Re: [Iotops] [Secdispatch] I-D: Deploying Publicly Trusted TLS Servers on IoT Devices Using SNI-based End-to-End TLS Forwarding (SNIF)

Jim Zubov <ietf-list@commercebyte.com> Sat, 05 March 2022 22:05 UTC

Date: Sat, 05 Mar 2022 17:04:57 -0500
From: Jim Zubov <ietf-list@commercebyte.com>
To: secdispatch@ietf.org, Michael Richardson <mcr+ietf@sandelman.ca>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
CC: "secdispatch@ietf.org" <secdispatch@ietf.org>, "anima@ietf.org" <anima@ietf.org>, "iotops@ietf.org" <iotops@ietf.org>, Jim Zubov <ietf-list@commercebyte.com>
In-Reply-To: <16442.1646511327@localhost>
References: <0075B437-024A-4D84-ABD7-92FE8DAFA59F@commercebyte.com>, <1865.1644434146@localhost> <E1nHwaz-0000LM-I5@ocean1.commercebyte.com> <4026.1644516168@localhost> <685366A1-01F4-4788-B025-0F5F4CE7947F@commercebyte.com> <DBBPR08MB591577EC79C3D11114AA747CFA3C9@DBBPR08MB5915.eurprd08.prod.outlook.com> <FC43EB7C-5ABF-4061-89BA-1503F0B6340D@commercebyte.com> <DBBPR08MB59159BFB36A926DA8E851723FA3D9@DBBPR08MB5915.eurprd08.prod.outlook.com> <665685D3-B9AA-4A5E-B5B0-33D313A40716@commercebyte.com> <DBBPR08MB591548B0B00B68F0A4A013ACFA049@DBBPR08MB5915.eurprd08.prod.outlook.com> <C8FFB10D-2C8C-4084-823E-1D5CC2EA451D@commercebyte.com> <DBBPR08MB5915AC6A162154A6B53D27B7FA069@DBBPR08MB5915.eurprd08.prod.outlook.com> <16442.1646511327@localhost>
Message-ID: <BD509E42-72AF-4418-BA74-FAA61A414C07@commercebyte.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/D5GqVa5gEKoDpZbeiieBPvZx6k0>
Subject: Re: [Iotops] [Secdispatch] I-D: Deploying Publicly Trusted TLS Servers on IoT Devices Using SNI-based End-to-End TLS Forwarding (SNIF)

I agree with Hannes that a pre-existing relay infrastructure can be used to tunnel TLS in place of SNIF relay. The CA proxy is still needed to maintain the cert.

As per Eric Rescorla's arguments, I can also envision a possibility to upgrade an established SNIF control socket to MASQUE over H2, or to use MASQUE over QUIC as an alternative. However, I still don't see any added value in doing so, as opposed to multiple added complications, as I don't see a practical case with a large number of concurrent SNIF service connections.
If anybody has a different opinion please chime in.

On March 5, 2022 3:15:27 PM EST, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>
>Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
>    > Based on what you wrote below I was actually wondering if the use of
>    > TLS or DTLS at the application layer wouldn’t even be a better
>
>It took me a few moments to realize you meant ATLAS.
>There is also, now, oblivious HTTP/TLS.
>
>--
>Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>           Sandelman Software Works Inc, Ottawa and Worldwide
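The relay-side decision being discussed above (whether a SNIF relay or a pre-existing relay infrastructure carries the tunnel) rests on one property: the relay reads only the server_name from the cleartext ClientHello, picks the device tunnel from it, and forwards the TLS bytes opaquely, so the TLS session stays end-to-end between client and device. The following Python sketch is an added example, not code from the draft, from the author, or from any SNIF implementation. The ClientHello builder, the `SniRelay` class and the hostnames are constructed sample data; a real relay would hand the bytes to a device-side connection instead of a list.

```python
import struct


def build_client_hello(hostname: str) -> bytes:
    """Constructed sample: a minimal TLS ClientHello record carrying a
    server_name extension plus one unrelated extension the parser must skip."""
    sni_name = hostname.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(sni_name)) + sni_name   # name_type 0 = host_name
    name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
    other_ext = struct.pack("!HH", 43, 3) + b"\x02\x03\x04"          # supported_versions, ignored here
    extensions = sni_ext + other_ext
    body = (
        b"\x03\x03"                                  # client_version
        + b"\x11" * 32                               # random (fixed bytes, constructed)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
        + b"\x01\x00"                                # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None if absent/malformed.
    Every length is bounds-checked by slicing; short input raises and yields None."""
    try:
        if record[0] != 0x16:                        # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                            # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                 # skip version + random
        pos += 1 + body[pos]                         # session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len                            # cipher_suites
        pos += 1 + body[pos]                         # compression_methods
        if pos + 2 > len(body):
            return None                              # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != 0:
                continue                             # skip extensions other than server_name
            list_len = struct.unpack("!H", edata[0:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = edata[q]
                name_len = struct.unpack("!H", edata[q + 1:q + 3])[0]
                name = edata[q + 3:q + 3 + name_len]
                q += 3 + name_len
                if name_type == 0:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


class SniRelay:
    """Hypothetical relay: routes on SNI only and never terminates TLS."""

    def __init__(self):
        self.tunnels = {}                            # hostname -> bytes forwarded to that device

    def register(self, hostname: str) -> None:
        self.tunnels[hostname] = []

    def accept(self, first_bytes: bytes):
        host = extract_sni(first_bytes)
        if host is None:
            return ("reject", "no SNI in ClientHello")
        if host not in self.tunnels:
            return ("reject", f"no registered device for {host}")
        self.tunnels[host].append(first_bytes)       # forwarded opaque; relay sees no plaintext
        return ("forward", host)


if __name__ == "__main__":
    relay = SniRelay()
    relay.register("dev1.example.test")
    print(relay.accept(build_client_hello("dev1.example.test")))
    print(relay.accept(b"GET / HTTP/1.1\r\n"))
```

The relay holds no private key for the device's name, so the certificate a public CA issues for that hostname is used only on the device; that is why the CA proxy mentioned above still has to exist to keep that certificate renewed, whichever relay carries the tunnel.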