[core] CoAP observation in NATed environment using DTLS
Simon Bernard <contact@simonbernard.eu> Thu, 03 November 2016 18:03 UTC
Return-Path: <contact@simonbernard.eu>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63D86129695 for <core@ietfa.amsl.com>; Thu, 3 Nov 2016 11:03:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.621
X-Spam-Level:
X-Spam-Status: No, score=-2.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qIrZm0Isx329 for <core@ietfa.amsl.com>; Thu, 3 Nov 2016 11:03:47 -0700 (PDT)
Received: from 17.mo3.mail-out.ovh.net (17.mo3.mail-out.ovh.net [87.98.178.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F7F7129490 for <core@ietf.org>; Thu, 3 Nov 2016 11:03:46 -0700 (PDT)
Received: from player772.ha.ovh.net (b7.ovh.net [213.186.33.57]) by mo3.mail-out.ovh.net (Postfix) with ESMTP id 1085B5928D for <core@ietf.org>; Thu, 3 Nov 2016 19:03:44 +0100 (CET)
Received: from [10.41.51.97] (130.163-14-84.ripe.coltfrance.com [84.14.163.130]) (Authenticated sender: contact@simonbernard.eu) by player772.ha.ovh.net (Postfix) with ESMTPSA id A51224C0073 for <core@ietf.org>; Thu, 3 Nov 2016 19:03:44 +0100 (CET)
To: "core@ietf.org" <core@ietf.org>
From: Simon Bernard <contact@simonbernard.eu>
Message-ID: <ef7b578b-0882-bcc9-b95d-57fc5a7d3d65@simonbernard.eu>
Date: Thu, 03 Nov 2016 19:03:43 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Icedove/45.4.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Ovh-Tracer-Id: 8935141662914918567
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: 0
X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrfeelvddrkeejgdelvdcutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpdevjffgvefmvefgnecuuegrihhlohhuthemuceftddtnecu
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/0vwuEnq6IRHJc70l3BTggX6p9vs>
Subject: [core] CoAP observation in NATed environment using DTLS
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2016 18:03:49 -0000
Hi list,
I have attended meeting of the T2T RG in Ludwigsburg, there is a
discussion around CoAP observation in NATed environment using DTLS (1.2).
I would like to share my thought here about that:
The problem :
Currently the CoAP spec say :
"All notifications resulting from a GET request with an Observe Option
MUST be returned within the same epoch of the same connection as the
request."
Currently, in TLS, a connection is identified by its IP/Port address.
So when your IP address changed because of the NAT expiration, you must
create a new TLS connection and so create a new CoAP observation relation.
Behind this practical problem, I understand there is 2 separated
issue :
1) Define a long term identifier for CoAP instead of limited CoAP
interaction to the same DTLS connection. At CoAP level users would like
to know from which or to which they send data.
2) Be able to use DTLS with dynamic IP address (e.g. NAT) without the
need to redo full handshake or resume handshake.
Possible Solutions ?
1) Using the DTLS identity (PSK identity for PSK, public key for RPK, CN
for certificate, ...) and only if there is no authentication the DTLS
Session as constraint for CoAP exchange. (we remove the same epoch/same
connection constraint)
2) Using the "connectionId" extension proposed in the
draft-fossati-tls-iot-optimizations-00.
Does it make sense ?
Simon
- [core] CoAP observation in NATed environment usin… Simon Bernard
- Re: [core] CoAP observation in NATed environment … Stephen Farrell
- Re: [core] CoAP observation in NATed environment … Lauri Piikivi
- Re: [core] CoAP observation in NATed environment … Simon Bernard
- Re: [core] CoAP observation in NATed environment … Simon Bernard
- Re: [core] CoAP observation in NATed environment … Simon Bernard
- Re: [core] CoAP observation in NATed environment … Lauri Piikivi
- Re: [core] CoAP observation in NATed environment … Ludwig Seitz