IETF Logo Mail Archive

Re: [core] Benjamin Kaduk's Discuss on draft-ietf-core-stateless-06: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Mon, 16 November 2020 12:01 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C6D93A0D9B; Mon, 16 Nov 2020 04:01:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s998uo9xs1Ol; Mon, 16 Nov 2020 04:01:42 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D31E3A0D99; Mon, 16 Nov 2020 04:01:40 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 0AGC1W96019779 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 16 Nov 2020 07:01:37 -0500
Date: Mon, 16 Nov 2020 04:01:32 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: The IESG <iesg@ietf.org>, draft-ietf-core-stateless@ietf.org, core-chairs@ietf.org, core@ietf.org, Carsten Bormann <cabo@tzi.org>
Message-ID: <20201116120132.GW39170@kduck.mit.edu>
References: <158741679923.20291.1071401061463555301@ietfa.amsl.com> <0c186080-6ac1-2a9d-1e0a-7cf3b3667d52@sandelman.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <0c186080-6ac1-2a9d-1e0a-7cf3b3667d52@sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/uEut6I2y5xuwiS8njLvwaeRaPz4>
Subject: Re: [core] Benjamin Kaduk's Discuss on draft-ietf-core-stateless-06: (with DISCUSS and COMMENT)
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Nov 2020 12:01:45 -0000

Hi Michael,

Thanks; this looks good and I'm happy to clear the discuss (and will do so
shortly).

A couple notes inline, and also one on the (nicely) expanded §5.2:

   When encryption is used, the use of AES-CCM [RFC3610] with a 64-bit	
   tag is recommended, combined with a sequence number and a replay	
   window.  This choice is informed by available hardware acceleration	
   of on many constrained systems.  If a different algorithm is	
   available accelerated on the sender, with similar strength, then it	
   SHOULD be preferred.  Where privacy of the state is not required, and	

(similar strength or stronger, presumably).

On Thu, Nov 05, 2020 at 11:16:18AM -0500, Michael Richardson wrote:
> The ID submission system is closed, but we have a -08 ready.

(It's open again now!)

> You can view the diff against -06 at:
>  
> https://ietf.org/rfcdiff?url1=draft-ietf-core-stateless-06.txt&url2=https://raw.githubusercontent.com/core-wg/stateless/master/draft-ietf-core-stateless-08.txt
> 
> If you'd like to approve updating this document, the XML is at:
>  
> https://raw.githubusercontent.com/core-wg/stateless/master/draft-ietf-core-stateless-08.xml
> 
> The document is ready.
> 
> On 2020-04-20 5:06 p.m., Benjamin Kaduk via Datatracker wrote:
>  > ----------------------------------------------------------------------
>  > DISCUSS:
>  > ----------------------------------------------------------------------
>  >
>  > Let's discuss whether the various and sundry conditional SHOULDs in 
> Section
>  > 3.1 are better written as conditional MUSTs (i.e., with the listed
>  > exclusions being the only allowed exclusion).
> 
> Hi, we have left them as SHOULD.
> AFAIK, a SHOULD is a conditional MUST, and I agree that exclusions need 
> to be
> listed.

Okay, thanks for thinking about it.

> The security considerations say:
>     It maybe that in some very specific case, as a result of a careful
>     and detailed analysis of any potential attacks, that there may be
>     cases where such cryptographic protections do not add value.  The
>     authors of this document have not found such a use case as yet, but
>     this is a local decision.

nit: I see what you are trying to say, but the current wording looks like
there's supposed to be cause/effect between doing the analysis and lack of
value in cryptographic protection.  Maybe s/as a result of/as revealed by/?

Thanks again!

