Re: [Dots] TLS APLN extension
<mohamed.boucadair@orange.com> Tue, 29 May 2018 09:38 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4397012D965 for <dots@ietfa.amsl.com>; Tue, 29 May 2018 02:38:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mgUAARRiD-LA for <dots@ietfa.amsl.com>; Tue, 29 May 2018 02:38:19 -0700 (PDT)
Received: from orange.com (mta136.mail.business.static.orange.com [80.12.70.36]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F401612EA42 for <dots@ietf.org>; Tue, 29 May 2018 02:38:18 -0700 (PDT)
Received: from opfednr04.francetelecom.fr (unknown [xx.xx.xx.68]) by opfednr25.francetelecom.fr (ESMTP service) with ESMTP id CD7BB1806AE; Tue, 29 May 2018 11:38:17 +0200 (CEST)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.2]) by opfednr04.francetelecom.fr (ESMTP service) with ESMTP id AB23A400B8; Tue, 29 May 2018 11:38:17 +0200 (CEST)
Received: from OPEXCLILMA3.corporate.adroot.infra.ftgroup ([fe80::60a9:abc3:86e6:2541]) by OPEXCLILM21.corporate.adroot.infra.ftgroup ([fe80::e92a:c932:907e:8f06%19]) with mapi id 14.03.0389.001; Tue, 29 May 2018 11:38:17 +0200
From: mohamed.boucadair@orange.com
To: Jon Shallow <supjps-ietf@jpshallow.com>, "'Konda, Tirumaleswar Reddy'" <TirumaleswarReddy_Konda@mcafee.com>, Benjamin Kaduk <kaduk@mit.edu>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] TLS APLN extension
Thread-Index: AQF7fY0SEnbbzScVHebrKQTjRWAcaAIi09JrAU1FL/ABpTg7WwITkQo3AlFTTtUCAn+wpwGSMkFzAlhh1J8AmoNr6AJ1YtACpGOMeTCAAB8ZgA==
Date: Tue, 29 May 2018 09:38:16 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302DF21E64@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
References: <13d301d3f0d8$f66f7c60$e34e7520$@jpshallow.com> <787AE7BB302AE849A7480A190F8B93302DF1E28F@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <20180523003451.GG10597@kduck.kaduk.org> <15bc01d3f26f$fecf3380$fc6d9a80$@jpshallow.com> <BN6PR16MB142569E727B738DA81844E73EA6E0@BN6PR16MB1425.namprd16.prod.outlook.com> <18b001d3f65f$8d47df20$a7d79d60$@jpshallow.com> <BN6PR16MB14254F55D58FD5EE301C6CADEA6E0@BN6PR16MB1425.namprd16.prod.outlook.com> <18d701d3f66a$bfd2dcf0$3f7896d0$@jpshallow.com> <BN6PR16MB1425C4A5A36C10D3F2961038EA6E0@BN6PR16MB1425.namprd16.prod.outlook.com> <192201d3f692$62c4a930$284dfb90$@jpshallow.com> <BN6PR16MB1425A7BC48FD29D05B88E2B6EA6D0@BN6PR16MB1425.namprd16.prod.outlook.com> <196a01d3f720$a44ab550$ece01ff0$@jpshallow.com>
In-Reply-To: <196a01d3f720$a44ab550$ece01ff0$@jpshallow.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.168.234.2]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/iWzWWK0PnceidaAIf4OdTm-RtF8>
Subject: Re: [Dots] TLS APLN extension
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 May 2018 09:38:22 -0000
Re-, I updated the draft accordingly. Cheers, Med > -----Message d'origine----- > De : Jon Shallow [mailto:supjps-ietf@jpshallow.com] > Envoyé : mardi 29 mai 2018 09:43 > À : 'Konda, Tirumaleswar Reddy'; Benjamin Kaduk; BOUCADAIR Mohamed IMT/OLN; > dots@ietf.org > Objet : RE: [Dots] TLS APLN extension > > Hi Tiru, > > Suggested text looks good to me. > > Regards > > Jon > > -----Original Message----- > From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Konda, Tirumaleswar > Reddy > Sent: 29 May 2018 08:09 > To: Jon Shallow; Benjamin Kaduk; mohamed.boucadair@orange.com; dots@ietf.org > Subject: Re: [Dots] TLS APLN extension > > > -----Original Message----- > > From: Jon Shallow [mailto:supjps-ietf@jpshallow.com] > > Sent: Monday, May 28, 2018 8:15 PM > > To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; > > Benjamin Kaduk <kaduk@mit.edu>; mohamed.boucadair@orange.com; > > dots@ietf.org > > Subject: RE: [Dots] TLS APLN extension > > > > This email originated from outside of the organization. Do not click links > or > > open attachments unless you recognize the sender and know the content is > safe. > > > > -----Original Message----- > > From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Konda, Tirumaleswar > > Reddy > > Sent: 28 May 2018 14:28 > > To: Jon Shallow; Benjamin Kaduk; mohamed.boucadair@orange.com; > > dots@ietf.org > > Subject: Re: [Dots] TLS APLN extension > > > > > -----Original Message----- > > > From: Jon Shallow [mailto:supjps-ietf@jpshallow.com] > > > Sent: