IETF Logo Mail Archive

Re: [Dots] Using Early Data in DOTS (RE: AD review of draft-ietf-dots-signal-channel)

Benjamin Kaduk <kaduk@mit.edu> Wed, 27 February 2019 15:57 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A54CC130FF4; Wed, 27 Feb 2019 07:57:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=mit.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VNVrU780cX0r; Wed, 27 Feb 2019 07:57:38 -0800 (PST)
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (mail-eopbgr810095.outbound.protection.outlook.com [40.107.81.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEB2C1200B3; Wed, 27 Feb 2019 07:57:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4IDaIC6Otb+A7CG3i2d1ijt07xcu5MinnOSAx0mUQw4=; b=onkxylS7/4UD/mTnuixYSLs8WTPorvEcptGNCDOxw/iNH8gKCRLqi45rTys+MAmc8g5/m1VjKphHgv6on/CZtgZkG0xiGaTmB5Bzsxvxx2ip4WWcfH8VP3bQp6PF66gBteVF6hyUW87pwTPd8rDzP/tLmuxPX8M3SBoKTeIwQrg=
Received: from BYAPR01CA0066.prod.exchangelabs.com (2603:10b6:a03:94::43) by DM6PR01MB3995.prod.exchangelabs.com (2603:10b6:5:92::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1665.15; Wed, 27 Feb 2019 15:57:35 +0000
Received: from DM3NAM03FT021.eop-NAM03.prod.protection.outlook.com (2a01:111:f400:7e49::200) by BYAPR01CA0066.outlook.office365.com (2603:10b6:a03:94::43) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1665.15 via Frontend Transport; Wed, 27 Feb 2019 15:57:34 +0000
Authentication-Results: spf=pass (sender IP is 18.9.28.11) smtp.mailfrom=mit.edu; ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=bestguesspass action=none header.from=mit.edu;
Received-SPF: Pass (protection.outlook.com: domain of mit.edu designates 18.9.28.11 as permitted sender) receiver=protection.outlook.com; client-ip=18.9.28.11; helo=outgoing.mit.edu;
Received: from outgoing.mit.edu (18.9.28.11) by DM3NAM03FT021.mail.protection.outlook.com (10.152.82.187) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1643.13 via Frontend Transport; Wed, 27 Feb 2019 15:57:34 +0000
Received: from kduck.mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x1RFvUJ5005026 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 27 Feb 2019 10:57:32 -0500
Date: Wed, 27 Feb 2019 09:57:30 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: mohamed.boucadair@orange.com
CC: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@mcafee.com>, "draft-ietf-dots-signal-channel@ietf.org" <draft-ietf-dots-signal-channel@ietf.org>, "dots@ietf.org" <dots@ietf.org>
Message-ID: <20190227155729.GL53396@kduck.mit.edu>
References: <787AE7BB302AE849A7480A190F8B93302EA0EC85@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <787AE7BB302AE849A7480A190F8B93302EA20112@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <20190215150458.GV56447@kduck.mit.edu> <787AE7BB302AE849A7480A190F8B93302EA20406@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <20190218162322.GI24387@kduck.mit.edu> <787AE7BB302AE849A7480A190F8B93302EA21AC0@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302EA21AC0@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:18.9.28.11; IPV:CAL; SCL:-1; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10019020)(376002)(39860400002)(396003)(346002)(136003)(2980300002)(51444003)(189003)(199004)(54906003)(23756003)(2351001)(229853002)(106002)(6246003)(6916009)(106466001)(33656002)(356004)(36906005)(104016004)(2870700001)(88552002)(53416004)(7696005)(76176011)(305945005)(316002)(58126008)(2906002)(786003)(14444005)(30864003)(26826003)(186003)(26005)(8676002)(966005)(8936002)(126002)(486006)(956004)(476003)(5660300002)(47776003)(11346002)(478600001)(50466002)(426003)(446003)(336012)(4326008)(86362001)(55016002)(6306002)(66574012)(246002)(75432002)(93886005)(1076003)(18370500001); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR01MB3995; H:outgoing.mit.edu; FPR:; SPF:Pass; LANG:en; PTR:outgoing-auth-1.mit.edu; MX:1; A:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: b24668bd-b941-43bb-4ba0-08d69ccc49d7
