Re: [Isms] wg last call on the (d)tls transport model
"David Harrington" <ietfdbh@comcast.net> Wed, 09 December 2009 01:49 UTC
Return-Path: <ietfdbh@comcast.net>
X-Original-To: isms@core3.amsl.com
Delivered-To: isms@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D46693A69FA for <isms@core3.amsl.com>; Tue, 8 Dec 2009 17:49:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.311
X-Spam-Level:
X-Spam-Status: No, score=0.311 tagged_above=-999 required=5 tests=[AWL=-1.790, BAYES_00=-2.599, J_CHICKENPOX_23=0.6, J_CHICKENPOX_43=0.6, J_CHICKENPOX_47=0.6, J_CHICKENPOX_74=0.6, MANGLED_LIST=2.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ux0KwUEMszXv for <isms@core3.amsl.com>; Tue, 8 Dec 2009 17:49:37 -0800 (PST)
Received: from QMTA05.westchester.pa.mail.comcast.net (qmta05.westchester.pa.mail.comcast.net [76.96.62.48]) by core3.amsl.com (Postfix) with ESMTP id C51873A68D6 for <isms@ietf.org>; Tue, 8 Dec 2009 17:49:36 -0800 (PST)
Received: from OMTA21.westchester.pa.mail.comcast.net ([76.96.62.72]) by QMTA05.westchester.pa.mail.comcast.net with comcast id Eol41d04Q1ZXKqc55ppSs6; Wed, 09 Dec 2009 01:49:26 +0000
Received: from Harrington73653 ([24.147.240.98]) by OMTA21.westchester.pa.mail.comcast.net with comcast id Eppl1d00Y284sdk3hppmu8; Wed, 09 Dec 2009 01:49:47 +0000
From: David Harrington <ietfdbh@comcast.net>
To: 'Wes Hardaker' <wjhns1@hardakers.net>, Pasi.Eronen@nokia.com
References: <20091029111229.GA20307@elstar.local><808FD6E27AD4884E94820BC333B2DB774E7F81BEAD@NOK-EUMSG-01.mgdnok.nokia.com> <sdk4wxt2x3.fsf@wjh.hardakers.net>
Date: Tue, 08 Dec 2009 20:49:23 -0500
Message-ID: <016f01ca7871$d6186140$6601a8c0@china.huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
In-Reply-To: <sdk4wxt2x3.fsf@wjh.hardakers.net>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
Thread-Index: Acp4ZUBXkFXA92GPRD+vfOsVPfrC2QAC0gMg
Cc: isms@ietf.org
Subject: Re: [Isms] wg last call on the (d)tls transport model
X-BeenThere: isms@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Mailing list for the ISMS working group <isms.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/isms>
List-Post: <mailto:isms@ietf.org>
List-Help: <mailto:isms-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2009 01:49:38 -0000
Re: sessions These parts should probably explicitly say that the concept of "session" here is totally unrelated to TLS sessions in RFC 5246 (which are TLS-internal optimization detail not visible to TLSTM). But the name "tlsSessionID" is very poorly chosen, since it's very different from the TLS SessionID in RFC 5246. + WH: How does tlsSnmpSessionID sound? I've changed it to this. SNMP does not have sessions. RFC5590 says: The architecture defined in [RFC3411] and the Transport Subsystem defined in this document do not support SNMP sessions or include a session selector in the Abstract Service Interfaces. The Transport Subsystem might support transport sessions. [...] However, because the handling of transport sessions is specific to each Transport Model, some Transport Models MAY restrict selecting a particular transport session. [...] Implementations SHOULD be able to maintain some reasonable number of concurrent transport sessions, [...] and from RFC5591: The Transport Security Model does not work with transport sessions directly. Instead the transport-related state is associated with a unique combination of transportDomain, transportAddress, securityName, and securityLevel, and is referenced via the tmStateReference parameter. How and if this is mapped to a particular transport or channel is the responsibility of the Transport Subsystem. So any session ID here is specific to the TLS Transport Model Ergo, I recommend tlstmSessionID. dbh > -----Original Message----- > From: isms-bounces@ietf.org [mailto:isms-bounces@ietf.org] On > Behalf Of Wes Hardaker > Sent: Tuesday, December 08, 2009 7:19 PM > To: Pasi.Eronen@nokia.com > Cc: isms@ietf.org > Subject: Re: [Isms] wg last call on the (d)tls transport model > > >>>>> On Fri, 6 Nov 2009 12:15:14 +0100, <Pasi.Eronen@nokia.com> said: > > PE> Some random comments scribbled on printout during my > flight earlier > PE> today (or yesterday, depending on your point of view :-): > > Pasi, > > Thanks for the comments and suggestions. My responses are prefixed > below with "WH:" if you want to search for them. The status of each > item is as follows: > > DONE: Suggestion was acted on > WONTDO: Nothing was done; refer to the WH: response for > reasons why > DISCUSS: There is an outstanding question back to you > > > * DONE Technical > + DONE How the notification originator authenticates the > other end (TLS > server) when fingerprints are not used is very unclear (the > fingerprint case is clear). Section 5.3, step 3b, > suggests we could > use path validation, but it doesn't e.g. say what the "reference > identity" (in draft-saintandre-tls-server-id-check > terminology) would > be. Perhaps the MIB should allow specifying that > reference identity. > (MIB, tlstmAddrTable, is relevant here.) > > + WH: This was discussed in a past WG meeting and it was > determined that it was out of scope to establish X.509 > path validation management. So that's left up to possible > future work, possibly within the PKIX or other working > group that wants to take on creating an X.509 TA MIB. I > will state this fact more clearly and make sure it's > declared as implementation dependent. > > + WH: I've reworded the section to make it much clearer about > exactly what must be done. See if the new wording fixes > your issues. > > + DONE (I guess this applies to command generators, too, to > some degree > at least -- they also act as TLS clients, and have to authenticate > the server somehow.) > + WH: correct... They're in the same boat. If there is no > fingerprint for outgoing connections it's expected they do > path validation through another out-of-scope process. > > + DONE While TLS supports several different authentication > mechanism (X.509 certs, OpenPGP certs, pre-shared keys, > Kerberos, SRP, ...), TLSTM supports only one of them (X.509 > certs). This should be mentioned in e.g. Section 1 and Section > 4.1. > + WH: I've added sentences to both those locations stating that > other authentication forms are outside the scope of this > specification. > > + DONE Section 1.1, 2nd to last paragraph, and Section 3.1.3: > These parts should probably explicitly say that the concept > of "session" here is totally unrelated to TLS sessions in > RFC 5246 (which are TLS-internal optimization detail not > visible to TLSTM). But the name "tlsSessionID" is very > poorly chosen, since it's very different from the TLS > SessionID in RFC 5246. > + WH: How does tlsSnmpSessionID sound? I've changed it to this. > + WH: Note that I think it's possible to use the same sessionID > for both uses. It gets a bit more trick after > renegotiation though since the SNMP session ID can't > change. I've added text describing this potential conflict. > > + DONE Section 5.3 (last para) and Section 8.2: (D)TLS does > have the > "server_name" extension that does allow doing this. > + WH: Added a reference to RFC4366. > > + DONE MIB, Snmp*Address TCs: do we need four pages worth > of new TCs > to just describe (IPv4 address/IPv6 address/hostname)+port? > Surely many existing MIBs use address+port, too, and we could > import from somewhere? > + WH: per discussion at IETF, I've changed this so it's a single > address TC now and the 3 Domains all use it. > > + DONE MIB, Fingerprint TC, last paragraph: this is not really > consistent with how certificate fingerprints are used in many > other protocols -- usually we compare just the fingerprint > (not the whole certificate), and assume it's produced by a > good hash function. > + WH: Per IETF discussion I've made it so that fingerprints can > be used as the method of comparison. (Originally the text > was actually written to allow for "cheap" referencing > methods (beyond just hash fingerprints)). > > + DONE MIB, tlstmCertToSNSANType: is SecurityName case > sensitive? If it > is, you need to specify the case for IPv6 address, and probably > normalize the dNSName and domain part of rfc822name > (e.g., convert to > lower case). > + WH: Modified per discussion results during the IETF meeting. > > + DONE MIB, tlstmCertToSNSANType: how would othername be > converted to > SnmpAdminString? (which is UTF-8, so "take the raw DER" > does not work, > and it would be very administator-unfriendly, too) > + WH: As per discussion from the IETF, we're no longer directly > defining otherName mappings but do have an extensible OID > selection mechanism so future documents can define an > otherName mapping. > > + DONE Sections 3.3 and others: the document has snmpTLSDomain, > snmpDTLSUDPDomain and snmpDTLSSCTPDomain. Probably for > consistency, > the first should be snmpTLSTCPDomain, since SCTP would > also normally > use TLS, not DTLS (there's a draft proposing how to run DTLS over > SCTP, but it's just work in progress, not something that > can be done > today). > + WH: Ok, I've changed it. > > + DONE Section 2.1: if the CG/NO is always the (D)TLS > client, and it MUST > be authenticated (2nd bullet), then why is authenticating > the client > only SHOULD? (1st