IETF Logo Mail Archive

Re: [core] Implications of IP address / port changes for CoAP & Co

"Kraus Achim (INST/ESY1)" <Achim.Kraus@bosch-si.com> Thu, 01 September 2016 09:12 UTC

Return-Path: <Achim.Kraus@bosch-si.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 415A512D896 for <core@ietfa.amsl.com>; Thu, 1 Sep 2016 02:12:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o5bH6Bvx6GUh for <core@ietfa.amsl.com>; Thu, 1 Sep 2016 02:12:17 -0700 (PDT)
Received: from smtp6-v.fe.bosch.de (smtp6-v.fe.bosch.de [IPv6:2a03:cc00:ff0:100::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 893CE12B059 for <core@ietf.org>; Thu, 1 Sep 2016 02:12:17 -0700 (PDT)
Received: from vsmta13.fe.internet.bosch.com (unknown [10.4.98.53]) by imta24.fe.bosch.de (Postfix) with ESMTP id 3C7EED8021F for <core@ietf.org>; Thu, 1 Sep 2016 11:12:14 +0200 (CEST)
Received: from IMBVW2EXC00.bosch-si.com (vsgw23.fe.internet.bosch.com [10.4.98.23]) by vsmta13.fe.internet.bosch.com (Postfix) with ESMTP id A3C802E4075A for <core@ietf.org>; Thu, 1 Sep 2016 11:12:13 +0200 (CEST)
Received: from IMBPW2EXD01.bosch-si.com ([fe80::d052:f355:928e:e5ba]) by IMBVW2EXC00 ([10.55.1.51]) with mapi id 14.03.0301.000; Thu, 1 Sep 2016 11:12:35 +0200
From: "Kraus Achim (INST/ESY1)" <Achim.Kraus@bosch-si.com>
To: "core@ietf.org WG" <core@ietf.org>
Thread-Topic: [core] Implications of IP address / port changes for CoAP & Co
Thread-Index: AQHSA3Oph8BKpt9FVU2PsqNm6BqgGKBkVYqg
Date: Thu, 01 Sep 2016 09:12:34 +0000
Message-ID: <BC36447FF5C62E46BEF3F124D3C1E8925E1D7975@imbpw2exd01.bosch-si.com>
References: <4a70a2b1-b998-b0c1-c42a-2ceb634b9945@gmx.net>
In-Reply-To: <4a70a2b1-b998-b0c1-c42a-2ceb634b9945@gmx.net>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.55.144.101]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-TM-AS-MML: disable
X-TM-AS-Product-Ver: IMSS-7.1.0.1679-8.0.0.1202-22546.006
X-TMASE-MatchedRID: vwDfdEWUC5fM5du6ILPva5mug812qIbzvXPle/NgW1IeH35Xwro9LtXf akMEIQ7HQ466dTA5zGzJo6l+yr3D0jJz3NGP4sGin4TOxGsZP0hQCOsAlaxN78pj/9aYiP+h0RA sk+VhCoQJKSZsZFjAXnQOrI4rsSvxoVVi0fhQg53Wmh5xCo4mMCnGh6cFQ6shY8r/ndGdDsXLsL vOp8aQisrfCsxYhUl5cmHAUC91bv1iZyE2UOy4HMnUT+eskUQPS2qKEFuCMh6Y9ZFUJrkz0qAxl HNAADt8jzgVoOjNndyuHF8XwCwpsy2W7Y+Npd9RCFaAixm5eU+Hxi2fvkKUM3e9QDr8+LTcxbsk XFeoFkOI/YkOGzjRtzEg+3KNkVnRxdqG4jH8d+UAKzYLecaUGCseSAhqf1rRFJfW7wEu1kA62xg U98hiEap3muhLqOMEmFon3S75kCo86jprCBoTOeLdprnA5EQRY9JlLwL1dg0toOKrlTFnpXlgWA IEhZArpFWSyofFJaUC+YYCP7Qu06gSz5LfW6gEjSOVeRIcbV55y+Nu7/EOOruqk4cq52pz0vjOt IIVol658Ekbt0Wd7CV/L61HAy7j2+sv1ZHxJcodxBAG5/hkWyGi0ftsSkQyZ5yuplze9pu5h6FE WqTnjX3mWGw+DdrAhXRMKA3Zk2+pl11JQiuwkuwSNio74PJoGPx27R2NrHsR34ro7k23nWFwmoC 00lhIW0ASbXTw1ghQ7O10u0levThUupg4y4m6kE7MrqaPYs2Vq+okl1rYD6yA0UDhY9J1Fd8oDK JoE51IwttzS159QzDEq5IKtYgDz1FYyuHjH/ueAiCmPx4NwIRgZNP+6bISxEHRux+uk8jpP8tMO yYmaA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/t0Xj109-F1encJwmGpu3AASqHb4>
Subject: Re: [core] Implications of IP address / port changes for CoAP & Co
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Sep 2016 09:12:21 -0000

Hi Hannes,

thank you! 
I appreciate your writing, because it sum up the critical topics using CoAP and DTLS in an IPv4 environment.

The current "work around" for DTLS may be to always emit a "DTLS session resume", if the last sent
message was some time ago, unfortunately the "some time" is rather small an just a couple of seconds.

