[core] Re: Review of draft-ietf-core-oscore-groupcomm-17
chrysn <chrysn@fsfe.org> Mon, 01 July 2024 21:39 UTC
Return-Path: <chrysn@fsfe.org>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9B4CC180B41; Mon, 1 Jul 2024 14:39:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.607
X-Spam-Level:
X-Spam-Status: No, score=-2.607 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_FAIL=0.001, SPF_HELO_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MMkMmSCe0T39; Mon, 1 Jul 2024 14:39:25 -0700 (PDT)
Received: from smtp.akis.at (smtp.akis.at [IPv6:2a02:b18:500:a515::f455]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17386C169430; Mon, 1 Jul 2024 14:39:23 -0700 (PDT)
Received: from poseidon-mailhub.amsuess.com (095129206250.cust.akis.net [95.129.206.250]) by smtp.akis.at (8.17.2/8.17.2) with ESMTPS id 461LdJpC062535 (version=TLSv1.2 cipher=ECDHE-ECDSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 1 Jul 2024 23:39:20 +0200 (CEST) (envelope-from chrysn@fsfe.org)
X-Authentication-Warning: smtp.akis.at: Host 095129206250.cust.akis.net [95.129.206.250] claimed to be poseidon-mailhub.amsuess.com
Received: from poseidon-mailbox.amsuess.com (unknown [IPv6:2a02:b18:c13b:8010:a800:ff:fede:b1bf]) by poseidon-mailhub.amsuess.com (Postfix) with ESMTP id DB8143DB45; Mon, 1 Jul 2024 23:39:18 +0200 (CEST)
Received: from hephaistos.amsuess.com (unknown [IPv6:2a02:b18:c13b:8010:b8f3:68be:587:a349]) by poseidon-mailbox.amsuess.com (Postfix) with ESMTPSA id 9645A3786B; Mon, 1 Jul 2024 23:39:18 +0200 (CEST)
Received: (nullmailer pid 28769 invoked by uid 1000); Mon, 01 Jul 2024 21:39:16 -0000
Date: Mon, 01 Jul 2024 23:39:16 +0200
From: chrysn <chrysn@fsfe.org>
To: core@ietf.org, draft-ietf-core-oscore-groupcomm@ietf.org
Message-ID: <ZoMiBCNr4_OZcqQu@hephaistos.amsuess.com>
References: <167155165139.12883.5074467066117832003@ietfa.amsl.com> <ZDBAZn9uxU6eB9IY@hephaistos.amsuess.com> <ZoMLbTXHh9ub78Q5@hephaistos.amsuess.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="53xDifARaxn+niWf"
Content-Disposition: inline
In-Reply-To: <ZoMLbTXHh9ub78Q5@hephaistos.amsuess.com>
X-Scanned-By: MIMEDefang 2.86
Message-ID-Hash: MQAJZO4LO7JU5OMSGQES5QKO7FV4DWWI
X-Message-ID-Hash: MQAJZO4LO7JU5OMSGQES5QKO7FV4DWWI
X-MailFrom: chrysn@fsfe.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-core.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [core] Re: Review of draft-ietf-core-oscore-groupcomm-17
List-Id: "Constrained RESTful Environments (CoRE) Working Group list" <core.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/zX5DsiXWXnDv3U2Hqs955M8uMCc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Owner: <mailto:core-owner@ietf.org>
List-Post: <mailto:core@ietf.org>
List-Subscribe: <mailto:core-join@ietf.org>
List-Unsubscribe: <mailto:core-leave@ietf.org>
> While there are points which I'm still reviewing in more detail, and > some remarks based on the latest version, what I can start with is a > list of items I found neither changed nor mentioned in a response (or I > missed where that happened). Many of those may easily be fine, just want > to make sure none of that is getting lost: There are three more items on that same list -- these are related to each other and less directly associated to a single section, so I may have missed changes that should have addressed them, but my impression so far is that they could still be relevant (items copied from the original review; those where I have more detailed comments come in the next thread): * 2.5.1.1/2.5.1.2 Reboot and Total Loss, and related "invalid replay window" sections: There are two aspects to replay protection: * Nonce reuse: Can I respond to this message without using an own Partial IV? From this PoV, it's OK to initialize with "valid" in section 2.5.1.1. * Replay detection: Have I never processed this request before? From that PoV, the device is prone to processing requests again that it has processed before, and it'd be advisable to initialize the replay window with "not valid" (triggering the 2.5.1.2 item 2 mechanism). (Message freshness is a third aspect, that's related insofar as that message freshness can be used to infer absence of replays). So after reading 2.5.1.1, it appears we mainly care about nonce reuse (which is absolutely critical), and treat replay protection more sloppily. Treating replay protection sloppily is, in my opinion, often fine depending on the message (I've sketched a bit on that in [3]), but so far that has not been taken up in