[Hipsec] Benjamin Kaduk's Discuss on draft-ietf-hip-native-nat-traversal-30: (with DISCUSS and COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Wed, 04 March 2020 04:09 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: hipsec@ietf.org
Delivered-To: hipsec@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id CE4013A0D79; Tue, 3 Mar 2020 20:09:00 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-hip-native-nat-traversal@ietf.org, hip-chairs@ietf.org, hipsec@ietf.org, Gonzalo Camarillo <gonzalo.camarillo@ericsson.com>, gonzalo.camarillo@ericsson.com
X-Test-IDTracker: no
X-IETF-IDTracker: 6.119.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <158329494071.7765.9192526076932474796@ietfa.amsl.com>
Date: Tue, 03 Mar 2020 20:09:00 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/wQuDYH1GDTBNPkqqi8Hr0cCKvSU>
Subject: [Hipsec] Benjamin Kaduk's Discuss on draft-ietf-hip-native-nat-traversal-30: (with DISCUSS and COMMENT)
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Mar 2020 04:09:01 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-hip-native-nat-traversal-30: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-hip-native-nat-traversal/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- One fairly minor point to start: Section 4.3 says that we define a new mode (ICE-HIP-UDP) for the NAT_TRAVERSAL_MODE parameter type, but then goes on to say that "the presence of the parameter in a HIP base exchange means that the end-host supports NAT traversal extensions defined in this document". If I undrestand correctly, only the specific presence of the ICE-HIP-UDP mode of the NAT_TRAVERSAL_MODE parameter does so, and so to say that the presence of "the [NAT_TRAVERSAL_MODE] parameter" indicates support for this document would be backwards incompatible with RFC 5770. I'd also like to delve a little further into the potential "cross-protocol" attack (same protocol, really, but the same attack) that Ekr raised, between RVS_HMAC and RELAY_HMAC. This is probably a "discuss discuss", so let's see where it leads... The semantics for either type of HMAC is that it is an HMAC over the HIP packet excluding itself and subsequent parameters. Pulling up the HIP packet format from RFC 7401, that looks like: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Next Header | Header Length |0| Packet Type |Version| RES.|1| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Checksum | Controls | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sender's Host Identity Tag (HIT) | | | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Receiver's Host Identity Tag (HIT) | | | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | / HIP Parameters / / / | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The HMAC key is the integrity key for that direction of traffic between HITs, so the "cross-protocol" part can only come in by confusing the packet recipient into confusion as to whether it is processing an RVS_HMAC or a RELAY_HMAC (but any other entity will reject the packet by virtue of it using the wrong key). Modern best practices are to go through a key derivation step that incorporates as much information as possible about what the derived key will be used for, which would in this case include the TLV type of the HMAC parameter and presumably the HITs in question as well. In particular, the TLV type of the HMAC parameter is *not* input into the HMAC calculation (at least for RVS_HMAC), so the trivial discriminator is not present. The "packet type" in the header in the header is potentially going to differ across usages, so I think that's a good place to focus discussion. Unfortunately, Section 4.2.1 of RFC 8004 suggests that RVS_HMAC is going to be present a lot of the time, so it's not really clear to me what packet types either RVS_HMAC and/or REPLAY_HMAC are expected to occur in. Could a HIP expert please jump in and help clarify? ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- [My latest reply to the ballot thread for my previous ballot position, https://mailarchive.ietf.org/arch/msg/hipsec/iP_of3P2RfxJIbeVDz2qGonO8nY/ , seems to have not gotten a response] Why did some rfc5245bis references get converted to RFC5245 and others to RFC8445? The phrase "Control Data Relay" occurs just five times in the document (vs. over a hundred for "Control Relay") and seems to needlessly conflate "Control Relay" and "Data Relay". I'd suggest rewording to avoid this phrase. Abstract and UDP encapsulation of data and signaling traffic. The main difference from the previously specified modes is the use of HIP messages instead of ICE for all NAT traversal procedures due to its kernel-space dependencies. It might be worth disambiguating what "its" refers to. Section 1 messages tunneled over a single UDP flow. The benefit of using ICE and its STUN/TURN messaging formats is that one can re-use the NAT traversal infrastructure already available in the Internet, such as STUN and TURN servers. Also, some middleboxes may be STUN-aware and may be able to