Re: [Dots] Using Early Data in DOTS (RE: AD review of draft-ietf-dots-signal-channel)
<mohamed.boucadair@orange.com> Tue, 05 March 2019 12:16 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22F5212867A for <dots@ietfa.amsl.com>; Tue, 5 Mar 2019 04:16:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tzzUFKtnfKJx for <dots@ietfa.amsl.com>; Tue, 5 Mar 2019 04:15:57 -0800 (PST)
Received: from orange.com (mta134.mail.business.static.orange.com [80.12.70.34]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEDCA1310BD for <dots@ietf.org>; Tue, 5 Mar 2019 04:15:56 -0800 (PST)
Received: from opfednr00.francetelecom.fr (unknown [xx.xx.xx.64]) by opfednr26.francetelecom.fr (ESMTP service) with ESMTP id 44DG7t3Qm1z10bT; Tue, 5 Mar 2019 13:15:54 +0100 (CET)
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.70]) by opfednr00.francetelecom.fr (ESMTP service) with ESMTP id 44DG7t2XsGzDq7W; Tue, 5 Mar 2019 13:15:54 +0100 (CET)
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBM33.corporate.adroot.infra.ftgroup ([fe80::c911:d24e:cc19:afa7%21]) with mapi id 14.03.0435.000; Tue, 5 Mar 2019 13:15:54 +0100
From: mohamed.boucadair@orange.com
To: Benjamin Kaduk <kaduk@mit.edu>
CC: "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] Using Early Data in DOTS (RE: AD review of draft-ietf-dots-signal-channel)
Thread-Index: AQHU0qRq9ZQe+5ghxkum2rMyhw9TyaX89K7Q
Date: Tue, 05 Mar 2019 12:15:53 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302EA288FA@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <787AE7BB302AE849A7480A190F8B93302EA20112@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <20190215150458.GV56447@kduck.mit.edu> <787AE7BB302AE849A7480A190F8B93302EA20406@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <20190218162322.GI24387@kduck.mit.edu> <787AE7BB302AE849A7480A190F8B93302EA21AC0@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <20190227155729.GL53396@kduck.mit.edu> <787AE7BB302AE849A7480A190F8B93302EA2680B@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB2790C6F98C259154C2AC200AEA750@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA26AD5@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <BYAPR16MB279020EAC0BD03A67B6BE253EA710@BYAPR16MB2790.namprd16.prod.outlook.com> <20190304160438.GA31937@kduck.mit.edu>
In-Reply-To: <20190304160438.GA31937@kduck.mit.edu>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.247]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/pwV27Jp-toSKStkuShfI37tlF8Q>
Subject: Re: [Dots] Using Early Data in DOTS (RE: AD review of draft-ietf-dots-signal-channel)
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2019 12:16:01 -0000
Hi Ben, The new version is available online: https://tools.ietf.org/html/draft-ietf-dots-signal-channel-30 Cheers, Med > -----Message d'origine----- > De : Benjamin Kaduk [mailto:kaduk@mit.edu] > Envoyé : lundi 4 mars 2019 17:05 > À : Konda, Tirumaleswar Reddy > Cc : BOUCADAIR Mohamed TGI/OLN; draft-ietf-dots-signal-channel@ietf.org; > dots@ietf.org > Objet : Re: [Dots] Using Early Data in DOTS (RE: AD review of draft-ietf- > dots-signal-channel) > > Please go ahead and publish -- this is good enough for me to be willing to > start the IETF LC, though we will probably tweak it a bit more still. > (I'd like to keep the data channel and signal channel docs together through > IETF LC and IESG evaluation to the extent possible.) > > -Ben > > On Mon, Mar 04, 2019 at 04:01:47PM +0000, Konda, Tirumaleswar Reddy wrote: > > Updated text looks good to me. > > @Ben - Please let us know if the proposed update addresses your comments, > we would like to publish the changes. > > > > Cheers, > > -Tiru > > > > > -----Original Message----- > > > From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com> > > > Sent: Thursday, February 28, 2019 6:39 PM > > > To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; > > > Benjamin Kaduk <kaduk@mit.edu> > > > Cc: draft-ietf-dots-signal-channel@ietf.org; dots@ietf.org > > > Subject: RE: [Dots] Using Early Data in DOTS (RE: AD review of draft- > ietf-dots- > > > signal-channel) > > > > > > This email originated from outside of the organization. Do not click > links or > > > open attachments unless you recognize the sender and know the content is > safe. > > > > > > Re-, > > > > > > I rearranged the text as follows: > > > > > > OLD: > > > Section 8 of [RFC8446] discusses some mechanisms to implement to > > > limit the impact of replay attacks on 0-RTT data. If the DOTS > > > server accepts 0-RTT, it MUST implement one of these