Skip to content

Commit

Permalink
Clarified security on the different legs with a proxy
Browse files Browse the repository at this point in the history
  • Loading branch information
marco-tiloca-sics committed Sep 5, 2024
1 parent b590f2d commit 24bd5d3
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion draft-ietf-core-groupcomm-bis.md
Original file line number Diff line number Diff line change
Expand Up @@ -903,7 +903,9 @@ For a client performing a group communication request via a forward-proxy, end-t
For a client performing a group communication request via a reverse-proxy, either end-to-end-security or hop-by-hop security can be implemented.
The case of end-to-end security is the same as for the forward-proxy case.

The case of hop-by-hop security is only possible if the proxy can be completely trusted and it is configured as a member of the OSCORE security group(s) that it needs to access, when sending a group request on behalf of clients. The first leg of communication between client and proxy is then protected with a security method for CoAP unicast, such as (D)TLS, OSCORE, or a combination of such methods. The second leg between proxy and servers is protected using Group OSCORE. This can be useful in applications where for example the origin client does not implement Group OSCORE, or the group management operations are confined to a particular network domain and the client is outside this domain.
The case of hop-by-hop security is only possible if the proxy can be completely trusted and it is configured as a member of the OSCORE security group(s) that it needs to access, when sending a group request on behalf of clients. As further clarified below, the first communication leg between the client and the proxy, on one hand, and the second communication leg between the proxy and the servers, on the other hand, are protected individually and independently from one another.

The first leg of communication between client and proxy is then protected with a security method for CoAP unicast, such as (D)TLS, OSCORE, or a combination of such methods. The second leg between proxy and servers is protected using Group OSCORE. This can be useful in applications where for example the origin client does not implement Group OSCORE, or the group management operations are confined to a particular network domain and the client is outside this domain.

For all the above cases, more details on using Group OSCORE are defined in {{I-D.ietf-core-groupcomm-proxy}}.

Expand Down Expand Up @@ -1717,6 +1719,8 @@ Client A B C

## Version -11 to -12 ## {#sec-11-12}

* Clarified security on the different legs with a proxy.

* Editorial improvements.

## Version -10 to -11 ## {#sec-10-11}
Expand Down

0 comments on commit 24bd5d3

Please sign in to comment.