IETF Logo Mail Archive

Re: Artart last call review of draft-ietf-core-coap-tcp-tls-07

Carsten Bormann <cabo@tzi.org> Mon, 10 April 2017 09:46 UTC

Return-Path: <cabo@tzi.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 760E412946D; Mon, 10 Apr 2017 02:46:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id laIirY-Qwsht; Mon, 10 Apr 2017 02:46:48 -0700 (PDT)
Received: from mailhost.informatik.uni-bremen.de (mailhost.informatik.uni-bremen.de [IPv6:2001:638:708:30c9::12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6762B129469; Mon, 10 Apr 2017 02:46:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at informatik.uni-bremen.de
Received: from submithost.informatik.uni-bremen.de (submithost.informatik.uni-bremen.de [134.102.201.11]) by mailhost.informatik.uni-bremen.de (8.14.5/8.14.5) with ESMTP id v3A9kf6R029982; Mon, 10 Apr 2017 11:46:41 +0200 (CEST)
Received: from client-0078.vpn.uni-bremen.de (client-0078.vpn.uni-bremen.de [134.102.107.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by submithost.informatik.uni-bremen.de (Postfix) with ESMTPSA id 3w1lh10PjCzDJ1N; Mon, 10 Apr 2017 11:46:41 +0200 (CEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Subject: Re: Artart last call review of draft-ietf-core-coap-tcp-tls-07
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <149179722452.3118.982908107963516290@ietfa.amsl.com>
Date: Mon, 10 Apr 2017 11:46:40 +0200
Cc: art@ietf.org, draft-ietf-core-coap-tcp-tls.all@ietf.org, ietf@ietf.org, core@ietf.org
X-Mao-Original-Outgoing-Id: 513510400.415103-770b8e04c4ebcf4e77d1fedbfcf44f5f
Content-Transfer-Encoding: quoted-printable
Message-Id: <5E5238DC-B835-4BDF-B50D-8D594A46C4D4@tzi.org>
References: <149179722452.3118.982908107963516290@ietfa.amsl.com>
To: Mark Nottingham <mnot@mnot.net>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/rNlrjnTSPVfUPiFC9v83VQicXBE>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Apr 2017 09:46:50 -0000

Hi Mark,

thank you for this thoughtful review.

This message will focus on a few technical points; I’ll leave aside the philosophical issues about whether the IETF should have a constrained node stack.

> WebSockets
> is a specialised protocol that allows bidirectional, stream-based
> transport from a Web browser -- it is effectively TCP wrapped into the
> Web browser's security model, to make doing so safe.

Indeed, that is the use case that was motivating this part.

> Using it for
> other purposes (i.e., non-browser use cases) isn't really appropriate.
> I'd suggest either removing the WebSockets binding, or changing its
> motivation in the Introduction.

I agree that the introduction should focus on the Browser use case and keep out of the firewall traversal jungle.

> Section 7 defines a number of new URI schemes for COAP protocols.
> Syntactically, they use "+" to separate "coap" from the underlying
> transport(-ish) protocol that they're bound to; e.g., "coap+tcp". This
> syntax is allowed by RFC3986, but is unprecedented, and implies a
> sub-syntax convention similar to those used in media types, etc. Is
> there an expectation that other URI schemes starting with "coap+" are
> reserved? 

There is no such expectation.

We did have the discussion about reserved URI scheme prefixes in the IETF, and as I recall, the result was that there are none.  While it would be a bit weird to register a URI scheme starting with coap+ or coaps+ that is unrelated to CoAP, only the slightly boggled response from an expert review is in the way of that happening.

Would the scheme names be more palatable with a dash instead of a plus?
Careful choice of the scheme name mostly benefits the implementer, so it can be changed in the spec (at the cost of changing existing implementations).

> Defining URI schemes that switch transport protocol based upon their
> name deserves wider review as well; this has been a contentious topic
> in the past, and it would be good to understand what tradeoffs are
> being made by doing so. Locking identifiers into a specific transport
> protocol sacrifices much of the power of URLs.

The “siloing” of URIs along schemes is indeed a problem, which started for CoAP with the separation of the coap:/coaps: name spaces.  The CoRE WG did not see it as its task to address this shortcoming.  So, for now, we’ll have to live with it; approaches such as draft-silverajan-core-coap-protocol-negotiation are trying to address its practicalities.

> Furthermore, creating
> "coap+ws" to denote a specific protocol over WebSockets (which has its
> own URI scheme) is questionable; taken to its natural conclusion,
> we'll have a proliferation of URI schemes for things over WebSockets.

I’m not sure that a proliferation will happen — WebSockets is mostly used for tightly bound proprietary protocols between a JavaScript mobile code client and a server that provides this mobile code client.  On the other hand, deciding to never use URIs to refer to resources available over a WebSockets protocol strikes me as an unnecessary restriction.

> Will COAP take the same approach for HTTP?

Not sure what this question is leading into.
(We do have a defined relationship with HTTP, in RFC 7252 and RFC 8075.
But maybe this is about something different.)

> I would suggest a wider discussion of these issues on art@ / uri@.

Indeed, a wider discussion of these longstanding issues would be useful.
I’m not sure that waiting for their resolution is blocking this spec.

> Section 7.4 shows how to convert a "coap+ws://" URI into a "wss://"
> URI, using a well-known URI in the "wss" scheme. However, "wss" is not
> defined to use well-known URIs, so this is an invalid use. 

This incorrect use of RFC 5785 is indeed embarrassing.  More about that later.

> Section 8.1 makes it Mandatory to Implement the protocol without any
> security ("NoSec"). This seems counter to best practice in the IETF,
> but I'll defer to the Security Area review.

Since it is the implementers who will decide whether they implement this, this co-author could live with making implementing NoSec completely optional.  (It will be anyway, in practice, at the level of what is actually configured.)  The important point(*) from the WG perspective here is that TLS is mandatory to implement, with the specifics depending on the security mode needed (cf. RFC 7925).  (Note also that there are other ways to provide security with CoAP.)

Grüße, Carsten

(*) https://github.com/core-wg/coap-tcp-tls/commit/fe348f543fc45e981e38e9354242012afb28dc60

v2.23.0 | Report a Bug | By Email