Re: [dtn-interest] RG "last call" on draft-irtf-dtnrg-bundle-checksum
Kevin Fall <kfall@cs.berkeley.edu> Thu, 19 March 2009 07:58 UTC
Received: from gateway0.EECS.Berkeley.EDU (gateway0.EECS.Berkeley.EDU [169.229.60.87]) by maillists.intel-research.net (8.13.8/8.13.8) with ESMTP id n2J7wYua031183 for <dtn-interest@mailman.dtnrg.org>; Thu, 19 Mar 2009 00:58:34 -0700
Received: from [172.17.171.203] ([208.253.64.131]) (authenticated bits=0) by gateway0.EECS.Berkeley.EDU (8.14.3/8.13.5) with ESMTP id n2J7bDqj011088 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT) for <dtn-interest@mailman.dtnrg.org>; Thu, 19 Mar 2009 00:37:16 -0700 (PDT)
Message-Id: <2F568242-DF63-45CE-91A1-741FC8D2F6FE@cs.berkeley.edu>
From: Kevin Fall <kfall@cs.berkeley.edu>
To: DTN interest <dtn-interest@mailman.dtnrg.org>
Content-Type: multipart/alternative; boundary="Apple-Mail-2--704489759"
Mime-Version: 1.0 (Apple Message framework v930.3)
Date: Thu, 19 Mar 2009 00:37:11 -0700
References: <95A10DE0-D663-4C68-B839-19F4B182BA4E@gmail.com>
X-Mailer: Apple Mail (2.930.3)
Subject: Re: [dtn-interest] RG "last call" on draft-irtf-dtnrg-bundle-checksum
X-BeenThere: dtn-interest@maillists.intel-research.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Delay Tolerant Networking Interest List <dtn-interest.maillists.intel-research.net>
List-Unsubscribe: <http://maillists.intel-research.net/mailman/listinfo/dtn-interest>, <mailto:dtn-interest-request@maillists.intel-research.net?subject=unsubscribe>
List-Archive: <http://maillists.intel-research.net/pipermail/dtn-interest>
List-Post: <mailto:dtn-interest@maillists.intel-research.net>
List-Help: <mailto:dtn-interest-request@maillists.intel-research.net?subject=help>
List-Subscribe: <http://maillists.intel-research.net/mailman/listinfo/dtn-interest>, <mailto:dtn-interest-request@maillists.intel-research.net?subject=subscribe>
X-List-Received-Date: Thu, 19 Mar 2009 07:58:34 -0000
> From: Kevin Fall > Date: March 19, 2009 12:34:45 AM PDT > To: DTN interest <dtn-interest@mailman.dtnrg.org> > Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie> > Subject: Re: [dtn-interest] RG "last call" on draft-irtf-dtnrg- > bundle-checksum > > I also have a number of comments on this draft which I believe we > can cover on thursday. > At a high level, the authors appear to wish to explain both the > approach and its (comparatively > lengthy) rationale. I believe the rationale belongs elsewhere, > possibly in an informational > document that discusses reliability, integrity and the BP. I > believe this will help promote getting > the technical details through the process. > > A couple of other things brought up by this draft: > > should a bundle somehow indicate an app's {non}desire for error free > bundles > need any corresponding API have the ability to specify this? > that there should possibly be a configuration flag in bundle agents > indicating whether bundles failing integrity checks are dropped > (and/or whether the integrity check is applied at all-- note that we > may be running in a high performance network as well). > > - K > > > On Mar 16, 2009, at Mar 167:50 AMPDT, Stephen Farrell wrote: > >> >> My comments on the first part (up to the end of section 3, I ran >> out of time since there was so much that needed comment) are >> attached. This is not ready IMO, I'd guess a couple more >> revs are needed before it'd be done. >> >> Stephen. >> >> >> >> SF comments on draft-irtf-dtnrg-checksum >> >> 20090312 >> >> General >> >> #0 There are many editorial changes required. There are numerous >> erroneous, >> imprecise or misleading statements that should be removed (examples >> below). >> There are also many sections of text that appear to be discussing >> "DTN history >> before checksums." While such text might be interesting for some it >> doesn't IMO >> belong in an experimental RFC unless it is beneficial for >> implementers (again, >> examples below). Basically what should be a useful specification is >> sometimes >> almost a rant which is inappropriate. (In addition to my opinion on >> this, the >> IRSG review specifically aims to ensure that the content is as >> suitable as >> journal content, so this kind of change will be needed later anyway >> its not >> just me being a pain) >> >> #1 I think a lot of the motivation stuff could be removed and that >> that'd >> improve the document. Simpler/shorter is better. >> >> #2 The BSP has the concept of end-to-end-ishness where e.g. the >> security source >> might not be the actual source. That's mainly to cater for less >> capable nodes >> at the edges, and is probably not needed here, but worth asking >> anyway. Are >> there any cases where it'd make sense to add a checksum in the >> middle of a path >> or to strip one in the middle of a path? >> >> #3 A lot of the discussion about integrity only applies for >> accidental >> integrity violations. There should be a statement up front saying >> that this >> draft doesn't consider deliberate integrity violations and that >> those are >> address by other ciphersuites, e.g. in the BSP spec. >> >> #4 I'm