bullet) > + WH: Because I changed one from a SHOULD to a MUST and missed the > second. Thanks for the catch. I also cleaned up the wording a > bit more to make it clearer. > > + DONE The openSession ASI in Section 4.4.1 looks very different > from the SSHTM ASI -- is this intentional? > + WH: The SSH document changed from the point where that text > was copied and I didn't catch it. I've realigned the > document to the published RFC. > > + DONE Section 4.4.1: "this restriction is not needed for > TLS or DTLS over > SCTP": this restriction is present in TLS-over-TCP/SCTP, too, but > TCP/SCTP take care of ensuring that <src IP, src port, > dst IP, dst port> > is unique. > + WH: That section was actually dropped as it was TLS specific > ASIs and is no longer included with the document. > > + DONE Section 4.4.2 and 4.4.3: I think these sections should be > just deleted -- these are TLS internal details. Furthermore, > for normal TLS (or DTLS, when a single datagram contains > multiple DTLS records), TLSTM cannot even determine > "wholeTlsMsgLength", since that would require parsing the TLS > messages (which would be a layering violation). > + WH: I agree and per discussion during the WG meeting, I've > removed them. > > + DONE Section 5.1.1 is also a bit questionable; it also seems to > suggest parsing DTLS records by TLSTM. And the details aren't > quite right: the same demultiplexing (mapping incoming UDP > packet, based on <src IP,src port,dst IP, dst port> tuple, to > the right DTLS connection/context) has to happen for DTLS > handshake messages, too, not just DTLS application data > messages. > + WH: Per discussion at the IETF I've simplified it quite a bit > so it still discusses demultiplexing within UDP but > doesn't talk about (D)TLS specific packet types. See if > the new text looks better to you. > > + DONE Section 8.1, 1st paragraph: the last sentence of this > paragraph is very confusing, since the sessions this document > talks about are totally unrelated to TLS sessions (and TLS > session resumption). Besides, all TLS implementations support > session resumption, so this SHOULD is not really needed in > this document. > + WH: I've dropped the sentence > > + DONE Section 8.1, 2nd paragraph: Separate ports might be a > reasonable idea, but I don't understand what the rest of the > paragraph is saying... > + WH: It's discussing SNMP specific message types. But I agree > it's not needed. Not only that, we're asking for separate > ports from IANA anyway. So... I've deleted the whole > paragraph as I don't think any of it is necessary. > > + DONE Section 10: SSHTM uses ports >1023 -- should be good enough > for TLSTM, too (the criteria for allocating ports <1023 is > much stricter). > + WH: I don't mind something higher and at the WG meeting > everyone agreed. Changed. > > + DONE In normal SNMP-over-UDP, if e.g. the notification receiver > restarts, that's not a problem: at least if the notification > generator didn't send anything exactly when the restart was > ongoing, everything will continue just fine after the restart. > > But when using DTLS-over-UDP, if the notification receiver > restarts, the notification generator has to know that it needs > to start a new DTLS "connection" (because otherwise the > receiver will just silently drop all the packets it gets). The > same problem has been discussed for syslog-over-DTLS recently, > and draft-seggelmann-tls-dtls-heartbeat proposes one possible > solution. > > In SNMP most requests result in a response, so if no > response is seen, > *some* component will know there's something wrong. But > since TLSTM > isn't supposed to know about PDU types, it might be > architecturally > slightly tricky how opening a new DTLS "connection" > should be triggered > here. But the document should probably say something > about this issue. > > + WH: Per discussion in the WG meeting text was added to > reference the heartbeat work and to recommend that users > implement a dead-peer detection mechanism. > > + DONE Should the document say something about MTU/avoiding > fragmentation > for DTLS-over-UDP? > + WH: I added a paragraph in the operational considerations > section that functionally says we can't summarize all > those problems but readers should be aware of them. I > think if we dove down into it in depth it would amount to > pages of discussions about the ramifications of each > selection choice. > > + DONE DTLS allows multiple DTLS records in a single > datagram -- should > the document say something about this? > + WH: I've added some text describing this during the incoming > processing EOPs. > > + DONE