Re: [Taps] TAPS (secure) connection maangement Q
Toerless Eckert <tte@cs.fau.de> Thu, 08 August 2019 19:32 UTC
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: taps@ietfa.amsl.com
Delivered-To: taps@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AA0A120177 for <taps@ietfa.amsl.com>; Thu, 8 Aug 2019 12:32:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.998
X-Spam-Level:
X-Spam-Status: No, score=-3.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.201, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1P1UVg16JQG1 for <taps@ietfa.amsl.com>; Thu, 8 Aug 2019 12:31:59 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6515312013B for <taps@ietf.org>; Thu, 8 Aug 2019 12:31:59 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [131.188.34.52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 6530854800E; Thu, 8 Aug 2019 21:31:54 +0200 (CEST)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id 55400440041; Thu, 8 Aug 2019 21:31:54 +0200 (CEST)
Date: Thu, 08 Aug 2019 21:31:54 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Tommy Pauly <tpauly@apple.com>
Cc: taps@ietf.org
Message-ID: <20190808193154.fp5hytpdbxcs5bb6@faui48f.informatik.uni-erlangen.de>
References: <20190807205149.bad2bvkbj3n5gvzc@faui48f.informatik.uni-erlangen.de> <E4AE346E-25CB-4D3D-900E-5866CDAFFC30@apple.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <E4AE346E-25CB-4D3D-900E-5866CDAFFC30@apple.com>
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/taps/153AR7sWOZ4fHE6QOQLkn4Q57YA>
Subject: Re: [Taps] TAPS (secure) connection maangement Q
X-BeenThere: taps@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IETF Transport Services \(TAPS\) Working Group" <taps.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/taps>, <mailto:taps-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/taps/>
List-Post: <mailto:taps@ietf.org>
List-Help: <mailto:taps-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/taps>, <mailto:taps-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Aug 2019 19:32:15 -0000
Thanks Tommy,
I couldn't quite figure out from the spec what context/parameters
would be made available to the callback.
Also: i would be worried about not having the callback option for
the client IP address checking. Just think of all the apps
doing GeoBlocking (video streaming) or verifying client DNS
domain for list of subscribers (academic papers come to mind).
I don't think you always want to force the server software
developer to calculate such a long ACL upfront. It might be
preferred in high-performance cases, but the most simple server
would do this on-demand.
Cheers
Toerless
On Wed, Aug 07, 2019 at 02:43:35PM -0700, Tommy Pauly wrote:
> Hi Toerless,
>
> Thanks for the questions! Definitely an interesting topic.
>
> I think what you're trying to get at, checking the client's authentication properties on the server, is described here: https://tools.ietf.org/html/draft-ietf-taps-interface-04#section-5.3.2.
>
> o Trust verification callback: Invoked when a Remote Endpoint's
> trust must be validated before the handshake protocol can proceed.
>
> TrustCallback := NewCallback({
> // Handle trust, return the result
> })
> SecurityParameters.SetTrustVerificationCallback(trustCallback)
>
>
> The idea here is that when you configure TLS options on your Listener object, you can configure optional event callbacks to participate in the certificate checking, thus allowing the check to occur prior to the TLS handshake actually completing.
>
> In the Apple implementation, we do this with a call "sec_protocol_options_set_verify_block", documented here:
>
> https://developer.apple.com/documentation/security/2976289-sec_protocol_options_set_verify_?language=objc
> https://developer.apple.com/documentation/network/security_options?language=objc
>
> Related to this, we recently had an issue we were discussing around allowing the application to filter a connection prior to accepting TCP on a server, in the accept path (https://github.com/ietf-tapswg/api-drafts/issues/338). This type of event would *only* allow looking at the client IP address, and wouldn't help for looking at the TLS certificate. We determined that for the TCP case, there can often be a way to push down firewall type rules in the system, and doing this as a per-accept callback may not be the best model.
>
> Thanks,
> Tommy
>
> > On Aug 7, 2019, at 1:51 PM, Toerless Eckert <tte@cs.fau.de> wrote:
> >
> > [ Sorry for being lazy and ask even though i haven't read all the documents.
> > If the question is answers by some existing text/thread, pls. let me know. ]
> >
> > Precursor question: Server for TCP connections wants to be able to
> > dynamically reject connection requests based on the clients connection
> > parameters, e.g.: client IP-address. Dynamic meaning that the server
> > should get a notification/callback, be able to examine the parameters
> > and decide. Aka: no predefined policy object that can not run server
> > code at the time of receiving the client connection request.
> >
> > I do not even remember wht the best current POSIX socket API is to do
> > this today. Traditionally, servers suck at this, because they use an
> > accept(), so the connection is established, and then they immediately
> > close the connection once they have retrieved the clients IP-address
> > (getpeername or the like).
> >
> > So, the actual question is pretty much the same except that i don't care
> > about the client IP-address but for TLS connections in the ability for
> > the client-side to examine the server certificate presented and the
> > server-side to examine the client-side cetificate presented - and in
> > both cases have the hook for this notification/callback early enough
> > in the sate machinery of the transport protocol that no unnecessary
> > steps are performed (e.g.: exactly NOT the above mentioned connect &
> > drop behavior).
> >
> > Thanks!
> > Toerless
> >
> > _______________________________________________
> > Taps mailing list
> > Taps@ietf.org
> > https://www.ietf.org/mailman/listinfo/taps
>
--
---
tte@cs.fau.de
- [Taps] TAPS (secure) connection maangement Q Toerless Eckert
- Re: [Taps] TAPS (secure) connection maangement Q Tommy Pauly
- Re: [Taps] TAPS (secure) connection maangement Q Toerless Eckert
- Re: [Taps] TAPS (secure) connection maangement Q Max Franke
- Re: [Taps] TAPS (secure) connection maangement Q Toerless Eckert