X-Microsoft-Antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(4608103)(4709054)(2017052603328)(7153060); SRVR:DM6PR01MB3995;
X-MS-TrafficTypeDiagnostic: DM6PR01MB3995:
X-MS-Exchange-PUrlCount: 2
X-Microsoft-Exchange-Diagnostics: 1; DM6PR01MB3995; 20:NcIpUkBCaIOVakzICkO6kUi+11JNM0CwilaO5H+trZfrQhvPzGxDcpGk/gluCCcLy0x9iS9u5ZIEh8JNMFM4UG2+UTsVh0GrUWyKcVPd0Qp30a0LJtfby/XftLra4FUi5qg/LM0GHvOS+wEpXED1moQgU5Ixp5g4Ug0broPXd4iSnlHPbtGOXrMqOfZ94MtNHVARXjelKdzf26tljb8WDWEfYjV55SAa2rQAd8vVfgUeoI5H0mfu5Qt1BjmxqmATMntMOpc6h4qt0/WWyVo5jDqWDJX0cV0bcsDufZZzryJUDrRj3tx3+wCekK9myDNF9ZACYL5YJPAuYuSsKVtLddI136lKXAHtYa/kXMTEiPxxKpjfmw/vf94i9GJyIAPSN86aB7FfXH8tVMK3HWGNJPhLbW2DuAuGVkHTvvld/DV7P3wC61FztSe3c7PBGiM2qGuR9X2Qj8EMTkbN/0G1kVkkpoRd6Iw+TEdt7Hlv+lynursdTF1gCeqCo9hNqd/BCk7yJW8oFxhASzO2QNxtyTSQYyCxhw4zadvwNiRItgdMOX4jf6PxxyXrMaKJiTwK29p/GT75jkhgkqE86J6YjkCsi75pq6MRlYvsZaWVLwg=
X-Microsoft-Antispam-PRVS: <DM6PR01MB39955A1561F84E3D3E5C15CFA0740@DM6PR01MB3995.prod.exchangelabs.com>
X-Forefront-PRVS: 0961DF5286
X-Microsoft-Exchange-Diagnostics: 1; DM6PR01MB3995; 23:dCJGIECWoPGkjwqg76GSE6TwDyb4a/FO472cRfFgPskua9tfGjRyAlBHNeKEqelwv9r2wTGv/D4ULSaEuQc5CdDEXgnW5Y7wab2ViwmxjQDQJFSigYGymnCr3LHiyCiePLovGpjWCcVxMi3BIQF2lsaE7kJX8Zxz46Ku3wXYoiWYjE8E0AJnONyZT3pzsCw19Vh72o5RWtDRIKdkjqaC9F2YI7yQn7en2hhbrEktMPDkvh43RmK/h8RUqrLrBggmE4OpqSsw7L2qq00fndRRx9OHO6HeXzv7G+G6lb6uIaROWwiqgwn0EbFcIWWH/Krm2bhvWmoFOZDZ4Av2278JDI6PqqXReQ/hkUFMWS8qiVK2j37WKHpf2jpXO4GpQwuCk7EDNaLin3aXB56cenLIbfwTwiXMTcovkE8Kj8fOltCAwUZnLA4nyT5bzZe+Nzx8VxnNyQzVhk63QUJCUPafGF+wDzk4lhZh52BLJt3wZFQ/4MCEHnTS48jUBNzWBJlhNQWEdTyqyIUAU/GicZITwGtVbwYWuAYWQXauU00YtduVbTn6TuNI+Y72Pfk7kH2FlFDhMbLr/MHJlRQ56IsAXA2gpNO+ls7fFxhECig+pvwsgXcADLF3jYPx5fZngbCQlcp/a7pv3NS0kUjmFm1qldMA+71X3z0Sog6J9WzIgq2Eg6XbGvWsYQu97AFwJY7GuuEtVMA9nkyxsIyZLmF+9CMB4lDuxFmPc7E8H2nfvBwwpogikx0h65BNvDc4PLVtnOJF9ouBBcFapOjQ9N4UfIu94uuXhFmWRZJmOYZbAeVghOODt1zxITrYc1YIoweogIzLVEwahzlvMxSiiTWNMt2q6b/jWKtwpplMnnhIJGr2/j9XURtfNWUGc0WSRXGTh6siYehM/7Zt+MPvIsS0TS3Y+8uKHWIuJBCMTrP0mFM/9S5o4hyHcSCrMA5BEq4VRVLdEkQu3fpY4U/Ie8rFe9/9kfq9ByDPUZA8rE9LJZ8Hi+Ezbin8NKNAADUNY1jGE9tRgSOwZeAD+q63x56fxdHYEtXhLXUI/oe+g3km6LqPet9rZiSOVbQupxed2avPvhMJB0+mnbtuTkn58CssKdlBiSEBMADkVQ1/NuD9yifQ5V4uz3YRiC/ZFwvtbt0ZN8z0BSupn8T2jzZE4Zso5Jjq0lw2MeXasSBoTWpY+JaLwvBADGfkRkl67+L9wfl7JnFc8PVgVWCEuN9AFHEqbcO2Fy1U/i/0isq4Fy5g6B+iT+aUuAoNYjEOw80GE13q3gfC7FtveDm1tXMc5NQ73+IxXy0fSbQMJP5QY/9FdWCvBXxc65I0J5UTKm+9ZQ78
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Message-Info: Vph+H1nVvBwH7UL+IzVgVRQ1aPGpmE8mtGZmyCl67yhHkJblY0JJGi2IQ5pHPwPIbhb3ir5TJq6w+bMxwNUULgIX+/a+s12VTZRQcEQrDeji5MQRY/SNT3Fan3DHg2/7QqTpoKfsLIIra5P2zaoXdqJxLrX2ygZlsEqc18NPZ0fngC91E8UOfC2fDdYutrS60p29DOABGwB2PC4sgSMaeBSpUW8r7A9UPMqLUcgSiMXxuk7TCR8Y2cQtdJDrLSHncpf9EadOGCo77lBLw2dPFwrCxci/kO+CtdeC3cUqWltBaR1J/KNTZz4WOwRj7WBsCekmMmRT5jXXZgPh8FJurFauf03vI8hkUOSTHPJedcNINmY/uGJRSSQX0OgiXAOJYCNSvVHkW79X5xuUp8sY3irxRttY3ZEPN9yw97709zI=
X-OriginatorOrg: mit.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 27 Feb 2019 15:57:34.0557 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: b24668bd-b941-43bb-4ba0-08d69ccc49d7
X-MS-Exchange-CrossTenant-Id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=64afd9ba-0ecf-4acf-bc36-935f6235ba8b; Ip=[18.9.28.11]; Helo=[outgoing.mit.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR01MB3995
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/cjSLgoC4sJ557IEi3WHT7GYhMV0>
Subject: Re: [Dots] Using Early Data in DOTS (RE: AD review of draft-ietf-dots-signal-channel)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2019 15:57:42 -0000