do something "smart" when they see STUN being used for NAT traversal. Don't we go on to say that we can't actually use stock TURN infrastructure since we'd need extra encapsulation for the HIP bits? Section 2 HIP offer: Before two end-hosts can establish a communication channel using the NAT traversal procedures defined in this document, they need exchange their locators (i.e. candidates) with each other. In ICE, this procedure is called Candidate Exchange and it does specify how the candidates are exchanged but Session Description nit: s/does specify/does not specify/ handover. Following [RFC5770] and Session Description Protocol (SDP) [RFC3264] naming conventions, "HIP offer" is the the nit: we just expanded SDP a few lines previously; we probably don't need to do it again. Section 3 connected to the public Internet. To be contacted from behind a NAT, at least the Responder must be registered with is own Control Relay Server reachable on the public Internet. The Responder may have also nit: "is own" is not right; I'm not sure whether "his own" or "its own" was intended (but the "a Control Relay Server in the -28 didn't seem wrong to me either). Section 4.1 In step 3, the Relay Client selects the services for which it registers and lists them in the REG_REQ parameter. The Relay Client registers for the Control Data Relay service by listing the RELAY_UDP_HIP value in the request parameter. If the Relay Client requires also ESP relaying over UDP, it lists also RELAY_UDP_ESP. (This is one of the five "Control Data Relay"s I mention previously.) I'd suggest using "Data Relay Service" in combination with RELAY_UDP_ESP to reinforce the link between the two terms. The current "mix and match" of "Control [...] Relay" and "RELAY_UDP_ESP" requires more effort to understand than using a uniform set of terminology would. ECHO_REQUEST_SIGNED . In case the Data Relay Server admitted a new relayed UDP port for the Data Relay Client, the REG_RES parameter MUST list RELAY_UDP_ESP as a service and the UPDATE message MUST also include a RELAYED_ADDRESS parameter describing the relayed UDP port. nit: "admitted" is a surprising word choice, to me. Section 4.2 local preference value MUST be unique. Dual-stack considerations for IPv6 apply also here as defined in [RFC8445] in section 5.1.2.2. It looks like this should be 5.1.2.1, not 5.1.2.2. where Ta is the value used for the connectivity check pacing and Num- Of-Cands is the sum of server-reflexive and relay candidates. A smaller value than 500 ms for the RTO MUST NOT be used. nit: I don't think addition is defined on (set-of-server-reflexive candidates, set-of-relay candidates); presumably there's some missing "number of"s here. Section 4.3 In step 4, the Responder concludes the base exchange with an R2 packet. If the Initiator chose ICE NAT traversal mode, the Responder nit(?): s/ICE NAT/ICE-HIP-UDP/? Section 4.5 repeated here. Similarly, the NAT traversal mode negotiation process (denoted as NAT_TM in the example) was described in Section 4.3 and is neither repeated here. If a Control Relay Server receives an R1 nit: AFAIK this is not a correct usage of "neither". It is RECOMMENDED that the Initiator send an I1 packet encapsulated in UDP when it is destined to an IPv4 address of the Responder. Respectively, the Responder MUST respond to such an I1 packet with a UDP-encapsulated R1 packet, and also the rest of the communication related to the HIP association MUST also use UDP encapsulation. Is this Responder behavior also restricted to IPv4? Server. The Control Relay Server protects the I1 packet with RELAY_HMAC as described in [RFC8004], except that the parameter type is different (see Section 5.8). The Control Relay Server changes the I suggest dropping the 8004 reference and just using Section 5.8 of this document. In step 3, the Responder receives the I1 packet. The Responder processes it according to the rules in [RFC7401]. In addition, the Responder validates the RELAY_HMAC according to [RFC8004] and silently drops the packet if the validation fails. The Responder [likewise here] In step 7, the Responder receives the I2 packet and processes it according to [RFC7401]. The Responder validates the RELAY_HMAC according to [RFC8004] and silently drops the packet if the validation fails. It replies with an R2 packet and includes a [and here] Hosts MUST include the address of one or more Control Relay Servers (including the one that is being used for the initial signaling) in the LOCATOR_SET parameter in I2 and R2 if they intend to use such servers for relaying HIP signaling immediately after the base exchange completes. The traffic type of these addresses MUST be "HIP signaling" and they MUST NOT be used as HIP candidates. If the I'm not sure I understand how the recipient will know that a given "HIP signaling" candidate is intended only for signaling and is not to be used as a HIP candidate. Is that inherent to the "HIP signaling" traffic type (vs. ESP)? (We don't seem to define "HIP candidate" specifically", which