Re: [Ace] Adoption of Low Latency Group Communication Security Work in ACE

Michael StJohns <mstjohns@comcast.net> Fri, 29 July 2016 16:11 UTC

Return-Path: <mstjohns@comcast.net>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1478D12D660 for <ace@ietfa.amsl.com>; Fri, 29 Jul 2016 09:11:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.986
X-Spam-Level:
X-Spam-Status: No, score=-3.986 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=comcast.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NZzxCPSXCCRZ for <ace@ietfa.amsl.com>; Fri, 29 Jul 2016 09:11:10 -0700 (PDT)
Received: from resqmta-ch2-11v.sys.comcast.net (resqmta-po-11v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:170]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49DF112B068 for <ace@ietf.org>; Fri, 29 Jul 2016 09:11:10 -0700 (PDT)
Received: from resomta-po-10v.sys.comcast.net ([96.114.154.234]) by resqmta-po-11v.sys.comcast.net with SMTP id TAMVbmJg2Ep5XTANRbczbH; Fri, 29 Jul 2016 16:11:09 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1469808669; bh=fp2CMKzOOQxBi9kb+CZSoa/B/25t6otwafwh4QAqRjs=; h=Received:Received:Subject:To:From:Message-ID:Date:MIME-Version: Content-Type; b=tRQzTRPrJ4bU96L2zHKDnRKOrIm5vvz432iTGXpgcNYHuqeXOYEQAb2iRU/ru0Sgx kKSany0NyQeDmUcIrowjQE5bkQgE5GxdCJENuj6cHsBX5pAd85CImTBpBz/2Ah/OrX wwTCxFtzXvKbJt0lnbdxELOEISZiL8j3m3EE5YU35sdG/FqcRsnxfyv3GewhFztMPD 7FxrC+4Y8E/tDQ6XsA1SeLzMXq+tW2Shg9Mnw3/Oj8RD42sYrIpBbNgWJh34XAyDFw rgi/E0OXYlJmERml58gMb1N81kgYYX/IzCIUVD5i9t+ZzBsCdGI6/9VJBceUycTqyF giG1nbG4+WYHA==
Received: from [100.47.160.179] ([100.47.160.179]) by comcast with SMTP id TANFbwP4XkumdTANIbFTge; Fri, 29 Jul 2016 16:11:07 +0000
To: "Grunwald, Markus" <M.Grunwald@osram.com>, "ace@ietf.org" <ace@ietf.org>
References: <4D6B5484A4456C4684818BBF9B04AC2133162422D5@EXC-MCHMBX33.mch.osram.de>
From: Michael StJohns <mstjohns@comcast.net>
Message-ID: <5a236070-2197-1c33-9ae8-c968c4d817eb@comcast.net>
Date: Fri, 29 Jul 2016 12:11:11 -0400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <4D6B5484A4456C4684818BBF9B04AC2133162422D5@EXC-MCHMBX33.mch.osram.de>
Content-Type: multipart/alternative; boundary="------------939EF90CE4DD690DF8935C3B"
X-CMAE-Envelope: MS4wfEsdejtvQdtlv59tCKyUMKl8xKYOaMipjGcR7ENcku9U3ZGoEHnO6JhEZE07WAlyZpO4QblY/+6q+916+CawyonoCKi2RjkBEt+O6blOMafhx6ICQ2H2 SorKXsbrts20FLjObNfw4sHL2BW42ZFVIw1a655bmWtIKqjzdGXwpI5QSy7ZCS8O4kR0vcaJmCWivSRqYEOZfoUt+tQJIsT1gAc=
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/D1pPk0WstfsVVeVDfmn-lHkf7Ek>
Subject: Re: [Ace] Adoption of Low Latency Group Communication Security Work in ACE
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jul 2016 16:11:12 -0000

Hi Markus -

I needed to think about how to reply to this specifically and explain 
why its still a bad idea to try and scale things.  See below.

