Re: [dtn] [EXT] Re: Important side issues from ACME Node ID Validation draft
Brian Sipos <brian.sipos+ietf@gmail.com> Wed, 08 September 2021 13:50 UTC
Return-Path: <brian.sipos@gmail.com>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDF003A290D for <dtn@ietfa.amsl.com>; Wed, 8 Sep 2021 06:50:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qi2j6iO6ftRm for <dtn@ietfa.amsl.com>; Wed, 8 Sep 2021 06:50:17 -0700 (PDT)
Received: from mail-io1-xd34.google.com (mail-io1-xd34.google.com [IPv6:2607:f8b0:4864:20::d34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0EAC03A2921 for <dtn@ietf.org>; Wed, 8 Sep 2021 06:50:17 -0700 (PDT)
Received: by mail-io1-xd34.google.com with SMTP id f6so3387299iox.0 for <dtn@ietf.org>; Wed, 08 Sep 2021 06:50:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=7L4HtocLbMd/+UWKnF0ZEO0peOGxJQ0dfN/JaL65C8w=; b=ONZ2Ri3Th0Zkt5efuUW1IYiooYFR4/HH3VURcH0HGxTJ4LLE3vSu3HQyibiM4hi8R2 UGfvYtM5UQ3Oi3RmW7dVY7754Vzdt1Ado4MYHUJqQm0cu3nQR4y6CJT+Ekz1lJa9KErc /gyn6ofrNE2O6PdAfyLVmpXEDxeqT9/tvxYLiF1wza529zHova1QFnKqVRG7I+Gt6V19 R+ibKYQbBR32wBdmi5k0q9+B/W9ASXQLn4lErZxJyKrH3PSJCeSK5Yosbq+NKoby/F7S u+azO/S/rYgZLje2EokG/lq0ADhd9yQnwar17cBIb/I4O9TXdjv85CdYkESxETLto8Wk 6wzg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=7L4HtocLbMd/+UWKnF0ZEO0peOGxJQ0dfN/JaL65C8w=; b=gdXxPexEQ01vJJkjr1jjpDFifbB+raFrEwUspCq0k38AkebyeUtty+9GLuLtGXYF+H Adzhwp13y7wUR/qhHCVN7FHMwDIq5ersaOJS6t/q7DCMEiftRW0blMq6Asr+0KarM2ky GjqD27dH4z/JtDRNJ8iHenbfGsaPVo96Zz3J+2j6XMn15tBUR4DTPQz25+0E6r+WAIe6 Ag2RO6KxhBm0BUNzHzM8+2inWvjUtVl0UmGLYbUTcYUeehvQUmTp2Z+aVUkKZXUj5kAS Ex65WbePOYrWKM3MTJUQjuf+mt+oZwX6F2BajKHJQUQpJ6Zf92nBzMl9Wfxtu4JmnONQ ItWQ==
X-Gm-Message-State: AOAM530Ny1+dqxU6WA1F7b+Hts3db7TnurftCz8s6JBGrBnwSeqzClVu VfHH0nrjTC5E2RBzV23KeIpzsq3NTgY/OocoF5fwiYqAmn0=
X-Google-Smtp-Source: ABdhPJxgL5llOlO8bup4PJ3peztaXV2TQALWe93eUo7p2pWI9Pb2dusf1L5//cIYntl5k2EHWZ0/VQ5QW0e2RHB3aKY=
X-Received: by 2002:a05:6638:1393:: with SMTP id w19mr3923409jad.86.1631109014238; Wed, 08 Sep 2021 06:50:14 -0700 (PDT)
MIME-Version: 1.0
References: <BN1P110MB093974F5B749DB68A304FBD2DCCF9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM> <CAM1+-ggA8iRAX3dxo+tuXMY4Lx4qXMQ_RQF5UOhsOr8-Fu6aEw@mail.gmail.com>
In-Reply-To: <CAM1+-ggA8iRAX3dxo+tuXMY4Lx4qXMQ_RQF5UOhsOr8-Fu6aEw@mail.gmail.com>
From: Brian Sipos <brian.sipos+ietf@gmail.com>
Date: Wed, 08 Sep 2021 09:50:03 -0400
Message-ID: <CAM1+-gj42o3CH=D200TWhsaCh+d11V9P+QLHMJ89fs7d+eZeAg@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: "dtn@ietf.org" <dtn@ietf.org>, "Birrane, Edward J." <Edward.Birrane@jhuapl.edu>
Content-Type: multipart/alternative; boundary="000000000000623c3705cb7c296a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/SmbN_RDGrlb5IOBqS_rMHBdOApw>
Subject: Re: [dtn] [EXT] Re: Important side issues from ACME Node ID Validation draft
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Sep 2021 13:50:23 -0000
All, One last editorial change I'm going to make is to change the (newly added) "dtnEID" to "bundleEID" for consistency with the actual phrasing in RFC5050/BPbis of "Bundle Endpoint ID" and to more clearly separate the EID from the "dtn" scheme which is only one option for that URI. On Tue, Sep 7, 2021 at 9:25 PM Brian Sipos <brian.sipos+ietf@gmail.com> wrote: > Roman, > I have updated the pre-draft-submission changes to include the > explicit statement that TCPCL re-uses the DNS-ID from RFC 6125. I also > relocated the OID definitions (separate from IANA allocations) into a > "4.4.2.1. PKIX OID Allocations" section to make it more clear that the > dtnEID otherName is *any* EID but this PKIX profile requires a more > narrow content of a Node ID. > > After doing some