[core] Implications of IP address / port changes for CoAP & Co
Hannes Tschofenig <hannes.tschofenig@gmx.net> Wed, 31 August 2016 10:36 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03BEC12D099 for <core@ietfa.amsl.com>; Wed, 31 Aug 2016 03:36:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.149
X-Spam-Level:
X-Spam-Status: No, score=-3.149 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QNv1UVlNivaT for <core@ietfa.amsl.com>; Wed, 31 Aug 2016 03:36:48 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF295120727 for <core@ietf.org>; Wed, 31 Aug 2016 03:36:47 -0700 (PDT)
Received: from [192.168.91.132] ([90.127.74.115]) by mail.gmx.com (mrgmx001) with ESMTPSA (Nemesis) id 0MhhwJ-1bRcUw2Ac7-00MrWe for <core@ietf.org>; Wed, 31 Aug 2016 12:36:45 +0200
To: "core@ietf.org WG" <core@ietf.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Message-ID: <4a70a2b1-b998-b0c1-c42a-2ceb634b9945@gmx.net>
Date: Wed, 31 Aug 2016 12:36:30 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:JwvcJXOKI4avFOXPkZNWdxWUp1R2VrEktdONQq8GeZD1uMRPUwM sT4uDcCXk6o0Bhwnv58PqCohWJzfcwNgVNt1T42cG5d5XumtjOGPEb9UieIrCRaxh9AWqf6 KBJOPpCH1mSnlc9G9pYokSL3RKSTUzVBwEl/T+xlDhTO0WtBM39hf2NF93PT8hYAgE/qQv+ cb8APxUbCNN4nE+i0OwRQ==
X-UI-Out-Filterresults: notjunk:1;V01:K0:lCIJnDusagA=:yE+CECNE8PxeD1XsPujniO G5bawXK8Rm+QDQeQ1R3NLioPGVihEg2FuKdKVC21rjUPM2QEUObxmg+4ikfZ7CKMvnE8XquRn uEHguJGAjz9VjwwuJjpynjTxFAWPnwuJQj3rZp2Vucd82IqWm4bBrZ3BXRXNSctN8WXbkReDV kaDa7jX8VpluIAVZWKWa/RY2cQTjq+hfHWdCjB0QDBMU278HWccOyPGMLSoKq2giy4s9Wy+c5 Uow/bFh6AO29ql6eubDkP9tX+oR3C1waf/rLsyhJ4yT6uPl8PdFCWGGRPBfRGoh+PfmvUKW1L 1tmpXIlWAS7wDGTUKdmY5m7WIR56AJXaPlFkgaW2f4HEBxARpzpVhEHkUKZSamPG2QRcXWB5S 4Db4yxeWNRu4kDVpEko5jesXMZlDIwWZ35rRwEGVPnAisCkgG90k/lgRx/jWZxdrsIpGGIVB2 A5xNS+La8lV4314X+swIt0/XgFPAhuNGWzWnjzD+APWJIEO3ew8ApAdmVHnMpj+deOi/9uKxY EOV+h2hiXOPBFEAbG/EsQJglFeH3FlovZN7+MKoo0nf1eo14qhA5w5RsAh3DQsHN0KdFc+6kM h29A4cGjDPouESPv4Gicl974UTffHIN/MOdyV7ZDxy7C7NSPLP4f7+acN6qdk1OcnFfCI/PSI CRa8qOnEQwDOSX2DA6K+OdAlsdLhqjf5AQxqplijKnqLvupR0nsJ2fw/E8AbcUFqI1TAHwuB3 J4JkUoLfTHvrGEW7zpZGGF+ik6C6klU7Ldd0D8PFcnitgZZNZ/VCYuSqUmkTfVO3P4YbpDKgE wreSfPM
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/hBwiotLHyYvhPPTG9eXzXC1XpZI>
Subject: [core] Implications of IP address / port changes for CoAP & Co
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Aug 2016 10:36:50 -0000
Hi all,
in the OMA device management group we have been discussing the
implications of IP address and/or port number changes of devices
(particularly with devices that sleep for an extended period of time).
The challenge from a protocol point of view is to use an identifier that
does not depend on the IP address and port. Of course, when a IP packet
has to be sent to a specific node then IP address and port information
has to be used from somewhere but my expectation is that at least the
protocol machinery shouldn't break when an IP address changes (or there
should be a story for how to recover).
In CoAP the 'endpoint' appears to be an important identifier. In an
attempt to define what an endpoint is the CoAP specification is a bit
confusing:
Section 1.2 says:
"
Endpoint
An entity participating in the CoAP protocol. Colloquially, an
endpoint lives on a "Node", although "Host" would be more
consistent with Internet standards usage, and is further
identified by transport-layer multiplexing information that can
include a UDP port number and a security association
(Section 4.1).