-Ben

> There are no interoperability requirements around what the token format is.
> I don't feel strongly one way or another but it seems like the text is
> already pretty clear.
> 
>  > Also, Appendix A.2 seems to show "Len (extended)" as just 0-2 bytes when
>  > IIUC it is 0-4 bytes.
> 
> This was fixed in the diagram.
> 
>  > ----------------------------------------------------------------------
>  > COMMENT:
>  > ----------------------------------------------------------------------
>  >
>  > Section 2.1
>  >
>  >     The new definition of the TKL field increases the maximum token
>  >     length that can be represented in a message to 65804 bytes.  However,
>  >     the maximum token length that sender and recipient implementations
>  >     support may be shorter.  For example, a constrained node of Class 1
>  >     [RFC7228] might support extended token lengths only up to 32 bytes.
>  >
>  > Is there anything to say about IP MTU here?
> 
> Not really.   Obviously, if you can't fit the bigger token into the packet,
> then you can't use it.
> 
>  > This is a fairly subtle way of saying that core RFC 7252
>  > procedures/semantics are being updated; I'd suggest calling out 
> (alongside
>  > the other updates) the new(?) requirement for distinguishing whether an
>  > extension is unrecognized vs. an invalid value by producing reset vs. a
>  > distinguished error code.  (I do see that the semantics for 5.03 and 4.00
>  > are not changing, but the use of Reset vs. error code for feature
>  > negotiation seems important for implementors to be aware of.)
> 
> This was opened as https://github.com/core-wg/stateless/issues/3
> The document already Updates RFC7252.
> 
> comments on Section 3.1/3.2 already applied
> 
>  > Section 4
>  >
>  > Perhaps it's worth noting that this nesting of state will necessarily
>  > increase the token size as it progresses along a chain of intermediaries?
>  >
>  > There's also some considerations relating to how the freshness window 
> of the
>  > client an intermediary interact, with the client effectively being 
> limited
>  > to the minimum of all windows in use by client and intermediate(s) on the
>  > path.
>  >
>  > If the intermediary has a very long freshness window it could be tricked
>  > into sending "replies" to addresses that it thinks are clients but 
> may not
>  > be any more, e.g., allowing a DoS attack to traverse a NAT or firewall.
> 
> Opened as https://github.com/core-wg/stateless/issues/4
> closed as wontfix after some discussion in the issue and on the list
> 
>  > Section 4.3
>  >
>  > RFC 7252 doesn't really suggest that there's a protocol element that 
> would
>  > be set to "infinite" here; perhaps we should just say that "in this case,
>  > the gateway cannot return such a response and as such cannot 
> implement such
>  > a timeout".
> 
> Text updated as suggested.
> 
>  > Section 5
>  >
>  > With no integrity protection on the rejection of trial-and-error (section
>  > 2.2.2) it's susceptible to downgrade, IIUC even by an off-path attacker.
>  > (I did not think too hard about whether OSCORE could protect the 
> Resets in
>  > question or not, though.)  It seems like such forced downgrade would have
>  > second-order effects in causing clients to use more local state and 
> thus be
>  > more readily susceptible to other DoS vecros.
>  >
>  > Also, when integrity protection is not in use, the client is 
> susceptible to
>  > spoofed responses that had no corresponding request -- only a very 
> limited
>  > subset of request/response pairs are safe to convert to "unauthenticated
>  > server push", as that would effectivley do, and we should probably 
> mention
>  > that explicitly.
>  >
>  > I'd also suggest noting that a self-encrypted state token bears 
> significant
>  > resemblance to a TLS self-encrypted session ticket, and reference the RFC
>  > 5077 security considerations.  (Yes, I know that RFC 8446 Obsoletes RFC
>  > 5077; it would be an informational reference only.)
>  >
>  > This could also lead to some discussion about having in general an
>  > appropriate amount of sanity checks on the returned token that may or may
>  > not reflect serialized state, to limit the scope of various attacks 
> even in
>  > the absence of cryptographic protections.
> 
