Re: [dtn] [EXT] Re: Important side issues from ACME Node ID Validation draft
Brian Sipos <brian.sipos+ietf@gmail.com> Wed, 08 September 2021 01:25 UTC
Return-Path: <brian.sipos@gmail.com>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 129C73A08E9 for <dtn@ietfa.amsl.com>; Tue, 7 Sep 2021 18:25:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HowezhX0W0l4 for <dtn@ietfa.amsl.com>; Tue, 7 Sep 2021 18:25:24 -0700 (PDT)
Received: from mail-io1-xd2a.google.com (mail-io1-xd2a.google.com [IPv6:2607:f8b0:4864:20::d2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D51493A08E6 for <dtn@ietf.org>; Tue, 7 Sep 2021 18:25:23 -0700 (PDT)
Received: by mail-io1-xd2a.google.com with SMTP id a15so1051798iot.2 for <dtn@ietf.org>; Tue, 07 Sep 2021 18:25:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Z57P1M9BddW+5CnhLFN+g/8A7P9OxenrvOTdFZUXst0=; b=IXOwqn48x54X3LD4FN/yczA4PmQ6xUX2cl9iICxnOD5NyMFrFm00RRXkloG/0S5wb3 TGhJ3HRJdxeZGAh6GHF1XTUdK+f6ESH6ZLcIRzmfJze3DwpG9Npk1PD2VoO5YuxzeHfj 3uvY5ECxfCWhKtakWNAzvWbN1ZMe9P/CXyECnCuCYo/secYmzi7xvmaLKI9Q9uAASyiK bNanKZmgQkTnKcs/dRwKw2iSwLQLPAsgXBvzRUTsmV+wsfYH66MB+S9Yik8uPqEYs1XZ 98A302gfK/yFhXwBvcxRLSUKtJWPGzxf7WJRnKWFdAlkNPW8NNyqLGDPQEPBsnYveZjc uGbQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Z57P1M9BddW+5CnhLFN+g/8A7P9OxenrvOTdFZUXst0=; b=X15i4lAWYTkQ2ZniwGUUlboYZ2Oibh1y+LrSfgXS9le0AnG1vxkGnoUt1Y3E5OyjfE SwKgy6SRRo3PaXVJYvhl201NFTmW/Fnfnjzv1gvd1bnGJDSDqWHS8pQGpTN7yqpFnQFr XGDwB4bYwBYVeA7NvZmTRU158q0GHwQlMtQzLSXrLXXIJ/VPBlKDySEIh4NqsPqYJh0P l1CrteyvZf8jE9jzLo2dU7Q/LVAkc71lCaazM4cJhNaNmllBndX4cVYQSDWlbiy052ay +xmvZn/FezcomwPUVEquwOH6xeAlozLsxpHp6FDeeEf3+hdIwiz9oedSUuTIelP9ObJu aNWg==
X-Gm-Message-State: AOAM532lFCZMAKQ8fcS3X5bpfh7HwX7507qE0hKwPBVq43nGf/y279l3 +YLRO6NPyVSNrckFfGHAPPIPMU7dIjfMUVnjRzE=
X-Google-Smtp-Source: ABdhPJyd0Wdq33ddzqCBS/KL/T9xEvPaZQeTxa+61jyB3it45PMN6LYGMMAkgLQRvaI8tL1skKExKJyAlythCAsxu10=
X-Received: by 2002:a02:664c:: with SMTP id l12mr1175380jaf.140.1631064321913; Tue, 07 Sep 2021 18:25:21 -0700 (PDT)
MIME-Version: 1.0
References: <BN1P110MB093974F5B749DB68A304FBD2DCCF9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <BN1P110MB093974F5B749DB68A304FBD2DCCF9@BN1P110MB0939.NAMP110.PROD.OUTLOOK.COM>
From: Brian Sipos <brian.sipos+ietf@gmail.com>
Date: Tue, 07 Sep 2021 21:25:11 -0400
Message-ID: <CAM1+-ggA8iRAX3dxo+tuXMY4Lx4qXMQ_RQF5UOhsOr8-Fu6aEw@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: "dtn@ietf.org" <dtn@ietf.org>, "Birrane, Edward J." <Edward.Birrane@jhuapl.edu>
Content-Type: multipart/alternative; boundary="00000000000083768e05cb71c151"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/tDCYKiM4CAqiiPmCgNOo28XTX28>
Subject: Re: [dtn] [EXT] Re: Important side issues from ACME Node ID Validation draft
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Sep 2021 01:25:29 -0000
Roman, I have updated the pre-draft-submission changes to include the explicit statement that TCPCL re-uses the DNS-ID from RFC 6125. I also relocated the OID definitions (separate from IANA allocations) into a "4.4.2.1. PKIX OID Allocations" section to make it more clear that the dtnEID otherName is *any* EID but this PKIX profile requires a more narrow content of a Node ID. After doing some prototyping, I added an Appendix B example of a dtnEID otherName because it was not obvious during the implementation that I got it right. For those familiar with URI encodings and the "dtn" URI scheme definition, I think this use of IA5String is fine because the "dtn" scheme only allows