Re: [icnrg] comments on ccnx key exchange draft
<Marc.Mosko@parc.com> Fri, 05 February 2016 06:02 UTC
Return-Path: <Marc.Mosko@parc.com>
X-Original-To: icnrg@ietfa.amsl.com
Delivered-To: icnrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 493091B3605 for <icnrg@ietfa.amsl.com>; Thu, 4 Feb 2016 22:02:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.348
X-Spam-Level:
X-Spam-Status: No, score=-6.348 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kvjgSkTnjZM6 for <icnrg@ietfa.amsl.com>; Thu, 4 Feb 2016 22:02:01 -0800 (PST)
Received: from smtp.parc.xerox.com (alpha.Xerox.COM [13.1.64.93]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2A9A1B3604 for <icnrg@irtf.org>; Thu, 4 Feb 2016 22:02:01 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by smtp.parc.xerox.com (Postfix) with ESMTP id 3D7B16C009F; Thu, 4 Feb 2016 22:02:01 -0800 (PST)
X-Virus-Scanned: Debian amavisd-new at newalpha.parc.com
Received: from smtp.parc.xerox.com ([127.0.0.1]) by localhost (smtp.parc.xerox.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2MH1yaz2gigW; Thu, 4 Feb 2016 22:02:01 -0800 (PST)
Received: from exchangehub.parc.xerox.com (vertigo.parc.xerox.com [13.2.13.102]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.parc.xerox.com (Postfix) with ESMTPS id 1CD196C007D; Thu, 4 Feb 2016 22:02:01 -0800 (PST)
Received: from E2010DAG5.corp.ad.parc.com ([fe80::3d0b:7158:aec4:e05e]) by vertigo.corp.ad.parc.com ([fe80::606e:47ce:f5e2:fe3a%14]) with mapi id 14.03.0266.001; Thu, 4 Feb 2016 22:02:00 -0800
From: Marc.Mosko@parc.com
To: mjs@cisco.com
Thread-Topic: [icnrg] comments on ccnx key exchange draft
Thread-Index: AQHRX5F/yrawVuqEGEavhCgpeWb5Up8dfGsA
Date: Fri, 05 Feb 2016 06:02:00 +0000
Message-ID: <F836B275-45A1-4FC3-9B90-C2D25D3DEFA1@parc.com>
References: <56B3BFF0.6060302@cisco.com>
In-Reply-To: <56B3BFF0.6060302@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [13.4.12.115]
Content-Type: text/plain; charset="utf-8"
Content-ID: <455D944EE827B0458C6D33FD2CBAFADD@ad.parc.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/icnrg/iyjrX4oDO5AIqK4ouZEoqv6h5gY>
Cc: icnrg@irtf.org
Subject: Re: [icnrg] comments on ccnx key exchange draft
X-BeenThere: icnrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Information-Centric Networking research group discussion list <icnrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/icnrg>, <mailto:icnrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/icnrg/>
List-Post: <mailto:icnrg@irtf.org>
List-Help: <mailto:icnrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/icnrg>, <mailto:icnrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Feb 2016 06:02:03 -0000
Mark, Thanks for the feedback. I’ll comment on #1 and #2. I think Chris would better answer #3 and I need to look at #4. > On Feb 4, 2016, at 1:17 PM, Mark Stapp <mjs@cisco.com> wrote: > > I've read the key exchange draft, and I've got some initial comments and questions. Let me say right up front that I'm grateful for the work that's gone into the initial version - this kind of protocol is a crucial building-block for many applications. > > Thanks, > Mark > > 1. tls vs quic > > there seems to be quite a lot of emphasis on taking advantage of ideas from quic. I didn't always find that to be compelling, mainly because the crypto parts of quic are sort of subordinated to the transport features such as multiplexing, FEC, improved loss/dup detection, modular cong-control. I think CCN has many of the same needs, and might well benefit from a capable transport protocol stack. > > however, the key-exchange draft is limited to the handshake protocol and key material derivation. the quic authors' documents say that "the quic crypto protocol is _destined to die_" [emphasis in the original] and be replaced with TLS 1.3. it'd be preferable to develop the CCN handshake and key derivation based on tls 1.3. it might be clearer to start without trying to incorporate some of the quic "optimizations", and then revisit the quic protocol when there's a desire to begin developing a CCN transport modelled on quit. I believe the basic handshake that is in the draft is TLS 1.3. The differences are: - we use the hash and hash pre-image to tie round 1 and round 2 together without source addresses. - We allow renaming the KE session to pin it to a specific name (instead of an “anycast” name). - We allow moving the session to a different system after KE finishes (the move token). I think the QUIC influence has to do with some of the message formats, certificate chain compression, etc. We need to produce a side-by-side diagram that shows how we follow TLS 1.3 and where we differ. > > 2. computational work balance during handshake > > In the absence of source address info, I think we may need to be more concerned about work balance between client and server during the handshake. there are a couple of places where that seems to me to be a potential problem [I'm using tls-tls13-11 as a reference]: > > - client sends ClientHello, provoking server into doing DH even if the client has no intention of continuing the exchange > > - client sends ClientHello, provoking a server that authenticates with a cert into producing an expensive signature proof > > [I think that first one may apply even if you stick with the quic scheme: the client generates random goop for its ClientShare1 message, and then the server has to do a DH computation to try to decrypt it.] I’m not sure how our situation is any different than DTLS. We use a similar mechanism, where the server sends a nonce (we call it nonce2) back to the client and it has to be echoed back. In the second round, yes the server must do a DH to then try and decrypt the client message. So, I think anything that might apply to our situation would also apply to (D)TLS and that we should consider working through the problem in the crypto forum. I don’t see how having source addresses makes TLS more resilient to this, when one still needs to respond with the server-provided cookie. > > 3. replay/sequence counter value and GCM > > I didn't follow where an appropriate counter would be conveyed for use in GCM. It wasn't clear to me - from the text in 6.2 for example - how that was meant to work? > > 5. cert name indication (SNI analogue) > > I think we'll need something that corresponds to SNI - Server Name Indication - the TLS extension that helps support CDNs and virtual servers. I can imagine that there may be applications that don't want to expose in the clear any more than they expose today - they reach some cdn or virtualized host, and then everything that's application-specific takes place inside the protected crypto context. > > _______________________________________________ > icnrg mailing list > icnrg@irtf.org > https://www.irtf.org/mailman/listinfo/icnrg
- [icnrg] comments on ccnx key exchange draft Mark Stapp
- Re: [icnrg] comments on ccnx key exchange draft Marc.Mosko
- Re: [icnrg] comments on ccnx key exchange draft Christopher.Wood