Re: [Iotops] Error categories in constrained IoT authentication

Göran Selander <goran.selander@ericsson.com> Thu, 25 February 2021 15:52 UTC

From: Göran Selander <goran.selander@ericsson.com>
To: Eliot Lear <lear=40cisco.com@dmarc.ietf.org>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, "iotops@ietf.org" <iotops@ietf.org>
Date: Thu, 25 Feb 2021 15:52:03 +0000
Message-ID: <C5FBCCC4-7FC2-43D2-93DA-AC6054CE0778@ericsson.com>
References: <49569FF2-938B-4584-B290-F16558F352F5@ericsson.com> <27125.1613409584@localhost> <7FFB63D7-801D-4E8B-8257-BE9BCF7BA6BF@ericsson.com> <32317.1613496636@localhost> <08C9D759-335F-4AED-9A53-458834804998@ericsson.com> <AFF64648-E1ED-43C3-AEC3-3F9B6FE73C48@cisco.com>
In-Reply-To: <AFF64648-E1ED-43C3-AEC3-3F9B6FE73C48@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/OoERwoPtkfFVPDAy3830fUeaS0M>

Thanks Eliot!

I agree that information about the error needs to be restricted since the message is sent in the clear. Since there is no secure communication in place yet, a handshake protocol already reveals some information and in many cases allows an eavesdropper to infer that the protocol has failed just by following the message flow. Where in the message flow the protocol fails also reveals candidate reasons why it failed. So an explicit error message does not necessarily leak much additional information, and it can remove unnecessary overhead due to resending protocol messages which each time fail for the same reason. (The peer should also be aware that error messages may be spoofed. Spoofing may be used for denial of service, but this is just one of several ways to interrupt the protocol.)

EDHOC is expected to be transported over CoAP or another protocol providing the same reliability properties, so the kinds of error messages related to e.g. ordering, message duplication etc. are not in scope. But the same style of errors could be considered. I like the idea of categories and sub-categories that can be refined, which Esko mentioned. But for a handshake protocol it may be relevant to use both top-level category messages and certain specific sub-categories.

Just to give a concrete example: is it necessary for a constrained IoT handshake protocol to distinguish between "certificate revoked", "certificate expired" and "CA unknown"? Or is "credential error" the right level?


Thanks,
Göran



On 2021-02-23, 17:05, "Eliot Lear" <lear=40cisco.com@dmarc.ietf.org> wrote:

    Hi Göran

    I’m thinking that there are some errors that are ok and some that should remain generic, given that the message is transmitted in the clear.  CoAP-style error messages seem reasonable.

    Eliot

    > On 23 Feb 2021, at 12:08, Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org> wrote:
    > 
    > Thanks Michael, a question below.
    > 
    > On 2021-02-16, 18:30, "Michael Richardson" <mcr+ietf@sandelman.ca> wrote:
    > 
    >        mcr>     I think that there is a sweet spot where we could get enough
    >        mcr> information to do further investigation, while not blasting useless
    >        mcr> information around.
    > 
    >        GS> Exactly this was the intent with the draft error categories A-G in my
    >        GS> previous mail. Are they doing a good job?
    > 
    >    mcr> They get close, but they only describe complete failures, and they may need
    >    mcr> to announce intermediate progress, or even failures to even begin.
    > 
    > [GS]  Could you give some example of "failure to begin", and "announce intermediate progress" which illustrates missing top level categories?
    > 
    > * I can see that category D (access denied, credential valid but peer not allowed access) is announcing intermediate progress since it denies an error of category C (credential error).
    > 
    > * Intermediate progress could also be incorporated in sub-categories. For example, if we define:
    > 
    > A.1 Syntax error
    > A.2 Incorrect protocol field.
    > 
    > then A.2 indicates intermediate progress because to be able to determine incorrect protocol field at least some part of syntax needs to be correct.
    > 
    > Thanks
    > Göran
    > 
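As an added illustration (not code from this thread or from any EDHOC implementation) of two points made above, Göran's question about how fine-grained a cleartext error should be, and the observation that a sub-category such as A.2 or a top-level category such as D already announces intermediate progress: the mapping below sends a configurable granularity on the wire, keeps the detailed reason in the local log only, and computes what a received code lets the receiver (or an eavesdropper) conclude. Categories A, C, D and sub-categories A.1/A.2 are from the thread; the C.1-C.3 sub-categories and the check names are assumptions for this example.

```python
"""Coarse vs. fine error reporting for a handshake whose error message is sent in clear."""
from enum import Enum
import logging

log = logging.getLogger("handshake")


class Reason(Enum):
    """Internal failure reasons, each tagged with its (sub-)category code.
    A.1/A.2 are from the thread; C.1-C.3 are constructed for this example."""
    SYNTAX = "A.1"          # message could not be parsed
    BAD_FIELD = "A.2"       # parsed, but a protocol field is incorrect
    CERT_EXPIRED = "C.1"    # credential error (constructed sub-category)
    CERT_REVOKED = "C.2"    # credential error (constructed sub-category)
    CA_UNKNOWN = "C.3"      # credential error (constructed sub-category)
    ACCESS_DENIED = "D"     # credential valid, peer not allowed access


# What a receiver can infer has already succeeded when a given code arrives
# (check names are assumed). Sub-categories override their top-level entry.
IMPLIED_OK = {
    "A": set(),
    "A.2": {"syntax"},                         # a field check needs parsable syntax
    "C": {"syntax", "fields"},                 # credential checks run on well-formed messages
    "D": {"syntax", "fields", "credential"},   # access control runs on a valid credential
}


def wire_error(reason: Reason, detailed: bool = False) -> str:
    """Code to put in the cleartext error message; full reason goes to the local log only."""
    log.info("handshake failed: %s (%s)", reason.name, reason.value)
    return reason.value if detailed else reason.value.split(".")[0]


def implied_progress(code: str) -> set:
    """Checks that must have passed for this code to be generated."""
    top = code.split(".")[0]
    return set(IMPLIED_OK[code] if code in IMPLIED_OK else IMPLIED_OK[top])


def reasons_behind(code: str, detailed: bool = False) -> set:
    """How many distinct internal reasons collapse into one wire code (the privacy trade-off)."""
    return {r for r in Reason if (r.value if detailed else r.value.split(".")[0]) == code}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for r in Reason:
        print(r.name, "->", wire_error(r), "/", wire_error(r, detailed=True))
    print("C hides:", sorted(x.name for x in reasons_behind("C")))
```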