Should the document say something about SCTP Partial > Reliability, > or use of SCTP streams? > + WH: I think this falls into the text already added for > "understand what's beneath you" in the operational > considerations. > > * DONE Minor editorial comments: > > + DONE The document title should have the acronym "TLS" in it. > + WH: Added > > + DONE Section 4.1.1: While the actual details of how self-signed > certificates can be used in TLSTM (in the rest of the spec) look > mostly OK, I would recommend against using the term > "trust anchor" to > refer to self-signed end-entity certificates. > + WH: You're right it's another over-used term and is confusing > depending on your definition of it (some use it as the > keying material, but 5280 seems to declare it the entity > producing the keying material)... How does this sound: > > "Trusted public keys from either CA certificates and/or > self-signed certificates, must be installed through a > trusted out of band mechanism into the server and its > authenticity MUST be verified before access is granted." > > + DONE Section 3.1.1, item 4, 2nd paragraph: this is quite > unclear, and goes > into details that are IMHO not relevant for TLSTM. > Perhaps something > like "Most TLS cipher suites do encryption" ? > + I removed the offending text and shortened it so that it really > says "(D)TLS" supports encryption. > > + DONE Section 3.1.1, item 5,: the sentence about > "amplification" is quite > unclear; the main purpose of DTLS cookie exchange is to limit > server-side resource consumption, not amplification (and > "detecting" > amplification could be tricky). > + WH: You're absolutely right about this. I'm surprised > no one (myself > included) has caught this before. Thanks for pointing it > out. I've changed it to: > > "Implementations are not required to perform the stateless > cookie exchange for every DTLS handshake, but in > environments where an overload on server side resources is > detectable it is RECOMMENDED that the cookie exchange is > utilized." > > + DONE Section 3.1.2: This text should probably mention that TLS > does not have any NULL integrity cipher suites. > + WH: I tried to clean this up a bit, but I'm not sure it should > be our job to describe what TLS has and what it doesn't. > (There is nothing prohibiting one from being created in the > future, EG.) > > + DONE MIB, tlstmParamsEntry: should "usable" be "unusable"? > + WH: Yep; Juergen caught this too. > > + WONTDO Section 9, "DTLS is more vulnerable to denial of > service attacks". > Well, a hypothetical version of DTLS that didn't include > the cookie > exchange might be more vulnerable, but since we don't have such > a version, this isn't really true. > + WH: I think the text following that statement functionally says > just this so I don't think any changes are needed. The > paragraph is really there to remind users that they need to > use cookies. > + DONE Global: s/US-US-ASCII/US-ASCII/; > + WH: Whoops; that was a search-and-replace gone awry > > + DONE The reference [x509] looks wrong. > + WH: I think that was originally a reference to RSA which I > removed long ago. I've changed it to reference the ITU doc. > > + WONTDO Appendix A and B: I would suggest deleting these. > + WH: The WG decided that these contained useful information but > should move to an appendix. > > + DONE Appendix C: "blueberry" is not a valid rfc822Name > ("blueberry@example.com" would be) > + WH: changed > > -- > Wes Hardaker > Cobham Analytic Solutions > _______________________________________________ > Isms mailing list > Isms@ietf.org > https://www.ietf.org/mailman/listinfo/isms >
- [Isms] wg last call on the (d)tls transport model Juergen Schoenwaelder
- Re: [Isms] wg last call on the (d)tls transport m… Donati Andrew-MGIA0477
- Re: [Isms] wg last call on the (d)tls transport m… Pasi.Eronen
- Re: [Isms] wg last call on the (d)tls transport m… Wes Hardaker
- Re: [Isms] wg last call on the (d)tls transport m… Wes Hardaker
- Re: [Isms] wg last call on the (d)tls transport m… Wes Hardaker
- Re: [Isms] wg last call on the (d)tls transport m… David Harrington
- Re: [Isms] wg last call on the (d)tls transport m… David Harrington
- Re: [Isms] wg last call on the (d)tls transport m… Wes Hardaker
- Re: [Isms] wg last call on the (d)tls transport m… Donati Andrew-MGIA0477
- Re: [Isms] wg last call on the (d)tls transport m… Juergen Schoenwaelder
- Re: [Isms] wg last call on the (d)tls transport m… Donati Andrew-MGIA0477
- Re: [Isms] wg last call on the (d)tls transport m… Wes Hardaker
- Re: [Isms] wg last call on the (d)tls transport m… Wes Hardaker