[core] Re: Review of draft-ietf-core-oscore-groupcomm-17

chrysn <chrysn@fsfe.org> Mon, 01 July 2024 21:39 UTC

Return-Path: <chrysn@fsfe.org>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9B4CC180B41; Mon, 1 Jul 2024 14:39:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.607
X-Spam-Level:
X-Spam-Status: No, score=-2.607 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_FAIL=0.001, SPF_HELO_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MMkMmSCe0T39; Mon, 1 Jul 2024 14:39:25 -0700 (PDT)
Received: from smtp.akis.at (smtp.akis.at [IPv6:2a02:b18:500:a515::f455]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17386C169430; Mon, 1 Jul 2024 14:39:23 -0700 (PDT)
Received: from poseidon-mailhub.amsuess.com (095129206250.cust.akis.net [95.129.206.250]) by smtp.akis.at (8.17.2/8.17.2) with ESMTPS id 461LdJpC062535 (version=TLSv1.2 cipher=ECDHE-ECDSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 1 Jul 2024 23:39:20 +0200 (CEST) (envelope-from chrysn@fsfe.org)
X-Authentication-Warning: smtp.akis.at: Host 095129206250.cust.akis.net [95.129.206.250] claimed to be poseidon-mailhub.amsuess.com
Received: from poseidon-mailbox.amsuess.com (unknown [IPv6:2a02:b18:c13b:8010:a800:ff:fede:b1bf]) by poseidon-mailhub.amsuess.com (Postfix) with ESMTP id DB8143DB45; Mon, 1 Jul 2024 23:39:18 +0200 (CEST)
Received: from hephaistos.amsuess.com (unknown [IPv6:2a02:b18:c13b:8010:b8f3:68be:587:a349]) by poseidon-mailbox.amsuess.com (Postfix) with ESMTPSA id 9645A3786B; Mon, 1 Jul 2024 23:39:18 +0200 (CEST)
Received: (nullmailer pid 28769 invoked by uid 1000); Mon, 01 Jul 2024 21:39:16 -0000
Date: Mon, 01 Jul 2024 23:39:16 +0200
From: chrysn <chrysn@fsfe.org>
To: core@ietf.org, draft-ietf-core-oscore-groupcomm@ietf.org
Message-ID: <ZoMiBCNr4_OZcqQu@hephaistos.amsuess.com>
References: <167155165139.12883.5074467066117832003@ietfa.amsl.com> <ZDBAZn9uxU6eB9IY@hephaistos.amsuess.com> <ZoMLbTXHh9ub78Q5@hephaistos.amsuess.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="53xDifARaxn+niWf"
Content-Disposition: inline
In-Reply-To: <ZoMLbTXHh9ub78Q5@hephaistos.amsuess.com>
X-Scanned-By: MIMEDefang 2.86
Message-ID-Hash: MQAJZO4LO7JU5OMSGQES5QKO7FV4DWWI
X-Message-ID-Hash: MQAJZO4LO7JU5OMSGQES5QKO7FV4DWWI
X-MailFrom: chrysn@fsfe.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-core.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [core] Re: Review of draft-ietf-core-oscore-groupcomm-17
List-Id: "Constrained RESTful Environments (CoRE) Working Group list" <core.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/zX5DsiXWXnDv3U2Hqs955M8uMCc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Owner: <mailto:core-owner@ietf.org>
List-Post: <mailto:core@ietf.org>
List-Subscribe: <mailto:core-join@ietf.org>
List-Unsubscribe: <mailto:core-leave@ietf.org>

> While there are points which I'm still reviewing in more detail, and
> some remarks based on the latest version, what I can start with is a
> list of items I found neither changed nor mentioned in a response (or I
> missed where that happened). Many of those may easily be fine, just want
> to make sure none of that is getting lost:

There are three more items on that same list -- these are related to
each other and less directly associated to a single section, so I may
have missed changes that should have addressed them, but my impression
so far is that they could still be relevant (items copied from the
original review; those where I have more detailed comments come in the
next thread):

* 2.5.1.1/2.5.1.2 Reboot and Total Loss, and related "invalid replay
  window" sections:

  There are two aspects to replay protection:

  * Nonce reuse: Can I respond to this message without using an own
    Partial IV? From this PoV, it's OK to initialize with "valid" in
    section 2.5.1.1.