On 7/27/2016 8:34 AM, Grunwald, Markus wrote:
>
> Hello,
>
> sorry to break the threading by not replying directly to a post, but 
> until now I have only been reading the list passively. So I have no 
> mail to reply to…
>
> I followed your discussion regarding group multicast and how to 
> encrypt them. I see the problem, but I think one single approach to 
> solve it either way will not be enough:
>
> -The 200ms barrier for lighting products is quite fix. If we build 
> products with a reaction time that is too long, nobody is going to use it.
>
> -On the other hand, I am scared of IoT products that could have bigger 
> latency, but still use a somewhat weaker crypto. I’m thinking of 
> Fire/Smokedetectors at big airports or the like. Even toggling all 
> lights of an airport in a one-second rhythm could cause huge problems.
>
> -So we need both, but can hardly have it.
>
> For me, this leads to multiple security levels:
>
> 1)Basic security: fast response, low cost with lower security: use 
> symmetric keys. Use this where the risk is low.
>
> 2)High security, low cost: Allow slow(er) response times, because of 
> the ECC calculations. Kind of a compromise…
>
> 3)High security, higher cost: add some crypto hardware. For high risk 
> environments with low latency
>

Analogies are sometimes suspect and are never exact matches, but let me 
try one:

You want to build the equivalent of three different types of motor 
powered vehicles: a go-cart, a family car and a high end luxury vehicle.

You obviously don't want to put in all the safety stuff into the 
go-cart.  It's cheap, it's meant for fun, and it won't be driving on the 
roads, so why bother and besides which it would hurt your bottom line?

In the real world, there are lots of things that keep a go-kart off of 
the highway  - two of which are fear of death (both the go-cart driver's 
and everyone else) and police and laws (e.g. a go-cart is not "street 
legal") acting as enforcement mechanisms.

My question - what enforcement mechanism do you propose to keep your 
cheap, unsafe at speed, go-cart symmetric key multicast system off the 
rest of the information superhighway?  How do you propose to keep 
someone from strapping on a physical access control management system to 
the back of your go-cart and taking it for a ride in the real world?

I think go-carts are fun, but I would never propose that they be allowed 
on the highway, or for that matter any public road.



> I don’t think that we will be able to cover the whole range of 
> requirements with one single approach. Implementing the lowest level 
> would be relatively easy for first concepts.
>

You really mean simple, and simple != easy.  Symmetric key multicast is 
a simple concept.  It is not *easy* to get right, and it is not *easy* 
to mitigate the threats from that approach.  The threats are not 
necessarily limited to the original field of use (lighting...).

Later, Mike

ps - way back when - maybe 1990 - I was trying to debug why a telnet 
connections through a terminal server that one of the other parts of the 
organization had bought would silently stop working.  It took me a while 
to figure it out, but it would stop working if any packet got dropped.  
It turns out that the terminal server did not implement TCP 
retransmits.   When we asked the vendor about it they said that they'd 
never seen a drop so they didn't see any need to implement it.  When 
questioned further, it turns out they did all their implementation work 
on a single segment of ethernet and really never saw any dropping 
whereas the real-world network had a router that occasionally dropped 
packets it couldn't queue.   The point of this story is that you as a 
vendor may not necessarily be able to control what me as the customer 
does with your product.  You may think its safe given specific 
constraints, but imposing those constraints on an end user is - hard?  
Impossible?

> Best regards,
>
>
> Markus Grunwald
> Development Engineer
>
> OSRAM GmbH
> DS D LMS-COM DE-1
> Parkring 33
> 85748 Garching, Deutschland
> Tel. +49 89 6213-3678
> mailto:M.Grunwald@osram.com
> www.osram.com
>
> *Bitte prüfen Sie der Umwelt zuliebe, ob der Ausdruck dieser Mail 
> erforderlich ist!
> *
> OSRAM GmbH: Vorsitzender des Aufsichtsrates: Peter Bauer; 
> Geschäftsführung: Dr. Olaf Berlien (Vorsitzender), Dr. Stefan Kampmann;
> Sitz der Gesellschaft: München; Registergericht: München, HRB 201526; 
> WEEE-Reg.-Nr. DE 71568000
>
>
>
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace