Re: [core] tiloca-core-muticast-oscoap-4
Marco Tiloca <marco.tiloca@ri.se> Mon, 05 March 2018 22:58 UTC
Return-Path: <marco.tiloca@ri.se>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1D831275AB for <core@ietfa.amsl.com>; Mon, 5 Mar 2018 14:58:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.619
X-Spam-Level:
X-Spam-Status: No, score=-1.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_FONT_FACE_BAD=0.981, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id htj_Oc5nXr0y for <core@ietfa.amsl.com>; Mon, 5 Mar 2018 14:58:30 -0800 (PST)
Received: from se-out2.mx-wecloud.net (se-out2.mx-wecloud.net [89.221.255.177]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F99C12711E for <core@ietf.org>; Mon, 5 Mar 2018 14:58:29 -0800 (PST)
Received: from sp-mail-2.sp.se (unknown [194.218.146.197]) by se-out2.mx-wecloud.net (Postfix) with ESMTPS id 17994221FCD; Mon, 5 Mar 2018 22:58:29 +0000 (UTC)
Received: from [192.168.0.65] (10.116.0.226) by sp-mail-2.sp.se (10.100.0.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1261.35; Mon, 5 Mar 2018 23:58:26 +0100
To: consultancy@vanderstok.org, Core <core@ietf.org>
References: <cd41ca36847b1db799e96ca6d6cee1d8@xs4all.nl>
From: Marco Tiloca <marco.tiloca@ri.se>
Message-ID: <1226ef9a-c95d-42c4-4bd0-b59c64135dde@ri.se>
Date: Mon, 05 Mar 2018 23:58:20 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <cd41ca36847b1db799e96ca6d6cee1d8@xs4all.nl>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="VBNPWHlO6sy7A9jH9bZMVjIJjjLQsM45u"
X-Originating-IP: [10.116.0.226]
X-ClientProxiedBy: sp-mail-2.sp.se (10.100.0.162) To sp-mail-2.sp.se (10.100.0.162)
X-CMAE-Score: 0
X-CMAE-Analysis: v=2.2 cv=K9NSJ2eI c=1 sm=1 tr=0 a=L5DDne6A+dD0FbDkt2Fblw==:117 a=L5DDne6A+dD0FbDkt2Fblw==:17 a=sZ8rJzgPlrQA:10 a=v2DPQv5-lfwA:10 a=r77TgQKjGQsHNAKrUKIA:9 a=48vgC7mUAAAA:8 a=xPT6tdSuAAAA:8 a=gf6o5gKAHCQBkT3G5IUA:9 a=3EBF0hqEJpPGorfV:21 a=K1HI0-BMohcEc9dS:21 a=QEXdDO2ut3YA:10 a=PkKVtKu-3bODk5XFDMMA:9 a=mSqDSMiuFR75rgdb:21 a=8ht8O83RjKfo48HU:21 a=fQz2Tac5qV1fLKqh:21 a=_W_S_7VecoQA:10 a=frz4AuCg-hUA:10 a=mBr-oMQauN9WSH-0ONEA:9 a=ONNS8QRKHyMA:10 a=w1C3t2QeGrPiZgrLijVG:22 a=80PJfYVSYmV_jLpvUEnt:22
X-Virus-Scanned: clamav-milter 0.99.3 at MailSecurity
X-Virus-Status: Clean
X-MailSecurity-Status: 0
X-Scanned-By: WeCloud MailSecurity
X-MailSecurity-Score: 0
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/OvSlrStaAiH7mTC16LcUFUi0C8Y>
Subject: Re: [core] tiloca-core-muticast-oscoap-4
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Mar 2018 22:58:38 -0000
Hello Peter, Thank you for your review and comments. Please, find some answers in line. We took into account your comments for producing the latest version of the draft [1]. Please, find some answers in line. Best, /Marco [1] https://tools.ietf.org/html/draft-ietf-core-oscore-groupcomm-01 On 2018-02-06 12:04, peter van der Stok wrote: > Hi authors, > > Many thanks for this very useful document. Below some comments. These > are mainly restricted to document structure, relation to other > documents, and new concepts and terminology. I hope they are > sufficiently clear and help improving the text. > > Peter > > Abstract: > I did not see text that validates the phrase: > “All security requirements fulfilled by OSCORE are > maintained for multicast OSCORE request messages and related OSCORE > response messages.” > I did see: this document specifies the parameter values for OSCORE > messages applied to group communication. [MT] Now rephrased as: “In particular, it is defined how OSCORE should be used in a group communication setting, while fulfilling the same security requirements for request messages and related response message.” > Why is source authentication more important (mentioned separately) > than all other security aspects of OCORE? > [MT] In the main OSCORE specification, one hassource authentication among two parties directly from the usage of the AEAD. Instead, in the group communication setting considered bygroup OSCORE, the Common Context is sufficient to ensure group authentication, while the same components alone are not sufficient to achieve source authentication too. This is the reason why we additionally introduce countersignatures trough each individual endpoint's private key, and why we present source-authentication as a specific requirement to be “brought back again”. > Introduction: > Benefit from a group communication model: A possible group > communication model is the use of unicast