IETF Logo Mail Archive

Re: [dtn] [EXT] Re: Important side issues from ACME Node ID Validation draft

"Birrane, Edward J." <Edward.Birrane@jhuapl.edu> Mon, 23 August 2021 16:12 UTC

Return-Path: <Edward.Birrane@jhuapl.edu>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18F703A124E for <dtn@ietfa.amsl.com>; Mon, 23 Aug 2021 09:12:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=jhuapl.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lMQu8F7wX78t for <dtn@ietfa.amsl.com>; Mon, 23 Aug 2021 09:12:21 -0700 (PDT)
Received: from aplegw02.jhuapl.edu (aplegw02.jhuapl.edu [128.244.251.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FA1C3A124F for <dtn@ietf.org>; Mon, 23 Aug 2021 09:12:21 -0700 (PDT)
Received: from pps.filterd (aplegw02.jhuapl.edu [127.0.0.1]) by aplegw02.jhuapl.edu (8.16.0.43/8.16.0.43) with SMTP id 17NG8rrn160385; Mon, 23 Aug 2021 12:12:19 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jhuapl.edu; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=JHUAPLDec2018; bh=Qsm3aUwkOxxw30Dj9CMyLbIuLkt5uNRTCMieCTFgiKo=; b=mfRBJbKoFR0ti9QfNUvPQciT8rYg4crcgKsUwFCtdgAf4vRhHOctpG2qmuuQsuZYhl0B LgwxBKgGXkh7Gg8tfZWouxzv/BJqaiCw9GEt89uD0AhIsOJ3UJeHB4bJbZWVe/4/Kkzq wh1i1t5UdCsRicUlUA67QXRvoVXuv2cjjTqnd3DchV7V6QPXggpA/8Za/jxPhqHVLL68 vh4ywRpAJKYFxYxXT8tEsvoaCAyyYrpRn64ZLjds2q9UZaSpa1ZwDCxVTFU0st10wpDo CE9vNBQ4NHvfDtnweOYttZFMGNjjleslW5VwQFsj2ieNvUZfusbAmtuMIdsxLQL+c9+n nA==
Received: from aplex10.dom1.jhuapl.edu (aplex10.dom1.jhuapl.edu [128.244.198.156]) by aplegw02.jhuapl.edu with ESMTP id 3akudm0sm3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Mon, 23 Aug 2021 12:12:19 -0400
X-CrossPremisesHeadersFilteredBySendConnector: APLEX10.dom1.jhuapl.edu
Received: from APLEX29.dom1.jhuapl.edu (10.114.162.14) by APLEX10.dom1.jhuapl.edu (128.244.198.156) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Mon, 23 Aug 2021 12:12:18 -0400
Received: from APLEX21.dom1.jhuapl.edu (10.114.162.6) by APLEX29.dom1.jhuapl.edu (10.114.162.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.922.7; Mon, 23 Aug 2021 12:12:18 -0400
Received: from APLEX21.dom1.jhuapl.edu ([fe80::3c73:f90:20fa:eda1]) by APLEX21.dom1.jhuapl.edu ([fe80::3c73:f90:20fa:eda1%5]) with mapi id 15.02.0922.007; Mon, 23 Aug 2021 12:12:18 -0400
From: "Birrane, Edward J." <Edward.Birrane@jhuapl.edu>
To: Brian Sipos <brian.sipos+ietf@gmail.com>, "R. Atkinson" <rja.lists@gmail.com>
CC: Brian Sipos <BSipos@rkf-eng.com>, "dtn@ietf.org" <dtn@ietf.org>
Thread-Topic: [EXT] Re: [dtn] Important side issues from ACME Node ID Validation draft
Thread-Index: AQHXgnDX6TLYoAOpjkuz6W8+It1vJKtuxwgAgA5sOACABDVMUA==
Date: Mon, 23 Aug 2021 16:12:18 +0000
Message-ID: <15d2c06ccd974f02a13098c0a19231d1@jhuapl.edu>
References: <CH2PR13MB35583FF57B027B71BCE2FCAB9FE89@CH2PR13MB3558.namprd13.prod.outlook.com> <CD0FA713-E227-4C9B-A691-54E8127ABE41@gmail.com> <CAM1+-giHHM0-YC=QnO6t2nd0D25CVSfW9EP+p7XWefK2cVi10w@mail.gmail.com>
In-Reply-To: <CAM1+-giHHM0-YC=QnO6t2nd0D25CVSfW9EP+p7XWefK2cVi10w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [128.244.198.169]
Content-Type: multipart/alternative; boundary="_000_15d2c06ccd974f02a13098c0a19231d1jhuapledu_"
MIME-Version: 1.0
X-OrganizationHeadersPreserved: APLEX10.dom1.jhuapl.edu
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.790 definitions=2021-08-23_03:2021-08-23, 2021-08-23 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/2McZCSPor_TB_K-xfuiRQ9ZIxMI>
Subject: Re: [dtn] [EXT] Re: Important side issues from ACME Node ID Validation draft
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Aug 2021 16:12:28 -0000

