Re: [T2TRG] RESTful Design & Security

Ari Keränen <ari.keranen@ericsson.com> Mon, 06 March 2017 20:20 UTC

From: Ari Keränen <ari.keranen@ericsson.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Date: Mon, 06 Mar 2017 20:20:02 +0000
Message-ID: <09D28E31-4D5E-47D8-B8D1-E849F12D5720@ericsson.com>
References: <c15a387f-9dd3-987e-2901-b86fd8f60108@gmx.net>
In-Reply-To: <c15a387f-9dd3-987e-2901-b86fd8f60108@gmx.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/t2trg/OY2PkF58XCD_DxVIy10-C7OBDbc>
Cc: "t2trg@irtf.org" <T2TRG@irtf.org>

Hi Hannes,

I agree that the draft is currently thin on the security side and some recommendations would be useful.

What would you recommend for the application security issue you mentioned below?


Cheers,
Ari

> On 06 Mar 2017, at 18:59, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
> 
> Hi all,
> 
> reading through
> https://tools.ietf.org/html/draft-keranen-t2trg-rest-iot-03 I was
> wondering whether there are some thoughts regarding security protection.
> 
> From the web we know that TLS goes very well with RESTful designs.
> 
> However, when dealing with intermediaries in the IoT space, such as it
> happens with interconnecting different IoT islands, RESTful protocols
> appear to run into challenges.
> 
> The challenge is quite simple: an application layer security for a
> RESTful protocol has to protect some (or must?) header fields.
> Intermediaries often change or, in case of a protocol translation from
> one IoT technology to another one, completely rebuild header fields.
> This breaks application layer security mechanisms.
> 
> Needless to say, these challenges have been observed in other
> protocols as well, such as HTTP and even SIP.
> 
> What is the story for providing application layer security?
> 
> Ciao
> Hannes
> 
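As an added illustration of the header-rewriting problem Hannes describes (example code, not from the thread or the draft): a toy end-to-end MAC over a CoAP-like message shows that a translating proxy which rewrites hop-related fields invalidates a MAC computed over all headers, while a design that integrity-protects only the end-to-end fields survives the rewrite and still detects tampering with a protected field. The field names, shared key, message layout and proxy behaviour are all constructed for the example.

```python
# Added example (not from the thread): end-to-end integrity protection
# versus intermediaries that rewrite header fields. All names constructed.
import hashlib
import hmac
import json

KEY = b"constructed-shared-key"  # pre-shared between the two endpoints only


def mac_over(headers: dict, payload: bytes, protected: set) -> str:
    """HMAC over the payload plus only the headers named in `protected`,
    serialised canonically so both endpoints hash identical bytes."""
    covered = {k: headers[k] for k in sorted(protected) if k in headers}
    data = json.dumps(covered, sort_keys=True).encode() + b"\n" + payload
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def sign(msg: dict, protected: set) -> dict:
    out = {"headers": dict(msg["headers"]), "payload": msg["payload"]}
    out["mac"] = mac_over(out["headers"], out["payload"], protected)
    return out


def verify(msg: dict, protected: set) -> bool:
    expected = mac_over(msg["headers"], msg["payload"], protected)
    return hmac.compare_digest(expected, msg["mac"])


def translating_proxy(msg: dict) -> dict:
    """Models a proxy between two IoT islands: it rebuilds hop-related
    fields for the next leg but forwards end-to-end fields untouched."""
    out = {"headers": dict(msg["headers"]), "payload": msg["payload"], "mac": msg["mac"]}
    out["headers"]["Uri-Host"] = "island-b.example"  # rewritten for the new hop
    out["headers"]["Max-Age"] = 30                    # cache policy reset by the proxy
    return out


END_TO_END = {"Uri-Path", "Content-Format"}   # fields the receiving app relies on
ALL_HEADERS = END_TO_END | {"Uri-Host", "Max-Age"}


def demo() -> tuple:
    msg = {"headers": {"Uri-Host": "island-a.example", "Uri-Path": "/temp",
                       "Content-Format": 50, "Max-Age": 60},
           "payload": b'{"temp": 21.5}'}
    # Naive design: MAC covers every header, so the proxy rewrite breaks it.
    naive_ok = verify(translating_proxy(sign(msg, ALL_HEADERS)), ALL_HEADERS)
    # Split design: MAC covers only end-to-end fields, so the rewrite is harmless.
    split_ok = verify(translating_proxy(sign(msg, END_TO_END)), END_TO_END)
    # Tampering with a protected field is still detected under the split design.
    tampered = translating_proxy(sign(msg, END_TO_END))
    tampered["headers"]["Uri-Path"] = "/actuator"
    return naive_ok, split_ok, verify(tampered, END_TO_END)
```

The split only helps if the receiver's application never trusts an unprotected field for an authorization or routing decision; deciding which class each field belongs to is the design work the thread is asking about.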