Re: [Tls-reg-review] [UNVERIFIED SENDER] Re: Request to Register Value in TLS ALPN Registry

"Thakar, Eeshan" <thakar@amazon.com> Tue, 13 August 2019 00:12 UTC

From: "Thakar, Eeshan" <thakar@amazon.com>
To: Yoav Nir <ynir.ietf@gmail.com>
CC: "tls-reg-review@ietf.org" <tls-reg-review@ietf.org>, "Lee, Alexandra" <alexanl@amazon.com>, "Sharfin, Jared" <sharfinj@amazon.com>, "Gochenaur, Drew" <gochenau@amazon.com>
Date: Tue, 13 Aug 2019 00:12:32 +0000
Message-ID: <817DAF60-C05C-4BA4-AA34-BF94A43854A9@amazon.com>
References: <237DADD1-883D-47C3-88D4-3B39D9843CBC@amazon.com> <73904165-C904-455B-B681-488F7EE676C2@gmail.com>
In-Reply-To: <73904165-C904-455B-B681-488F7EE676C2@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls-reg-review/61WltTKn_gSwrT1QIKMfYB8Idi8>
Subject: Re: [Tls-reg-review] [UNVERIFIED SENDER] Re: Request to Register Value in TLS ALPN Registry

Hi Yoav,

Thanks for taking a look through the request. The current implementation for the AWS IoT Gateway endpoint does support HTTP/1.1 and MQTT (3.1 and 3.1.1) on the same port (443) using ALPN (with a custom ALPN protocol id).
It also supports MQTT on the IANA registered port (8883), but allows ALPN based MQTT connections on 443 to work around standard firewall configurations [1].

The goal with getting the “mqtt” protocol id registered was to have a common basis for all implementers of gateways that support HTTP and MQTT (multiple cloud IoT services do so today, albeit not on the same port) to have a way to accept MQTT traffic on port 443. This is similar to how CoAP has both an ALPN registered string (“coap”) and a registered port (5684 for CoAP with TCP/TLS).

Thanks,

Eeshan

[1]: https://aws.amazon.com/blogs/iot/mqtt-with-tls-client-authentication-on-port-443-why-it-is-useful-and-how-it-works/
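As an added illustration (not code from this thread, from AWS or from the MQTT specifications), the two pieces of server-side logic a port-443 gateway of the kind described above needs: RFC 7301 server-preference ALPN selection, and a check of the protocol name and protocol level in the MQTT CONNECT packet, which is where the version is carried as the request notes. The sample CONNECT packets are constructed; the server preference order and the fallback to HTTP when a client sends no ALPN are assumptions.

```python
import struct

# Assumed server preference order for a port-443 gateway: HTTP/1.1, then "mqtt".
SERVER_ALPN = ["http/1.1", "mqtt"]

# Protocol name / protocol level pairs from the CONNECT variable header.
MQTT_VERSIONS = {(b"MQIsdp", 3): "3.1", (b"MQTT", 4): "3.1.1", (b"MQTT", 5): "5.0"}

# Constructed minimal CONNECT packets (empty client id, clean session, keep-alive 60 s).
CONNECT_31 = bytes.fromhex("100e00064d51497364700302003c0000")
CONNECT_311 = bytes.fromhex("100c00044d5154540402003c0000")
CONNECT_5 = bytes.fromhex("100d00044d5154540502003c000000")


def select_alpn(client_offered, server_supported=SERVER_ALPN):
    """RFC 7301 server-side selection: first server preference the client also offered.
    None means no overlap; the server may then send a no_application_protocol alert."""
    offered = set(client_offered)
    return next((p for p in server_supported if p in offered), None)


def decode_remaining_length(buf, pos):
    """Decode MQTT's variable-length 'remaining length' field (1 to 4 bytes)."""
    value, multiplier = 0, 1
    for i in range(4):
        byte = buf[pos + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos + i + 1
        multiplier *= 128
    raise ValueError("malformed remaining length")


def mqtt_version_from_connect(packet):
    """Return the MQTT version announced in the first packet (CONNECT), or raise ValueError."""
    if len(packet) < 2 or packet[0] != 0x10:  # CONNECT = type 1, flags 0
        raise ValueError("first packet is not CONNECT")
    remaining, pos = decode_remaining_length(packet, 1)
    if remaining < 10 or len(packet) - pos < remaining:
        raise ValueError("truncated CONNECT")
    (name_len,) = struct.unpack_from("!H", packet, pos)
    if pos + 3 + name_len > len(packet):
        raise ValueError("protocol name overruns packet")
    name, level = packet[pos + 2:pos + 2 + name_len], packet[pos + 2 + name_len]
    if (name, level) not in MQTT_VERSIONS:
        raise ValueError(f"unknown protocol name/level {name!r}/{level}")
    return MQTT_VERSIONS[(name, level)]


def dispatch(selected_alpn, first_packet):
    """Route an accepted port-443 connection: 'mqtt' reaches the MQTT handler only if its
    CONNECT parses; no ALPN falls back to HTTP (assumption, as for ordinary HTTPS clients)."""
    if selected_alpn == "mqtt":
        return "mqtt", mqtt_version_from_connect(first_packet)
    if selected_alpn in ("http/1.1", None):
        return "http", None
    raise ValueError(f"unexpected ALPN {selected_alpn!r}")
```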

From: Yoav Nir <ynir.ietf@gmail.com>
Date: Saturday, August 10, 2019 at 2:08 AM
To: "Thakar, Eeshan" <thakar@amazon.com>
Cc: "tls-reg-review@ietf.org" <tls-reg-review@ietf.org>, "Lee, Alexandra" <alexanl@amazon.com>, "Sharfin, Jared" <sharfinj@amazon.com>, "Gochenaur, Drew" <gochenau@amazon.com>
Subject: [UNVERIFIED SENDER] Re: [Tls-reg-review] Request to Register Value in TLS ALPN Registry

On 9 Aug 2019, at 23:45, Thakar, Eeshan <thakar=40amazon.com@dmarc.ietf.org> wrote:

Type of Assignment:
Registration of “mqtt” token

Registry:
Application Layer Protocol Negotiation (ALPN) Protocol ID

Description:
The mqtt protocol has the protocol version written into the first message on a connection. The mqtt server implementations typically understand the protocol version based on the fixed header on the first message (connect).

Adding this protocol id to the registry will help the community since clients wanting to request mqtt as the protocol would have an appropriate specification reference to use.

Additional Info:
[1] MQTT 3.1 Specification: http://public.dhe.ibm.com/software/dw/webservices/ws-mqtt/mqtt-v3r1.html
[2] MQTT 3.1.1 Specification: http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/csprd02/mqtt-v3.1.1-csprd02.html
[3] MQTT 5.0 Specification: http://docs.oasis-open.org/mqtt/mqtt/v5.0/mqtt-v5.0.html


Hi, Eeshan.

I’ve looked through the linked specifications, especially the third one because it says it replaces the others.

It says that TCP port 8883 is registered with IANA for MQTT over TLS, and the IANA registry confirms it. If you have your own port, why do you need ALPN?

ALPN is used to negotiate a particular service (such as HTTP) over a single port, typically 443.

So if you were using a server listening on port 443 and serving both MQTT and HTTP/2 you would need that to distinguish clients that need MQTT from web browsers that need HTTP/2.

The linked document does not make any mention of such a server. Is this described elsewhere?

Thanks

Yoav