Re: [Dots] Using Early Data in DOTS (RE: AD review of draft-ietf-dots-signal-channel)

[<mohamed.boucadair@orange.com>]

Hi Ben, 

The new version is available online: 
https://tools.ietf.org/html/draft-ietf-dots-signal-channel-30 

Cheers,
Med

> -----Message d'origine-----
> De : Benjamin Kaduk [mailto:kaduk@mit.edu]
> Envoyé : lundi 4 mars 2019 17:05
> À : Konda, Tirumaleswar Reddy
> Cc : BOUCADAIR Mohamed TGI/OLN; draft-ietf-dots-signal-channel@ietf.org;
> dots@ietf.org
> Objet : Re: [Dots] Using Early Data in DOTS (RE: AD review of draft-ietf-
> dots-signal-channel)
> 
> Please go ahead and publish -- this is good enough for me to be willing to
> start the IETF LC, though we will probably tweak it a bit more still.
> (I'd like to keep the data channel and signal channel docs together through
> IETF LC and IESG evaluation to the extent possible.)
> 
> -Ben
> 
> On Mon, Mar 04, 2019 at 04:01:47PM +0000, Konda, Tirumaleswar Reddy wrote:
> > Updated text looks good to me.
> > @Ben - Please let us know if the proposed update addresses your comments,
> we would like to publish the changes.
> >
> > Cheers,
> > -Tiru
> >
> > > -----Original Message-----
> > > From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>
> > > Sent: Thursday, February 28, 2019 6:39 PM
> > > To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>;
> > > Benjamin Kaduk <kaduk@mit.edu>
> > > Cc: draft-ietf-dots-signal-channel@ietf.org; dots@ietf.org
> > > Subject: RE: [Dots] Using Early Data in DOTS (RE: AD review of draft-
> ietf-dots-
> > > signal-channel)
> > >
> > > This email originated from outside of the organization. Do not click
> links or
> > > open attachments unless you recognize the sender and know the content is
> safe.
> > >
> > > Re-,
> > >
> > > I rearranged the text as follows:
> > >
> > > OLD:
> > >       Section 8 of [RFC8446] discusses some mechanisms to implement to
> > >       limit the impact of replay attacks on 0-RTT data.  If the DOTS
> > >       server accepts 0-RTT, it MUST implement one of these mechanisms.
> > >       A DOTS server can reject 0-RTT by sending a TLS HelloRetryRequest.
> > >       The DOTS signal channel messages sent as early data by the DOTS
> > >       client are idempotent requests.  As a reminder, Message ID
> > >       (Section 3 of [RFC7252]) is changed each time a new CoAP request
> > >       is sent, and the Token (Section 5.3.1 of [RFC7252]) is randomized
> > >       in each CoAP request.  The DOTS server(s) can use Message ID and
> > >       Token in the DOTS signal channel message to detect replay of early
> > >       data, and accept 0-RTT data at most once.  Furthermore, 'mid'
> > >       value is monotonically increased by the DOTS client for each
> > >       mitigation request, attackers replaying mitigation requests with
> > >       lower numeric 'mid' values and overlapping scopes with mitigation
> > >       requests having higher numeric 'mid' values will be rejected
> > >       systematically by the DOTS server.  Likewise, 'sid' value is
> > >       monotonically increased by the DOTS client for each configuration
> > >       session, attackers replaying configuration requests with lower
> > >       numeric 'sid' values will be rejected by the DOTS server if it
> > >       maintains a higher numeric 'sid' value for this DOTS client.
> > >
> > > NEW:
> > >       Section 8 of [RFC8446] discusses some mechanisms to implement to
> > >       limit the impact of replay attacks on 0-RTT data.  If the DOTS
> > >       server accepts 0-RTT, it MUST implement one of these mechanisms to
> > >       prevent replay at the TLS layer.  A DOTS server can reject 0-RTT
> > >       by sending a TLS HelloRetryRequest.
> > >
> > >       The DOTS signal channel messages sent as early data by the DOTS
> > >       client are idempotent requests.  As a reminder, the Message ID
> > >       (Section 3 of [RFC7252]) is changed each time a new CoAP request
> > >       is sent, and the Token (Section 5.3.1 of [RFC7252]) is randomized
> > >       in each CoAP request.  The DOTS server(s) MUST use the Message ID
> > >       and the Token in the DOTS signal channel message to detect replay
> > >       of early data at the application layer, and accept 0-RTT data at
> > >       most once from the same DOTS client.  This anti-replay defense
> > >       requires sharing the Message ID and the Token in the 0-RTT data
> > >       between DOTS servers in the DOTS server domain.  DOTS servers do
> > >       not rely on transport coordinates to identify DOTS peers.  As
> > >       specified in Section 4.4.1, DOTS servers couple the DOTS signal
> > >       channel sessions using the DOTS client identity and optionally the
> > >       'cdid' parameter value.  Furthermore, 'mid' value is monotonically
> > >       increased by the DOTS client for each mitigation request,
> > >       attackers replaying mitigation requests with lower numeric 'mid'
> > >       values and overlapping scopes with mitigation requests having
> > >       higher numeric 'mid' values will be rejected systematically by the
> > >       DOTS server.  Likewise, 'sid' value is monotonically increased by
> > >       the DOTS client for each configuration request (Section 4.5.2),
> > >       attackers replaying configuration requests with lower numeric
> > >       'sid' values will be rejected by the DOTS server if it maintains a
> > >       higher numeric 'sid' value for this DOTS client.
> > >
> > > Cheers,
> > > Med
> > >
> > > > -----Message d'origine-----
> > > > De : Konda, Tirumaleswar Reddy
> > > > [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > > > Envoyé : jeudi 28 février 2019 11:50
> > > > À : BOUCADAIR Mohamed TGI/OLN; Benjamin Kaduk Cc :
> > > > draft-ietf-dots-signal-channel@ietf.org; dots@ietf.org Objet : RE:
> > > > [Dots] Using Early Data in DOTS (RE: AD review of draft-ietf-
> > > > dots-signal-channel)
> > > >
> > > > > -----Original Message-----
> > > > > From: Dots <dots-bounces@ietf.org> On Behalf Of
> > > > > mohamed.boucadair@orange.com
> > > > > Sent: Thursday, February 28, 2019 1:48 PM
> > > > > To: Benjamin Kaduk <kaduk@mit.edu>
> > > > > Cc: draft-ietf-dots-signal-channel@ietf.org; Konda, Tirumaleswar
> > > > > Reddy <TirumaleswarReddy_Konda@McAfee.com>; dots@ietf.org
> > > > > Subject: Re: [Dots] Using Early Data in DOTS (RE: AD review of
> > > > > draft-ietf-
> > > > dots-
> > > > > signal-channel)
> > > > >
> > > > > This email originated from outside of the organization. Do not click
> > > > > links
> > > > or
> > > > > open attachments unless you recognize the sender and know the
> > > > > content is
> > > > safe.
> > > > >
> > > > > Hi Ben,
> > > > >
> > > > > Please see inline.
> > > > >
> > > > > Cheers,
> > > > > Med
> > > > >
> > > > > > -----Message d'origine-----
> > > > > > De : Benjamin Kaduk [mailto:kaduk@mit.edu] Envoyé : mercredi 27
> > > > > > février 2019 16:58 À : BOUCADAIR Mohamed TGI/OLN Cc : Konda,
> > > > > > Tirumaleswar Reddy; draft-ietf-dots-signal-channel@ietf.org;
> > > > > > dots@ietf.org
> > > > > > Objet : Re: Using Early Data in DOTS (RE: [Dots] AD review of
> > > > > > draft-ietf-
> > > > > > dots-signal-channel)
> > > > > >
> > > > > > On Tue, Feb 19, 2019 at 07:59:29AM +0000,
> > > > > mohamed.boucadair@orange.com wrote:
> > > > > > > Hi Ben,
> > > > > > >
> > > > > > > Please see inline.