prototyping, I added an Appendix B example of a dtnEID > otherName because it was not obvious during the implementation that I got > it right. For those familiar with URI encodings and the "dtn" URI scheme > definition, I think this use of IA5String is fine because the "dtn" scheme > only allows a restricted character set (no UTF8 here). > > The same URI [1] works for the new content because it's pulled directly > from the git repository. > > On Fri, Sep 3, 2021 at 10:13 AM Roman Danyliw <rdd@cert.org> wrote: > >> Hi Brian! >> >> On Wed, 01 September 2021 14:08 Brian Sipos <brian.sipos+ietf@gmail.com> >> wrote: >> >> > All, >> > I have a drafted (but not submitted to the datatracker) redline [1] to >> > TCPCLv4 for the NODE-ID encoding changes discussed earlier. It adds one >> new >> > IANA Considerations subsection for the otherName type and updates the >> one >> > paragraph that uses that new type. This can be wordsmithed if anything >> > seems vague or under-specified; specifically, there's no text explaining >> > the nuance of "it can encode any Endpoint ID but for this PKIX profile >> it >> > must contain only a Node ID". Something similar could be added if >> helpful. >> >> Thanks for staging this diff. The explicit mapping of NODE-ID to >> otherName seems like a good alternative, and it can be cascaded in the >> related ACME draft. >> >> At the risk of re-opening some of the unrelated text, but in the spirit >> of being extremely explicit on how NODE-ID (Node ID), DNS-ID (DNS Name) and >> IPADDR-ID (Network Address) are expected to map into certificates in DTN, I >> noticed that the text in Section 4.4.1 only provide guidance on NODE-ID and >> IPADDR-ID. The obvious is never said about DNS-ID. Specifically: >> >> NEW TEXT (to be symmetric with IPDADDR-ID) >> >> This specification defines a DNS-ID of a certificate as being the >> subjectAltName entry of type dNSName whose value is encoded >> according to [RFC5280]. >> >> Regards, >> Roman >> >> > [1] >> >> https://tools.ietf.org/rfcdiff?url1=https://www.ietf.org/archive/id/draft-ietf-dtn-tcpclv4-26.txt&url2=https://briansipos.github.io/dtn-bpbis-tcpcl/draft-ietf-dtn-tcpclv4.txt >> > >> > >> > >> > On Fri, Aug 27, 2021 at 5:55 PM Birrane, Edward J. < >> > Edward.Birrane@jhuapl.edu> wrote: >> > >> > Rick, >> > >> > >> > >> > Upon review, I agree with your (and Brian's) statement that NODE ID >> > should be preserved but not as a URL. >> > >> > >> > >> > DTNWG, >> > >> > >> > >> > This document ( >> > https://datatracker.ietf.org/doc/html/draft-ietf-dtn-tcpclv4) is >> > currently in the RFC editor "EDIT" state. There will be an update to the >> > document as part of responding to editor comments to produce a final >> > version of the RFC. This update as part of the editor process can be >> used >> > to correct errors in the document as they are identified. >> > >> > >> > >> > The question, of course, is whether the proposed correction to TCPCLv4 >> > (for NODE ID use an otherName with a new OID for Endpoint ID) is a >> > sufficient technical change to warrant restarting DTNWG technical >> review or >> > whether this is a correction that can take place as part of the existing >> > editing process. >> > >> > >> > >> > To that end, if you have a concern that this change requires more >> DTNWG >> > technical review, please say so on this list. >> > >> > >> > >> > Alternatively, if you believe that this change should proceed with >> other >> > corrections in the edit process, please post that as well. >> > >> > >> > >> > -Ed >> > >> > >> > >> > --- >> > Edward J. Birrane, III, Ph.D. (he/him/his) >> > >> > Embedded Applications Group Supervisor >> > >> > Space Exploration