From c948478128bc633bdb3e4e5a5a72b37082c76ac3 Mon Sep 17 00:00:00 2001 From: chrysn Date: Wed, 25 Sep 2024 23:36:45 +0200 Subject: [PATCH 1/4] Security considerations: Point into corr-clar-future --- draft-ietf-core-dns-over-coap.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/draft-ietf-core-dns-over-coap.md b/draft-ietf-core-dns-over-coap.md index 1ad4e23..95b6c0e 100644 --- a/draft-ietf-core-dns-over-coap.md +++ b/draft-ietf-core-dns-over-coap.md @@ -77,7 +77,15 @@ informative: I-D.lenders-core-dnr: core-dnr I-D.amsuess-core-cachable-oscore: cachable-oscore DoC-paper: DOI.10.1145/3609423 - + amp-0rtt: + title: 'PR #40 "Amplification and 0-RTT" on "CoAP: Corrections and Clarifications"' + date: 2024-09-25 + format: + HTML: https://github.com/core-wg/corrclar/pull/40 + ann: | + Note: It is expected that that PR will be merged way ahead of this document's publication; + at the next revision, this reference will be replaced with a reference to what will by then most likely be + I-D.ietf-core-corr-clar-00 (now bormann-core-clar-05). --- abstract @@ -499,6 +507,11 @@ harden against injecting spoofed responses. Consequently, it is of little concern to leverage the benefits of CoAP caching by setting the ID to 0. +General CoAP security considerations apply. +Exceeding those in {{Section 11 of RFC7252}}, +the request patterns of DoC make it likely that long-lived security contexts are maintained: +{{amp-0rtt}} goes into more detail on what can and needs to be done +when those are resumed from a new address. IANA Considerations =================== From 0df9671e1c5d0ffebddee4cec8030863170b5574 Mon Sep 17 00:00:00 2001 From: chrysn Date: Thu, 26 Sep 2024 10:51:13 +0200 Subject: [PATCH 2/4] seccons: Simplify Co-authored-by: Martine Lenders --- draft-ietf-core-dns-over-coap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-core-dns-over-coap.md b/draft-ietf-core-dns-over-coap.md index 95b6c0e..4487278 100644 
--- a/draft-ietf-core-dns-over-coap.md +++ b/draft-ietf-core-dns-over-coap.md @@ -510,7 +510,7 @@ Consequently, it is of little concern to leverage the benefits of CoAP caching b General CoAP security considerations apply. Exceeding those in {{Section 11 of RFC7252}}, the request patterns of DoC make it likely that long-lived security contexts are maintained: -{{amp-0rtt}} goes into more detail on what can and needs to be done +{{amp-0rtt}} goes into more detail on what needs to be done when those are resumed from a new address. IANA Considerations From 30f29a003072d2707aae94e661dd4230e6bf6642 Mon Sep 17 00:00:00 2001 From: chrysn Date: Thu, 26 Sep 2024 10:52:07 +0200 Subject: [PATCH 3/4] seccons: s/address/endpoint/ See-Also: https://github.com/core-wg/draft-dns-over-coap/pull/31draft-ietf-core-dns-over-coap.mddiscussion_r1776654021 --- draft-ietf-core-dns-over-coap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-core-dns-over-coap.md b/draft-ietf-core-dns-over-coap.md index 4487278..a5607ba 100644 --- a/draft-ietf-core-dns-over-coap.md +++ b/draft-ietf-core-dns-over-coap.md @@ -511,7 +511,7 @@ General CoAP security considerations apply. Exceeding those in {{Section 11 of RFC7252}}, the request patterns of DoC make it likely that long-lived security contexts are maintained: {{amp-0rtt}} goes into more detail on what needs to be done -when those are resumed from a new address. +when those are resumed from a new endpoint. IANA Considerations =================== From 0c41739ee3c262449efe4817901259ad356059ba Mon Sep 17 00:00:00 2001 From: chrysn Date: Thu, 26 Sep 2024 10:54:29 +0200 Subject: [PATCH 4/4] seccons: "General CoAP apply" to the top See-Also: https://github.com/core-wg/draft-dns-over-coap/pull/31#discussion_r1776636468 --- draft-ietf-core-dns-over-coap.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/draft-ietf-core-dns-over-coap.md b/draft-ietf-core-dns-over-coap.md index a5607ba..f1b7f84 100644 --- a/draft-ietf-core-dns-over-coap.md +++ b/draft-ietf-core-dns-over-coap.md @@ -496,6 +496,12 @@ Last update of this information: Security Considerations ======================= +General CoAP security considerations apply. +Exceeding those in {{Section 11 of RFC7252}}, +the request patterns of DoC make it likely that long-lived security contexts are maintained: +{{amp-0rtt}} goes into more detail on what needs to be done +when those are resumed from a new endpoint. + When using unencrypted CoAP (see {{sec:unencrypted-coap}}), setting the ID of a DNS message to 0 as specified in {{sec:req-caching}} opens the DNS cache of a DoC client to cache poisoning attacks via response spoofing. @@ -507,12 +513,6 @@ harden against injecting spoofed responses. Consequently, it is of little concern to leverage the benefits of CoAP caching by setting the ID to 0. -General CoAP security considerations apply. -Exceeding those in {{Section 11 of RFC7252}}, -the request patterns of DoC make it likely that long-lived security contexts are maintained: -{{amp-0rtt}} goes into more detail on what needs to be done -when those are resumed from a new endpoint. - IANA Considerations ===================
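Review bot: In PATCH 1/4, the `amp-0rtt` entry added after `DoC-paper` in the `informative:` list points at an open pull request, which the `ann` block itself admits is a temporary target; a PR URL can be closed, squashed or renamed, so leave a marker the authors cannot miss before publication (for instance an explicit editor's note in the body text next to the citation, not only in the reference annotation) rather than relying on memory to swap it for the corr-clar draft. The `date: 2024-09-25` also matches the PR date rather than the date of the text being cited, which is fine as long as the entry is replaced as the note promises.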
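Review bot: In the Security Considerations hunk of PATCH 1/4, "Exceeding those in {{Section 11 of RFC7252}}" reads oddly; "Beyond those in" or "In addition to those in" says the same thing plainly. More substantively, the paragraph hands the whole hazard off to {{amp-0rtt}}: a reader of this document alone learns only that long-lived security contexts are likely, not why resuming one from a new address matters. Since the reference's own title names the concern, one clause would make the text self-contained, e.g. "... are maintained; resuming such a context from a new address raises the amplification concerns that {{amp-0rtt}} describes in detail."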
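Review bot: In PATCH 3/4, swapping "address" for "endpoint" aligns the sentence with CoAP vocabulary, but if the concern is a context resumed after the peer's IP address or port changed, "endpoint" can be read as including the security association and so blurs the point; "new transport address" would name exactly the change being described. Separately, the See-Also link in this commit message appears mangled (`pull/31draft-ietf-core-dns-over-coap.mddiscussion_r1776654021`, where PATCH 4/4 uses the `pull/31#discussion_...` form), so it will not resolve as written.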
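Review bot: In PATCH 4/4, placing the general paragraph directly under the Security Considerations heading is the right order (general CoAP considerations first, then the DoC-specific cache-poisoning discussion), and the five removed lines in the second hunk match the five inserted lines in the first hunk word for word, so the move loses nothing. The only thing to double-check is the blank line added after the moved paragraph: the first hunk adds one, and the second hunk removes the one that preceded the old location, so the spacing around "IANA Considerations" should come out unchanged; confirm by rendering rather than by reading the diff.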