probably contributes to my confusion.) Section 4.6.2 All of the connectivity check packets MUST be protected with HMACs and signatures (even though the illustrations in this specification omit them for simplicity). Each connectivity check sent by a host Are these the RELAY_HMACs defined by this document or the normal HIP_MAC? [RFC7401] states that UPDATE packets have to include either a SEQ or ACK parameter (or both). According to the RFC, each SEQ parameter should be acknowledged separately. In the context of NATs, this I'm not finding where RFC 7401 says that each SEQ parameter should be "acknowledged separately". (A few sentences later we say that an ACK parameter may acknowledge multiple sequence identifiers, too...) Full ICE procedures for prioritizing candidates, eliminating redundant candidates, forming check lists (including pruning) and triggered check-queues MUST be followed as specified in section 6.1 [RFC8445], with the exception that the foundation, frozen candidates nit: missing "of" Section 4.7.2 traversal mode as one of the supported modes in the R1 packet. If the Responder has registered to a Control Relay Server in order to discover its address candidates, it MUST also include a LOCATOR_SET parameter in R1 that contains a preferred address where the Responder Previous mentions of LOCATOR_SET have mandated an ENCRYPTED container. If this instance is notable in its exception from that, I suggest calling it out explicitly as not encrypted; otherwise, I think a reminder might be in order. is able to receive UDP-encapsulated ESP and HIP packets. This locator MUST be of type "Transport address", its Traffic type MUST be "both", and it MUST have the "Preferred bit" set (see Table 1). If there is no such locator in R1, the source address of R1 is used as the Responder's preferred address. Given the last sentence, it seems like the "MUST also include [...] preferred address" is unenforceable by the Initiator. Section 4.9 responds with an UPDATE with ECHO_REQ_SIGN as described in step 3 in Figure 6. Upon receiving the valid response from host M as described in step 6, the peer host MUST restart the connectivity checks with host M. This way, both hosts start the connectivity checks roughly in a synchronized way. It is also important that peer host does not restart the connectivity checks until it has received a valid "fresh" confirmation from host M because the UPDATE message carrying locators could be replayed by an attacker. Can you remind me which step this "fresh" confirmation is in? Step 6 doesn't really seem to match that description... Section 5.4 The format of NAT traversal mode parameter is borrowed from Legacy ICE-HIP [RFC5770]. The format of the NAT_TRAVERSAL_MODE parameter is "Borrowed from"? It had darn well better be *the same as* (i.e., "retained from") the RFC 5770 format, the way we're using the IANA registry for NAT traversal modes... (The "defined in [RFC5770]. but repeated for completeness" language we use for TRANSACTION_PACING seems much better.) Section 5.7 Should we say that the LOCATOR_SET must always appear within an ENCRYPTED wrapper? Section 6.1 It's hard to see the phrase "requires further experimentation" in a proposed standard. (Maybe it shouldn't be, given the "proposed" part, but in practice it seems to be.) Perhaps we could just say that which host addresses to exclude from the LOCATOR_SET is a matter of local policy? This scenario is referred to as the hairpin problem [RFC5128]. With such a legacy NAT, the only option left would be to use a relayed transport address from an Control Relay Server server. Data Relay Server, no? (Also, nit: "Server server".) Section 6.7 replay attacks that are difficult to prevent. The connectivity checks in this protocol are immune against replay attacks because a connectivity request includes a random nonce that the recipient must sign and send back as a response. If I was feeling particularly pedantic I'd request "effectively immune", since there is the minor risk of collision in the random nonce values. Section 10.1 RFC 5766 could probably be just an informative reference; RFCs 6146 and 6147 as well. Section 10.2 I'm not sure that we still need to reference RFC 5245 (vs. 8445)? The status of RFC 5770 is less clear; in Section 5 we note that "most of the parameters are shown for the sake of completeness", implying that not all are shown, which would in theory leave a normative dependency on RFC 5770 for those parameters' interpretation. Similarly, the status of RFC 3948 is also less clear; we do use a fair bit of machinery from it and it's not trivially clear that we reproduce everything that is needed. Could we get "draft-rosenberg-mmusic-ice-nonsip" included in the [MMUSIC-ICE] reference, assuming that's the right I-D? Similarly, a draft name for [HIP-MIDDLE] would be helpful. Appendix A ["further experimentation" here as well]
- [Hipsec] Benjamin Kaduk's Discuss on draft-ietf-h… Benjamin Kaduk via Datatracker
- Re: [Hipsec] Benjamin Kaduk's Discuss on draft-ie… Miika Komu