> > > > > >
> > > > > > Okay.  BTW, it is looking like this is the last topic to resolve
> > > > > > before starting IETF LC.  It's probably worth s/the exponent is
> > > > > > 2/the base of the exponent is 2/ in the next rev, though, just as
> > > > > > a minor nit-
> > > > fix.
> > > > > >
> > > > >
> > > > > [Med] Fixed.
> > > > >
> > > > > > >
> > > > > > > > -----Message d'origine-----
> > > > > > > > De : Benjamin Kaduk [mailto:kaduk@mit.edu] Envoyé : lundi 18
> > > > > > > > février 2019 17:23 À : BOUCADAIR Mohamed TGI/OLN Cc : Konda,
> > > > > > > > Tirumaleswar Reddy; draft-ietf-dots-signal-channel@ietf..org;
> > > > > > > > dots@ietf.org
> > > > > > > > Objet : Re: Using Early Data in DOTS (RE: [Dots] AD review of
> > > > > > > > draft-ietf-
> > > > > > > > dots-signal-channel)
> > > > > > > >
> > > > > > > > On Fri, Feb 15, 2019 at 03:36:05PM +0000,
> > > > > > > > mohamed.boucadair@orange.com
> > > > > > wrote:
> > > > > > > > > Re-,
> > > > > > > > >
> > > > > > > > > Looking forward to discuss this further.
> > > > > > > > >
> > > > > > > > > I wonder whether you can consider putting the document in
> > > > > > > > > the IETF LC
> > > > > > for
> > > > > > > > now. If it happen that we need to modify the 0-RTT text, we
> > > > > > > > will handle
> > > > > > it as
> > > > > > > > other IETF LC comments.
> > > > > > > >
> > > > > > > > I would normally be pretty amenable to starting IETF LC and
> > > > > > > > continuing discussion; it's just for this issue in particular
> > > > > > > > that I seem to be the main person on the IESG that enforces
> > > > > > > > the "application profile for 0-RTT data" requirement, so it
> > > > > > > > would feel rather odd to go forward in this
> > > > > > case.
> > > > > > >
> > > > > > > [Med] Fair enough.
> > > > > > >
> > > > > > > > Luckily, I spent some time this weekend reading RFC 7252 and
> > > > > > > > have some substantive comments.
> > > > > > > >
> > > > > > > > The key oberservation here seems to be that the Message ID is
> > > > > > > > scoped per endpoint, and replays can come from arbitrary
> addresses.
> > > > > > > >
> > > > > > > > Specifically, we recall that:
> > > > > > > >
> > > > > > > >    The DOTS signal channel is layered on existing standards
> > > > > > > > (Figure
> > > > 3).
> > > > > > > >
> > > > > > > >                           +---------------------+
> > > > > > > >                           | DOTS Signal Channel |
> > > > > > > >                           +---------------------+
> > > > > > > >                           |         CoAP        |
> > > > > > > >                           +----------+----------+
> > > > > > > >                           |   TLS    |   DTLS   |
> > > > > > > >                           +----------+----------+
> > > > > > > >                           |   TCP    |   UDP    |
> > > > > > > >                           +----------+----------+
> > > > > > > >                           |          IP         |
> > > > > > > >                           +---------------------+
> > > > > > > >
> > > > > > > > We note that CoAP is using the IP address or "DTLS session"
> > > > > > > > (arguably a poorly chosen term) to identify a CoAP association
> > > > > > > > and that Message IDs
> > > > > > are
> > > > > > > > only used within the scope of such an association, it seems
> > > > > > > > pretty clear that an attacker able to replay TLS 1.3 0-RTT
> > > > > > > > data will slice off the top three lines of this figure and
> > > > > > > > swap out the TCP/UDP/IP layers.  In the absence of DTLS
> > > > > > > > connection IDs, my understanding is that the "DTLS
> > > > > > session"
> > > > > > > > is identified solely by the transport connection, just as for
> > > > > > > > coap-not-s, so by spoofing the source address, the attacker
> > > > > > > > causes the replayed 0-RTT data (and thus, CoAP request) to be
> > > > > > > > interpreted as a new incoming coaps connection.
