IETF Logo Mail Archive

Re: [Taps] TAPS (secure) connection maangement Q

Tommy Pauly <tpauly@apple.com> Wed, 07 August 2019 21:43 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: taps@ietfa.amsl.com
Delivered-To: taps@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBDA5120116 for <taps@ietfa.amsl.com>; Wed, 7 Aug 2019 14:43:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fxTUCwhe55yr for <taps@ietfa.amsl.com>; Wed, 7 Aug 2019 14:43:49 -0700 (PDT)
Received: from nwk-aaemail-lapp02.apple.com (nwk-aaemail-lapp02.apple.com [17.151.62.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C407D1200DF for <taps@ietf.org>; Wed, 7 Aug 2019 14:43:49 -0700 (PDT)
Received: from pps.filterd (nwk-aaemail-lapp02.apple.com [127.0.0.1]) by nwk-aaemail-lapp02.apple.com (8.16.0.27/8.16.0.27) with SMTP id x77LfUKJ030195; Wed, 7 Aug 2019 14:43:42 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=sender : from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=IGb/Zo3TwADKROEtIMeXO28AMq9pdv4UA3hU6y6lqLc=; b=a4RdBUeJjTBW13/g3iwj4aFB3WFtv/v+hwnKL0Ryk6rYY2B+iYH2LhjhbV/sOHyHJ0mZ Reo839v9MCDnscm0QsVf7Y6PSg6QmZVLNoZc6l/WreFFEnR2NX8WhqAbLqJxH9UsXABr nAxH9LvmJaTRfxTHVyhT4f03nAzGy3hnBDhyDZ7UyUXpCznzJnKyEkGBlsg7rjj/SLy4 17UsJp5c4p9gOmp2Lksdo9vgxVaj6qMYGMcqmHvcf6ugF6i6p2ghvZ2sh/aiVR/UDc77 u1eh+Xv7sI8rkCHZDd18uTzdfwYFOBsT4y3D7hhBaK93XtvnHZ9z3UKotpa+0yyxOIb+ 4g==
Received: from ma1-mtap-s02.corp.apple.com (ma1-mtap-s02.corp.apple.com [17.40.76.6]) by nwk-aaemail-lapp02.apple.com with ESMTP id 2u56undq39-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 07 Aug 2019 14:43:42 -0700
Received: from nwk-mmpp-sz09.apple.com (nwk-mmpp-sz09.apple.com [17.128.115.80]) by ma1-mtap-s02.corp.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) with ESMTPS id <0PVV006IQZ0SF8G0@ma1-mtap-s02.corp.apple.com>; Wed, 07 Aug 2019 14:43:42 -0700 (PDT)
Received: from process_milters-daemon.nwk-mmpp-sz09.apple.com by nwk-mmpp-sz09.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) id <0PVV00C00YVNU500@nwk-mmpp-sz09.apple.com>; Wed, 07 Aug 2019 14:43:41 -0700 (PDT)
X-Va-A:
X-Va-T-CD: 1d5a643f0bb9eb08f62ba4dedb474f19
X-Va-E-CD: 7e9be8822e98b75cf8f96a9172ae7362
X-Va-R-CD: 8cd832951c4f1d7c383929d24eb89455
X-Va-CD: 0
X-Va-ID: 429600d5-3134-4677-afa3-f22f6dace4c3
X-V-A:
X-V-T-CD: 1d5a643f0bb9eb08f62ba4dedb474f19
X-V-E-CD: 7e9be8822e98b75cf8f96a9172ae7362
X-V-R-CD: 8cd832951c4f1d7c383929d24eb89455
X-V-CD: 0
X-V-ID: a767173b-bc33-452c-b52a-a3d9980e00e7
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-08-07_06:,, signatures=0
Received: from [17.234.34.61] by nwk-mmpp-sz09.apple.com (Oracle Communications Messaging Server 8.0.2.4.20190507 64bit (built May 7 2019)) with ESMTPSA id <0PVV00AK4Z0T4K40@nwk-mmpp-sz09.apple.com>; Wed, 07 Aug 2019 14:43:41 -0700 (PDT)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
Message-id: <E4AE346E-25CB-4D3D-900E-5866CDAFFC30@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_103BE246-70F8-4A5D-BF83-31D7E0BF460F"
MIME-version: 1.0 (Mac OS X Mail 12.4 \(3445.104.2\))
Date: Wed, 07 Aug 2019 14:43:35 -0700
In-reply-to: <20190807205149.bad2bvkbj3n5gvzc@faui48f.informatik.uni-erlangen.de>
Cc: taps@ietf.org
To: Toerless Eckert <tte@cs.fau.de>
References: <20190807205149.bad2bvkbj3n5gvzc@faui48f.informatik.uni-erlangen.de>
X-Mailer: Apple Mail (2.3445.104.2)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-08-07_06:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/taps/wTNPgBJsV-eQEB80wUQQqDcp4cU>
Subject: Re: [Taps] TAPS (secure) connection maangement Q
X-BeenThere: taps@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IETF Transport Services \(TAPS\) Working Group" <taps.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/taps>, <mailto:taps-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/taps/>
List-Post: <mailto:taps@ietf.org>
List-Help: <mailto:taps-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/taps>, <mailto:taps-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Aug 2019 21:43:52 -0000

