Re: [Iotops] Iotdir early review of draft-ietf-iotops-security-protocol-comparison-02

John Mattsson <john.mattsson@ericsson.com> Mon, 04 March 2024 17:26 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Russ Housley <housley@vigilsec.com>, "iotops@ietf.org" <iotops@ietf.org>
Date: Mon, 04 Mar 2024 17:25:37 +0000
Message-ID: <GVXPR07MB9678CCFD695323C83E2A4D3489232@GVXPR07MB9678.eurprd07.prod.outlook.com>
References: <168867682401.54313.7513479286780895806@ietfa.amsl.com>
In-Reply-To: <168867682401.54313.7513479286780895806@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/2aIm9mfxWs9x1jJDfy3XXVlSQDQ>

Thanks Russ,

We agree with all your comments, and we have tried to address them all in -04.

A diff from -02 to -04 can be found here:
https://author-tools.ietf.org/iddiff?url1=draft-ietf-iotops-security-protocol-comparison-02&url2=draft-ietf-iotops-security-protocol-comparison-04&difftype=--html

Major Concerns:

>Global: The document struggles with terminology.  Each of these security
>protocols have their own terms, which make comparison more difficult.
>Figure 1 shows the size of some exchanges with three flights, yet OSCORE
>and Group OSCORE do not really fit this model.  This leads me to the
>conclusion that the document needs to start with a discussion of the
>comparison methodology.

Yes. We agree that this is likely confusing to many readers. The document already had a split between “Authenticated Key Exchange Protocols” in Section 3 and “Protection of Application Data” in Section 4. The same split exists between IKEv2 and ESP as well as DTLS-SRTP and SRTP. We have expanded the document with an explanation of the difference between an AKE and a protocol for protection of application data. We have also explained which protocols belong to each category and which belong to both.

>Section 5: Yes, this document is purely informational.  Other purely
>informational RFCs have useful security considerations.  I agree that
>there is little to say here, but the Security Considerations of each
>security protocol could be referenced.

Fully agree. We have significantly expanded the security considerations.

Minor Concerns:

>Section 2: I find the first paragraph hard to put in context.  First, a
>sentence of introduction to this topic would be helpful.  Why are these
>protocols being discussed at all?  I ask because the previous section
>says that "overheads are independent of the underlying transport".
>Second, if this discussion is needed at all, it might help to describe
>the overhead that is associated with the various underlying protocols,
>and then say which security protocols are used with the underlying.

This has been one of the biggest discussion topics regarding the draft in IOTOPS. Some people asked for a complete coverage of total overhead, including all underlying layers. It was decided that this was out of scope of the document but that it was good to give some information. We have now added an introduction to the underlying layer section.

>Section 2.1: I find the section hard to put in context.  A sentence of
>introduction would be helpful.  Why is this one case explained in detail
>and the others not?

Yes. The reasons are that there was a discussion about the overhead and Marco Tiloca kindly provided the detailed text. A motivation for inclusion is that the interactions with the underlying layers are more intricate than with UDP and TCP. Agree that the section is hard to put into context. It has now been moved to an appendix.

>Section 3: References for the algorithms would be helpful.

We have now added references to the algorithms.

Nits:

>Section 3.1: It says "key/certificate identifiers included"
>(two places). I think that "key identifiers" and "certificate
>identifiers" need a few words of explanation.

We have added a sentence to explain key and certificate identifiers.

Cheers,
John Preuß Mattsson

From: Russ Housley via Datatracker <noreply@ietf.org>
Date: Thursday, 6 July 2023 at 22:53
To: iot-directorate@ietf.org <iot-directorate@ietf.org>
Cc: draft-ietf-iotops-security-protocol-comparison.all@ietf.org <draft-ietf-iotops-security-protocol-comparison.all@ietf.org>, iotops@ietf.org <iotops@ietf.org>
Subject: Iotdir early review of draft-ietf-iotops-security-protocol-comparison-02
Reviewer: Russ Housley
Review result: Not Ready

I reviewed this document as part of the IoT Directorate's effort to review
IoT-related IETF documents being processed by the IESG.  These comments
were written primarily for the benefit of the Internet Area Directors.
Document authors, document editors, and WG chairs should treat these
comments just like any other IETF Last Call comments.

Document: draft-ietf-anima-constrained-join-proxy-05
Reviewer: Russ Housley
Review Date: 2023-07-07
Review Due Date: 2023-07-24


A review from the IoT Directorate was requested on 2023-07-05.


Summary: Not Ready


Major Concerns:

Global: The document struggles with terminology.  Each of these security
protocols have their own terms, which make comparison more difficult.
Figure 1 shows the size of some exchanges with three flights, yet OSCORE
and Group OSCORE do not really fit this model.  This leads me to the
conclusion that the document needs to start with a discussion of the
comparison methodology.

Section 5: Yes, this document is purely informational.  Other purely
informational RFCs have useful security considerations.  I agree that
there is little to say here, but the Security Considerations of each
security protocol could be referenced.


Minor Concerns:

Section 2: I find the first paragraph hard to put in context.  First, a
sentence of introduction to this topic would be helpful.  Why are these
protocols being discussed at all?  I ask because the previous section
says that "overheads are independent of the underlying transport".
Second, if this discussion is needed at all, it might help to describe
the overhead that is associated with the various underlying protocols,
and then say which security protocols are used with the underlying.

Section 2.1: I find the section hard to put in context.  A sentence of
introduction would be helpful.  Why is this one case explained in detail
and the others not?

Section 3: References for the algorithms would be helpful.


Nits:

Section 3.1: It says "key/certificate identifiers included" (two places).
I think that "key identifiers" and "certificate identifiers" need a few
words of explanation.