The observe seems for me only be usable, if we expect frequently notifies (also just a couple of seconds).
Any other usage of observe (say for notifies just for a couple of minutes or longer), seems for me raising
issues. Even, if we use the DTLS resume approach above, the "epoch" seems to be just the same "number",
but in fact, this is more the result, that epoch 1 is the first after a successful handshake then really the same
(so RFC7252 9.1.2 . "The DTLS session MUST be the same, and the epoch MUST be the same." smells to
be faked. Some statement from encryption experts may be required).    

Mit freundlichen Grüßen / Best regards

Achim Kraus

Bosch Software Innovations GmbH
Communications (INST/ESY1)
Stuttgarter Straße 130
71332 Waiblingen
GERMANY
www.bosch-si.de
www.blog.bosch-si.com 

Registered office: Berlin, Register court: Amtsgericht Charlottenburg, HRB 148411 B
Executives: Dr.-Ing. Rainer Kallenbach; Michael Hahn



-----Ursprüngliche Nachricht-----
Von: core [mailto:core-bounces@ietf.org] Im Auftrag von Hannes Tschofenig
Gesendet: Mittwoch, 31. August 2016 12:37
An: core@ietf.org WG <core@ietf.org>
Betreff: [core] Implications of IP address / port changes for CoAP & Co

Hi all,

in the OMA device management group we have been discussing the implications of IP address and/or port number changes of devices (particularly with devices that sleep for an extended period of time).

The challenge from a protocol point of view is to use an identifier that does not depend on the IP address and port. Of course, when a IP packet has to be sent to a specific node then IP address and port information has to be used from somewhere but my expectation is that at least the protocol machinery shouldn't break when an IP address changes (or there should be a story for how to recover).

In CoAP the 'endpoint' appears to be an important identifier. In an attempt to define what an endpoint is the CoAP specification is a bit
confusing:

Section 1.2 says:

"
    Endpoint
       An entity participating in the CoAP protocol.  Colloquially, an
       endpoint lives on a "Node", although "Host" would be more
       consistent with Internet standards usage, and is further
       identified by transport-layer multiplexing information that can
       include a UDP port number and a security association
       (Section 4.1).
"	

Section 4.1 of RFC 7252 says:
	
"
    A CoAP endpoint is the source or destination of a CoAP message.  The
    specific definition of an endpoint depends on the transport being
    used for CoAP.  For the transports defined in this specification, the
    endpoint is identified depending on the security mode used (see
    Section 9): With no security, the endpoint is solely identified by an
    IP address and a UDP port number.  With other security modes, the
    endpoint is identified as defined by the security mode.
"

The two definitions do not appear to be in sync, particularly when using DTLS to secure CoAP since the DTLS record layer adds nothing with respect to additional multiplexing. I also did not find text that describes what the different endpoint definition is when DTLS is used.

In any case, when DTLS is used an IP address / port change at the client will prevent the CoAP server from finding the right security context and a new (hopefully abbreviated) handshake has to be run.

Luckily the implications of an IP address/port change are quite minimal for CoAP itself since the only impact (as far as I can tell) is with regards to the use of request/response exchange, as described in Section
5.3.2 "Request/Response Matching Rules". The likelihood that a client changes IP address in the middle of a request/response interaction are IMHO minimal.

The story is more interesting when we look at extensions to CoAP, like CoAP Observe. Section 4.1 of https://tools.ietf.org/html/rfc7641 says:

"
    The entry in the list of observers is keyed by the client endpoint
    and the token specified by the client in the request.  If an entry
    with a matching endpoint/token pair is already present in the list
    (which, for example, happens when the client wishes to reinforce its
    interest in a resource), the server MUST NOT add a new entry but MUST
    replace or update the existing one.
"

With Observe a token is used for demultiplexing (in addition to the endpoint info). I assume that the spec uses the same definition of endpoint as in CoAP.

While the spec does not say what is actually being updated or replaced one can assume that a client sending a request with a new IP address and port (which corresponds to the endpoint definition in CoAP) gets at least that information updated.

The spec is IMHO unclear what should happen in case of an IP address/port change. I suspect that an implementation would send a new register message and the server would update state. Of course, when the IP address / port of the client is not in sync with what is being stored at the server then the notifications sent by the server will not reach the client.

The story for RD appears to be different again. First, there appears to be a different definition of endpoint being used (which I prefer more). 
For multiplexing it does not use IP address & port information. Of course, RD will still have to maintain this information but at least one can be sure that packets are not dropped after the IP address and/or port at the client change.

Section 11.1 of draft-ietf-core-resource-directory-08 says:

"
    An Endpoint is determined to be unique by an RD by the Endpoint
    identifier parameter included during Registration, and any associated
    TLS or DTLS security bindings.  An Endpoint MUST NOT be identified by
    its protocol, port or IP address as these may change over the
    lifetime of an Endpoint.
"

It appears that the way how state is indexed is different throughout the specifications developed in the CORE working group and I am curious whether someone else has been looking at the implications of IP address and/or port changes on the protocol operation. I would certainly appreciate your thoughts on this topic.

Ciao
Hannes

_______________________________________________
core mailing list
core@ietf.org
https://www.ietf.org/mailman/listinfo/core

v2.23.0 | Report a Bug | By Email