a restricted character set (no UTF8 here). The same URI [1] works for the new content because it's pulled directly from the git repository. On Fri, Sep 3, 2021 at 10:13 AM Roman Danyliw <rdd@cert.org> wrote: > Hi Brian! > > On Wed, 01 September 2021 14:08 Brian Sipos <brian.sipos+ietf@gmail.com> > wrote: > > > All, > > I have a drafted (but not submitted to the datatracker) redline [1] to > > TCPCLv4 for the NODE-ID encoding changes discussed earlier. It adds one > new > > IANA Considerations subsection for the otherName type and updates the one > > paragraph that uses that new type. This can be wordsmithed if anything > > seems vague or under-specified; specifically, there's no text explaining > > the nuance of "it can encode any Endpoint ID but for this PKIX profile it > > must contain only a Node ID". Something similar could be added if > helpful. > > Thanks for staging this diff. The explicit mapping of NODE-ID to > otherName seems like a good alternative, and it can be cascaded in the > related ACME draft. > > At the risk of re-opening some of the unrelated text, but in the spirit of > being extremely explicit on how NODE-ID (Node ID), DNS-ID (DNS Name) and > IPADDR-ID (Network Address) are expected to map into certificates in DTN, I > noticed that the text in Section 4.4.1 only provide guidance on NODE-ID and > IPADDR-ID. The obvious is never said about DNS-ID. Specifically: > > NEW TEXT (to be symmetric with IPDADDR-ID) > > This specification defines a DNS-ID of a certificate as being the > subjectAltName entry of type dNSName whose value is encoded > according to [RFC5280]. > > Regards, > Roman > > > [1] > > https://tools.ietf.org/rfcdiff?url1=https://www.ietf.org/archive/id/draft-ietf-dtn-tcpclv4-26.txt&url2=https://briansipos.github.io/dtn-bpbis-tcpcl/draft-ietf-dtn-tcpclv4.txt > > > > > > > > On Fri, Aug 27, 2021 at 5:55 PM Birrane, Edward J. < > > Edward.Birrane@jhuapl.edu> wrote: > > > > Rick, > > > > > > > > Upon review, I agree with your (and Brian's) statement that NODE ID > > should be preserved but not as a URL. > > > > > > > > DTNWG, > > > > > > > > This document ( > > https://datatracker.ietf.org/doc/html/draft-ietf-dtn-tcpclv4) is > > currently in the RFC editor "EDIT" state. There will be an update to the > > document as part of responding to editor comments to produce a final > > version of the RFC. This update as part of the editor process can be used > > to correct errors in the document as they are identified. > > > > > > > > The question, of course, is whether the proposed correction to TCPCLv4 > > (for NODE ID use an otherName with a new OID for Endpoint ID) is a > > sufficient technical change to warrant restarting DTNWG technical review > or > > whether this is a correction that can take place as part of the existing > > editing process. > > > > > > > > To that end, if you have a concern that this change requires more DTNWG > > technical review, please say so on this list. > > > > > > > > Alternatively, if you believe that this change should proceed with > other > > corrections in the edit process, please post that as well. > > > > > > > > -Ed > > > > > > > > --- > > Edward J. Birrane, III, Ph.D. (he/him/his) > > > > Embedded Applications Group Supervisor > > > > Space Exploration Sector > > > > Johns Hopkins Applied Physics Laboratory > > (W) 443-778-7423 / (F) 443-228-3839 > > > > > > > > > > *From:* Rick Taylor <rick@tropicalstormsoftware.com> > > *Sent:* Wednesday, August 25, 2021 4:07 AM > > *To:* Brian