On Tue, Feb 19, 2019 at 07:59:29AM +0000, mohamed.boucadair@orange.com wrote:
> Hi Ben, 
> 
> Please see inline. 

Okay.  BTW, it is looking like this is the last topic to resolve before
starting IETF LC.  It's probably worth s/the exponent is 2/the base of the
exponent is 2/ in the next rev, though, just as a minor nit-fix.

> 
> > -----Message d'origine-----
> > De : Benjamin Kaduk [mailto:kaduk@mit.edu]
> > Envoyé : lundi 18 février 2019 17:23
> > À : BOUCADAIR Mohamed TGI/OLN
> > Cc : Konda, Tirumaleswar Reddy; draft-ietf-dots-signal-channel@ietf.org;
> > dots@ietf.org
> > Objet : Re: Using Early Data in DOTS (RE: [Dots] AD review of draft-ietf-
> > dots-signal-channel)
> > 
> > On Fri, Feb 15, 2019 at 03:36:05PM +0000, mohamed.boucadair@orange.com wrote:
> > > Re-,
> > >
> > > Looking forward to discuss this further.
> > >
> > > I wonder whether you can consider putting the document in the IETF LC for
> > now. If it happen that we need to modify the 0-RTT text, we will handle it as
> > other IETF LC comments.
> > 
> > I would normally be pretty amenable to starting IETF LC and continuing
> > discussion; it's just for this issue in particular that I seem to be the
> > main person on the IESG that enforces the "application profile for 0-RTT
> > data" requirement, so it would feel rather odd to go forward in this case.
> 
> [Med] Fair enough. 
> 
> > Luckily, I spent some time this weekend reading RFC 7252 and have some
> > substantive comments.
> > 
> > The key oberservation here seems to be that the Message ID is scoped per
> > endpoint, and replays can come from arbitrary addresses.
> > 
> > Specifically, we recall that:
> > 
> >    The DOTS signal channel is layered on existing standards (Figure 3).
> > 
> >                           +---------------------+
> >                           | DOTS Signal Channel |
> >                           +---------------------+
> >                           |         CoAP        |
> >                           +----------+----------+
> >                           |   TLS    |   DTLS   |
> >                           +----------+----------+
> >                           |   TCP    |   UDP    |
> >                           +----------+----------+
> >                           |          IP         |
> >                           +---------------------+
> > 
> > We note that CoAP is using the IP address or "DTLS session" (arguably a
> > poorly chosen term) to identify a CoAP association and that Message IDs are
> > only used within the scope of such an association, it seems pretty clear
> > that an attacker able to replay TLS 1.3 0-RTT data will slice off the top
> > three lines of this figure and swap out the TCP/UDP/IP layers.  In the
> > absence of DTLS connection IDs, my understanding is that the "DTLS session"
> > is identified solely by the transport connection, just as for coap-not-s,
> > so by spoofing the source address, the attacker causes the replayed 0-RTT
> > data (and thus, CoAP request) to be interpreted as a new incoming coaps
> > connection.
> > 
> > Given that Message ID is only 16 bits and the servers accepting 0-RTT data
> > have potential to be quite busy, it does not seem workable to attempt to
> > use the incoming Message IDs as globally unique replay defense, as the risk
> > of collision would be pretty large.
> 
> [Med] The replay detection relies on both Message ID and Token.