Hi Toerless,

Thanks for the questions! Definitely an interesting topic.

I think what you're trying to get at, checking the client's authentication properties on the server, is described here: https://tools.ietf.org/html/draft-ietf-taps-interface-04#section-5.3.2.

   o  Trust verification callback: Invoked when a Remote Endpoint's
      trust must be validated before the handshake protocol can proceed.

   TrustCallback := NewCallback({
     // Handle trust, return the result
   })
   SecurityParameters.SetTrustVerificationCallback(trustCallback)


The idea here is that when you configure TLS options on your Listener object, you can configure optional event callbacks to participate in the certificate checking, thus allowing the check to occur prior to the TLS handshake actually completing.

In the Apple implementation, we do this with a call "sec_protocol_options_set_verify_block", documented here:

https://developer.apple.com/documentation/security/2976289-sec_protocol_options_set_verify_?language=objc
https://developer.apple.com/documentation/network/security_options?language=objc

Related to this, we recently had an issue we were discussing around allowing the application to filter a connection prior to accepting TCP on a server, in the accept path (https://github.com/ietf-tapswg/api-drafts/issues/338). This type of event would *only* allow looking at the client IP address, and wouldn't help for looking at the TLS certificate. We determined that for the TCP case, there can often be a way to push down firewall type rules in the system, and doing this as a per-accept callback may not be the best model.

Thanks,
Tommy

> On Aug 7, 2019, at 1:51 PM, Toerless Eckert <tte@cs.fau.de> wrote:
> 
> [ Sorry for being lazy and ask even though i haven't read all the documents.
>  If the question is answers by some existing text/thread, pls. let me know. ]
> 
> Precursor question: Server for TCP connections wants to be able to
> dynamically reject connection requests based on the clients connection
> parameters, e.g.: client IP-address. Dynamic meaning that the server
> should get a notification/callback, be able to examine the parameters
> and decide. Aka: no predefined policy object that can not run server
> code at the time of  receiving the client connection request.
> 
> I do not even remember wht the best current POSIX socket API is to do
> this today. Traditionally, servers suck at this, because they use an
> accept(), so the connection is established, and then they immediately
> close the connection once they have retrieved the clients IP-address
> (getpeername or the like).
> 
> So, the actual question is pretty much the same except that i don't care
> about the client IP-address but for TLS connections in the ability for
> the client-side to examine the server certificate presented and the
> server-side to examine the client-side cetificate presented - and in
> both cases have the hook for this notification/callback early enough 
> in the sate machinery of the transport protocol that no unnecessary
> steps are performed (e.g.: exactly NOT the above mentioned connect &
> drop behavior).
> 
> Thanks!
>    Toerless
> 
> _______________________________________________
> Taps mailing list
> Taps@ietf.org
> https://www.ietf.org/mailman/listinfo/taps

v2.23.0 | Report a Bug | By Email