mechanisms. > > > A DOTS server can reject 0-RTT by sending a TLS HelloRetryRequest. > > > The DOTS signal channel messages sent as early data by the DOTS > > > client are idempotent requests. As a reminder, Message ID > > > (Section 3 of [RFC7252]) is changed each time a new CoAP request > > > is sent, and the Token (Section 5.3.1 of [RFC7252]) is randomized > > > in each CoAP request. The DOTS server(s) can use Message ID and > > > Token in the DOTS signal channel message to detect replay of early > > > data, and accept 0-RTT data at most once. Furthermore, 'mid' > > > value is monotonically increased by the DOTS client for each > > > mitigation request, attackers replaying mitigation requests with > > > lower numeric 'mid' values and overlapping scopes with mitigation > > > requests having higher numeric 'mid' values will be rejected > > > systematically by the DOTS server. Likewise, 'sid' value is > > > monotonically increased by the DOTS client for each configuration > > > session, attackers replaying configuration requests with lower > > > numeric 'sid' values will be rejected by the DOTS server if it > > > maintains a higher numeric 'sid' value for this DOTS client. > > > > > > NEW: > > > Section 8 of [RFC8446] discusses some mechanisms to implement to > > > limit the impact of replay attacks on 0-RTT data. If the DOTS > > > server accepts 0-RTT, it MUST implement one of these mechanisms to > > > prevent replay at the TLS layer. A DOTS server can reject 0-RTT > > > by sending a TLS HelloRetryRequest. > > > > > > The DOTS signal channel messages sent as early data by the DOTS > > > client are idempotent requests. As a reminder, the Message ID > > > (Section 3 of [RFC7252]) is changed each time a new CoAP request > > > is sent, and the Token (Section 5.3.1 of [RFC7252]) is randomized > > > in each CoAP request. The DOTS server(s) MUST use the Message ID > > > and the Token in the DOTS signal channel message to detect replay > > > of early data at the application layer, and accept 0-RTT data at > > > most once from the same DOTS client. This anti-replay defense > > > requires sharing the Message ID and the Token in the 0-RTT data > > > between DOTS servers in the DOTS server domain. DOTS servers do > > > not rely on transport coordinates to identify DOTS peers. As > > > specified in Section 4.4.1, DOTS servers couple the DOTS signal > > > channel sessions using the DOTS client identity and optionally the > > > 'cdid' parameter value. Furthermore, 'mid' value is monotonically > > > increased by the DOTS client for each mitigation request, > > > attackers replaying mitigation requests with lower numeric 'mid' > > > values and overlapping scopes with mitigation requests having > > > higher numeric 'mid' values will be rejected systematically by the > > > DOTS server. Likewise, 'sid' value is monotonically increased by > > > the DOTS client for each configuration request (Section 4.5.2), > > > attackers replaying configuration requests with lower numeric > > > 'sid' values will be rejected by the DOTS server if it maintains a > > > higher numeric 'sid' value for this DOTS client. > > > > > > Cheers, > > > Med > > > > > > > -----Message d'origine----- > > > > De : Konda, Tirumaleswar Reddy > > > > [mailto:TirumaleswarReddy_Konda@McAfee.com] > > > > Envoyé : jeudi 28 février 2019 11:50 > > > > À : BOUCADAIR Mohamed TGI/OLN; Benjamin Kaduk Cc : > > > > draft-ietf-dots-signal-channel@ietf.org; dots@ietf.org Objet : RE: > > > > [Dots] Using Early Data in DOTS (RE: AD review of draft-ietf- > > > > dots-signal-channel) > > > > > > > > > -----Original Message----- > > > > > From: Dots <dots-bounces@ietf.org> On Behalf Of > > > > > mohamed.boucadair@orange.com > > > > > Sent: Thursday, February 28, 2019 1:48 PM > > > > > To: Benjamin Kaduk <kaduk@mit.edu> > > > > > Cc: draft-ietf-dots-signal-channel@ietf.org; Konda, Tirumaleswar > > > > > Reddy <TirumaleswarReddy_Konda@McAfee.com>; dots@ietf.org > > > > > Subject: Re: [Dots] Using Early Data in DOTS (RE: AD review of > > > > > draft-ietf- > > > > dots- > > > > > signal-channel) > > > > > > > > > > This email originated from outside of the organization. Do not click > > > > > links > > > > or > > > > > open attachments unless you recognize the sender and know the > > > > > content is > > > > safe. > > > > > > > > > > Hi Ben, > > > > > > > > > > Please see inline. > > > > > > > > > > Cheers, > > > > > Med > > > > > > > > > > > -----Message d'origine----- > > > > > > De : Benjamin Kaduk [mailto:kaduk@mit.edu] Envoyé : mercredi 27 > > > > > > février 2019 16:58 À : BOUCADAIR Mohamed TGI/OLN Cc : Konda, > > > > > > Tirumaleswar Reddy; draft-ietf-dots-signal-channel@ietf.org; > > > > > > dots@ietf.org > > > > > > Objet : Re: Using Early Data in DOTS (RE: [Dots] AD review of > > > > > > draft-ietf- > > > > > > dots-signal-channel) > > > > > > > > > > > > On Tue, Feb 19, 2019 at 07:59:29AM +0000, > > > > > mohamed.boucadair@orange.com wrote: > > > > > > > Hi Ben, > > > > > > > > > > > > > > Please see inline. > > > > > > > > > > > > Okay. BTW, it is looking like this is the last topic to resolve > > > > > > before starting IETF LC. It's probably worth s/the exponent is > > > > > > 2/the base of the exponent is 2/ in the next rev, though, just as > > > > > > a minor nit- > > > > fix. > > > > > > > > > > > > > > > > [Med] Fixed. > > > > > > > > > > > > > > > > > > > > -----Message d'origine----- > > > > > > > > De : Benjamin Kaduk [mailto:kaduk@mit.edu] Envoyé : lundi 18 > > > > > > > > février 2019 17:23 À : BOUCADAIR Mohamed TGI/OLN Cc : Konda, > > > > > > > > Tirumaleswar Reddy; draft-ietf-dots-signal-channel@ietf..org; > > > > > > > > dots@ietf.org > > > > > > > > Objet : Re: Using Early Data in DOTS (RE: [Dots] AD review of > > > > > > > > draft-ietf- > > > > > > > > dots-signal-channel) > > > > > > > > > > > > > > > > On Fri, Feb 15, 2019 at 03:36:05PM +0000, > > > > > > > > mohamed.boucadair@orange.com > > > > > > wrote: > > > > > > > > > Re-, > > > > > > > > > > > > > > > > > > Looking forward to discuss this further. > > > > > > > > > > > > > > > > > > I wonder whether you can consider putting the document in > > > > > > > > > the IETF LC > > > > > > for > > > > > > > > now. If it happen that we need to modify the 0-RTT text, we > > > > > > > > will handle > > > > > > it as > > > > > > > > other IETF LC comments. > > > > > > > > > > > > > > > > I would normally be pretty amenable to starting IETF LC and > > > > > > > > continuing discussion; it's just for this issue in particular > > > > > > > > that I seem to be the main person on the IESG that enforces > > > > > > > > the "application profile for 0-RTT data" requirement, so it > > > > > > > > would feel rather odd to go forward in this > > > > > > case. > > > > > > > > > > > > > > [Med] Fair enough. > > > > > > > > > > > > > > > Luckily, I spent some time this weekend reading RFC 7252 and > > > > > > > > have some substantive comments. > > > > > > > > > > > > > > > > The key oberservation here seems to be that the Message ID is > > > > > > > > scoped per endpoint, and replays can come from arbitrary > addresses. > > > > > > > > > > > > > > > > Specifically, we recall that: > > > > > > > > > > > > > > > > The DOTS signal channel is layered on existing standards > > > > > > > > (Figure > > > > 3). > > > > > > > > > > > > > > > > +---------------------+ > > > > > > > > | DOTS Signal Channel | > > > > > > > > +---------------------+ > > > > > > > > | CoAP | > > > > > > > > +----------+----------+ > > > > > > > > | TLS | DTLS | > > > > > > > > +----------+----------+ > > > > > > > > | TCP | UDP | > > > > > > > > +----------+----------+ > > > > > > > > | IP | > > > > > > > > +---------------------+ > > > > > > > > > > > > > > > > We note that CoAP is using the IP address or "DTLS session" > > > > > > > > (arguably a poorly chosen term) to identify a CoAP association > > > > > > > > and that Message IDs > > > > > > are > > > > > > > > only used within the scope of such an association, it seems > > > > > > > > pretty clear that an attacker able to replay TLS 1.3 0-RTT > > > > > > > > data will slice off the top three lines of this figure and > > > > > > > > swap out the TCP/UDP/IP layers. In the absence of DTLS > > > > > > > > connection IDs, my understanding is that the "DTLS > > > > > > session" > > > > > > > > is identified solely by the transport connection, just as for > > > > > > > > coap-not-s, so by spoofing the source address, the attacker > > > > > > > > causes the replayed 0-RTT data (and thus, CoAP request) to be > > > > > > > > interpreted as a new incoming coaps connection. > > > > > > > > > > > > > > > > Given that Message ID is only 16 bits and the servers > > > > > > > > accepting 0-RTT > > > > > > data > > > > > > > > have potential to be quite busy, it does not seem workable to > > > > > > > > attempt to use the incoming Message IDs as globally unique > > > > > > > > replay defense, as the > > > > > > risk > > > > > > > > of collision would be pretty large. > > > > > > > > > > > > > > [Med] The replay