> open as issue: https://github.com/core-wg/stateless/issues/5
> Text updated as per:
> https://github.com/core-wg/stateless/commit/83535c69958467099cd20ca49d9bbb8e8cc03068 
> and
> https://github.com/core-wg/stateless/commit/83535c69958467099cd20ca49d9bbb8e8cc03068
> 
>  > Section 5.1
>  >
>  >     size that need to be mitigated.  A node in the server role supporting
>  >     extended token lengths may be vulnerable to a denial-of-service when
>  >     an attacker (either on-path or a malicious client) sends large tokens
>  >     to fill up the memory of the node.  Implementations need to be
>  >     prepared to handle such messages.
>  >
>  > This seems particularly problematic given that we disallow sending 
> Reset in
>  > response to too-large tokens and instead imply that it should echo 
> the large
>  > token in a 4.00 response.  I guess technically this is a SHOULD and not a
>  > MUST, so there is some leeway to do something else, but what would that
>  > "something else" be in this case?  It seems like we have a hard 
> requirement
>  > to do something sane with a token as large as 65804 bytes.
> 
> opened as https://github.com/core-wg/stateless/issues/6
> Discussion is that in order to receive such a large token, you have to
> receive it.  If you can receive such a large packet, then you can answer it.
> As the token is never stored, there is no exhaustion attack possible.
> closed as wontfix
> 
>  > Section 5.2
>  >
>  >     The use of encryption, integrity protection, and replay protection of
>  >     serialized state is recommended, unless a careful analysis of any
>  >     potential attacks to security and privacy is performed.  [...]
>  >
>  > I suggest an alternative wording:
>  >
>  > % It is generally expected that the use of encryption, integrity 
> protection,
>  > % and replay protection for serialized state is appropriate.  However, a
>  > % careful analysis of any potential attacks to the security and privacy
>  > % properties of the system might reveal that there are cases where such
>  > % cryptographic protections do not add value in a specific case.
> 
> Text used as part of rewrite.
>  >
>  >     a 64 bit tag is recommended, combined with a sequence number and a
>  >     replay window.  Where encryption is not needed, HMAC-SHA-256,
>  >     combined with a sequence number and a replay window, may be used.
>  >
>  > Can we give guidance on sizing the replay window?
>  > Should the HMAC-SHA-256 output be truncated akin to the truncated CCM 
> tag?
>  > In what cases would one want to use an absolute timestamp instead of/in
>  > addition to a sequence-based replay window?
> 
> issue opened as: https://github.com/core-wg/stateless/issues/7
> Replay recommendation/analysis is at:
> https://github.com/core-wg/stateless/commit/b019c61e2b44757a4427956af95e99fbec15180e
> updated by:
> https://github.com/core-wg/stateless/commit/a7157fea61c3948899ded7311b5b0920cbd1b1c2
> and then today by:
> https://github.com/core-wg/stateless/pull/15
> 
>  >     guarantees are voided.  Devices with low-entropy sources -- as is
>  >     typical with constrained devices, which incidentally happen to be a
>  >     natural candidate for the stateless mechanism described in this
>  >
>  > nit: "low-entropy sources" is a weird phrasing; "low-quality entropy
>  > sources" would feel more natural to me.
>  > Also, draft-irtf-cfrg-randomness-improvements may be of interest to 
> at least
>  > some such devices.
> 
> suggested text adopted.
> 
>  >
>  >     provides the above uniqueness guarantee.  Additionally, since it can
>  >     be difficult to use AES-CCM securely when using statically configured
>  >     keys, implementations should use automated key management [RFC4107].
>  >
>  > This is BCP 107, so I think we could use stronger language than "should
>  > use".  Also we should cite it as the BCP.
> 
> open as https://github.com/core-wg/stateless/issues/8
> We removed the reference to RFC4107.
> There is no reason to cite RFC4107, there is no key agreement needed.
> The key is entirely a local manner, and a few pull requests referenced in
> this ticket rewrite that text.
> 
>  > Section 6.1
>  >
>  > Should the table formatting be consistent between here and Section 2.2.1?
> 
> The tables look similar now.
>

v2.23.0 | Report a Bug | By Email