Re: [lp-wan] draft-ietf-lpwan-coap-static-context-hc-14.txt and Magnus Westerlund Discuss
Ana Minaburo <ana@ackl.io> Fri, 03 July 2020 07:19 UTC
Return-Path: <ana@ackl.io>
X-Original-To: lp-wan@ietfa.amsl.com
Delivered-To: lp-wan@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECF653A0DCE for <lp-wan@ietfa.amsl.com>; Fri, 3 Jul 2020 00:19:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ackl-io.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w_cy6GrLhi9o for <lp-wan@ietfa.amsl.com>; Fri, 3 Jul 2020 00:19:08 -0700 (PDT)
Received: from mail-io1-xd2d.google.com (mail-io1-xd2d.google.com [IPv6:2607:f8b0:4864:20::d2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F13393A0DCB for <lp-wan@ietf.org>; Fri, 3 Jul 2020 00:19:07 -0700 (PDT)
Received: by mail-io1-xd2d.google.com with SMTP id a12so31541512ion.13 for <lp-wan@ietf.org>; Fri, 03 Jul 2020 00:19:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ackl-io.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ZJbQr7qdpMqBe+ZUMaClueb25oTNpcrbMIjGS60vq94=; b=M7plNL+NYw1BLXfbVWqADdPaooBfp/LTR2tj772sh2VYlFVhvKLOcYYZU2iCSyc4tX TTDz3eZjghf2JCd4DRUm98MrFXHkvQEx0ZGo3H7xBF/TvKOzPdzRB2H4PDYlfJGrz32u ZzZ07/3neJURPtKz5SrAM7DhHRAT9G/nRzd+bIaURY6sBfbt7p4jEc0rSxRm2vohBo8R z3yYBh8mSQCrrgWhTEpQKhE8E8dS3ipDES7o5hQ6wmgBQX8Q0HTBicsrFS1szGo6KRLa ybNvY0DHMUDWXs8JJyTmUzbwiVugQbX1LYGXORzofLaljWhNal1l8q4pqJaS+1VRHWak JD2Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ZJbQr7qdpMqBe+ZUMaClueb25oTNpcrbMIjGS60vq94=; b=NkUKCOU7Olajjmmsfjj/4AZDgEiW1Io6b2A70W4Jb8SxEwFOcTd5i+urqxCtjZ0ZK0 CDU0PfehMJcYos5p80PTQeSyBY54zw8yO6KcarmEDncgFDld34a6i1xu0ztv10z+8Fj5 H/eBVFB7S564kTX5Zlf3jTx7B0/cq6GHCACZDKR61INpiaLriIWUtpFRoDCeNQz92hLK 2taGeo2kDZoN2mdCWAo6ynl7f9ROyjTv/UHbTeZ50B2xmmNE5RT4I/BrE8/GJMmJU1RJ Y+dCihjEEokvQbAGimZhhNl5T3MFMsygJYosVlRsqcxwrGLCWEaFwRWTNyUq4fA5N08u uZzw==
X-Gm-Message-State: AOAM530Jp40EsYdTO4q/glOslbDKrEx8sFrSVO1+Fjct1sk3o04zMcnP Bp7BQklhhNSkpBcajqLPnyPSyFA9yy1PejDevjGSUg==
X-Google-Smtp-Source: ABdhPJyaL6nFwokC+Jalz8p8csdjKMaznwfD5faj58ctZ4iHSUqCNuO5NmJwHHRzAmGDRU0SxRHjb3z5UdVj7ImzjhE=
X-Received: by 2002:a6b:8d04:: with SMTP id p4mr11040357iod.174.1593760746792; Fri, 03 Jul 2020 00:19:06 -0700 (PDT)
MIME-Version: 1.0
References: <159051093254.21121.16926703305000099981@ietfa.amsl.com> <5dac4a2a45ae78b7b7d6926545aab9533f457c08.camel@ericsson.com> <MN2PR11MB35656543D6AAC7CBB942F9CFD88B0@MN2PR11MB3565.namprd11.prod.outlook.com> <cc849a919dfe78a8c96041d3035d99be6ec00158.camel@ericsson.com>
In-Reply-To: <cc849a919dfe78a8c96041d3035d99be6ec00158.camel@ericsson.com>
From: Ana Minaburo <ana@ackl.io>
Date: Fri, 03 Jul 2020 09:18:40 +0200
Message-ID: <CAAbr+nRLY0Nc-SHM878x4buZcG=50RUcPZLCkJvF9H7it09P+Q@mail.gmail.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>
Cc: "pthubert=40cisco.com@dmarc.ietf.org" <pthubert=40cisco.com@dmarc.ietf.org>, "draft-ietf-lpwan-coap-static-context-hc@ietf.org" <draft-ietf-lpwan-coap-static-context-hc@ietf.org>, "evyncke@cisco.com" <evyncke@cisco.com>, "lp-wan@ietf.org" <lp-wan@ietf.org>, "laurent.toutain@imt-atlantique.fr" <laurent.toutain@imt-atlantique.fr>
Content-Type: multipart/alternative; boundary="0000000000002b97ae05a9845784"
Archived-At: <https://mailarchive.ietf.org/arch/msg/lp-wan/xi0e0qe7wFNYTaolnjorcjO3k4Q>
Subject: Re: [lp-wan] draft-ietf-lpwan-coap-static-context-hc-14.txt and Magnus Westerlund Discuss
X-BeenThere: lp-wan@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Low-Power Wide Area Networking \(LP-WAN\), also known as LPWA or Low-Rate WAN \(LR-WAN\)" <lp-wan.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lp-wan>, <mailto:lp-wan-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lp-wan/>
List-Post: <mailto:lp-wan@ietf.org>
List-Help: <mailto:lp-wan-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lp-wan>, <mailto:lp-wan-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jul 2020 07:19:12 -0000