for all individual > destinations; I don’t see how this increases efficiency. May-be you > mean: leveraging the broadcast model of the underlying communication > medium? [MT] Yes, that's right, however this should already come from RFC7390. The advantage from the underlying communication model is limited to requests. > Across intermediary nodes -> possibly involving intermediary nodes. [MT] Done. > The phrase: “To this end, …. protected message” is funny. I did not > know that you could protect messages by including payload (something > went wrong in this phrase). [MT] We rephrased as “To this end, a CoAP message is protected by including its payload (if any), certain options, and header fields in a COSE object, which finally replaces the authenticated and encrypted fields in the protected message.” > Remove: “while fulfilling the same security requirements”. My > suggestion: end-to-end security is assured by using the same security > technology as for OSCORE. [MT] As aligned with the main OSCORE document, we rephrased as “so that end-to-end security is assured by using the same security method”. > The OSCORE draft mentions: > “providing end-to-end encryption, integrity, replay protection, and > secure the binding of response to request”. It does not mention source > authentication explicitly. So, why is multicast-oscoap different? [MT] In OSCORE, one hassource authentication among two parties directly from the usage of the AEAD. Instead, in the group communication setting considered by group OSCORE, the Common Context is sufficient to ensure group authentication, while the same components alone are not sufficient to achieve source authentication too. This is the reason why we additionally introduce countersignatures trough each individual endpoint's private key, and why we present source-authentication as a specific requirement to be “brought back again”. > > Section 1.1 > Multicaster: Is M <= N? [MT] Not necessarily. > sub-question is: are the destinations always all group members and is > the source also a destination? [MT] Destinations are always group members, while a source is not necessarily a destination, it depends on the role(s) in the group. For example, an endpoint configured only as multicaster will be only-source in a group where all the other members are configured as pure listeners. > May be you should refer to section 2.2 which provides a better > explanation. [MT] Section 2.2 has now become Appendix A.2, in order to have the document body more in synch with the main OSCORE document. Which portion(s) of Appendix A.2 do you think it is better to point at? > > Endpoint ID: why this exclusion of pure listeners? It complicates the > protocol. [MT] This was previously discussed with Jim, as a group member configured _only_ as pure listener does not need to receive upon join (and thereafter store) an Endpoint ID. In fact, that endpoint is never going to transmit group messages where including its own Endpoint ID as Sender ID. > Remove: “That is, …. same time”. Does not clarify uniqueness. [MT] Done. > > Section 2. > I do understand the purpose of section 2.2, but not of section 2.1. As > far as I understand the Group Manager is essential for secure group > communication as specified here; No GM means no group communication > (is that correct?) In that case I would suggest two other subsections. [MT] “No GM means no group communication” is essentially correct in this context, as there would be no provisioning of keying material to joining endpoints. To be more precise, with no GM: i) group membership has to be static; and ii) all key provisioning has to be done once and for all before deployment through other means. > Section 2.1a Requirements on group manager, section 2.1b, Protocol > characteristics. [MT] Also related to other comments, we now have a new Section 6 listing the responsibilities of the Group Manager (that is, your proposed Section 2.1a). Instead, your proposed Section 2.1b is essentially the current Appendix A. This was driven by having the document body more in synch with the main OSCORE document. > > Multicast communication topology: remove the lighting use case, and > refer to appendix. [MT] Done. > Multicast group size: is this the number of members? The fact that a > member may be listener as well as multicaster is another aspect and > not relevant to size. The numbers are interesting to guide implementers. [MT] We now put less stress on the roles of group