Sector >> > >> > Johns Hopkins Applied Physics Laboratory >> > (W) 443-778-7423 / (F) 443-228-3839 >> > >> > >> > >> > >> > *From:* Rick Taylor <rick@tropicalstormsoftware.com> >> > *Sent:* Wednesday, August 25, 2021 4:07 AM >> > *To:* Brian Sipos <brian.sipos+ietf@gmail.com> >> > *Cc:* Birrane, Edward J. <Edward.Birrane@jhuapl.edu>du>; R. Atkinson < >> > rja.lists@gmail.com>gt;; Brian Sipos <BSipos@rkf-eng.com>om>; >> dtn@ietf.org >> > *Subject:* RE: [dtn] [EXT] Re: Important side issues from ACME Node ID >> > Validation draft >> > >> > >> > >> > *APL external email warning: *Verify sender >> rick@tropicalstormsoftware.com >> > before clicking links or attachments >> > >> > >> > >> > Hi Brian, >> > >> > >> > >> > From my reading of BPv7, a Node-ID is just an Endpoint ID with a special >> > meaning (it's the EID of the node itself, rather than another service on >> > the node, or a multicast endpoint), so I suggest having the "otherName" >> OID >> > registered as "DTN Endpoint ID" type. >> > >> > >> > >> > There may be advantage to that flexibility beyond TCPCL, I can imagine >> > use-cases where services may need to assert an identity just as a node >> does >> > for TCPCL, and the generic "otherName" is the right tool for that job as >> > well. >> > >> > >> > >> > Cheers, >> > >> > >> > >> > Rick >> > >> > >> > >> > >> > >> > *From:* Brian Sipos [mailto:brian.sipos+ietf@gmail.com >> > <brian.sipos+ietf@gmail.com>] >> > *Sent:* 24 August 2021 21:35 >> > *To:* Rick Taylor >> > *Cc:* Birrane, Edward J.; R. Atkinson; Brian Sipos; dtn@ietf.org >> > *Subject:* Re: [dtn] [EXT] Re: Important side issues from ACME Node ID >> > Validation draft >> > >> > >> > >> > One remaining technical decision about this is: does the SAN otherName >> > allow only Node ID values or any Endpoint ID values. This certificate >> > profile will only have a use for Node ID, but this restriction is >> related >> > to the SAN otherName type definition and not how that type is used by >> the >> > profile. From the tool perspective, it seems a little easier to allow >> the >> > type to contain any EID. A non-Node-ID value won't match any CL peer >> Node >> > ID so there's no harm in the otherName value being an EID. >> > >> > >> > >> > On Tue, Aug 24, 2021 at 4:20 PM Brian Sipos <brian.sipos@gmail.com> >> wrote: >> > >> > Ed and Rick, >> > >> > The fundamental issue is that tools can and do make assumptions beyond >> the >> > already incompatible requirement from RFC 5280 that a SAN URI have an >> > internet name (DNS FQDN or IP address), and there are some pre-existing >> > issues anyway with tools using SAN URI and PKIX certificate constraints. >> > The SAN extension is the right place to put it, but the " >> > uniformResourceIdentifier" type . Like some other aspects of IETF >> > protocols, where PKIX uses generic "URI" or similar terms what they >> really >> > mean (and what tools/libraries can assume) "internet name URI." >> > >> > >> > >> > The change is to redefine what is a NODE-ID (it changes from a SAN URI >> to >> > a SAN otherName with a newly allocated type OID to specifically contain >> a >> > DTN EID value). This will require no change or conflict with RFC 5280 or >> > existing PKIX tooling or libraries. It will decouple the NODE-ID >> definition >> > from any earlier/other use of SAN URI. I can draft a modified TCPCL >> > document for these changes. >> > >> > >> > >> > Rick, you are correct that the current definitions can be used in some >> > circumstances (the proof-of-concept implementation works fine with Node >> IDs >> > such as "dtn://node-A/") can run into problems when node names fall >> outside >> > of allowed DNS