Kaduk' <kaduk@mit.edu>; mohamed.boucadair@orange.com;
> dots@ietf.org
> Subject: Re: [Dots] TLS APLN extension
> 
> 
> 
> Hi Ben,
> 
> The DOTS signal spec calls for CoAP secured by running over (D)TLS (either
> UDP and/or TCP), and CoAP over TLS is coaps+tcp.  So, yes, both coaps and
> coaps+tcp have to be supported.
> 
> For example, I can use the github libcoap coap-client (Pull Request #176
> installed) and do "coap-client -c cert.pem
> coaps+tcp://127.0.0.1:4646/.well-known/dots/v1/config" against my DOTS
> server and get back binary data (it is CBOR encoded).
> 
> Regards
> 
> Jon
> 
> -----Original Message-----
> From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Benjamin Kaduk
> Sent: 23 May 2018 01:35
> To: mohamed.boucadair@orange.com
> Cc: Jon Shallow; dots@ietf.org
> Subject: Re: [Dots] TLS APLN extension
> 
> The dedicated port number is only somewhat relevant, I think -- the main
> question is whether the coaps+tcp URI scheme is in use.  The RFC 8323
> requirements only come into play for that URI scheme.
> 
> -Ben
> 
> On Tue, May 22, 2018 at 07:54:39AM +0000,
> mohamed.boucadair@orange.com
> wrote:
> > Re-,
> >
> > Do we need this given that DOTS is using a dedicated port number?
> >
> > Cheers,
> > Med
> >
> > De : Dots [mailto:dots-bounces@ietf.org] De la part de Jon Shallow
> > Envoyé : lundi 21 mai 2018 09:55 À : dots@ietf.org Objet : [Dots] TLS
> > APLN extension
> >
> > Hi there,
> >
> > As per RFC 8323: 8.2.  coaps+tcp URI Scheme
> >
> > ....
> >
> >    o  If a TLS server does not support the Application-Layer Protocol
> >       Negotiation (ALPN) extension [RFC7301] or wishes to accommodate
> >       TLS clients that do not support ALPN, it MAY offer a coaps+tcp
> >       endpoint on TCP port 5684.  This endpoint MAY also be ALPN
> >       enabled.  A TLS server MAY offer coaps+tcp endpoints on ports
> >       other than TCP port 5684, which MUST be ALPN enabled.
> >
> >    o  For TCP ports other than port 5684, the TLS client MUST use the
> >       ALPN extension to advertise the "coap" protocol identifier (see
> >       Section 11.7) in the list of protocols in its ClientHello.  If the
> >       TCP server selects and returns the "coap" protocol identifier
> >       using the ALPN extension in its ServerHello, then the connection
> >       succeeds.  If the TLS server either does not negotiate the ALPN
> >       extension or returns a no_application_protocol alert, the TLS
> >       client MUST close the connection.
> >
> > Do we need to refer to the requirement for ALPN as we are not hosting
> > on
> port 5684?
> >
> > Regards
> >
> > Jon
> 
> > _______________________________________________
> > Dots mailing list
> > Dots@ietf.org
> > https://www.ietf.org/mailman/listinfo/dots
> 
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots
> 
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email