Brian,

  If I am reading the TCPCLv4 document correctly (https://datatracker.ietf.org/doc/html/draft-ietf-dtn-tcpclv4-26) then the NODE-ID is optional, and instead a DNS-ID/IPADDR-ID may be used.

  If the bundle EID scheme (there may be more than dtn://) does not map cleanly to a fully qualified domain name or IP address, my intuition is that the DNS-ID/IPADDR-ID construct would need to be used instead.

  Since this is a TCP convergence layer, we already need to map a domain name or an IP Address anyway.

  If that is the correct interpretation, it may be useful to strengthen the wording in the draft, but I don’t think we need a technical change.

  Am I missing something here?

-Ed

---
Edward J. Birrane, III, Ph.D. (he/him/his)
Embedded Applications Group Supervisor
Space Exploration Sector
Johns Hopkins Applied Physics Laboratory
(W) 443-778-7423 / (F) 443-228-3839


From: dtn <dtn-bounces@ietf.org> On Behalf Of Brian Sipos
Sent: Friday, August 20, 2021 3:36 PM
To: R. Atkinson <rja.lists@gmail.com>
Cc: Brian Sipos <BSipos@rkf-eng.com>; dtn@ietf.org
Subject: [EXT] Re: [dtn] Important side issues from ACME Node ID Validation draft

APL external email warning: Verify sender dtn-bounces@ietf.org<mailto:dtn-bounces@ietf.org> before clicking links or attachments



All,
After further discussion in the ACME WG (security area), based on a need to avoid the requirements on DNS-name/IP-address and to avoid both valid and invalid assumptions made by tools/libraries about SAN URI contents, the strong recommendation is to avoid the SAN uniformResourceIdentifier entirely in favor of a new SAN otherName type-id OID which is used just for DTN EID (and thus Node ID) claims.

Unfortunately, this would require editing of a portion of the TCPCLv4 draft now in the RFC editors queue, and a new IANA registration for the OID under the "SMI Security for PKIX Other Name Forms" IANA sub-registry [6]. Is this late edit an acceptable path for the document?
It would avoid many potential interoperability issues that were brought up in the ACME discussion and require only slight change to a DTN implementation to use a different SAN type (but identically encoded value).

[6] https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.8

On Wed, Aug 11, 2021 at 11:20 AM R. Atkinson <rja.lists@gmail.com<mailto:rja.lists@gmail.com>> wrote:


> On Jul 26, 2021, at 21:04, Brian Sipos <BSipos@rkf-eng.com<mailto:BSipos@rkf-eng.com>> wrote:
>
> The second issue is unfortunately more technical; the "dtn" URI scheme has been set in stone and is already in use, but the PKIX profile in [4] specifically requires that when any SAN URI which includes an authority part (the "dtn" scheme does, it is the node name) that authority is either a DNS name or IP address. And we know that a Node ID is _not_ going to contain a network-level name but some other name. This technically breaks the profile in [5] as well as [2], which both use SAN URI as Node ID authentication. Because neither RFC5280 nor RFC6125 require to dereference the SAN URI and the DTN PKIX profiles explicitly avoid the URI-ID definition of RFC6125, the only risk is really that some application may inadvertently try to DNS probe the node name (or something like that). I don't yet know how much of a blocking issue this will be, and it's unfortunate that it wasn't noticed earlier.

Brian,

DNS Operations folks consider “noise” DNS queries (such as an application trying to use DNS to resolve the node name or something similar) to be a significant operational challenge — because the volume of “noise” DNS queries already is high.

I imagine the DNS Operations folks would be greatly unhappy at the prospect of the DTN URI scheme being the cause of additional “noise” DNS queries.

A prospective change would be to update the PKIX profile in [4] to make clear that a dtn URI is neither a DNS name nor an IP address - ever.

In short, this looks like a real-world operational problem that will need _some_ form of solution, even if different from the prospective change I outlined just above.

Yours,

Ran

_______________________________________________
dtn mailing list
dtn@ietf.org<mailto:dtn@ietf.org>
https://www.ietf.org/mailman/listinfo/dtn

v2.23.0 | Report a Bug | By Email