Sipos <brian.sipos+ietf@gmail.com> > > *Cc:* Birrane, Edward J. <Edward.Birrane@jhuapl.edu>du>; R. Atkinson < > > rja.lists@gmail.com>gt;; Brian Sipos <BSipos@rkf-eng.com>om>; > dtn@ietf.org > > *Subject:* RE: [dtn] [EXT] Re: Important side issues from ACME Node ID > > Validation draft > > > > > > > > *APL external email warning: *Verify sender > rick@tropicalstormsoftware.com > > before clicking links or attachments > > > > > > > > Hi Brian, > > > > > > > > From my reading of BPv7, a Node-ID is just an Endpoint ID with a special > > meaning (it's the EID of the node itself, rather than another service on > > the node, or a multicast endpoint), so I suggest having the "otherName" > OID > > registered as "DTN Endpoint ID" type. > > > > > > > > There may be advantage to that flexibility beyond TCPCL, I can imagine > > use-cases where services may need to assert an identity just as a node > does > > for TCPCL, and the generic "otherName" is the right tool for that job as > > well. > > > > > > > > Cheers, > > > > > > > > Rick > > > > > > > > > > > > *From:* Brian Sipos [mailto:brian.sipos+ietf@gmail.com > > <brian.sipos+ietf@gmail.com>] > > *Sent:* 24 August 2021 21:35 > > *To:* Rick Taylor > > *Cc:* Birrane, Edward J.; R. Atkinson; Brian Sipos; dtn@ietf.org > > *Subject:* Re: [dtn] [EXT] Re: Important side issues from ACME Node ID > > Validation draft > > > > > > > > One remaining technical decision about this is: does the SAN otherName > > allow only Node ID values or any Endpoint ID values. This certificate > > profile will only have a use for Node ID, but this restriction is related > > to the SAN otherName type definition and not how that type is used by the > > profile. From the tool perspective, it seems a little easier to allow the > > type to contain any EID. A non-Node-ID value won't match any CL peer Node > > ID so there's no harm in the otherName value being an EID. > > > > > > > > On Tue, Aug 24, 2021 at 4:20 PM Brian Sipos <brian.sipos@gmail.com> > wrote: > > > > Ed and Rick, > > > > The fundamental issue is that tools can and do make assumptions beyond > the > > already incompatible requirement from RFC 5280 that a SAN URI have an > > internet name (DNS FQDN or IP address), and there are some pre-existing > > issues anyway with tools using SAN URI and PKIX certificate constraints. > > The SAN extension is the right place to put it, but the " > > uniformResourceIdentifier" type . Like some other aspects of IETF > > protocols, where PKIX uses generic "URI" or similar terms what they > really > > mean (and what tools/libraries can assume) "internet name URI." > > > > > > > > The change is to redefine what is a NODE-ID (it changes from a SAN URI to > > a SAN otherName with a newly allocated type OID to specifically contain a > > DTN EID value). This will require no change or conflict with RFC 5280 or > > existing PKIX tooling or libraries. It will decouple the NODE-ID > definition > > from any earlier/other use of SAN URI. I can draft a modified TCPCL > > document for these changes. > > > > > > > > Rick, you are correct that the current definitions can be used in some > > circumstances (the proof-of-concept implementation works fine with Node > IDs > > such as "dtn://node-A/") can run into problems when node names fall > outside > > of allowed DNS names (e.g. "dtn://_node_A/" or other disallowed DNS name > > characters "dtn://_&@/") tools can rightfully refuse to either issue or > > accept certificates with these SAN