Jim Schaad
2017-12-15 02:35:11 UTC
I have managed to get back to this topic and given it some deep thought over
the last 24 hours and would like to get some feedback.
First, what does it mean to have something on the same session? There are
three different things that I can think of:
1. A response is required to be returned on the same session. Reconnect on
a different session and the response is dropped on the floor.
2. An observe relationship is defined as returning responses -- see item 1
3. An application could, in theory, require that a sequence of operations
must be done on a single session.
That is the total set that I can think of. Authorization as it is currently
defined is attached to keys for the secure sessions, thus if a new session
is created with the same key the same set of authorizations can be expected.
How one defines a session:
* For UDP, it would be based on the 4-tuple address. A session would last
as long as nobody interferes with the routing table. This can be
indefinitely for a static routing table or something short like 2 minutes or
so. (I had to remotely diagnose this at one point, the fire wall closes the
routing and observe values stop getting to the client. The value depends on
the specific version of windows that is being uses as well as which of the
different firewalls is being used.)
* For TCP, it is based on the TCP session.
* For TLS/DTLS, it would be based on the TLS idea of a session. Sessions
can be re-connected if that was setup when the initial handshakes was
performed. There is also coming the ability to have DTLS sessions be able
to automatically re-route without needing to re-connect the session. The
only potential problem with this concept is that one could do two TLS
session reconnections at the same time. This would either need to be
disallowed or some thought would need to be put into questions of what this
means. I would lean towards the disallow myself, but it is a harder
question for DTLS where the client may think that the session had been lost
and the server thinks it is still open just on a different address 4-tuple
because a re-routing operation. (Closing the first and rolling over to the
second would be a viable option for DTLS.)
These concepts would completely replace the current text in RFC 7252 where
it says it needs to be the same session, but text such as the same EPOCH
would be removed because, from a DTLS view it just does not make any sense.
Future:
1. Is this is correct set of concepts for sessions?
2. What re-writes in what documents need to be made?
3. What is the correct way to do those re-writes. (Are there enough
problems w/ RFC 7252 that a re-issue is needed or could this just be an
update?)
Jim
the last 24 hours and would like to get some feedback.
First, what does it mean to have something on the same session? There are
three different things that I can think of:
1. A response is required to be returned on the same session. Reconnect on
a different session and the response is dropped on the floor.
2. An observe relationship is defined as returning responses -- see item 1
3. An application could, in theory, require that a sequence of operations
must be done on a single session.
That is the total set that I can think of. Authorization as it is currently
defined is attached to keys for the secure sessions, thus if a new session
is created with the same key the same set of authorizations can be expected.
How one defines a session:
* For UDP, it would be based on the 4-tuple address. A session would last
as long as nobody interferes with the routing table. This can be
indefinitely for a static routing table or something short like 2 minutes or
so. (I had to remotely diagnose this at one point, the fire wall closes the
routing and observe values stop getting to the client. The value depends on
the specific version of windows that is being uses as well as which of the
different firewalls is being used.)
* For TCP, it is based on the TCP session.
* For TLS/DTLS, it would be based on the TLS idea of a session. Sessions
can be re-connected if that was setup when the initial handshakes was
performed. There is also coming the ability to have DTLS sessions be able
to automatically re-route without needing to re-connect the session. The
only potential problem with this concept is that one could do two TLS
session reconnections at the same time. This would either need to be
disallowed or some thought would need to be put into questions of what this
means. I would lean towards the disallow myself, but it is a harder
question for DTLS where the client may think that the session had been lost
and the server thinks it is still open just on a different address 4-tuple
because a re-routing operation. (Closing the first and rolling over to the
second would be a viable option for DTLS.)
These concepts would completely replace the current text in RFC 7252 where
it says it needs to be the same session, but text such as the same EPOCH
would be removed because, from a DTLS view it just does not make any sense.
Future:
1. Is this is correct set of concepts for sessions?
2. What re-writes in what documents need to be made?
3. What is the correct way to do those re-writes. (Are there enough
problems w/ RFC 7252 that a re-issue is needed or could this just be an
update?)
Jim