In stock CoAP, the Message ID and Token are used only with the context of a
specific transport association.  In order to use them for (D)TLS 1.3 replay
defense, we need to expand that context to a broader scope, and direct the
server to check the Message ID/Token globally (or at least within the scope
of a given 'cuid'/'cdid').  Since this would reflect a divergence from
normal CoAP, if we are going to rely on this sort of behavior, we must call
it out very loudly as specific to DOTS.

> > 
> > So I think that the 'mid' monotonicity and the rejection of conflicting
> > request scopes are the main mitigating factors against replay in the
> > current design (alongside the RFC 8446 mechanisms, of course), and the text
> > should be adjusted to reflect that.
> 
> [Med] We do already have the following in the draft:
> 
>       The DOTS server(s) can use Message ID and
>       Token in the DOTS signal channel message to detect replay of early
>       data, and accept 0-RTT data at most once.  Furthermore, 'mid'
>                                                  ^^^^^^^^^^^^^^^^^^
>       value is monotonically increased by the DOTS client for each
>       mitigation request, attackers replaying mitigation requests with
>       lower numeric 'mid' values and overlapping scopes with mitigation
>       requests having higher numeric 'mid' values will be rejected
>       systematically by the DOTS server.

Sorry for being unclear in my comment. I was intending to emphasize that
'mid' and scope are the *only* measures that actually mitigate against
0-RTT replay, and that we are wrong to have text that indicates anything
else is an effective anti-replay mechanism, at least given the present
design.  So I was trying to ask for the text about Message ID and Token to
be removed.  (Our subsequent discussion indicates that it would maybe also
work to expand on it instead of remove it, noting that DOTS is requiring
additional behavior not mandated by the CoAP spec.)

> > 
> > It seems that the 'mid' ordering is probably enough to protect
> > reordering/replay of mitigiation request and withdraw, even when reordered
> > across other mitigation actions.  But I am more concerned about
> > reordering/replay of other messages, like efficacy updates and session
> > configuration changes.
> 
> [Med] For the configuration changes, I don't expect the exchange to happen during an attack. The part of the text we are discussing is about mitigation requests. 
> 
>    o  0-RTT mode in which the DOTS client can authenticate itself and
>       send DOTS mitigation request messages in the first message, thus
>       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>       reducing handshake latency.

If we don't expect to do anything other than mitigation requests in 0-RTT,
then why don't we just limit the messages allowed in 0-RTT data to be such
mitigation request messages (and explicitly exclude session configuration)?
I am not going to insist on it, but that does seem like the simplest way
to resolve the question, at least from over here.

> Putting that aside, we do have the following: 
> 
>    The PUT request with a higher numeric 'sid' value overrides the DOTS
>    signal channel session configuration data installed by a PUT request
>    with a lower numeric 'sid' value.  To avoid maintaining a long list
>    of 'sid' requests from a DOTS client, the lower numeric 'sid' MUST be
>    automatically deleted and no longer available at the DOTS server.
> 
> Any replayed configuration change request will be discarded owing to the 'sid' checks. 

That does help, yes.  (I'm not sure whether I had confused myself that the
sid was for the abstract "DOTS session" that is roughly akin to the DTLS
association, or this was added in response to some of my earlier comments
and I failed to internalize it properly.  It shows up as new in the diff
from -25 to -29 that I'm looking at in preparation for starting IETF LC.)