members, but we would anyway keep the roles related to the indicative numbers provided, i.e. “… The group size is the current number of members in a multicast group. In the use cases mentioned in this document, the number of multicasters (normally the controlling devices) is expected to be much smaller than the number of listeners (i.e. the controlled devices). A security solution for group communication that supports 1 to 50 multicasters would be able to properly cover the group sizes required for most use cases that are relevant for this document …”. > > Establishment and Management of Security context: I recommend to > mention relation to OSCORE security contexts. [MT] Done. > Actually, the text seems to discuss requirements on the GM. GM > specification is out of scope but not any GM design can be used with > oscoap-multicast. [MT] Also related to other comments, we now have a new Section 6 listing the responsibilities of the Group Manager. Do you think any particular additional requirement/responsibility on the Group Manager is missing? [MT] Note that the Group Manager is not expected to necessarily be an actual member of the group. That is, it needs to generate/manage/provide OSCORE Contexts upon joining and to renew Common Contexts within the group, but it is not required to communicate _by means of_group OSCORE itself. > > Multicast data security Cipher suite: GM requirement?? [MT] I would not say so. The Group Manager indicates keying material and security parameters to new endpoints during the join process (see current Section 6 and current Appendix D), specifying also the security Cipher Suite to use in the group. However, the Group Manager is not required to use such Cipher Suite itself, unless it is also an actual group member. > > Backward security: GM requirement? [MT] This is actually a requirement of the group rekeying scheme used by the GM to manage the group keying material. So I would not say it is a GM requirement. > Actually, this poses the question of ordering of messages from > different sources; Is there a total ordering of messages or only a > partial source order? (I see this is explained in section 2.2) May be > a forward reference? [MT] At the beginning of current Section 4, we now list the security objectives fulfilled by group OSCORE, and point at current Appendix A.2 for further details. > > Forward security: GM requirement? [MT] This is actually a requirement of the group rekeying scheme used by the GM to manage the group keying material. So I would not say it is a GM requirement. > > Section 2.2 security Objectives > Bullet 2; remove “In fact, …plaintext” ; does not add much [MT] Done. > Bullet 3: shall be authenticated with respect to two sources (sender > and group) (simultaneously?) [MT] We have group authentication already from the usage of the AEAD, plus source authentication through the countersignature. Do you think we should have source authentication as aseparate bullet? > > Section 3; > Suggestion: Each endpoint stores extensions of the Oscore context. I > seem to read that the Contexts used for group communication are > extensions to the one specified for OSCORE. If that is true, use > different names or use extension of . > Common context -> group context? In OSCORE the common context is > defined as common between send and receiver, not common to the group. [MT] We actually need both “Common context” and “Group Context”, as different concepts. In each endpoint, “Group Context” is what you would implicitly define as “pair context” in OSCORE, and it similarly includes a “Common context”, a “Sender context” and _multiple_ (unlike OSCORE) “Recipient contexts”, all of which with additional elements with respect to their equivalent in OSCORE. > Point 1, bullet 2: “ … once the security context is established”: do > you mean the common context? [MT] Yes, now clarified. > Point 2, The phrase “In practice, … OSCORE messages” is difficult to > understand (at least I see multiple explanations) [MT] We have rephrased as: “In practice, the symmetric keying material in the Sender Context of the sender endpoint is shared with all the recipient endpoints that have received group messages from that same sender endpoint.” [MT] Also, we have similarly rephrased the related sentence in the paragraph below about the Recipient Context, i.e.: “In practice, the symmetric keying material in a given Recipient Context of the recipient endpoint is shared with the