Re: [core] tiloca-core-muticast-oscoap-4
peter van der Stok <stokcons@xs4all.nl> Tue, 06 March 2018 08:41 UTC
Return-Path: <stokcons@xs4all.nl>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA906126BF0 for <core@ietfa.amsl.com>; Tue, 6 Mar 2018 00:41:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.621
X-Spam-Level:
X-Spam-Status: No, score=-2.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mvdjaefcUCmI for <core@ietfa.amsl.com>; Tue, 6 Mar 2018 00:40:59 -0800 (PST)
Received: from lb1-smtp-cloud9.xs4all.net (lb1-smtp-cloud9.xs4all.net [194.109.24.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 053C1120724 for <core@ietf.org>; Tue, 6 Mar 2018 00:40:58 -0800 (PST)
Received: from webmail.xs4all.nl ([IPv6:2001:888:0:22:194:109:20:208]) by smtp-cloud9.xs4all.net with ESMTPA id t89YeZeTvHLVet89YecMi4; Tue, 06 Mar 2018 09:40:57 +0100
Received: from AMontpellier-654-1-236-32.w92-145.abo.wanadoo.fr ([92.145.179.32]) by webmail.xs4all.nl with HTTP (HTTP/1.1 POST); Tue, 06 Mar 2018 09:40:56 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Date: Tue, 06 Mar 2018 09:40:56 +0100
From: peter van der Stok <stokcons@xs4all.nl>
To: Marco Tiloca <marco.tiloca@ri.se>
Cc: consultancy@vanderstok.org, Core <core@ietf.org>
Organization: vanderstok consultancy
Reply-To: consultancy@vanderstok.org
Mail-Reply-To: consultancy@vanderstok.org
In-Reply-To: <1226ef9a-c95d-42c4-4bd0-b59c64135dde@ri.se>
References: <cd41ca36847b1db799e96ca6d6cee1d8@xs4all.nl> <1226ef9a-c95d-42c4-4bd0-b59c64135dde@ri.se>
Message-ID: <04e5444a9d16de7f7004ea926737cbed@xs4all.nl>
X-Sender: stokcons@xs4all.nl
User-Agent: XS4ALL Webmail
X-CMAE-Envelope: MS4wfJuq3zB0w23+Yf7PCMWgKHxUsezhjLIfkTNbuolhSwOokP/63U77lGYEEhepFY8yJdqdw+XerfA8xZ2l2z1dg9+QwjmPNItDtbAdKRnvWNq6phAwJGdj SN4P6yRdaY3qhno8AW4GS3V82qJkCrhO6MNVXPHAriN8Zvkl3gHVr4J9CR+eowkQGbWev/kVXSVbItAd+la2UvoT6NOaxnK7xF8h3UNUnQjlWZ3WmFTom8rb Kg/RsA+L8HzrM6xz3aW8Gw==
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/GHOtnz0Yg4_WjvfA_sdB4VDvj8Y>
Subject: Re: [core] tiloca-core-muticast-oscoap-4
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Mar 2018 08:41:03 -0000
Hi Marco, thanks for your reaction. I will read the new version and comment on that. Peter Marco Tiloca schreef op 2018-03-05 23:58: > Hello Peter, > > Thank you for your review and comments. Please, find some answers in > line. > > We took into account your comments for producing the latest version of > the draft [1]. Please, find some answers in line. > > Best, > /Marco > > [1] https://tools.ietf.org/html/draft-ietf-core-oscore-groupcomm-01 > > On 2018-02-06 12:04, peter van der Stok wrote: > >> Hi authors, >> >> Many thanks for this very useful document. Below some comments. >> These are mainly restricted to document structure, relation to other >> documents, and new concepts and terminology. I hope they are >> sufficiently clear and help improving the text. >> >> Peter >> >> Abstract: >> I did not see text that validates the phrase: >> “All security requirements fulfilled by OSCORE are >> maintained for multicast OSCORE request messages and related OSCORE >> response messages.” >> I did see: this document specifies the parameter values for OSCORE >> messages applied to group communication. > > [MT] Now rephrased as: “In particular, it is defined how OSCORE > should be used in a group communication setting, while fulfilling the > same security requirements for request messages and related response > message.” > >> Why is source authentication more important (mentioned separately) >> than all other security aspects of OCORE? > > [MT] In the main OSCORE specification, one has source authentication > among two parties directly from the usage of the AEAD. Instead, in the > group communication setting considered by group OSCORE, the Common > Context is sufficient to ensure group authentication, while the same > components alone are not sufficient to achieve source authentication > too. This is the reason why we additionally introduce > countersignatures trough each individual endpoint's private key, and > why we present source-authentication as a specific requirement to be > “brought back again”. > >> Introduction: >> Benefit from a group communication model: A possible group >> communication model is the use of unicast for all individual >> destinations; I don’t see how this increases efficiency. May-be >> you mean: leveraging the broadcast model of the underlying >> communication medium? > > [MT] Yes, that's right, however this should already come from RFC7390. > The advantage from the underlying