Hello Magnus, We try to reflect your input in the document, we have done changes in the following sections. Introduction new text: CoAP {{rfc7252}} is designed to easily interop with HTTP (Hypertext Transfer Protocol) and is optimized for REST-based (Representational state transfer) services. Although CoAP was designed for constrained devices, the size of a CoAP header still is too large for the constraints of LPWAN (Low Power Wide Area Networks) and some compression is needed to reduce the header size. The {{rfc8724}} defines SCHC, a header compression mechanism for LPWAN network based on a static context. Section 5 of the {{rfc8724}} explains the architecture where compression and decompression are done. The context is known by both ends before transmission. The way the context is configured, provisioned or exchanged is out of the scope of this document. *CoAP is an End-to-End protocol at the application level, so CoAP compression requires to install common Rules between two hosts and IP Routing may be needed to allow End-to-End communication. Therefore, SCHC compression may apply at two different levels, one to compress IP and UDP as described in {{rfc8724}} in the LPWAN network and another at the application level. These two compressions may be independent. The Compression Rules can be set up by two independent entities and are out of the scope of this document. In both cases, the SCHC mechanism remains the same.* SCHC compresses and decompresses headers based on shared contexts between devices. Each context consists of multiple Rules. Each Rule can match header fields and specific values or ranges of values. If a Rule matches, the matched header fields are substituted by the RuleID and optionally some residual bits. Thus, different Rules may correspond to different types of packets that a device expects to send or receive. A Rule describes the complete header of the packet with an ordered list of fields descriptions, see section 7 of {{rfc8724}}, thereby each description contains the field ID (FID), its length (FL) and its position (FP), a direction indicator (DI) (upstream, downstream and bidirectional) and some associated Target Values (TV). .... Section 2. Applying SCHC to CoAP headers We have divided the Figure 1, into three different figures, in order to show the architecture of each use case. New text: Applying SCHC to CoAP headers The SCHC Compression Rules can be applied to CoAP headers. SCHC Compression of the CoAP header MAY be done in conjunction with the lower layers (IPv6/UDP) or independently. The SCHC adaptation layers as described in Section 5 of {{rfc8724}} and may be used as shown in {{Fig-SCHCCOAP1}}, {{Fig-SCHCCOAP2}} and {{Fig-SCHCCOAP3}}. In the first example {{Fig-SCHCCOAP1}}, a Rule compresses the complete header stack from IPv6 to CoAP. In this case, SCHC C/D (Static Context Header Compression Compressor/Decompressor) is performed at the Sender and at the Receiver. The host communicating with the device does not implement SCHC C/D. (device) (NGW) (internet) (App) +--------+ +--------+ | CoAP | | CoAP | +--------+ +--------+ | UDP | | UDP | +--------+ +----------------+ +--------+ | IPv6 | | IPv6 | | IPv6 | +--------+ +--------+-------+ +--------+ | SCHC | | SCHC | | | | +--------+ +--------+ + + + | LPWAN | | LPWAN | | | | +--------+ +--------+-------+ +--------+ ((((((())))))) ----- ------ ------ ----- {: #Fig-SCHCCOAP1 title='Compression/decompression at the LPWAN bondary'} In the second example, {{Fig-SCHCCOAP2}}, the SCHC compression is applied in the CoAP layer, compressing the CoAP header independently of the other layers. The RuleID and the Compression Residue are encrypted using a mechanism such as DTLS. Only the other end can decipher the information. If needed, layers below use SCHC to compress the header as defined in {{rfc8724}} document. This use case realizes an End-to-End context initialization between the sender and the receiver and is out-of-scope of this document. (device) (NGW) (internet) (App) +--------+ +--------+ | CoAP | | CoAP | +--------+ +--------+ | SCHC | | SCHC | +--------+ +--------+ | DTLS | | DTLS | +--------+ +--------+ . udp . . udp . .......... .................. .......... . ipv6 . . ipv6 . . ipv6 . .......... .................. .......... . schc . . schc . . . . .......... .......... . . . . lpwan . . lpwan . . . . .......... .................. .......... ((((((())))))) ----- ------ ------ ----- {: #Fig-SCHCCOAP2 title='Standalone CoAP ene-to-end compression/decompression'} In the third example, {{Fig-SCHCCOAP3}} the Object Security for Constrained RESTful Environments (OSCORE) {{rfc8613}} is used. In this case, two rulesets are used to compress the CoAP message. A first ruleset focused on the inner header and is applied end to end by both ends. A second ruleset compresses the outer header and the layers below and is done between the Sender and the Receiver. (device) (NGW) (internet) (App) +--------+ +--------+ | CoAP | | CoAP | | inner | | inner | +--------+ +--------+ | SCHC | | SCHC | +--------+ +--------+ | CoAP | | CoAP | | outer | | outer | +--------+ +--------+ . udp . . udp . .......... .................. .......... . ipv6 . . ipv6 . . ipv6 . .......... .................. .......... . schc . . schc . . . . .......... .......... . . . . lpwan . . lpwan . . . . .......... .................. .......... ((((((())))))) ----- ------ ------ ----- {: #Fig-SCHCCOAP3 title='OSCORE compression/decompression.'} In case of 2 rule-sets, as shown in {{Fig-SCHCCOAP2}} and {{Fig-SCHCCOAP3}}, they may come from different provisioning domains, and that they do not include the cryptography part that is done in between the two SCHC activities. This document focuses on CoAP compression represented in the dashed boxes in the previous figures. ..... We have published the version 14 with these new changes, hoping they cover all your requests. Regards Ana, Laurent, & Ricardo On Wed, Jun 3, 2020 at 3:19 PM Magnus Westerlund < magnus.westerlund@ericsson.com> wrote: > Hi Pascal, > > Let me try to explain the issue I see here. So this document defines how to > compress COAP/UDP/IPv6 and that is given in a framework with a certain set > of > assumption on how to get SCHC rules in place in the compressor and > decompressor. > > The issue I am seeing for the case of COAP/DTLS/UDP/IPv6 is that the inner > compression of COAP, although is the same set of rules that would be > applied for > the actual compression of COAP in the previous case, the application of > these > rules are not building on the same foundation as in the above case. > There are simply a different architectural constraints for getting these > rules > in place at the decompressor. I am not asking you to solve them. I am > asking the > WG to describe the changed context and its architectural principles. > > So let me ask the question that may resolve this in another way. > > Is there a specification for some LPWAN to establish the SCHC rules that is > working between the end-point and the gateway? Looking at > https://datatracker.ietf.org/doc/rfc8724/referencedby/ > there appear to be several ongoing work to use SCHC as intended by the > architecture discussed in RFC 8724. > > So does there exist any similar proposal for developing an establishment > for the > inner COAP compression within a security layer? > > Are you convinced that the ones that need to write such a document are > getting > the support for considerations that are different from what RFC 8724 > describes? > Because I do think there are several different considerations. > > First, dynamic capability determination based on destination, i.e. for > each COAP > server the client talk to needs to determine if there are SCHC support > > Secondly, the choice between trying to rely on the security layer to > identify > data objects with SCHC rules as part of them and those without? > > Third, what rule initiation protocol can you run on top of the security > layer, > you can't do it below as that would leak information that needs to be > secure. > This likely should have