URIs. > > > > > > > > On Mon, Aug 23, 2021 at 3:38 PM Rick Taylor < > > rick@tropicalstormsoftware.com> wrote: > > > > Hi Brian, Ed, > > > > I personally agree with the ACME Sec review... I think subjectAltName is > > the wrong field to be using for Node-ID in the certificate, and using it > > definitely ties our hands with Naming and Addressing to only use Node-IDs > > (and by extension Endpoint IDs) that map to RFC3986 valid formats. > > > > @Brian, Can you suggest some replacement text for the 3rd paragraph of > > 4.4.1 that meet the ACME suggestion? > > > > Everyone else, do you consider the change to use a different field/type > in > > the certificate to be a change that requires returning TCPCLv4 to the WG. > > Note that doing this will delay BPv7 and BPSec as they are all bound > > together. > > > > With my chair hat on, I would suggest that the current text specifies the > > wrong field to use, rather than specifying something functionally > incorrect. > > > > Cheers, > > > > Rick > > > > > > From: dtn [mailto:dtn-bounces@ietf.org] On Behalf Of Birrane, Edward J. > > Sent: 23 August 2021 17:12 > > To: Brian Sipos; R. Atkinson > > Cc: Brian Sipos; dtn@ietf.org > > Subject: Re: [dtn] [EXT] Re: Important side issues from ACME Node ID > > Validation draft > > > > Brian, > > > > If I am reading the TCPCLv4 document correctly ( > > https://datatracker.ietf.org/doc/html/draft-ietf-dtn-tcpclv4-26) then > the > > NODE-ID is optional, and instead a DNS-ID/IPADDR-ID may be used. > > > > If the bundle EID scheme (there may be more than dtn://) does not map > > cleanly to a fully qualified domain name or IP address, my intuition is > > that the DNS-ID/IPADDR-ID construct would need to be used instead. > > > > Since this is a TCP convergence layer, we already need to map a domain > > name or an IP Address anyway. > > > > If that is the correct interpretation, it may be useful to strengthen > > the wording in the draft, but I don't think we need a technical change. > > > > Am I missing something here? > > > > -Ed > > > > --- > > Edward J. Birrane, III, Ph.D. (he/him/his) Embedded Applications Group > > Supervisor Space Exploration Sector Johns Hopkins Applied Physics > Laboratory > > (W) 443-778-7423 / (F) 443-228-3839 > > > > > > From: dtn <dtn-bounces@ietf.org> On Behalf Of Brian Sipos > > Sent: Friday, August 20, 2021 3:36 PM > > To: R. Atkinson <rja.lists@gmail.com> > > Cc: Brian Sipos <BSipos@rkf-eng.com>om>; dtn@ietf.org > > Subject: [EXT] Re: [dtn] Important side issues from ACME Node ID > > Validation draft > > > > APL external email warning: Verify sender dtn-bounces@ietf.org before > > clicking links or attachments > > > > All, > > After further discussion in the ACME WG (security area), based on a need > > to avoid the requirements on DNS-name/IP-address and to avoid both valid > > and invalid assumptions made by tools/libraries about SAN URI contents, > the > > strong recommendation is to avoid the SAN uniformResourceIdentifier > > entirely in favor of a new SAN otherName type-id OID which is used just > for > > DTN EID (and thus Node ID) claims. > > > > Unfortunately, this would require editing of a portion of the TCPCLv4 > > draft now in the RFC editors queue, and a new IANA registration for the > OID > > under the "SMI Security for PKIX Other Name Forms" IANA sub-registry [6]. > > Is this late edit an acceptable path for the document? > > It would avoid many potential interoperability issues that were brought > up > > in the ACME