communication model is limited to > requests. > >> Across intermediary nodes -> possibly involving intermediary nodes. > > [MT] Done. > >> The phrase: “To this end, …. protected message” is funny. I >> did not know that you could protect messages by including payload >> (something went wrong in this phrase). > > [MT] We rephrased as “To this end, a CoAP message is protected by > including its payload (if any), certain options, and header fields in > a COSE object, which finally replaces the authenticated and encrypted > fields in the protected message.” > >> Remove: “while fulfilling the same security requirements”. My >> suggestion: end-to-end security is assured by using the same >> security technology as for OSCORE. > > [MT] As aligned with the main OSCORE document, we rephrased as “so > that end-to-end security is assured by using the same security > method”. > >> The OSCORE draft mentions: >> “providing end-to-end encryption, integrity, replay protection, >> and >> secure the binding of response to request”. It does not mention >> source authentication explicitly. So, why is multicast-oscoap >> different? > > [MT] In OSCORE, one has source authentication among two parties > directly from the usage of the AEAD. Instead, in the group > communication setting considered by group OSCORE, the Common Context > is sufficient to ensure group authentication, while the same > components alone are not sufficient to achieve source authentication > too. This is the reason why we additionally introduce > countersignatures trough each individual endpoint's private key, and > why we present source-authentication as a specific requirement to be > “brought back again”. > >> Section 1.1 >> Multicaster: Is M <= N? > > [MT] Not necessarily. > >> sub-question is: are the destinations always all group members and >> is the source also a destination? > > [MT] Destinations are always group members, while a source is not > necessarily a destination, it depends on the role(s) in the group. For > example, an endpoint configured only as multicaster will be > only-source in a group where all the other members are configured as > pure listeners. > >> May be you should refer to section 2.2 which provides a better >> explanation. > > [MT] Section 2.2 has now become Appendix A.2, in order to have the > document body more in synch with the main OSCORE document. Which > portion(s) of Appendix A.2 do you think it is better to point at? > >> Endpoint ID: why this exclusion of pure listeners? It complicates >> the protocol. > > [MT] This was previously discussed with Jim, as a group member > configured _only_ as pure listener does not need to receive upon join > (and thereafter store) an Endpoint ID. In fact, that endpoint is never > going to transmit group messages where including its own Endpoint ID > as Sender ID. > >> Remove: “That is, …. same time”. Does not clarify uniqueness. > > [MT] Done. > >> Section 2. >> I do understand the purpose of section 2.2, but not of section 2.1. >> As far as I understand the Group Manager is essential for secure >> group communication as specified here; No GM means no group >> communication (is that correct?) In that case I would suggest two >> other subsections. > > [MT] “No GM means no group communication” is essentially correct > in this context, as there would be no provisioning of keying material > to joining endpoints. To be more precise, with no GM: i) group > membership has to be static; and ii) all key provisioning has to be > done once and for all before deployment through other means. > >> Section 2.1a Requirements on group manager, section 2.1b, Protocol >> characteristics. > > [MT] Also related to other comments, we now have a new Section 6 > listing the responsibilities of the Group Manager (that is, your > proposed Section 2.1a). Instead, your proposed Section 2.1b is > essentially the current Appendix A. This was driven by having the > document body more in synch with the main OSCORE document. > >> Multicast communication topology: remove the lighting use case, and >> refer to appendix. > > [MT] Done. > >> Multicast group size: is this the number of members? The fact that a >> member may be listener as well as multicaster is another aspect and >> not relevant to size. The numbers are interesting to guide >> implementers. > > [MT] We now put less stress on the roles of group members, but we > would anyway keep the roles related to the indicative numbers > provided, i.e. “… The group size is the current number of members > in a multicast group. In the use cases mentioned in