OSCORE. Inconsistently, when 2.5.1.2 talks of silent servers (which can't do the Echo dance to re-initialize their replay windows), the only option described for a silent server is to wait for a rekeying, whereas it already has all the properties a regular server gains by doing 2.5.1.2 item 1 (retrieve a new security context) implicitly: It will not do nonce-reuse (because it never sends anything), and it will be just as prone to replays as a server that just obtained a new security context. So by the standards of everything else, silent servers could just keep going. (But 6.4 implies that replay protection is just as good as with regular OSCORE, so getting a new security context may *not* be good enough). * 10. Challenge-Response synchronization: I don't think it's a good idea to allow this mechanism when there is no pairwise mode. If the server protects the follow-up request (the one with the Echo) in group mode, even if it sends it to a unicast address, that request could be replayed to any server that already processed the request's original instance. This leads to request being processed twice. The whole section is quite hard to process, as it mixes the topics of initializing a replay window and finding freshness properties. In particular, it speaks of not delivering non-fresh requests requests to the application, when generally freshness is not an absolute term, and can often only be judged by the application that sets the requirements. The large-enough gap mechanism in introduced in this section is weird to me: If, as a server, my concern is that a malicious party is delaying requests to me (say, a sensor sends values every 5 seconds with a max-age of 11 seconds, and the attacker delays messages such that the server receives a single message every 9 seconds), then if anything, a large gap is an indication of *not* being under attack any more -- and is thus a bad criterion. IMO the level of freshness that is implied here is unobtainable without excessive synchronization, at which point it is easier to rekey frequently (thus ensuring that the request is more recent than the last rekeying). The challenge-response mechanism makes sense for recovering a replay window, particularly for reusing the the client's PIVs -- where it is nice to have, but not critical to have (because it's always an option to take an own PIV instead). It makes some sense for avoiding duplicate processing of requests, but whether it's necessary depends on the application semantics (not really needed for idempotent requests). For freshness, I'm not convinced the full screen page of spec text gives any benefits. * A.2 freshness: Unlike for general freshness (difficult, see above), freshness in the sense of the last item of A.2 (ie. ordering of messages) is a good goal. The term freshness is not well defined here. The use for ordering is inconsistent with the term's use in RFC9175 (to which this document doesn't explicitly defer, but whose mechanisms it uses for freshnes), as RFC9175 freshness is a measure of when the message was sent on the recipient's time scale, whereas the message ordering used here is on the sender's time scale. As a note, when implementing Group OSCORE for constrained devices, I would likely not attempt to provide any total order of received messages to the application. For received requests, it will need to suffice that the request is not replayed (ie., that I'll only send every request once to the application). For responses, the two easy behaviors are to "accept responses in any sequence" or to "accept only the latest and discard all other" messages. There might be a third option to allow the application to allocate some counter (so that families of responses could each go through an accept-only-the-latest) filter. Keeping a persistent total order on all messages received for a request is likely not practical without extra allocations in the first place. BR c -- To use raw power is to make yourself infinitely vulnerable to greater powers. -- Bene Gesserit axiom
- [core] I-D Action: draft-ietf-core-oscore-groupco… internet-drafts
- [core] Fwd: I-D Action: draft-ietf-core-oscore-gr… Marco Tiloca
- [core] Review of draft-ietf-core-oscore-groupcomm… Christian Amsüss
- [core] Re: Review of draft-ietf-core-oscore-group… Christian Amsüss
- [core] Re: Review of draft-ietf-core-oscore-group… chrysn
- [core] Re: Review of draft-ietf-core-oscore-group… Marco Tiloca
- [core] Re: Review of draft-ietf-core-oscore-group… Marco Tiloca