associated sender endpoint from which group messages are received”. > Do you mean that SenderID is equal to its endpointID received at joining? [MT] Yes, we have clarified it in the definition of Endpoint ID in Section 1.1. > It would be nice to give tables with additions to OSCORE security > context for Sender Context, Recipient Context and Common (group) > context; Now one has to search for them in the text. [MT] Done. > Point 3 Is Recipient Id also equal to endpointID. The text about > Recipient context creation is unclear. Is the creation done by the > Recipient endpoint? How are the contexts shared? Who does the sharing? > Or do you mean that they are copied over at reception? > Sender pubic key is extracted from Sender context (stored in GM, or > sent over with message?) or from a trusted key repository? This > paragraph is not very clear to me. Parts of the text are good > candidates for a GM requirements section. See my comments about > appendix C. [MT] Also related to other comments, we now have a new Section 6 listing the responsibilities of the Group Manager. [MT] As to the other points: - Like in OSCORE, the Recipient ID is the Endpoint ID of a sender endpoint _from the perspective of the recipient endpoint_. - Yes, the creation of a Recipient Context is done by the recipient endpoint upon the reception of a first message from the corresponding other endpoint acting as sender endpoint. Now it is stated explicitly, and followed by a pointer to current Sections4.2 and 4.4about processing incoming messages. - The sender's public key has to be retrieved anyway from a trusted key repository, using the Endpoint ID of such sender endpoint. As a possible configuration (see current Appendix D.2), the Group Manager can be configured to act as trusted key repository. This is also mentioned as an optional task of the Group Manager in the current Section 6. > > Section 3.1 Remove: “such a risk… office buildings. Nevertheless”. The > fun with drones provided by Dutch universities, proves these > assumptions to be futile. [MT] Done. > > Distribution of master key is another GM requirement. [MT] Also related to other comments, we now have a new Section 6 listing the responsibilities of the Group Manager. The Group Manager distributes the OSCORE Master Secret as part of the Security Common Context. > > Section 4 bullit 1: The phrase “set to the SenderId of the endpoint” > creates the impression that an endpoint has multiple IDs. Probably, > you mean: the SenderId of the Context is set to the ID of the > endpoint (or similar much better text) [MT] The Sender ID is related to the endpoint, which has indeed a single one stored in its own Sender Context, but not to the Context. We rephrased as “set to the Endpoint ID of the endpoint transmitting the message, i.e. the Sender ID”. > Bullit 2 star 1: Is the group’s Security Context equal to the Common > context? [MT] No, and we actually need both “Common context” and “Group Context”, as different concepts. In each endpoint, “Group Context” is what you would implicitly define as “pair context” in OSCORE, and it similarly includes a “Common context”, a “Sender context” and _multiple_ (unlike OSCORE) “Recipient contexts”, all of which with additional elements with respect to their equivalent in OSCORE. > > Figure 1 differs from figure 7 in OSCORE draft [MT] Figure 1 actually is related to Figure 8 in the OSCORE draft. > > Section 5; Suggestion: In case of malformed messages a “listening > only” receiver endpoint silently rejects the message and sends no > error message; all other receivers return an error message x.xx. [MT] The current text was the result of a discussion with Jim at IETF99, to avoid congesting the group. Perhaps we can rephrase the current text as a possible conservative behavior, while adding what you suggest especially in case of groups that are small or hard to congest. > > Section 5.1 > The document uses two terms: multicaster endpoint and sender endpoint; > I assume they are equal concepts; If yes, choose one, if no, explain > difference. [MT] The definition of “Multicaster” is provided in Section 1.1, and it refers to an endpoint acting as “Sender” when transmitting group requests and “Recipient” when receiving responses. On the other hand, a sender can be a multicaster sending a group request or as well a listener sending a response. The concepts of “Sender” and “Recipient” as such as inherited from the main OSCORE