core-wg / echo-request-tag


Allow OSCORE servers to send outer Echo for reachability, ... #48

Closed chrysn closed 4 years ago

chrysn commented 4 years ago

... and clarify that client aliveness is a cryptographic property.

This is in response to comments about the conflict between "OSCORE servers MUST ONLY produce Inner" and "Echo option [...] MAY be unprotected".

Contributes-To: https://github.com/core-wg/echo-request-tag/issues/46

emanjon commented 4 years ago

Sounds good.

From: chrysn <notifications@github.com>
Reply to: core-wg/echo-request-tag <reply@reply.github.com>
Date: Tuesday, 17 September 2019 at 15:23
To: core-wg/echo-request-tag <echo-request-tag@noreply.github.com>
Cc: John Mattsson <john.mattsson@ericsson.com>, Comment <comment@noreply.github.com>
Subject: Re: [core-wg/echo-request-tag] Allow OSCORE servers to send outer Echo for reachability, ... (#48)

@chrysn commented on this pull request.


In draft-ietf-core-echo-request-tag.md (https://github.com/core-wg/echo-request-tag/pull/48#discussion_r325163168):

@@ -144,9 +144,7 @@ The server may use request freshness provided by the Echo option to verify the a

Upon receiving a 4.01 Unauthorized response with the Echo option, the client SHOULD resend the original request with the addition of an Echo option with the received Echo option value. The client MAY send a different request compared to the original request. Upon receiving any other response with the Echo option, the client SHOULD echo the Echo option value in the next request to the server. The client MAY include the same Echo option value in several different requests to the server.

-A client MUST only send Echo values to endpoints it received them from (where as defined in {{RFC7252}} Section 1.2, the security association is part of the endpoint).

-In OSCORE processing, that means sending Echo values from outer options back in outer options,

-and those from inner options in inner options in the same security context.

+A client MUST only send Echo values to endpoints it received them from (where as defined in {{RFC7252}} Section 1.2, the security association is part of the endpoint). In OSCORE processing, that means sending Echo values from outer options back in outer options, and those from inner options in inner options in the same security context. Echo options in error responses not protected by OSCORE are treated as outer options.
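Review bot: the sentence appended at the end of the `+` line ("Echo options in error responses not protected by OSCORE are treated as outer options.") restricts the unprotected case to error responses, while the endpoint rule earlier in the same line applies to any message the client receives without OSCORE protection. Suggest phrasing it as "sending Echo values from outer options (or from messages not protected by OSCORE) back in outer options" so that a client never moves an unprotected Echo value into an inner option of a security context.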

OK, then let's just say "from outer options (or non-OSCORE messages)"; merging with that on top of it.

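The rule discussed in this thread, that a client only sends an Echo value back to the endpoint it received it from, with the security association being part of the endpoint, modelled as an added example. This is not code from the draft, from the PR, or from any CoAP/OSCORE stack; the `Endpoint`, `Response`, `Request` and `EchoClient` types, the `OUTER`/`INNER` layer names and the `echo_assurance` helper are constructed here for illustration, and the messages are hand-built rather than parsed from the wire.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Layer an Echo value arrived on (constructed names, not from the draft):
OUTER = "outer"  # OSCORE outer option, or any message not protected by OSCORE
INNER = "inner"  # option inside the OSCORE-protected part of the message


@dataclass(frozen=True)
class Endpoint:
    """A CoAP endpoint in the RFC 7252 Section 1.2 sense: transport address
    plus security association (modelled as an OSCORE context id, None = plain CoAP)."""
    address: str
    oscore_context: Optional[str]


@dataclass(frozen=True)
class Response:
    code: str               # e.g. "4.01", "2.05"
    echo: Optional[bytes]   # Echo option value, if present
    layer: str              # OUTER or INNER
    protected: bool         # True only if the response verified under OSCORE


@dataclass
class Request:
    code: str = "GET"
    path: str = "/"
    outer_echo: Optional[bytes] = None
    inner_echo: Optional[bytes] = None


class EchoClient:
    """Keeps received Echo values keyed by (endpoint, layer) and replays each one
    only on that same layer towards that same endpoint."""

    def __init__(self) -> None:
        self._echo: dict[tuple[Endpoint, str], bytes] = {}

    def on_response(self, source: Endpoint, resp: Response, original: Request) -> Optional[Request]:
        """Record the Echo value. On 4.01 Unauthorized, return the retransmission of
        the original request carrying the fresh value; otherwise return None."""
        if resp.layer == INNER and not resp.protected:
            # An inner option can only exist inside verified OSCORE ciphertext;
            # an unprotected message claiming one is malformed or forged.
            raise ValueError("inner Echo in an unprotected response")
        if resp.echo is None:
            return None
        # Unprotected (e.g. error) responses from an OSCORE peer land here with
        # layer == OUTER, so their value can only ever go back as an outer option.
        self._echo[(source, resp.layer)] = resp.echo
        if resp.code == "4.01":
            return self.build_request(source, original.code, original.path)
        return None

    def build_request(self, dest: Endpoint, code: str = "GET", path: str = "/") -> Request:
        """Attach only the Echo values received from exactly this endpoint."""
        req = Request(code=code, path=path)
        req.outer_echo = self._echo.get((dest, OUTER))
        if dest.oscore_context is not None:
            # Inner values stay within the security context they came from.
            req.inner_echo = self._echo.get((dest, INNER))
        return req

    def known_echo(self, endpoint: Endpoint, layer: str) -> Optional[bytes]:
        return self._echo.get((endpoint, layer))


def echo_assurance(layer: str, protected: bool) -> str:
    """What a correctly echoed value tells the server: an outer or unprotected
    Echo only shows the address is reachable; an inner, OSCORE-protected Echo
    shows the authenticated client is alive (the cryptographic property the
    PR description refers to)."""
    if layer == INNER and protected:
        return "client aliveness"
    return "reachability"


if __name__ == "__main__":
    # Constructed exchange: an OSCORE server first challenges with an
    # unprotected 4.01 (outer Echo), later sends a protected inner Echo.
    server = Endpoint("[2001:db8::1]:5683", "ctx-A")
    client = EchoClient()
    retry = client.on_response(server, Response("4.01", b"\x01\x02", OUTER, False), Request("GET", "/temp"))
    print("retry:", retry)
    client.on_response(server, Response("2.05", b"\xaa", INNER, True), Request("GET", "/temp"))
    print("next request:", client.build_request(server, "GET", "/temp"))
    print("to another endpoint:", client.build_request(Endpoint("[2001:db8::2]:5683", "ctx-B")))
```

Keying the cache on the full endpoint (address plus security association) is what prevents an Echo value obtained from one peer, or from an unprotected message, from being replayed inside a different security context.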

chrysn commented 4 years ago

I just noticed there was c09eeaf8088bc62110ea4f8f66199105651e6d90 on this stack as well and (hopefully) simplified that into 456a6f4b28cfc309938511f11dfbc87da25408d7, please have a look there.

emanjon commented 4 years ago

Good, looks like an improvement.


emanjon commented 4 years ago

“CoAP-to-CoAP proxy MAY set an Echo option on responses, both on forwarded ones that had no Echo option or ones generated by the proxy (from cache or as an error).”

I assume a proxy having a cache can generate its own requests as well. In these cases the proxy should be allowed to behave like any other client. The current text "However, it MUST relay the Echo option of responses unmodified" kind of gives the idea that proxies cannot remove the Echo values.