discussion and require only slight change to a DTN > > implementation to use a different SAN type (but identically encoded > value). > > > > [6] > > > https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.8 > > > > On Wed, Aug 11, 2021 at 11:20 AM R. Atkinson <rja.lists@gmail.com> > wrote: > > > > > > > On Jul 26, 2021, at 21:04, Brian Sipos <BSipos@rkf-eng.com> wrote: > > > > > > The second issue is unfortunately more technical; the "dtn" URI scheme > > has been set in stone and is already in use, but the PKIX profile in [4] > > specifically requires that when any SAN URI which includes an authority > > part (the "dtn" scheme does, it is the node name) that authority is > either > > a DNS name or IP address. And we know that a Node ID is _not_ going to > > contain a network-level name but some other name. This technically breaks > > the profile in [5] as well as [2], which both use SAN URI as Node ID > > authentication. Because neither RFC5280 nor RFC6125 require to > dereference > > the SAN URI and the DTN PKIX profiles explicitly avoid the URI-ID > > definition of RFC6125, the only risk is really that some application may > > inadvertently try to DNS probe the node name (or something like that). I > > don't yet know how much of a blocking issue this will be, and it's > > unfortunate that it wasn't noticed earlier. > > > > Brian, > > > > DNS Operations folks consider "noise" DNS queries (such as an application > > trying to use DNS to resolve the node name or something similar) to be a > > significant operational challenge - because the volume of "noise" DNS > > queries already is high. > > > > I imagine the DNS Operations folks would be greatly unhappy at the > > prospect of the DTN URI scheme being the cause of additional "noise" DNS > > queries. > > > > A prospective change would be to update the PKIX profile in [4] to make > > clear that a dtn URI is neither a DNS name nor an IP address - ever. > > > > In short, this looks like a real-world operational problem that will need > > _some_ form of solution, even if different from the prospective change I > > outlined just above. > > > > Yours, > > > > Ran > > > > _______________________________________________ > > dtn mailing list > > dtn@ietf.org > > https://www.ietf.org/mailman/listinfo/dtn > > > > > > _______________________________________________ > dtn mailing list > dtn@ietf.org > https://www.ietf.org/mailman/listinfo/dtn >
- [dtn] Important side issues from ACME Node ID Val… Brian Sipos
- Re: [dtn] Important side issues from ACME Node ID… R. Atkinson
- Re: [dtn] Important side issues from ACME Node ID… Brian Sipos
- Re: [dtn] [EXT] Re: Important side issues from AC… Birrane, Edward J.
- Re: [dtn] [EXT] Re: Important side issues from AC… Rick Taylor
- Re: [dtn] [EXT] Re: Important side issues from AC… Brian Sipos
- Re: [dtn] [EXT] Re: Important side issues from AC… Brian Sipos
- Re: [dtn] [EXT] Re: Important side issues from AC… Rick Taylor
- Re: [dtn] [EXT] Re: Important side issues from AC… Birrane, Edward J.
- Re: [dtn] [EXT] Re: Important side issues from AC… sburleig.sb
- Re: [dtn] [EXT] Re: Important side issues from AC… Brian Sipos
- Re: [dtn] [EXT] Re: Important side issues from AC… Roman Danyliw
- Re: [dtn] [EXT] Re: Important side issues from AC… Brian Sipos
- Re: [dtn] [EXT] Re: Important side issues from AC… Brian Sipos
- Re: [dtn] [EXT] Re: Important side issues from AC… Birrane, Edward J.
- Re: [dtn] [EXT] Re: Important side issues from AC… Birrane, Edward J.