Monday, May 28, 2018 3:31 PM > > > To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; > > > Benjamin Kaduk <kaduk@mit.edu>; mohamed.boucadair@orange.com; > > > dots@ietf.org > > > Subject: RE: [Dots] TLS APLN extension > > > > > > This email originated from outside of the organization. Do not click > > > links or open attachments unless you recognize the sender and know the > > content is safe. > > > > > > Hi Tiru, > > > > > > I agree the DOTS server has to send back a "coap" if it receives a > > > ALPN request over TCP. Do we need to state this in the Draft? > > > > No, but I think https://tools.ietf.org/html/draft-ietf-dots-signal-channel- > > 19#section-3 needs to point to both > > RFC7252 and RFC8323. > > > > [Jon] Agreed. Are you able to do this with some suitable wrapper text? > > Proposed text: > DOTS signal channel uses the "coaps" URI scheme defined in Section 6 of > RFC7252 and "coaps+tcp" URI scheme defined in > section 8.2 of RFC 8323 to identify DOTS server resources accessible using > CoAP over UDP secured with DTLS and > CoAP over TCP secured with TLS. > > -Tiru > > > ~Jon > > > > Cheers, > > -Tiru > > > > > > > > Regards > > > > > > Jon > > > > > > -----Original Message----- > > > From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Konda, > > > Tirumaleswar Reddy > > > Sent: 28 May 2018 10:49 > > > To: Jon Shallow; Benjamin Kaduk; mohamed.boucadair@orange.com; > > > dots@ietf.org > > > Subject: Re: [Dots] TLS APLN extension > > > > > > > -----Original Message----- > > > > From: Jon Shallow [mailto:supjps-ietf@jpshallow.com] > > > > Sent: Monday, May 28, 2018 2:11 PM > > > > To: Konda, Tirumaleswar Reddy > > <TirumaleswarReddy_Konda@McAfee.com>; > > > > Benjamin Kaduk <kaduk@mit.edu>; mohamed.boucadair@orange.com; > > > > dots@ietf.org > > > > Subject: RE: [Dots] TLS APLN extension > > > > > > > > > > > > > > > > Hi Tiru, > > > > > > > > I agree that it makes no sense to have our own ALPN - "coap" is fine > > > > as that is describing the next protocol layer up. However, I did > > > > raise the question in case the DOTS Server needs to respond to a > > > > DOTS client that is correctly following RFC 8323 and expecting to > > > > see back a ALPN > > > response. > > > > > > The DOTS server will not be running on 5684. If the DOTS server is > > > correctly following RFC8323, it should respond with ALPN response "coap". > > > > > > -Tiru > > > > > > > > > > > "If the TLS server either does not negotiate the ALPN extension or > > > > returns a no_application_protocol alert, the TLS client MUST close > > > > the > > > connection." > > > > > > > > Regards > > > > > > > > Jon > > > > > > > > -----Original Message----- > > > > From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Konda, > > > > Tirumaleswar Reddy > > > > Sent: 28 May 2018 07:03 > > > > To: Jon Shallow; 'Benjamin Kaduk'; mohamed.boucadair@orange.com; > > > > dots@ietf.org > > > > Subject: Re: [Dots] TLS APLN extension > > > > > > > > Although coaps+tcp URI scheme is used by DOTS signal channel, we > > > > have not yet seen any requirement where multiple protocols will be > > > > run on the DOTS server port number 4646. > > > > I don't see the need to define a new ALPN for DOTS signal channel. > > > > > > > > Cheers > > > > -Tiru > > > > > > > > > -----Original Message----- > > > > > From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Jon Shallow > > > > > Sent: Wednesday, May 23, 2018 1:58 PM > > > > > To: 'Benjamin Kaduk' <kaduk@mit.edu>; > > > > > mohamed.boucadair@orange.com; dots@ietf.org > > > > > Subject: Re: [Dots] TLS APLN extension > > > > > > > > > > > > > > > > > > > > Hi Ben, > > > > > > > > > > The DOTS signal spec calls for CoAP secured by running over (D)TLS > > > > > (either UDP and/or TCP), and CoAP over TLS is coaps+tcp. So, yes, > > > > > both coaps and > > > > > coaps+tcp have to be supported. > > > > > > > > > > For example, I can use the github libcoap coap-client (Pull > > > > > Request > > > > > #176 > > > > > installed) and do "coap-client -c cert.pem > > > > > coaps+tcp://127.0.0.1:4646/.well-known/dots/v1/config" against my > > > > > coaps+DOTS > > > > > server and get back binary data (it is CBOR