document. > > Point 1; stores where? Find where? [MT] I am not sure we should provide similar details here. Not even OSCORE specifies this in its Section 8.1, point 6. > > Section 5.2 point 2; It is not clear how a new Recipient context is > created; That is probably due to the vague duties of the GM. [MT] It is created just like in OSCORE, plus the inclusion of the sender endpoint's public key to be separately retrieved. > > Section 6; I think that synchronizing sequence numbers is part of the > standard and should be specified as requirement on the GM. [MT] The GM is expected to indicate to a joining endpoint the approach to follow. So, specifying the approach to use can be seen as a GM requirement, rather than enforcing that approach in the group itself. This is now also part of the GM's responsibilities listed in current Section 6. > > > Section 7.1 Remove “for instance .. those roles” Refer to appendix A. [MT] Done (now Appendix B). > > Section 7; Don’t you need some discussion on size of group to discuss > security breach probabilities? [MT] That's something more we can add. Input are welcome. > > Appendix A > lighting control; here you refer to multicast group, which is > sometimes correct. In the introduction you talk about group communication. [MT] A group displays group communication including delivery of multicast messages (requests) together with unicast messages (responses). We have revised the document and simply refer to “group” now. > Switches but also sensors can control the state of the lights. Why is > the backbone multicast enabled? Is that a MUST? [MT] That can be relaxed, as long as IP packets having a multicast destination address are correctly delivered all the way to the border routers acting as entry points. > Events within a 200 ms interval are perceived as simultaneous by > humans. Necessary in many configurations. [MT] Ok, now mentioned. > > In Building control, intervals of seconds are sufficient. > [MT] Ok, now mentioned. > Commissioning of LLN system; Interesting idea that multicast should be > enabled on a subnetwork for discovery. However, that would be after > enrollment of the devices? I think the use case needs a bit more thought. [MT] Agree, we can think more about it and collect input. > > Emergency multicast; Also interesting, but that needs a fault tolerant > multicast algorithm, like MPL. for example. [MT] Ok, now mentioned. > > Appendix C. I like this appendix, it provides the necessary > understanding how things will work in practice. Please keep this > appendix but also create a section with GM requirements, with the > purpose of the requirements explained in the appendix. (this is a > suggestion, don’t know if it will work actually) [MT] Also related to other comments, we now have a new Section 6 listing the responsibilities of the Group Manager. > > C.1 bullit management keying material: depend -> depends [MT] I think that “depend” is correct. The subject is “elements”. > > C.3 I think the utilization of ACE framework SHOULD be part of the > standard. Too many options reduce the interoperability. Especially > standards about the GM seem rather crucial to me. [MT] This is something we can further discuss in the WG. I personally support your view, while for the time being the ACE-based approach in current Appendix D.3 is seen as a possible incarnation of the more generic description in current Appendix D.1. It might be good to still leave room for alternative join approaches that are not based on ACE, as long as they correctly initialize new endpoints upon joining the group. > > Appendix D. Are the proposed options interoperable within a group? > Also here I would advocate interoperable solutions only. [MT] Yes, they are. Upon joining, the Group Manager can possibly mention the synchronization policy to follow on a per-endpoint basis (see current Section 5 introducing this aspect at a high-level). > > -- Marco Tiloca, PhD Research Institutes of Sweden RISE ICT/SICS Isafjordsgatan 22 / Kistagången 16 SE-164 40 Kista (Sweden) Phone: +46 (0)70 60 46 501 https://www.sics.se The RISE institutes Innventia, SP and Swedish ICT have merged in order to become a stronger research and innovation partner for businesses and society. SICS Swedish ICT AB, has now changed name to RISE SICS AB.
- [core] tiloca-core-muticast-oscoap-4 peter van der Stok
- Re: [core] tiloca-core-muticast-oscoap-4 Marco Tiloca
- Re: [core] tiloca-core-muticast-oscoap-4 peter van der Stok