"
Section 4.1 of RFC 7252 says:
"
A CoAP endpoint is the source or destination of a CoAP message. The
specific definition of an endpoint depends on the transport being
used for CoAP. For the transports defined in this specification, the
endpoint is identified depending on the security mode used (see
Section 9): With no security, the endpoint is solely identified by an
IP address and a UDP port number. With other security modes, the
endpoint is identified as defined by the security mode.
"
The two definitions do not appear to be in sync, particularly when using
DTLS to secure CoAP since the DTLS record layer adds nothing with
respect to additional multiplexing. I also did not find text that
describes what the different endpoint definition is when DTLS is used.
In any case, when DTLS is used an IP address / port change at the client
will prevent the CoAP server from finding the right security context and
a new (hopefully abbreviated) handshake has to be run.
Luckily the implications of an IP address/port change are quite minimal
for CoAP itself since the only impact (as far as I can tell) is with
regards to the use of request/response exchange, as described in Section
5.3.2 "Request/Response Matching Rules". The likelihood that a client
changes IP address in the middle of a request/response interaction are
IMHO minimal.
The story is more interesting when we look at extensions to CoAP, like
CoAP Observe. Section 4.1 of https://tools.ietf.org/html/rfc7641 says:
"
The entry in the list of observers is keyed by the client endpoint
and the token specified by the client in the request. If an entry
with a matching endpoint/token pair is already present in the list
(which, for example, happens when the client wishes to reinforce its
interest in a resource), the server MUST NOT add a new entry but MUST
replace or update the existing one.
"
With Observe a token is used for demultiplexing (in addition to the
endpoint info). I assume that the spec uses the same definition of
endpoint as in CoAP.
While the spec does not say what is actually being updated or replaced
one can assume that a client sending a request with a new IP address and
port (which corresponds to the endpoint definition in CoAP) gets at
least that information updated.
The spec is IMHO unclear what should happen in case of an IP
address/port change. I suspect that an implementation would send a new
register message and the server would update state. Of course, when the
IP address / port of the client is not in sync with what is being stored
at the server then the notifications sent by the server will not reach
the client.
The story for RD appears to be different again. First, there appears to
be a different definition of endpoint being used (which I prefer more).
For multiplexing it does not use IP address & port information. Of
course, RD will still have to maintain this information but at least one
can be sure that packets are not dropped after the IP address and/or
port at the client change.
Section 11.1 of draft-ietf-core-resource-directory-08 says:
"
An Endpoint is determined to be unique by an RD by the Endpoint
identifier parameter included during Registration, and any associated
TLS or DTLS security bindings. An Endpoint MUST NOT be identified by
its protocol, port or IP address as these may change over the
lifetime of an Endpoint.
"
It appears that the way how state is indexed is different throughout the
specifications developed in the CORE working group and I am curious
whether someone else has been looking at the implications of IP address
and/or port changes on the protocol operation. I would certainly
appreciate your thoughts on this topic.
Ciao
Hannes
- [core] Implications of IP address / port changes … Hannes Tschofenig
- Re: [core] Implications of IP address / port chan… Kraus Achim (INST/ESY1)
- Re: [core] Implications of IP address / port chan… Hudalla Kai (INST/ESY1)
- Re: [core] Implications of IP address / port chan… Fossati, Thomas (Nokia - GB)
- Re: [core] Implications of IP address / port chan… Lauri Piikivi
- Re: [core] Implications of IP address / port chan… Oliver Kleine
- Re: [core] Implications of IP address / port chan… Dave Thaler
- Re: [core] Implications of IP address / port chan… Stephen Farrell
- Re: [core] Implications of IP address / port chan… Mohit Sethi
- Re: [core] Implications of IP address / port chan… Carsten Bormann
- Re: [core] Implications of IP address / port chan… Stephen Farrell
- Re: [core] Implications of IP address / port chan… Dave Thaler
- Re: [core] Implications of IP address / port chan… Peter Saint-Andre - Filament
- Re: [core] Implications of IP address / port chan… Stephen Farrell
- Re: [core] Implications of IP address / port chan… Stephen Farrell
- Re: [core] Implications of IP address / port chan… Peter Saint-Andre - Filament
- Re: [core] Implications of IP address / port chan… Stephen Farrell
- Re: [core] Implications of IP address / port chan… Peter Saint-Andre - Filament
- Re: [core] Implications of IP address / port chan… Peter Saint-Andre - Filament