  * Replay detection: Have I never processed this request before? From
    that PoV, the device is prone to processing requests again that it
    has processed before, and it'd be advisable to initialize the replay
    window with "not valid" (triggering the 2.5.1.2 item 2 mechanism).

  (Message freshness is a third aspect, that's related insofar as that
  message freshness can be used to infer absence of replays).

  So after reading 2.5.1.1, it appears we mainly care about nonce reuse
  (which is absolutely critical), and treat replay protection more
  sloppily. Treating replay protection sloppily is, in my opinion, often
  fine depending on the message (I've sketched a bit on that in [3]),
  but so far that has not been taken up in OSCORE.

  Inconsistently, when 2.5.1.2 talks of silent servers (which can't do
  the Echo dance to re-initialize their replay windows), the only option
  described for a silent server is to wait for a rekeying, whereas it
  already has all the properties a regular server gains by doing 2.5.1.2
  item 1 (retrieve a new security context) implicitly: It will not do
  nonce-reuse (because it never sends anything), and it will be just as
  prone to replays as a server that just obtained a new security
  context. So by the standards of everything else, silent servers could
  just keep going. (But 6.4 implies that replay protection is just as
  good as with regular OSCORE, so getting a new security context may
  *not* be good enough).

* 10. Challenge-Response synchronization: I don't think it's a good idea
  to allow this mechanism when there is no pairwise mode. If the server
  protects the follow-up request (the one with the Echo) in group mode,
  even if it sends it to a unicast address, that request could be
  replayed to any server that already processed the request's original
  instance. This leads to request being processed twice.

  The whole section is quite hard to process, as it mixes the topics of
  initializing a replay window and finding freshness properties. In
  particular, it speaks of not delivering non-fresh requests requests to
  the application, when generally freshness is not an absolute term, and
  can often only be judged by the application that sets the
  requirements. The large-enough gap mechanism in introduced in this
  section is weird to me:

  If, as a server, my concern is that a malicious party is delaying
  requests to me (say, a sensor sends values every 5 seconds with a
  max-age of 11 seconds, and the attacker delays messages such that the
  server receives a single message every 9 seconds), then if anything, a
  large gap is an indication of *not* being under attack any more -- and
  is thus a bad criterion. IMO the level of freshness that is implied
  here is unobtainable without excessive synchronization, at which point
  it is easier to rekey frequently (thus ensuring that the request is
  more recent than the last rekeying).

  The challenge-response mechanism makes sense for recovering a replay
  window, particularly for reusing the the client's PIVs -- where it is
  nice to have, but not critical to have (because it's always an option
  to take an own PIV instead). It makes some sense for avoiding
  duplicate processing of requests, but whether it's necessary depends
  on the application semantics (not really needed for idempotent
  requests). For freshness, I'm not convinced the full screen page of
  spec text gives any benefits.

* A.2 freshness: Unlike for general freshness (difficult, see above),
  freshness in the sense of the last item of A.2 (ie. ordering of
  messages) is a good goal.

  The term freshness is not well defined here. The use for ordering is
  inconsistent with the term's use in RFC9175 (to which this document
  doesn't explicitly defer, but whose mechanisms it uses for freshnes),
  as RFC9175 freshness is a measure of when the message was sent on the
  recipient's time scale, whereas the message ordering used here is on
  the sender's time scale.

  As a note, when implementing Group OSCORE for constrained devices, I
  would likely not attempt to provide any total order of received
  messages to the application. For received requests, it will need to
  suffice that the request is not replayed (ie., that I'll only send
  every request once to the application). For responses, the two easy
  behaviors are to "accept responses in any sequence" or to "accept only
  the latest and discard all other" messages. There might be a third
  option to allow the application to allocate some counter (so that
  families of responses could each go through an accept-only-the-latest)
  filter. Keeping a persistent total order on all messages received for
  a request is likely not practical without extra allocations in the
  first place.


BR
c

-- 
To use raw power is to make yourself infinitely vulnerable to greater powers.
  -- Bene Gesserit axiom