> > 
> > Consider
> > 
> > client                   attacker                    server
> > |
> > |----efficacy: attack mitigated--------------------->|
> > |                                                    |
> > |----efficacy: under attack------------------------->|
> > |                                                    |
> > |                        |-replay: attack mitigated->|
> > 
> > Is the server going to end up with the expected state?
> 
> [Med] A general comment: The dots server uses the information conveyed in the efficacy update as a hint; it may but it is not required to rely on those requests to adjust its mitigation actions. 
> 
> If the two first status messages are bound to distinct "mids" and adjusted scopes, the replayed request will be discarded by the server thanks to the presence of If-Match option. The server does not maintain the request with the old mid.  
> 
> If, for some reason, the same mid is used and this flow is observed, the server will detect that the same Message ID and Token are reused again and then reject.  

Not if the replay comes from a different transport endpoint!  (But let's
keep this topic at the discussion above, as it's the same topic.)

-Ben

> > 
> > -Ben
> > 
> > 
> > >
> > > > -----Message d'origine-----
> > > > De : Benjamin Kaduk [mailto:kaduk@mit.edu]
> > > > Envoyé : vendredi 15 février 2019 16:05
> > > > À : BOUCADAIR Mohamed TGI/OLN
> > > > Cc : Konda, Tirumaleswar Reddy; draft-ietf-dots-signal-channel@ietf.org;
> > > > dots@ietf.org
> > > > Objet : Re: Using Early Data in DOTS (RE: [Dots] AD review of draft-ietf-
> > > > dots-signal-channel)
> > > >
> > > > Hi Med,
> > > >
> > > > Short form: I need to think about it harder.  There's some indication
> > that
> > > > the CoAp Message ID is at the wrong level to protect the 0-RTT data, but
> > > > I'm not sure yet.
> > > >
> > > > Sorry for the delays; this has been a frenetic couple weeks :(
> > > >
> > > > -Ben
> > > >
> > > > On Fri, Feb 15, 2019 at 03:01:29PM +0000, mohamed.boucadair@orange.com
> > wrote:
> > > > > Hi Ben,
> > > > >
> > > > > What is the status for this one? Are we OK to move forward?
> > > > >
> > > > > Thank you.
> > > > >
> > > > > Cheers,
> > > > > Med
> > > > >
> > > > > > -----Message d'origine-----
> > > > > > De : mohamed.boucadair@orange.com
> > [mailto:mohamed.boucadair@orange.com]
> > > > > > Envoyé : mardi 29 janvier 2019 14:32
> > > > > > À : Benjamin Kaduk
> > > > > > Cc : Konda, Tirumaleswar Reddy; draft-ietf-dots-signal-
> > channel@ietf.org;
> > > > > > dots@ietf.org
> > > > > > Objet : Using Early Data in DOTS (RE: [Dots] AD review of draft-ietf-
> > > > dots-
> > > > > > signal-channel)
> > > > > >
> > > > > > Hi Ben, all,
> > > > > >
> > > > > > We edited a short draft (https://tools.ietf.org/html/draft-boucadair-
> > > > dots-
> > > > > > earlydata-00) to motivate the following text included in the signal
> > > > channel
> > > > > > draft:
> > > > > >
> > > > > >       Section 8 of [RFC8446] discusses some mechanisms to implement
> > to
> > > > > >       limit the impact of replay attacks on 0-RTT data.  If the DOTS
> > > > > >       server accepts 0-RTT, it MUST implement one of these
> > mechanisms.
> > > > > >       A DOTS server can reject 0-RTT by sending a TLS
> > HelloRetryRequest.
> > > > > >       The DOTS signal channel messages sent as early data by the DOTS
> > > > > >       client are idempotent requests.  As a reminder, Message ID
> > > > > >       (Section 3 of [RFC7252]) is changed each time a new CoAP
> > request
> > > > > >       is sent, and the Token (Section 5.3.1 of [RFC7252]) is
> > randomized
> > > > > >       in each CoAP request.  The DOTS server(s) can use Message ID
> > and
> > > > > >       Token in the DOTS signal channel message to detect replay of
> > early
> > > > > >       data, and accept 0-RTT data at most once.  Furthermore, 'mid'
> > > > > >       value is monotonically increased by the DOTS client for each
> > > > > >       mitigation request, attackers replaying mitigation requests
> > with
> > > > > >       lower numeric 'mid' values and overlapping scopes with
> > mitigation