encoded). > > > > > > > > > > Regards > > > > > > > > > > Jon > > > > > > > > > > -----Original Message----- > > > > > From: Dots [mailto: dots-bounces@ietf.org] On Behalf Of Benjamin > > > > > Kaduk > > > > > Sent: 23 May 2018 01:35 > > > > > To: mohamed.boucadair@orange.com > > > > > Cc: Jon Shallow; dots@ietf.org > > > > > Subject: Re: [Dots] TLS APLN extension > > > > > > > > > > The dedicated port number is only somewhat relevant, I think -- > > > > > the main question is whether the coaps+tcp URI scheme is in use. > > > > > The RFC > > > > > 8323 requirements only come into play for that URI scheme. > > > > > > > > > > -Ben > > > > > > > > > > On Tue, May 22, 2018 at 07:54:39AM +0000, > > > > mohamed.boucadair@orange.com > > > > > wrote: > > > > > > Re-, > > > > > > > > > > > > Do we need this given that DOTS is using a dedicated port number? > > > > > > > > > > > > Cheers, > > > > > > Med > > > > > > > > > > > > De : Dots [mailto:dots-bounces@ietf.org] De la part de Jon > > > > > > Shallow Envoyé : lundi 21 mai 2018 09:55 À : dots@ietf.org Objet > > > > > > : [Dots] TLS APLN extension > > > > > > > > > > > > Hi there, > > > > > > > > > > > > As per RFC 8323: 8.2. coaps+tcp URI Scheme > > > > > > > > > > > > .... > > > > > > > > > > > > o If a TLS server does not support the Application-Layer > Protocol > > > > > > Negotiation (ALPN) extension [RFC7301] or wishes to > accommodate > > > > > > TLS clients that do not support ALPN, it MAY offer a > coaps+tcp > > > > > > endpoint on TCP port 5684. This endpoint MAY also be ALPN > > > > > > enabled. A TLS server MAY offer coaps+tcp endpoints on ports > > > > > > other than TCP port 5684, which MUST be ALPN enabled. > > > > > > > > > > > > o For TCP ports other than port 5684, the TLS client MUST use > the > > > > > > ALPN extension to advertise the "coap" protocol identifier > (see > > > > > > Section 11.7) in the list of protocols in its ClientHello. > If the > > > > > > TCP server selects and returns the "coap" protocol identifier > > > > > > using the ALPN extension in its ServerHello, then the > connection > > > > > > succeeds. If the TLS server either does not negotiate the > ALPN > > > > > > extension or returns a no_application_protocol alert, the TLS > > > > > > client MUST close the connection. > > > > > > > > > > > > Do we need to refer to the requirement for ALPN as we are not > > > > > > hosting on > > > > > port 5684? > > > > > > > > > > > > Regards > > > > > > > > > > > > Jon > > > > > > > > > > > _______________________________________________ > > > > > > Dots mailing list > > > > > > Dots@ietf.org > > > > > > https://www.ietf.org/mailman/listinfo/dots > > > > > > > > > > _______________________________________________ > > > > > Dots mailing list > > > > > Dots@ietf.org > > > > > https://www.ietf.org/mailman/listinfo/dots > > > > > > > > > > _______________________________________________ > > > > > Dots mailing list > > > > > Dots@ietf.org > > > > > https://www.ietf.org/mailman/listinfo/dots > > > > _______________________________________________ > > > > Dots mailing list > > > > Dots@ietf.org > > > > https://www.ietf.org/mailman/listinfo/dots > > > > > > _______________________________________________ > > > Dots mailing list > > > Dots@ietf.org > > > https://www.ietf.org/mailman/listinfo/dots > > > > _______________________________________________ > > Dots mailing list > > Dots@ietf.org > > https://www.ietf.org/mailman/listinfo/dots > > _______________________________________________ > Dots mailing list > Dots@ietf.org > https://www.ietf.org/mailman/listinfo/dots
- [Dots] TLS APLN extension Jon Shallow
- Re: [Dots] TLS APLN extension mohamed.boucadair
- Re: [Dots] TLS APLN extension Benjamin Kaduk
- Re: [Dots] TLS APLN extension Jon Shallow
- Re: [Dots] TLS APLN extension Konda, Tirumaleswar Reddy
- Re: [Dots] TLS APLN extension Jon Shallow
- Re: [Dots] TLS APLN extension Konda, Tirumaleswar Reddy
- Re: [Dots] TLS APLN extension Jon Shallow
- Re: [Dots] TLS APLN extension Konda, Tirumaleswar Reddy
- Re: [Dots] TLS APLN extension Jon Shallow
- Re: [Dots] TLS APLN extension Konda, Tirumaleswar Reddy
- Re: [Dots] TLS APLN extension Jon Shallow
- Re: [Dots] TLS APLN extension mohamed.boucadair