Re: [Iot-directorate] Iotdir telechat review of draft-ietf-emu-rfc5448bis-07
"Eric Vyncke (evyncke)" <evyncke@cisco.com> Thu, 02 April 2020 12:03 UTC
Return-Path: <evyncke@cisco.com>
X-Original-To: iot-directorate@ietfa.amsl.com
Delivered-To: iot-directorate@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 682FD3A0DE1; Thu, 2 Apr 2020 05:03:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.6
X-Spam-Level:
X-Spam-Status: No, score=-9.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=kcjAQKNw; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=vvW40BLe
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 033xuWedFKMR; Thu, 2 Apr 2020 05:03:19 -0700 (PDT)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 928613A10C1; Thu, 2 Apr 2020 05:02:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7658; q=dns/txt; s=iport; t=1585828964; x=1587038564; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=hM0TkdXBSPKlfgW3cKZNCzD2KBzk1iGLk4i+Q54ajnI=; b=kcjAQKNwr5RVSXe+qoSFCtaVZaFFSBBzKk4zGe1gQhiLvLrZ3FMIrA7n NwMVkaJ2/cvfXeVC7UMJ4lXqfoYsGG49xzYUJlRqMsHfOeB0ESGW1fRKc rRxA2JY6M8zk/RCAxfRjsL9gUQ6cDRnnVD6eGKPgV1KOpCNywFHWHxLeo E=;
IronPort-PHdr: 9a23:3MdmqR2C/7nL9S5zsmDT+zVfbzU7u7jyIg8e44YmjLQLaKm44pD+JxKHt+51ggrPWoPWo7JfhuzavrqoeFRI4I3J8RVgOIdJSwdDjMwXmwI6B8vQBFPqKvXpYgQxHd9JUxlu+HToeUU=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CqBQDz0oVe/5RdJa1dCRwBAQEBAQcBAREBBAQBAYF7gVQkLAVsWCAECyqEG4NFA4psgl+YHoFCgRADVAoBAQEMAQEYCwoCBAEBhEQCF4IpJDgTAgMBAQsBAQUBAQECAQUEbYVWDIVwAQEBAQMBARAREQwBASwLAQsEAgEIEQMBAgMCERUCAgIlCxQBCAgCBAENBRsHgwQBgksDLgEOpBQCgTmIYnWBMoJ/AQEFhTIYggwDBoEOKowTHhqBQT+BEScggU9+PoJnAQGBHhsUGD+CUzKCLI1ogxqfDHgKgj2JUIkXhDQdgkyINQWQbI8pnBYCBAIEBQIOAQEFgWkigVdwFTsqAYI+UBgNjh0LAReDUIUUhUF0gSmOHgEB
X-IronPort-AV: E=Sophos;i="5.72,335,1580774400"; d="scan'208";a="457161361"
Received: from rcdn-core-12.cisco.com ([173.37.93.148]) by alln-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 02 Apr 2020 12:02:43 +0000
Received: from XCH-RCD-004.cisco.com (xch-rcd-004.cisco.com [173.37.102.14]) by rcdn-core-12.cisco.com (8.15.2/8.15.2) with ESMTPS id 032C2hLK028159 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 2 Apr 2020 12:02:43 GMT
Received: from xhs-rtp-001.cisco.com (64.101.210.228) by XCH-RCD-004.cisco.com (173.37.102.14) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 2 Apr 2020 07:02:43 -0500
Received: from xhs-aln-003.cisco.com (173.37.135.120) by xhs-rtp-001.cisco.com (64.101.210.228) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 2 Apr 2020 08:02:42 -0400
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-003.cisco.com (173.37.135.120) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Thu, 2 Apr 2020 07:02:42 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=EPaY33RQYTZLf4iJDZTxD4+qmw80/0D5yeiCqJfynrU1iT72rgNVs+Xw7wQwJQjl+dl3TZUhsMasXRaz0s9+zK5JpGZRQGsevvoFeA02BuOacw/xn/oT14/jGqoY3dJS7tCQjKgr8FSJ43c9N1Qp+OsieciXr2FdFPalQ02wQQIAATkCxL9koEIOuSKR/ZefW5g41t6Ke9lqAMdGNM7n5X9S7l88SwdszP3dTl+FBu/CKUBjCnm1tfRHugH1Wsx1JmBKqXOa4rmscgSIu8fV38xMSe2uCzQEdYBWKwafFOmXDutfG3/3CgTpovvqbraK6Z8Tqrl2IUm0Uqk2A+TM1w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=hM0TkdXBSPKlfgW3cKZNCzD2KBzk1iGLk4i+Q54ajnI=; b=deE2Rc6ovY1Ysy4bnB8Ok45PNBWnEH20XPTlqkQHFdQNMVG/zD8ZmipfDQjgHT5gCrOIDsX1oYtyUL6bfGMKPMyaZYBHVfUGYU4xSCQYo0WsTaX1inlTr9WENNR8Dk+x3TMJFeJXJP6oDBZuQYoZUOHYhk6Qo0fvV5MNsq5yxXUrxc530lulRokCTAK70sU+HueF6N+Td2YJt7eCQBaRwanRoZk/LrQiBdJUJJacvGIRJqJB0qmgKNEDNAGsXd+bkIDWofkxqH1n3nOC+TK8UjsEtb+HixJVbqVAC+gf0J/V2Ku5nKyPwi8+4M/NotXExM2c02EDHH8xQQiLgxdEdA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=hM0TkdXBSPKlfgW3cKZNCzD2KBzk1iGLk4i+Q54ajnI=; b=vvW40BLeMNmO070mWdJLYoErLgc5Plb6pKtrhNhrCzW0ED8it8lVlmjJAF4EGR73BHieXg+lnK0nvxN9k10qbnfx7vgMn01G6/ETOGmVJ5/K/KvXjK8+tqoYz89NvHB52c2Kw23OP2BphYHx8ZHu+JCmzVCaVm5abccVwhkGeTc=
Received: from DM5PR11MB1753.namprd11.prod.outlook.com (2603:10b6:3:10d::13) by DM5PR11MB0076.namprd11.prod.outlook.com (2603:10b6:4:6b::28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2878.16; Thu, 2 Apr 2020 12:02:41 +0000
Received: from DM5PR11MB1753.namprd11.prod.outlook.com ([fe80::680d:e22e:72d5:67ca]) by DM5PR11MB1753.namprd11.prod.outlook.com ([fe80::680d:e22e:72d5:67ca%3]) with mapi id 15.20.2856.019; Thu, 2 Apr 2020 12:02:41 +0000
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Russ Housley <housley@vigilsec.com>, "iot-directorate@ietf.org" <iot-directorate@ietf.org>
CC: "draft-ietf-emu-rfc5448bis.all@ietf.org" <draft-ietf-emu-rfc5448bis.all@ietf.org>, "emu@ietf.org" <emu@ietf.org>
Thread-Topic: [Iot-directorate] Iotdir telechat review of draft-ietf-emu-rfc5448bis-07
Thread-Index: AQHWAhuFkCDJ/bW/eES5n3dAFMeviahl6oiA
Date: Thu, 02 Apr 2020 12:02:41 +0000
Message-ID: <FA53D655-2B0E-4E7D-9F8E-475B787E3A0B@cisco.com>
References: <158508197187.19714.2310393273939699203@ietfa.amsl.com>
In-Reply-To: <158508197187.19714.2310393273939699203@ietfa.amsl.com>
Accept-Language: fr-BE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.35.20030802
authentication-results: spf=none (sender IP is ) smtp.mailfrom=evyncke@cisco.com;
x-originating-ip: [2001:420:c0c1:36:ad33:1e6:78ba:617b]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a9ab5eff-4e75-476e-7c51-08d7d6fdbf1e
x-ms-traffictypediagnostic: DM5PR11MB0076:
x-microsoft-antispam-prvs: <DM5PR11MB00766C2987737447B60A18E9A9C60@DM5PR11MB0076.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:6430;
x-forefront-prvs: 0361212EA8
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM5PR11MB1753.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(10009020)(4636009)(366004)(136003)(396003)(346002)(39860400002)(376002)(6486002)(110136005)(4326008)(33656002)(54906003)(5660300002)(2906002)(966005)(71200400001)(316002)(478600001)(36756003)(6506007)(6512007)(66946007)(81166006)(66574012)(76116006)(186003)(53546011)(91956017)(2616005)(86362001)(66556008)(66446008)(8936002)(64756008)(8676002)(66476007)(81156014); DIR:OUT; SFP:1101;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: ohLMEgNPcMbixiEWEwrgOsiYdNf/hgiyhGEZ5q9wRogsNq95z1p5ImL/5JEKbJ0mxn8HNLiADmwpg3bDjm9mjcJgT4r/SWeWak5kGXwU1P7vDj1oh6uN24EJd+hcr38ZrLAQXIsY+HDixfMneNKJmkJK+OOP5qYyU93pL3zQV4L3BJDJaUXYiBzkEDt3cWPJS2rJ/4lVRPVGmScBi7YlTvZbq71o9cv1f7LQZ5J9mw98BWamww8Cx7WOmu5HGrK/PyP0t9kQ66FATf6fd0NwN+U9sYkyTYAMjjAjLjnUYlaSL0NgF74wgFzE8gKF6rp7X8roZ1RSJRHTK258J9OSlB4PUmpyalg714sQ2mMHl88mwqgM1JIU+CE+5dRkx+vzvmkCeLCLO5v1qYLKVhMycfSKvVxfDfrdsYntZ3xdO/ePmG3mbujkyrAwbx98zJLKvoTStuoYLo0bMeJacVYAz7foA/avMUnlzIS7cyIGmvUpvjKVCl/sMrT1+6tMnpzwU8srX0Oe4jay19CAy6YNqw==