names (e.g. "dtn://_node_A/" or other disallowed DNS name >> > characters "dtn://_&@/") tools can rightfully refuse to either issue or >> > accept certificates with these SAN URIs. >> > >> > >> > >> > On Mon, Aug 23, 2021 at 3:38 PM Rick Taylor < >> > rick@tropicalstormsoftware.com> wrote: >> > >> > Hi Brian, Ed, >> > >> > I personally agree with the ACME Sec review... I think subjectAltName >> is >> > the wrong field to be using for Node-ID in the certificate, and using it >> > definitely ties our hands with Naming and Addressing to only use >> Node-IDs >> > (and by extension Endpoint IDs) that map to RFC3986 valid formats. >> > >> > @Brian, Can you suggest some replacement text for the 3rd paragraph of >> > 4.4.1 that meet the ACME suggestion? >> > >> > Everyone else, do you consider the change to use a different field/type >> in >> > the certificate to be a change that requires returning TCPCLv4 to the >> WG. >> > Note that doing this will delay BPv7 and BPSec as they are all bound >> > together. >> > >> > With my chair hat on, I would suggest that the current text specifies >> the >> > wrong field to use, rather than specifying something functionally >> incorrect. >> > >> > Cheers, >> > >> > Rick >> > >> > >> > From: dtn [mailto:dtn-bounces@ietf.org] On Behalf Of Birrane, Edward J. >> > Sent: 23 August 2021 17:12 >> > To: Brian Sipos; R. Atkinson >> > Cc: Brian Sipos; dtn@ietf.org >> > Subject: Re: [dtn] [EXT] Re: Important side issues from ACME Node ID >> > Validation draft >> > >> > Brian, >> > >> > If I am reading the TCPCLv4 document correctly ( >> > https://datatracker.ietf.org/doc/html/draft-ietf-dtn-tcpclv4-26) then >> the >> > NODE-ID is optional, and instead a DNS-ID/IPADDR-ID may be used. >> > >> > If the bundle EID scheme (there may be more than dtn://) does not map >> > cleanly to a fully qualified domain name or IP address, my intuition is >> > that the DNS-ID/IPADDR-ID construct would need to be used instead. >> > >> > Since this is a TCP convergence layer, we already need to map a domain >> > name or an IP Address anyway. >> > >> > If that is the correct interpretation, it may be useful to strengthen >> > the wording in the draft, but I don't think we need a technical change. >> > >> > Am I missing something here? >> > >> > -Ed >> > >> > --- >> > Edward J. Birrane, III, Ph.D. (he/him/his) Embedded Applications Group >> > Supervisor Space Exploration Sector Johns Hopkins Applied Physics >> Laboratory >> > (W) 443-778-7423 / (F) 443-228-3839 >> > >> > >> > From: dtn <dtn-bounces@ietf.org> On Behalf Of Brian Sipos >> > Sent: Friday, August 20, 2021 3:36 PM >> > To: R. Atkinson <rja.lists@gmail.com> >> > Cc: Brian Sipos <BSipos@rkf-eng.com>om>; dtn@ietf.org >> > Subject: [EXT] Re: [dtn] Important side issues from ACME Node ID >> > Validation draft >> > >> > APL external email warning: Verify sender dtn-bounces@ietf.org before >> > clicking links or attachments >> > >> > All, >> > After further discussion in the ACME WG (security area), based on a need >> > to avoid the requirements on DNS-name/IP-address and to avoid both valid >> > and invalid assumptions made by tools/libraries about SAN URI contents, >> the >> > strong recommendation is to avoid the SAN uniformResourceIdentifier >> > entirely in favor of a new SAN otherName type-id OID which is used just >> for >> > DTN EID (and thus Node ID) claims. >> > >> > Unfortunately, this would require editing of a portion of the TCPCLv4 >> > draft now in the RFC editors queue, and a new IANA registration for the >> OID >> > under the "SMI Security for PKIX Other Name Forms" IANA sub-registry >> [6]. >> > Is this late edit an acceptable path for the