> > > > > > > >
> > > > > > > > Given that Message ID is only 16 bits and the servers
> > > > > > > > accepting 0-RTT
> > > > > > data
> > > > > > > > have potential to be quite busy, it does not seem workable to
> > > > > > > > attempt to use the incoming Message IDs as globally unique
> > > > > > > > replay defense, as the
> > > > > > risk
> > > > > > > > of collision would be pretty large.
> > > > > > >
> > > > > > > [Med] The replay detection relies on both Message ID and Token.
> > > > > >
> > > > > > In stock CoAP, the Message ID and Token are used only with the
> > > > > > context of a specific transport association.
> > > > >
> > > > > [Med] Hmm...RFC7252 defines an endpoint as follows:
> > > > >
> > > > >    The specific definition of an endpoint depends on the transport
> being
> > > > >    used for CoAP.  For the transports defined in this specification,
> the
> > > > >    endpoint is identified depending on the security mode used (see
> > > > >    Section 9): With no security, the endpoint is solely identified by
> an
> > > > >    IP address and a UDP port number.  With other security modes, the
> > > > >    endpoint is identified as defined by the security mode.
> > > > >
> > > > > DOTS adheres to that definition: it assumes that an endpoint is not
> > > > identified by
> > > > > its transport coordinates but with its identity.
> > > > >
> > > > > Furthermore, the correlation between sessions is clearly mentioned
> > > > > in the
> > > > text:
> > > > >
> > > > >    The DOTS server couples the DOTS signal channel sessions using the
> > > > >    DOTS client identity and optionally the 'cdid' parameter value,
> and
> > > > >    the DOTS server uses 'mid' and 'cuid' Uri-Path parameter values to
> > > > >    detect duplicate mitigation requests.
> > > > >
> > > > >
> > > > >  In order to use them for (D)TLS 1.3 replay
> > > > > > defense, we need to expand that context to a broader scope, and
> > > > > > direct the server to check the Message ID/Token globally (or at
> > > > > > least within the scope of a given 'cuid'/'cdid').  Since this
> > > > > > would reflect a divergence from normal CoAP, if we are going to
> > > > > > rely on this sort of behavior, we must call it out very loudly as
> specific to
> > > DOTS.
> > > > > >
> > > > >
> > > > > [Med] We can make this change if it helps:
> > > > >
> > > > > OLD:
> > > > >       The DOTS server(s) can use Message ID and
> > > > >       Token in the DOTS signal channel message to detect replay of
> early
> > > > >       data, and accept 0-RTT data at most once.
> > > > >
> > > > > NEW:
> > > > >       The DOTS server(s) can use Message ID and
> > > > >       Token in the DOTS signal channel message to detect replay of
> early
> > > > >       data, and accept 0-RTT data at most once from the same DOTS
> client.
> > > > >       DOTS servers do not rely on transport coordinates to
> > > > >       identify its peers. As a reminder, DOTS servers couples the
> > > > > DOTS
> > > > signal
> > > > > channel sessions
> > > > >       using the DOTS client identity and optionally the 'cdid'
> > > > > parameter
> > > > value.
> > > >
> > > > I propose to update the text as follows:
> > > >
> > > >       The DOTS server(s) can use the Message ID and
> > > >       Token in the DOTS signal channel message to detect replay of
> early
> > > >       data, and accept 0-RTT data at most once from the same DOTS
> client.
> > > >       This anti-replay defense requires sharing the Message ID and
> > > > Token in the 0-RTT data
> > > >       between DOTS servers in the DOTS server domain.
> > > >       DOTS servers do not rely on transport coordinates to
> > > >       identify its peers. As a reminder, DOTS servers couples the DOTS
> > > > signal channel sessions
> > > >       using the DOTS client identity and optionally the 'cdid'
> > > > parameter value.
> > > >
> > > > -Tiru