this document, the > number of multicasters (normally the controlling devices) is expected > to be much smaller than the number of listeners (i.e. the controlled > devices). A security solution for group communication that supports 1 > to 50 multicasters would be able to properly cover the group sizes > required for most use cases that are relevant for this document > …”. > >> Establishment and Management of Security context: I recommend to >> mention relation to OSCORE security contexts. > > [MT] Done. > >> Actually, the text seems to discuss requirements on the GM. GM >> specification is out of scope but not any GM design can be used with >> oscoap-multicast. > > [MT] Also related to other comments, we now have a new Section 6 > listing the responsibilities of the Group Manager. Do you think any > particular additional requirement/responsibility on the Group Manager > is missing? > > [MT] Note that the Group Manager is not expected to necessarily be an > actual member of the group. That is, it needs to > generate/manage/provide OSCORE Contexts upon joining and to renew > Common Contexts within the group, but it is not required to > communicate by means of group OSCORE itself. > >> Multicast data security Cipher suite: GM requirement?? > > [MT] I would not say so. The Group Manager indicates keying material > and security parameters to new endpoints during the join process (see > current Section 6 and current Appendix D), specifying also the > security Cipher Suite to use in the group. However, the Group Manager > is not required to use such Cipher Suite itself, unless it is also an > actual group member. > >> Backward security: GM requirement? > > [MT] This is actually a requirement of the group rekeying scheme used > by the GM to manage the group keying material. So I would not say it > is a GM requirement. > >> Actually, this poses the question of ordering of messages from >> different sources; Is there a total ordering of messages or only a >> partial source order? (I see this is explained in section 2.2) May >> be a forward reference? > > [MT] At the beginning of current Section 4, we now list the security > objectives fulfilled by group OSCORE, and point at current Appendix > A.2 for further details. > >> Forward security: GM requirement? > > [MT] This is actually a requirement of the group rekeying scheme used > by the GM to manage the group keying material. So I would not say it > is a GM requirement. > >> Section 2.2 security Objectives >> Bullet 2; remove “In fact, …plaintext” ; does not add much > > [MT] Done. > >> Bullet 3: shall be authenticated with respect to two sources (sender >> and group) (simultaneously?) > > [MT] We have group authentication already from the usage of the AEAD, > plus source authentication through the countersignature. Do you think > we should have source authentication as a separate bullet? > >> Section 3; >> Suggestion: Each endpoint stores extensions of the Oscore context. I >> seem to read that the Contexts used for group communication are >> extensions to the one specified for OSCORE. If that is true, use >> different names or use extension of . >> Common context -> group context? In OSCORE the common context is >> defined as common between send and receiver, not common to the >> group. > > [MT] We actually need both “Common context” and “Group > Context”, as different concepts. In each endpoint, “Group > Context” is what you would implicitly define as “pair context” > in OSCORE, and it similarly includes a “Common context”, a > “Sender context” and _multiple_ (unlike OSCORE) “Recipient > contexts”, all of which with additional elements with respect to > their equivalent in OSCORE. > >> Point 1, bullet 2: “ … once the security context is >> established”: do you mean the common context? > > [MT] Yes, now clarified. > >> Point 2, The phrase “In practice, … OSCORE messages” is >> difficult to understand (at least I see multiple explanations) > > [MT] We have rephrased as: “In practice, the symmetric keying > material in the Sender Context of the sender endpoint is shared with > all the recipient endpoints that have received group messages from > that same sender endpoint.” > > [MT] Also, we have similarly rephrased the related sentence in the > paragraph below about the Recipient Context, i.e.: “In practice, the > symmetric keying material in a given Recipient Context of the > recipient endpoint is shared with the associated sender endpoint from > which group messages are received”. > >> Do you mean that SenderID is equal to its endpointID received