its own paragraph in the security consideration. > > I think these all have challenges that are significantly different from > when > SCHC implementation is embedded in the network stack between IP and L2. > And when > the NGW and its SCHC capabilities are not dependent on IP destination, but > simply if it is going to the NGW at all. > > These are all reasons I think there are need for a discussion of the > architectural changes that COAP/SEC/UDP/IP has compared to both UDP/IP and > COAP/UDP/IP. > > Part of the issue here is that do get the inner COAP establishment correct > require knowledge of both SCHC and the security layer + COAP to get correct > possibly with external methods for service discovery, i.e. DNS etc. Thus I > think > it is well motivated that you actually describe the considerations needs > to be > taken care for a developer of a SCHC COAP compression above OSCORE or DTLS > or > any other security layer. > > I hope this clarifies my discuss. > > Cheers > > Magnus Westerlund > > > On Tue, 2020-06-02 at 15:33 +0000, Pascal Thubert (pthubert) wrote: > > Hello Magnus > > > > I think there's a confusion here. It is true that this draft discusses > how > > upper layer security and that COSE can be used. But for all I can see it > does > > not affect the SCHC operation or the way it is provisioned. It really > affects > > the deployment since the decompression is done in 2 stages (possibly in 2 > > different places, the first router and then the application) but that's > still > > SCHC, operating twice, for outer and inner pieces, as described in fig 8. > > > > If a rule matches, say, a source and destination IP address, and the > other > > checked things in the bit stream that follows also match, then the rule > > applies, and the bit stream is transformed mechanically. Whether that bit > > stream contains encrypted content is not really the point, this is all > bits. > > SCHC does not do the en/decryption, and is not aware of the content of > the > > security association or the key material. This much happens between the 2 > > rounds of SCHC but is not part of SCHC. > > > > > From the rule perspective, the cyphertext is inlined as another bit > stream > > > that cannot be compressed. > > > > To your point: > > > - Discover the peers capability to perform SCHC for COAP or can one > > > opportunistically try? > > > > This is a problem for the security layer between the 2 SCHC stages but > SCHC > > itself is not affected. We do not try anything, we mechanically change a > > content into another when a rule matches. The security processing is > handled > > in that intermediate layer between the 2 stages and it is what is > affected by > > the architectural change you point out. That layer must be provisioned > or must > > discover / negotiate with its end peers, but that's not SCHC. > > > > > - Taking into account that an COAP application can potentially talk to > a > > > number of peers, each having different capabilities. > > > > If the rules are match a particular IP address then we can have different > > format, with and without the 2 stages, but the cyphertext is an opaque > > bitstream from a different layer to the outer SCHC operation: > > > > > - Are there need for a redirection/invocation mechanism- The actual > context > > > exchange mechanism. > > > > The SCHC rules (as opposed to say RoHC) are not dynamic and fully > provisioned > > in advance, and this does not change when SCHC compresses CoAP or COSE. > Note > > that we are working separately on the data model for that. But I do not > see > > that the data model is affected by the 2 stages operations. There will > just be > > different sets of rules for inner and outer. > > > > Cc'ed authors, do I have it right ? > > > > Pascal > > > > > > > > > > > -----Original Message----- > > > From: lp-wan <lp-wan-bounces@ietf.org> On Behalf Of Magnus Westerlund > > > Sent: jeudi 28 mai 2020 17:33 > > > To: Pascal Thubert (pthubert) <pthubert@cisco.com>; > draft-ietf-lpwan-coap- > > > static-context-hc@ietf.org; Eric Vyncke (evyncke) <evyncke@cisco.com>; > lp- > > > wan@ietf.org > > > Subject: [lp-wan] draft-ietf-lpwan-coap-static-context-hc-14.txt and > Magnus > > > Westerlund Discuss > > > > > > Hi, > > > > > > I have looked at the changes in the latest version. However, I don't > think > > > they > > > resolve my discuss ( > https://datatracker.ietf.org/doc/draft-ietf-lpwan-coap- > > > static-context-hc/ballot/#magnus-westerlund > > > ). > > > > > > Let me try to re-iterate on why I think my discuss is relevant and you > > > should do > > > something credible to address it. > > > > > > So my discuss are really only focused on the case where SCHC is used > on top > > > of > > > a security layer that pushes the SCHC implementation into the COAP > stacks at > > > the end-points, rather than potentially lower layers on top of the L2 > > > infrastructure. > > > > > > To me it appears that this change results in several architectural > > > considerations > > > that didn't existed before for the entity that are going to determine > the > > > SCHC > > > capability in the peer as well as the context establishment. > > > What I am asking for is really only an description of the changed > > > architectural > > > context and the requirements on a solution for the SCHC context > > > establishment > > > mechanism. > > > > > > - Discover the peers capability to perform SCHC for COAP or can one > > > opportunisticly try? > > > - Taking into account that an COAP application can potentially talk to > a > > > number > > > of peers, each having different capabilities. > > > - Are there need for a redirection/invocation mechanism > > > - The actual context exchange mechanism. > > > > > > Can we please write a paragraph or two in the suitable section in this > > > document rather a single sentence pointing to an appendix. That > appending > > > containing a single bullet that are supposed to be added: > > > > > > This section extends the RFC8724 Annex D list. > > > > > > o How to establish the End-to-End context initialization using SCHC > > > for CoAP header only. > > > > > > Annex D of RFC 8724 list is preface by: > > > "This section lists the information that needs to be provided in the > LPWAN > > > technology-specific documents." > > > > > > That is not really information to be provided, there are procedures > that are > > > needed. > > > > > > > > > Cheers > > > > > > Magnus Westerlund > > > > > > > > > ---------------------------------------------------------------------- > > > Networks, Ericsson Research > > > ---------------------------------------------------------------------- > > > Ericsson AB | Phone +46 10 7148287 > > > Torshamnsgatan 23 | Mobile +46 73 0949079 > > > SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com > > > ---------------------------------------------------------------------- > > > > > > _______________________________________________ > > > lp-wan mailing list > > > lp-wan@ietf.org > > > https://www.ietf.org/mailman/listinfo/lp-wan > -- > Cheers > > Magnus Westerlund > > > ---------------------------------------------------------------------- > Networks, Ericsson Research > ---------------------------------------------------------------------- > Ericsson AB | Phone +46 10 7148287 > Torshamnsgatan 23 | Mobile +46 73 0949079 > SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com > ---------------------------------------------------------------------- > >
- [lp-wan] draft-ietf-lpwan-coap-static-context-hc-… Magnus Westerlund
- Re: [lp-wan] draft-ietf-lpwan-coap-static-context… Pascal Thubert (pthubert)
- Re: [lp-wan] draft-ietf-lpwan-coap-static-context… Magnus Westerlund
- Re: [lp-wan] draft-ietf-lpwan-coap-static-context… Ricardo Andreasen
- Re: [lp-wan] draft-ietf-lpwan-coap-static-context… Ana Minaburo
- Re: [lp-wan] draft-ietf-lpwan-coap-static-context… Magnus Westerlund
- Re: [lp-wan] draft-ietf-lpwan-coap-static-context… Eric Vyncke (evyncke)