totally unclear as to why there need to be three >> ciphersuites. Is >> there a real justification for anything other than min and max here? >> >> #5 origin authentication is not non-repudiation (if such exists as >> a network >> service) as any security primer would tell you >> >> #6 MD5 is not a checksum algorithm, it is a digest alg. which is a >> different >> beast (second pre-image resistance etc.) >> >> #7 You're probably better off removing the downref to my expired >> key mgmt draft >> (draft-farrell-dtnrg-km) since someone starting over on that might >> not base on >> that draft, which'd leave the eventual RFC with a bad pointer. >> >> #8 If you want to make the claim that using the PIB is problematic >> for some >> reason, you need to justify that. Just saying "not designed >> for." (which is >> ungrammatic as used) is not sufficient. >> >> #9 (sigh) The use of the term private key seems to indicate a lack of >> familiarity with crypto mechanisms. Public keys are used to verify >> signatures. >> "3rd party intermediate nodes that do not possess that private >> key..." is a >> crypto-101 error. >> >> #10 The RSA/SHA256 ciphersuite is criticised for some odd reason. >> That adds >> nothing and should be deleted. (The sentence includes the terms >> "excessive" and >> "disadvantageous.") If you are arguing that keyed ciphersuites are >> not what you >> need then such points are superflous and would only serve to >> confuse a reader. >> >> #11 What is a "NULL key pair"? As far as I'm aware this is the >> first time >> anyone's suggested using a known key for RSA ever. (No one else has >> becuase >> it'd be silly, a known symmetric key is similar strength and far >> easier.) I >> don't believe anyone has ever suggested re-using an existing >> ciphersuite with a >> known key, all previous cases invent a new ciphersuite. There is >> really no >> point in discussing obviously silly design choices that could have >> been made by >> someone not skilled in the art. (Actually, just deleting that >> entire paragraph >> is best.) >> >> #12 BAB-HMAC discussion. I'm not sure if its a good idea to opine >> here on >> changes that "could" be made to the BP, but if that remains, it >> should at least >> say "a future version of the BP." Noting that the BP doesn't >> mandate the BSP is >> fine, but the future looking stuff might confuse a reader, so I'd >> leave it out. >> Saying that some "path" seems to be desirable is also needlessly >> confusing, >> this document should just specify and explain the new ciphersuites >> and not be >> as argumentative. >> >> #13 Mention of your "previous proposal" adds nothing and exposes an >> apparent >> minsunderstanding on the author's part of compliance. This spec can >> and should >> define new PIB ciphersuites. There is no reason why conforming >> implementations >> should also have to implement other ciphersuites as well. (And again >> "heavyweight" is purely pejorative so remove that.) >> >> #14 The "insecure ciphersuites might give a false impression of >> security" >> argument seems to me to be bogus. Have there ever been any cases >> where IPsec or >> TLS equivalents were accidentally used? This could be a security >> cconsideration >> to point out to coders that they shouldn't confuse administrators >> in user >> interfaces, but is not a real issue in terms of the bits on the >> wire.. (I do >> like the idea of naming these ciphersuites INSECURE or something, >> but that >> doesn't mean there's a real issue here.) >> >> #15 "SHOULD subjective ensure" is very odd. >> >> #16 I don't follow why logging output is significant enough for a >> MUST NOT? >> >> #17 The requirement that any future similar ciphersuite be called >> "INSECURE" is >> broken. Just say that these ciphersuites are called that and you're >> done. Also >> PIBs using these are not indistinguishable from those with secure >> ciphersuites >> - that's the whole point of the ciphersuite types. You're confusing >> the name of >> the ciphersuites (that might appear in GUIs) with the bits on the >> wire where >> no such confusion arises. >> >> #18 You seem to contradict yourself when you say that things MUST >> be called >> INSECURE_* but then say that PIB-HMAC with NULL keys is ok. I think >> one or the >> other is ok, but not both. I think that PIB-HMAC if its useful (and >> it could >> be) ought be in a different document (probably BSP) and the NULL >> key version >> should be here as its own ciphersuite. (Or just omitted, I'm not >> sure who wants >> PIB-HMAC-WITH-NULL?) >> >> #19 Talking about what BP implementations MUST support is missing >> the point. >> This spec should talk about what implementations doing this spec >> MUST support >> and not others. >> >> #20 Mutable c14n is defined in the BSP and not in appendix A.1 The >> PIB wire >> format is defined in the BSP and not in appendix A.2. As-is, both >> inaccurate >> statements would mislead implementers. >> >> #21 Using a zero KeyID as the indicator of a NULL ciphersuite is a >> bad >> choice IMO. (It should be a separate ciphersuite as explained >> above.) The >> problem is that there are times when shared secrets are used without >> KeyIDs (which is bad practice, but happens). A zero KeyID is too easy >> for a coder to mistake as a missing KeyID so its better to either >> have >> the same semantic or none. >> >> #22 end of p12, I don't get what "the later two EIDs" means? Needs >> some >> clarification I guess. (Maybe just a type s/EID/SDNV/?) >> >> #23 What makes you think an 80-bit MAC is less good at error >> detection >> than a (known weak) 128 bit digest? Such statements are better >> deleted >> (or else justified with references). >> >> #24 "Although the BSP was intended..." again the authors appear >> confused >> about compliance - this document does not UPDATE 5050 (not sure what >> that'd mean for an experimental RFC anyway) so discussion of things >> that are "needed" by BP implementations is off base. This is even >> clearer in the next paragraph where the spec tries to impose >> requirements >> on 5050 implementations doing custody stuff. >> >> #25 "...private keys shared only..." Private keys are never shared in >> any DTN ciphersuite. Another crypto-101 error. >> >> #26 You have a SHOULD on dropping when checks fail. What about >> fragmentation? >> >> #27 "...end-to-end private key" crypto-101 Entire paragraphs needs >> fixing. >> >> ------------ >> >> Editorial changes in the early pages. (I stopped separatng them >> after a while since there are so many.) >> >> Abstract: >> >> #1 the BP does not include a checksum, yet it *is* possible to do >> verification, >> if the BSP is used. The statement is misleading. >> >> #2 "Without assurance...cannot" is wrong. "may not" would be correct. >> >> #3 sometimes errored bundle forwarding is desired, suggest >> replacing "instead >> of..." with "where it may have been better to..."` >> >> #4 "address the situation" implies that this is correcting a >> serious unexpected >> fault which is disputed >> >> #5 "Formerly called" adds no value >> >> #6 "Regardless of" clause adds no value >> >> #7 "Divorcing" clause seems odd - I think you mean to say there's >> no need for >> keys but I don't see any papers being served. >> >> #8 "necessary detail" why would you include unnecessary detail? >> delete >> necessary >> >> #9 Overall an abstrct like the following would be much better: >> >> The Delay-Tolerant Networking Bundle Protocol includes a custody >> transfer >> mechanism to provide acknowledgements of receipt for particular >> bundles. The >> bundle protocol does not define a checksum that allows verification >> of >> error-free forwarding at any hop on the path. This document defines >> new >> "keyless" data integrity ciphersuites for use with the Bundle >> Security >> Protocol's Payload Integrity Block that can be used to increase >> reliability in >> many situations. >> >> Section 1: >> >> #0 this entire section could be deleted, or almost all >> >> #1 2nd para: "does not take bundle inegrity into account" is >> misleading; the BP >> asssumes that CLs do that which is different. >> >> #2 something that's not always sufficient is not always >> insufficient to talking >> about "the insufficiency" is a mistatement >> >> #3 s/painstakingly// it adds nothing but pique >> >> #4 delivering errored content does not require that "all underlying >> layers pass >> through and accept errors", only perhaps that the layers in use >> when the error >> occurs support that, and with bugs, memory or file system errors >> not even that >> >> #5 the claim that the "ability to provide a check" is primary to >> "overall >> strength" needs a reference or should be deleted >> >> #6 last para of p7:s/much more important/potentially much more >> important/ >> >> #7 same para as #6, everything from "the bundle protocol..does >> neither..." down >> to"...Internet traffic." should be deleted. Its only purpose seems >> to be to try >> make the bundle protocol look bad? >> >> #8 last para: delete the paragraph I guess it just vituperative, >> hard to >> understand how it ever got added >> >> section 2: >> >> #1 there are currently 4 block types in BSP but I don't think >> there's any need >> to discuss that, just say we're re-using PIB. There is no reason to >> discuss >> BAB, PCB or, now ESB at all. >> >> #2 delete the sentence that says "truly suitable" - actually an >> entire page or >> so can best be deleted here, incl. the "what's a MAC" part. >> >> #3 The "in fact, several popular" sentence gets it wrong, some >> digest algs are >> used for MACs >> >> >> _______________________________________________ >> dtn-interest mailing list >> dtn-interest@maillists.intel-research.net >> http://maillists.intel-research.net/mailman/listinfo/dtn-interest >
- Re: [dtn-interest] RG "last call" on draft-irtf-d… Kevin Fall
- Re: [dtn-interest] RG "last call" on draft-irtf-d… Kevin Fall
- Re: [dtn-interest] RG "last call" on draft-irtf-d… Stephen Farrell
- Re: [dtn-interest] RG "last call" ondraft-irtf-dt… L.Wood
- Re: [dtn-interest] RG "last call" on draft-irtf-d… Peter TB Brett
- [dtn-interest] RG "last call" on draft-irtf-dtnrg… Stephen Farrell