at >> joining? > > [MT] Yes, we have clarified it in the definition of Endpoint ID in > Section 1.1. > >> It would be nice to give tables with additions to OSCORE security >> context for Sender Context, Recipient Context and Common (group) >> context; Now one has to search for them in the text. > > [MT] Done. > >> Point 3 Is Recipient Id also equal to endpointID. The text about >> Recipient context creation is unclear. Is the creation done by the >> Recipient endpoint? How are the contexts shared? Who does the >> sharing? Or do you mean that they are copied over at reception? >> Sender pubic key is extracted from Sender context (stored in GM, or >> sent over with message?) or from a trusted key repository? This >> paragraph is not very clear to me. Parts of the text are good >> candidates for a GM requirements section. See my comments about >> appendix C. > > [MT] Also related to other comments, we now have a new Section 6 > listing the responsibilities of the Group Manager. > > [MT] As to the other points: > > - Like in OSCORE, the Recipient ID is the Endpoint ID of a sender > endpoint from the perspective of the recipient endpoint. > > - Yes, the creation of a Recipient Context is done by the recipient > endpoint upon the reception of a first message from the corresponding > other endpoint acting as sender endpoint. Now it is stated explicitly, > and followed by a pointer to current Sections 4.2 and 4.4 about > processing incoming messages. > > - The sender's public key has to be retrieved anyway from a trusted > key repository, using the Endpoint ID of such sender endpoint. As a > possible configuration (see current Appendix D.2), the Group Manager > can be configured to act as trusted key repository. This is also > mentioned as an optional task of the Group Manager in the current > Section 6. > >> Section 3.1 Remove: “such a risk… office buildings. >> Nevertheless”. The fun with drones provided by Dutch universities, >> proves these assumptions to be futile. > > [MT] Done. > >> Distribution of master key is another GM requirement. > > [MT] Also related to other comments, we now have a new Section 6 > listing the responsibilities of the Group Manager. The Group Manager > distributes the OSCORE Master Secret as part of the Security Common > Context. > >> Section 4 bullit 1: The phrase “set to the SenderId of the >> endpoint” creates the impression that an endpoint has multiple >> IDs. Probably, you mean: the SenderId of the Context is set to the >> ID of the endpoint (or similar much better text) > > [MT] The Sender ID is related to the endpoint, which has indeed a > single one stored in its own Sender Context, but not to the Context. > We rephrased as “set to the Endpoint ID of the endpoint transmitting > the message, i.e. the Sender ID”. > >> Bullit 2 star 1: Is the group’s Security Context equal to the >> Common context? > > [MT] No, and we actually need both “Common context” and “Group > Context”, as different concepts. In each endpoint, “Group > Context” is what you would implicitly define as “pair context” > in OSCORE, and it similarly includes a “Common context”, a > “Sender context” and _multiple_ (unlike OSCORE) “Recipient > contexts”, all of which with additional elements with respect to > their equivalent in OSCORE. > >> Figure 1 differs from figure 7 in OSCORE draft > > [MT] Figure 1 actually is related to Figure 8 in the OSCORE draft. > >> Section 5; Suggestion: In case of malformed messages a “listening >> only” receiver endpoint silently rejects the message and sends no >> error message; all other receivers return an error message x.xx. > > [MT] The current text was the result of a discussion with Jim at > IETF99, to avoid congesting the group. Perhaps we can rephrase the > current text as a possible conservative behavior, while adding what > you suggest especially in case of groups that are small or hard to > congest. > >> Section 5.1 >> The document uses two terms: multicaster endpoint and sender >> endpoint; I assume they are equal concepts; If yes, choose one, if >> no, explain difference. > > [MT] The definition of “Multicaster” is provided in Section 1.1, > and it refers to an endpoint acting as “Sender” when transmitting > group requests and “Recipient” when receiving responses. On the > other hand, a sender can be a multicaster sending a group request or > as well a listener sending a response. The concepts of “Sender” > and “Recipient” as such as inherited from the main OSCORE > document. > >> Point 1; stores where? Find where? > > [MT] I am not sure we should