detection relies on both Message ID and Token. > > > > > > > > > > > > In stock CoAP, the Message ID and Token are used only with the > > > > > > context of a specific transport association. > > > > > > > > > > [Med] Hmm...RFC7252 defines an endpoint as follows: > > > > > > > > > > The specific definition of an endpoint depends on the transport > being > > > > > used for CoAP. For the transports defined in this specification, > the > > > > > endpoint is identified depending on the security mode used (see > > > > > Section 9): With no security, the endpoint is solely identified by > an > > > > > IP address and a UDP port number. With other security modes, the > > > > > endpoint is identified as defined by the security mode. > > > > > > > > > > DOTS adheres to that definition: it assumes that an endpoint is not > > > > identified by > > > > > its transport coordinates but with its identity. > > > > > > > > > > Furthermore, the correlation between sessions is clearly mentioned > > > > > in the > > > > text: > > > > > > > > > > The DOTS server couples the DOTS signal channel sessions using the > > > > > DOTS client identity and optionally the 'cdid' parameter value, > and > > > > > the DOTS server uses 'mid' and 'cuid' Uri-Path parameter values to > > > > > detect duplicate mitigation requests. > > > > > > > > > > > > > > > In order to use them for (D)TLS 1.3 replay > > > > > > defense, we need to expand that context to a broader scope, and > > > > > > direct the server to check the Message ID/Token globally (or at > > > > > > least within the scope of a given 'cuid'/'cdid'). Since this > > > > > > would reflect a divergence from normal CoAP, if we are going to > > > > > > rely on this sort of behavior, we must call it out very loudly as > specific to > > > DOTS. > > > > > > > > > > > > > > > > [Med] We can make this change if it helps: > > > > > > > > > > OLD: > > > > > The DOTS server(s) can use Message ID and > > > > > Token in the DOTS signal channel message to detect replay of > early > > > > > data, and accept 0-RTT data at most once. > > > > > > > > > > NEW: > > > > > The DOTS server(s) can use Message ID and > > > > > Token in the DOTS signal channel message to detect replay of > early > > > > > data, and accept 0-RTT data at most once from the same DOTS > client. > > > > > DOTS servers do not rely on transport coordinates to > > > > > identify its peers. As a reminder, DOTS servers couples the > > > > > DOTS > > > > signal > > > > > channel sessions > > > > > using the DOTS client identity and optionally the 'cdid' > > > > > parameter > > > > value. > > > > > > > > I propose to update the text as follows: > > > > > > > > The DOTS server(s) can use the Message ID and > > > > Token in the DOTS signal channel message to detect replay of > early > > > > data, and accept 0-RTT data at most once from the same DOTS > client. > > > > This anti-replay defense requires sharing the Message ID and > > > > Token in the 0-RTT data > > > > between DOTS servers in the DOTS server domain. > > > > DOTS servers do not rely on transport coordinates to > > > > identify its peers. As a reminder, DOTS servers couples the DOTS > > > > signal channel sessions > > > > using the DOTS client identity and optionally the 'cdid' > > > > parameter value. > > > > > > > > -Tiru
- [Dots] Using Early Data in DOTS (RE: AD review of… mohamed.boucadair
- Re: [Dots] Using Early Data in DOTS (RE: AD revie… mohamed.boucadair
- Re: [Dots] Using Early Data in DOTS (RE: AD revie… Benjamin Kaduk
- Re: [Dots] Using Early Data in DOTS (RE: AD revie… mohamed.boucadair
- Re: [Dots] Using Early Data in DOTS (RE: AD revie… Konda, Tirumaleswar Reddy
- Re: [Dots] Using Early Data in DOTS (RE: AD revie… Benjamin Kaduk
- Re: [Dots] Using Early Data in DOTS (RE: AD revie… Konda, Tirumaleswar Reddy
- Re: [Dots] Using Early Data in DOTS (RE: AD revie… mohamed.boucadair
- Re: [Dots] Using Early Data in DOTS (RE: AD revie… mohamed.boucadair
- Re: [Dots] Using Early Data in DOTS (RE: AD revie… Benjamin Kaduk
- Re: [Dots] Using Early Data in DOTS (RE: AD revie… mohamed.boucadair
- Re: [Dots] Using Early Data in DOTS (RE: AD revie… Konda, Tirumaleswar Reddy
- Re: [Dots] Using Early Data in DOTS (RE: AD revie… Konda, Tirumaleswar Reddy
- Re: [Dots] Using Early Data in DOTS (RE: AD revie… mohamed.boucadair
- Re: [Dots] Using Early Data in DOTS (RE: AD revie… Konda, Tirumaleswar Reddy
- Re: [Dots] Using Early Data in DOTS (RE: AD revie… Benjamin Kaduk
- Re: [Dots] Using Early Data in DOTS (RE: AD revie… mohamed.boucadair