document? >> > It would avoid many potential interoperability issues that were brought >> up >> > in the ACME discussion and require only slight change to a DTN >> > implementation to use a different SAN type (but identically encoded >> value). >> > >> > [6] >> > >> https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.8 >> > >> > On Wed, Aug 11, 2021 at 11:20 AM R. Atkinson <rja.lists@gmail.com> >> wrote: >> > >> > >> > > On Jul 26, 2021, at 21:04, Brian Sipos <BSipos@rkf-eng.com> wrote: >> > > >> > > The second issue is unfortunately more technical; the "dtn" URI scheme >> > has been set in stone and is already in use, but the PKIX profile in [4] >> > specifically requires that when any SAN URI which includes an authority >> > part (the "dtn" scheme does, it is the node name) that authority is >> either >> > a DNS name or IP address. And we know that a Node ID is _not_ going to >> > contain a network-level name but some other name. This technically >> breaks >> > the profile in [5] as well as [2], which both use SAN URI as Node ID >> > authentication. Because neither RFC5280 nor RFC6125 require to >> dereference >> > the SAN URI and the DTN PKIX profiles explicitly avoid the URI-ID >> > definition of RFC6125, the only risk is really that some application may >> > inadvertently try to DNS probe the node name (or something like that). I >> > don't yet know how much of a blocking issue this will be, and it's >> > unfortunate that it wasn't noticed earlier. >> > >> > Brian, >> > >> > DNS Operations folks consider "noise" DNS queries (such as an >> application >> > trying to use DNS to resolve the node name or something similar) to be a >> > significant operational challenge - because the volume of "noise" DNS >> > queries already is high. >> > >> > I imagine the DNS Operations folks would be greatly unhappy at the >> > prospect of the DTN URI scheme being the cause of additional "noise" DNS >> > queries. >> > >> > A prospective change would be to update the PKIX profile in [4] to make >> > clear that a dtn URI is neither a DNS name nor an IP address - ever. >> > >> > In short, this looks like a real-world operational problem that will >> need >> > _some_ form of solution, even if different from the prospective change I >> > outlined just above. >> > >> > Yours, >> > >> > Ran >> > >> > _______________________________________________ >> > dtn mailing list >> > dtn@ietf.org >> > https://www.ietf.org/mailman/listinfo/dtn >> > >> > >> >> _______________________________________________ >> dtn mailing list >> dtn@ietf.org >> https://www.ietf.org/mailman/listinfo/dtn >> >
- [dtn] Important side issues from ACME Node ID Val… Brian Sipos
- Re: [dtn] Important side issues from ACME Node ID… R. Atkinson
- Re: [dtn] Important side issues from ACME Node ID… Brian Sipos
- Re: [dtn] [EXT] Re: Important side issues from AC… Birrane, Edward J.
- Re: [dtn] [EXT] Re: Important side issues from AC… Rick Taylor
- Re: [dtn] [EXT] Re: Important side issues from AC… Brian Sipos
- Re: [dtn] [EXT] Re: Important side issues from AC… Brian Sipos
- Re: [dtn] [EXT] Re: Important side issues from AC… Rick Taylor
- Re: [dtn] [EXT] Re: Important side issues from AC… Birrane, Edward J.
- Re: [dtn] [EXT] Re: Important side issues from AC… sburleig.sb
- Re: [dtn] [EXT] Re: Important side issues from AC… Brian Sipos
- Re: [dtn] [EXT] Re: Important side issues from AC… Roman Danyliw
- Re: [dtn] [EXT] Re: Important side issues from AC… Brian Sipos
- Re: [dtn] [EXT] Re: Important side issues from AC… Brian Sipos
- Re: [dtn] [EXT] Re: Important side issues from AC… Birrane, Edward J.
- Re: [dtn] [EXT] Re: Important side issues from AC… Birrane, Edward J.