Re: [Iotops] Error categories in constrained IoT authentication

Göran Selander <goran.selander@ericsson.com> Tue, 16 February 2021 07:39 UTC

From: =?utf-8?B?R8O2cmFuIFNlbGFuZGVy?= <goran.selander@ericsson.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "iotops@ietf.org" <iotops@ietf.org>
Date: Tue, 16 Feb 2021 07:39:03 +0000
Message-ID: <7FFB63D7-801D-4E8B-8257-BE9BCF7BA6BF@ericsson.com>
References: <49569FF2-938B-4584-B290-F16558F352F5@ericsson.com> <27125.1613409584@localhost>
In-Reply-To: <27125.1613409584@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/Uct32B-alPP-6BSH6ZnWWbXsW8c>
Subject: Re: [Iotops] Error categories in constrained IoT authentication

Hi Michael, and all,

On 2021-02-15, 18:20, "Iotops on behalf of Michael Richardson" <iotops-bounces@ietf.org on behalf of mcr+ietf@sandelman.ca> wrote:


    Göran Selander wrote:
        > Hello IOTOPS,

        > There is a discussion in the LAKE WG regarding the potential need to
        > standardize error messages appearing in a security handshake protocol
        > targeting IoT devices. Is this something IOTOPS could contribute to
        > and/or review?

    Maybe.

[GS] Thanks for the consideration. I now realize this sounded like a formal request to the WG, but it was intended to just probe if anyone has an opinion and wanted to share some thoughts.

        > Assuming this might be the case, here is a background and some draft
        > error categories for discussion.

        > Background:
        > ---
        > LAKE is specifying a lightweight authenticated Diffie-Hellman exchange
        > called EDHOC [1] similar to the TLS 1.3 handshake but targeting
        > constrained IoT. The protocol consists of 3 messages and an error
        > message which may be sent in response to any non-error message. The
        > error message essentially consists of a diagnostic message field
        > containing a text string targeting the peer administrator.

        > All errors are fatal and cause the protocol to discontinue. The intent
        > with the error message is to provide a hint about the error to the peer
        > application, to enable logging of errors and appropriate management
        > operations. (Note that since the protocol failed to establish security
        > the error message is unprotected and needs to be treated accordingly.)

        > The question is what error messages need to be standardized, if any.

        > Detailed information can be provided by using the diagnostic text
        > string. But standardizing detailed error information adds complexity to
        > the specification and implementation, which would contradict one of the
        > design objectives. But perhaps we can identify a small set of error
        > categories (codes) that need to be singled out, for example because of
        > how they impact operations. Such categories could potentially be
        > complemented with text providing additional details.

    I am imagining that the resulting error codes are not just sent to the peer,
    but might be link-local multicast. They *could* be object signed by the sending device!
    It is pretty clear how to do cheap multicast over wired and 802.11, but what
    multicast means over a route-over LLN mesh remains to be determined: it's
    not free.

    Consider the situation of being able to plug a diagnostic device into the
    home LAN, and be able to find out what devices are failing in what way.

    Significant privacy risk, for sure.
    There could be some kind of blind applied so that the devices are not
    immediately recognizable.
    That could be as easy as just not including a strong identity.

    But security which fails in ways nobody can diagnose is security that gets turned off.

    I think that there is a sweet spot where we could get enough information to
    do further investigation, while not blasting useless information around.

[GS] Exactly this was the intent with the draft error categories A-G in my previous mail. Are they doing a good job?

Göran
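What "treated accordingly" can look like in code, as an added example in Python that is not part of this thread, the LAKE WG's work or the EDHOC draft: a sender bounds the diagnostic text it is willing to emit, and a receiver decodes the unprotected error message, aborts the session (all errors are fatal), cleans the attacker-controllable string before it reaches a log, and never lets the content steer protocol parameters. The encoding of the error message as a single CBOR text string, the 200-character budget and the constructed sample strings are assumptions made here for illustration, not the draft's CDDL.

```python
# Added example, not code from the LAKE WG or the EDHOC draft: an EDHOC-style
# error message modelled as the single diagnostic text string described in the
# mail, encoded as one CBOR text string (major type 3). That layout is an
# assumption for illustration; the draft's actual CDDL is not reproduced here.
import unicodedata

MAX_DIAG_CHARS = 200  # assumption: what a constrained peer is willing to keep/log


def encode_tstr(s: str) -> bytes:
    """Minimal CBOR encoder for one UTF-8 text string (lengths < 65536)."""
    data = s.encode("utf-8")
    n = len(data)
    if n < 24:
        head = bytes([0x60 | n])
    elif n < 256:
        head = bytes([0x78, n])
    elif n < 65536:
        head = bytes([0x79]) + n.to_bytes(2, "big")
    else:
        raise ValueError("string too long for this encoder")
    return head + data


def decode_tstr(buf: bytes) -> str:
    """Minimal CBOR decoder that accepts exactly one text string and nothing else."""
    if not buf or (buf[0] >> 5) != 3:
        raise ValueError("not a CBOR text string")
    ai = buf[0] & 0x1F
    if ai < 24:
        n, off = ai, 1
    elif ai in (24, 25):
        off = 2 if ai == 24 else 3
        if len(buf) < off:
            raise ValueError("truncated length field")
        n = int.from_bytes(buf[1:off], "big")
    else:
        raise ValueError("unsupported length encoding")
    if len(buf) != off + n:  # reject both truncated and trailing bytes
        raise ValueError("length mismatch")
    return buf[off:].decode("utf-8")  # UnicodeDecodeError on malformed UTF-8


def build_error_message(diagnostic: str) -> bytes:
    """Sender side: bound the diagnostic so a verbose error cannot exceed the
    budget a constrained peer can hold."""
    return encode_tstr(diagnostic[:MAX_DIAG_CHARS])


def sanitize_diagnostic(text: str) -> str:
    """Strip control and format characters (newlines, ESC sequences) so an
    attacker-chosen string cannot forge log lines or drive a terminal, then cap."""
    cleaned = "".join(ch for ch in text if not unicodedata.category(ch).startswith("C"))
    return cleaned[:MAX_DIAG_CHARS]


def handle_error_message(buf: bytes) -> dict:
    """Receiver side. No key has been established when this arrives, so the
    message is unauthenticated: abort the session (all EDHOC errors are fatal),
    record a cleaned hint for the administrator, and never let the content
    alter protocol parameters such as the cipher suite to retry with."""
    try:
        diag = sanitize_diagnostic(decode_tstr(buf))
    except (ValueError, UnicodeDecodeError):
        diag = "<undecodable error message>"
    return {"session": "aborted", "authenticated": False,
            "diagnostic": diag, "action": "log_only"}


if __name__ == "__main__":
    # Constructed samples: a benign error and one carrying a log-injection payload.
    print(handle_error_message(build_error_message("cipher suite not supported")))
    print(handle_error_message(build_error_message("oops\x1b[31m\nFAKE: peer authenticated")))
```

The receiver returns a record rather than acting on the message: the only state change is that the session is aborted, which an unauthenticated peer could force anyway by dropping packets, so accepting the error message adds no new capability beyond what the diagnostic text can do once it is logged. That is why the cleaning step and the "log only" policy carry the weight here.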