x-ms-exchange-antispam-messagedata: EpHTURz9tEp8n6AkBwVZjvEaisQ/OuituiG6OTWAQ7rSRvuR28F22kF3jfecdc0cvUSkG41wZW0rVTUmK5hBVHzAEMOTZ3fIrNniqJbXZMO8B4mOsJeBLzhzAafkZ4J4AsZcWqFxYvdZB/tKZG8hiOL0uCbVq8jatdeJWYI0hp2Ug8ieM8CR/0IP6EM19yOGv1hoqkXtQR98paGdU60sZQ==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <471C2B7C1A45CF4384D672CB51BC6127@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: a9ab5eff-4e75-476e-7c51-08d7d6fdbf1e
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Apr 2020 12:02:41.6761 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: DHYieGVnvHXWj39k5b6u3KKQNdg+fG5OAlolrul5Ed+WX3HqL40bK8lCdEVWxgBkww1SONnalafhglu0vdAEzw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR11MB0076
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.14, xch-rcd-004.cisco.com
X-Outbound-Node: rcdn-core-12.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-directorate/65YhZgc9zWC4PAviVZloKgz9ViE>
Subject: Re: [Iot-directorate] Iotdir telechat review of draft-ietf-emu-rfc5448bis-07
X-BeenThere: iot-directorate@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Mailing list for the IoT Directorate Members <iot-directorate.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-directorate>, <mailto:iot-directorate-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-directorate/>
List-Post: <mailto:iot-directorate@ietf.org>
List-Help: <mailto:iot-directorate-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-directorate>, <mailto:iot-directorate-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Apr 2020 12:03:22 -0000
Belated thank you Russ for the review, my ballot will take this into account. -éric -----Original Message----- From: Iot-directorate <iot-directorate-bounces@ietf.org> on behalf of Russ Housley via Datatracker <noreply@ietf.org> Reply-To: Russ Housley <housley@vigilsec.com> Date: Tuesday, 24 March 2020 at 21:33 To: "iot-directorate@ietf.org" <iot-directorate@ietf.org> Cc: "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-emu-rfc5448bis.all@ietf.org" <draft-ietf-emu-rfc5448bis.all@ietf.org>, "emu@ietf.org" <emu@ietf.org> Subject: [Iot-directorate] Iotdir telechat review of draft-ietf-emu-rfc5448bis-07 Reviewer: Russ Housley Review result: Ready with Issues I reviewed this document as part of the IoT Directorate's effort to IoT-related IETF documents being processed by the IESG. These comments were written primarily for the benefit of the Internet Area Directors. Document authors, document editors, and WG chairs should treat these comments just like any other IETF Last Call comments. Document: draft-ietf-emu-rfc5448bis-07 Reviewer: Russ Housley Review Date: 2020-03-24 IETF LC End Date: 2020-01-29 IESG Telechat date: 2020-04-09 A review from the IoT Directorate was requested on 2020-03-23, which is after the IETF Last Call ended. I assume that the Internet ADs want this review to help inform them during IESG Evaluation. Note: I did not review the Appendices. Summary: Ready with Issues Major Concerns: Section 5.2 says: The pseudonym usernames and fast re-authentication identities MUST be generated in a cryptographically secure way so that that it is computationally infeasible for an attacker to differentiate two