> > > > > >       requests having higher numeric 'mid' values will be rejected
> > > > > >       systematically by the DOTS server.
> > > > > >
> > > > > >       Owing to the aforementioned protections, especially those
> > afforded
> > > > > >       by CoAP deduplication (Section 4.5 of [RFC7252]) and RFC 8446
> > > > > >       anti-replay mechanisms, all DOTS signal channel requests are
> > safe
> > > > > >       to transmit in TLS 1.3 as early data.  Refer to
> > > > > >       [I-D.boucadair-dots-earlydata] for more details.
> > > > > >
> > > > > > This text and also the Designated Expert guidelines are implemented
> > in -
> > > > 28.
> > > > > > These are the two pending issues from your AD review.
> > > > > >
> > > > > > Other edits were also made to record what was agreed on the list.
> > > > > >
> > > > > > We hope this version is now ready to move forward.
> > > > > >
> > > > > > Cheers,
> > > > > > Med
> > > > > >
> > > > > > > > > > > Regarding the (D)TLS 1.3 0-RTT data, RFC 8446 notes that
> > > > > > "Application
> > > > > > > > > > > protocols MUST NOT use 0-RTT data without a profile that
> > > > defines
> > > > > > its
> > > > > > > > use.
> > > > > > > > > > > That profile needs to identify which messages or
> > interactions
> > > > are
> > > > > > > safe
> > > > > > > > to
> > > > > > > > > > use
> > > > > > > > > > > with 0-RTT and how to handle the situation when the server
> > > > rejects
> > > > > > 0-
> > > > > > > > RTT
> > > > > > > > > > and
> > > > > > > > > > > falls back to 1-RTT."  So we either need to say which
> > client
> > > > > > requests
> > > > > > > > are
> > > > > > > > > > 0-RTT
> > > > > > > > > > > safe (and why) or defer that profile to another document.
> > > > draft-
> > > > > > > ietf-
> > > > > > > > > > dnsop-
> > > > > > > > > > > session-signal is perhaps an example of a document that
> > > > specifies
> > > > > > > which
> > > > > > > > > > > messages are/aren't allowed in early data.
> > > > > > > > > > > (draft-ietf-acme-acme is another, but an uninteresting one,
> > > > since
> > > > > > > they
> > > > > > > > make
> > > > > > > > > > > every request include a single-use nonce, and all messages
> > are
> > > > 0-
> > > > > > RTT
> > > > > > > > safe.)
> > > > > > > > > > > Our use of increasing 'mid' values may help here, in terms
> > of
> > > > > > > allowing
> > > > > > > > > > DELETEs
> > > > > > > > > > > to be safe, but I'd have to think a little more to be sure
> > that
> > > > > > > > requesting
> > > > > > > > > > > mitigation would be safe.  (On first glance the session-
> > > > managemnet
> > > > > > > bits
> > > > > > > > > > would
> > > > > > > > > > > not be safe, but I may be missing something.)
> > > > > > > > > >
> > > > > > > > > > The draft only uses idempotent requests (GET, PUT and
> > DELETE),
> > > > and
> > > > > > CoAP
> > > > > > > > is
> > > > > > > > > > capable of detecting message duplication (see
> > > > > > > > > > https://tools.ietf.org/html/rfc7252#section-4.5) for both
> > > > confirmable
> > > > > > > and
> > > > > > > > > > non-confirmable messages.
> > > > > > > > > >  [1] An attacker replaying DELETE will not have any adverse
> > > > impact,
> > > > > > > 2.02
> > > > > > > > > > (Deleted) Response Code is returned even if the mitigation
> > > > request
> > > > > > does
> > > > > > > > not
> > > > > > > > > > exist.
> > > > > > > > > > [2] The techniques discussed in Section 8 of RFC8446 should
> > > > suffice
> > > > > > to
> > > > > > > > handle
> > > > > > > > > > anti-replay (e.g. an attacker replaying a 0-RTT data carrying
> > an
> > > > old
> > > > > > > > > > mitigation request replaced by a new mitigation scope).
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > > [Med] FWIW, we do already have this text in the draft:
> > > > > > > > >
> > > > > > > > >       Section 8 of [RFC8446] discusses some mechanisms to
> > implement
> > > > to
> > > > > > > > >       limit the impact of replay attacks on 0-RTT data.  If the
> > > > DOTS
> > > > > > > > >       server accepts 0-RTT, it MUST implement one of these
> > > > mechanisms

v2.23.0 | Report a Bug | By Email