provide similar details here. Not even > OSCORE specifies this in its Section 8.1, point 6. > >> Section 5.2 point 2; It is not clear how a new Recipient context is >> created; That is probably due to the vague duties of the GM. > > [MT] It is created just like in OSCORE, plus the inclusion of the > sender endpoint's public key to be separately retrieved. > >> Section 6; I think that synchronizing sequence numbers is part of >> the standard and should be specified as requirement on the GM. > > [MT] The GM is expected to indicate to a joining endpoint the approach > to follow. So, specifying the approach to use can be seen as a GM > requirement, rather than enforcing that approach in the group itself. > This is now also part of the GM's responsibilities listed in current > Section 6. > >> Section 7.1 Remove “for instance .. those roles” Refer to >> appendix A. > > [MT] Done (now Appendix B). > >> Section 7; Don’t you need some discussion on size of group to >> discuss security breach probabilities? > > [MT] That's something more we can add. Input are welcome. > >> Appendix A >> lighting control; here you refer to multicast group, which is >> sometimes correct. In the introduction you talk about group >> communication. > > [MT] A group displays group communication including delivery of > multicast messages (requests) together with unicast messages > (responses). We have revised the document and simply refer to > “group” now. > >> Switches but also sensors can control the state of the lights. Why >> is the backbone multicast enabled? Is that a MUST? > > [MT] That can be relaxed, as long as IP packets having a multicast > destination address are correctly delivered all the way to the border > routers acting as entry points. > >> Events within a 200 ms interval are perceived as simultaneous by >> humans. Necessary in many configurations. > > [MT] Ok, now mentioned. > >> In Building control, intervals of seconds are sufficient. > > [MT] Ok, now mentioned. > >> Commissioning of LLN system; Interesting idea that multicast should >> be enabled on a subnetwork for discovery. However, that would be >> after enrollment of the devices? I think the use case needs a bit >> more thought. > > [MT] Agree, we can think more about it and collect input. > >> Emergency multicast; Also interesting, but that needs a fault >> tolerant multicast algorithm, like MPL. for example. > > [MT] Ok, now mentioned. > >> Appendix C. I like this appendix, it provides the necessary >> understanding how things will work in practice. Please keep this >> appendix but also create a section with GM requirements, with the >> purpose of the requirements explained in the appendix. (this is a >> suggestion, don’t know if it will work actually) > > [MT] Also related to other comments, we now have a new Section 6 > listing the responsibilities of the Group Manager. > >> C.1 bullit management keying material: depend -> depends > > [MT] I think that “depend” is correct. The subject is > “elements”. > >> C.3 I think the utilization of ACE framework SHOULD be part of the >> standard. Too many options reduce the interoperability. Especially >> standards about the GM seem rather crucial to me. > > [MT] This is something we can further discuss in the WG. I personally > support your view, while for the time being the ACE-based approach in > current Appendix D.3 is seen as a possible incarnation of the more > generic description in current Appendix D.1. It might be good to still > leave room for alternative join approaches that are not based on ACE, > as long as they correctly initialize new endpoints upon joining the > group. > >> Appendix D. Are the proposed options interoperable within a group? >> Also here I would advocate interoperable solutions only. > > [MT] Yes, they are. Upon joining, the Group Manager can possibly > mention the synchronization policy to follow on a per-endpoint basis > (see current Section 5 introducing this aspect at a high-level). > >> > > -- > Marco Tiloca, PhD > Research Institutes of Sweden > RISE ICT/SICS > Isafjordsgatan 22 / Kistagången 16 > SE-164 40 Kista (Sweden) > Phone: +46 (0)70 60 46 501 > https://www.sics.se > > The RISE institutes Innventia, SP and Swedish ICT > have merged in order to become a stronger research > and innovation partner for businesses and society. > > SICS Swedish ICT AB, has now changed name to RISE SICS AB.
- [core] tiloca-core-muticast-oscoap-4 peter van der Stok
- Re: [core] tiloca-core-muticast-oscoap-4 Marco Tiloca
- Re: [core] tiloca-core-muticast-oscoap-4 peter van der Stok