identities belonging to the same user from two identities belonging to different users. This can be achieved, for instance, by using random or pseudo-random identifiers such as random byte strings or ciphertexts. See also [RFC4086] for guidance on random number generation. It is not clear to me that a random number generator is needed to hide the identities. For example, a hash of a configured secret value and a counter are probably good enough. There are clearly other ways to do it too, and some of them need a random number generator. Because of the way this is worded, it is not clear not me that my proposed solution would meet the MUST statement. I do not think we want to make this harder than necessary. Section 7 says: In general, it is expected that the current negotiation capabilities in EAP-AKA' are sufficient for some types of extensions and cryptographic agility, including adding Perfect Forward Secrecy ([I-D.ietf-emu-aka-pfs]) and perhaps others. But as with how EAP-AKA' itself came about, some larger changes may require a new EAP method type. I do not think it it appropriate to claim cryptographic agility when SHA-256 and HMAC-SHA-256 are hardwired. It would be better to say that a new EAP method will be defined to change the algorithms (as was done to make EAP-AKA' in the first place). Minor Concerns: Section 1 includes the summary of changes from RFC 5448. However, it does not mention the addition of Sections 3.5 and 4.1. Please add them. Section 3.1 says: Only the server sends the AT_KDF_INPUT attribute. The value is sent as specified in [TS-3GPP.24.302] for both non-3GPP access networks for 5G access networks. There are some missing words here. I am not really sure what is intended, so I cannot offer a fix. Section 5.3.1 says: Again, the identity MUST be used exactly as sent. Please delete! Saying it twice does not make it a stronger MUST. Section 7.2: s/encrypt all payload traffic after encryption/ /encrypt all payload traffic after authentication/ Nits: Section 1: s/ non-goal of this draft/ non-goal of this memo/ There is a misalignment in the bottom box in Figure 1. This is surprising because the figure is otherwise identical to the one in RFC 5448. In Section 3.5: The introduction to the numbered columns is simply "In addition:". For clarity, I think it would be better to say something like: The numbered columns indicate the quantity of the attribute within the message as follows: Section 5.1: s/(see Section 5.3.2 and Section 5.3.2.1./ /(see Section 5.3.2 and Section 5.3.2.1)./ Section 5.3: s/as defined in this RFC/as defined in Section 5.1/ I suggest the following structure for Section 5.3.1: 5.3.1. Key Derivation 5.3.1.1 Format of the SUPI 5.3.1.2 Format of the other identities Section 6: s/Peer-Id is null string/Peer-Id is the null string/ Section 7.2: s/recommendations from Section 5.2 need to be followed to avoid this. Section 7.2: s/following the recommendations in Section 5.2 mitigate this concern./ -- Iot-directorate mailing list Iot-directorate@ietf.org https://www.ietf.org/mailman/listinfo/iot-directorate
- [Iot-directorate] Iotdir telechat review of draft… Russ Housley via Datatracker
- Re: [Iot-directorate] Iotdir telechat review of d… Eric Vyncke (evyncke)