IETF Logo Mail Archive

Re: [ippm] Secdir early review of draft-ietf-ippm-capacity-protocol-04

"MORTON JR., AL" <acmorton@att.com> Thu, 25 May 2023 14:19 UTC

Return-Path: <acmorton@att.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E223C13AE33; Thu, 25 May 2023 07:19:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.595
X-Spam-Level:
X-Spam-Status: No, score=-2.595 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=att.onmicrosoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wbpN5-XmDgsL; Thu, 25 May 2023 07:19:22 -0700 (PDT)
Received: from mx0b-00191d01.pphosted.com (mx0b-00191d01.pphosted.com [67.231.157.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DEA33C13AE2D; Thu, 25 May 2023 07:19:21 -0700 (PDT)
Received: from pps.filterd (m0288868.ppops.net [127.0.0.1]) by m0288868.ppops.net-00191d01. (8.17.1.19/8.17.1.19) with ESMTP id 34PDfPDD016088; Thu, 25 May 2023 10:19:20 -0400
Received: from alpi154.enaf.aldc.att.com (sbcsmtp6.sbc.com [144.160.229.23]) by m0288868.ppops.net-00191d01. (PPS) with ESMTPS id 3qsqxuu9tf-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 25 May 2023 10:19:20 -0400
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id 34PEJI8K032634; Thu, 25 May 2023 10:19:19 -0400
Received: from zlp30483.vci.att.com (zlp30483.vci.att.com [135.47.91.189]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id 34PEJF5b032544 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 25 May 2023 10:19:15 -0400
Received: from zlp30483.vci.att.com (zlp30483.vci.att.com [127.0.0.1]) by zlp30483.vci.att.com (Service) with ESMTP id 38A59404794B; Thu, 25 May 2023 14:19:15 +0000 (GMT)
Received: from GAALPA1MSGEX1CF.ITServices.sbc.com (unknown [135.50.89.113]) by zlp30483.vci.att.com (Service) with ESMTP id DE7D5404794C; Thu, 25 May 2023 14:19:14 +0000 (GMT)
Received: from GAALPA1MSGED2CA.ITServices.sbc.com (135.50.89.132) by GAALPA1MSGEX1CF.ITServices.sbc.com (135.50.89.113) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.23; Thu, 25 May 2023 10:19:14 -0400
Received: from GAALPA1MSGETA02.tmg.ad.att.com (144.160.249.124) by GAALPA1MSGED2CA.ITServices.sbc.com (135.50.89.132) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.23 via Frontend Transport; Thu, 25 May 2023 10:19:14 -0400
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (104.47.57.48) by edgeal.exch.att.com (144.160.249.124) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.23; Thu, 25 May 2023 10:19:10 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=PME9d9dMwwKDrPqKuBHS0X+KgsTxbpGfUM0BKvYjYkVjhfviKXPynJuZVhtKheG+O+ZDokNQEh6gTt+LOA93xyj9uqrWAa0UbYslFS5I+KO7BJjVE/nC8yQfyFS2y0yICz5601AKP07nC7Xeyccg45iq4IFjp6kRpKPjb7lfzmaVqenWRI8SrKtSWlRzFhoDCOgvwEy8tQ6J8Fk7obislRbTUMnI337W0s9NnkO+RThmQhEYHnB8atmSt0vdzTt2K/SWP9HyAgQjLrSNGU5T+ZDhhmAhZn30mxJlhCur+3Nqc25MXEl96DumauCN2okYBilBwQ2NjS1TIjWTvAsevA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=oqoGOliYbUHFadYQOtG8z3p8D1xBYp9hRCl+0ozvrdI=; b=WJbpX+SoHk66Sw77Pxtl0x60niDr7SUXzOT7RCcAI5yA4RTXC8rADiB5GZq/zWlIoxjWCVUuBkwiYHjkvMr0ShzYRY8n82u+1kE6E++396BdYranKNul1U74DIXKh039Lug6+ie77iOUjUEYfTPUcKri5NllmpdbreLkZTo03v/0Pwqu3jb8ofq4NJw0oLSmzOWZlINnuWpSwKII/pIqHEDPUp+IdHT0A3YUMayZmcZ/QWM32Nz/7hGu3LspS4JeOepm4DiHagmScTFxHcf9w9Qnnqr0/Y4+whxFkTlGFGtbBd0wsxctqS1npk2qXD99pFB1e6fHOOO/NZDIbL+QkQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=att.com; dmarc=pass action=none header.from=att.com; dkim=pass header.d=att.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=att.onmicrosoft.com; s=selector2-att-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=oqoGOliYbUHFadYQOtG8z3p8D1xBYp9hRCl+0ozvrdI=; b=pgr5kgPVhWSzlM+M56+/LWa1ZtoN3Fcq1GxKI5E0C51vPhWztiIIchurVXWVZQ95wOeKsPiJnK7Y5e3+AmxtwfsyVKvngMXd64FnfgUVqm+TTGGhyUrPa6cMtgw769Ji7brvyRz5a+Wxg+0Jp03EFMn1qOLOfSDFh4XkiNImoPA=
Received: from CH0PR02MB7980.namprd02.prod.outlook.com (2603:10b6:610:105::17) by DS0PR02MB9355.namprd02.prod.outlook.com (2603:10b6:8:150::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6433.15; Thu, 25 May 2023 14:19:08 +0000
Received: from CH0PR02MB7980.namprd02.prod.outlook.com ([fe80::4ee4:9c4a:6c2a:e758]) by CH0PR02MB7980.namprd02.prod.outlook.com ([fe80::4ee4:9c4a:6c2a:e758%7]) with mapi id 15.20.6433.015; Thu, 25 May 2023 14:19:08 +0000
From: "MORTON JR., AL" <acmorton@att.com>
To: Brian Weis <bew.stds@gmail.com>
CC: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-ippm-capacity-protocol.all@ietf.org" <draft-ietf-ippm-capacity-protocol.all@ietf.org>, "ippm@ietf.org" <ippm@ietf.org>, "CIAVATTONE, LEN" <lc9892@att.com>
Thread-Topic: [ippm] Secdir early review of draft-ietf-ippm-capacity-protocol-04
Thread-Index: AQHZTuzbYBLPZe9D0kiW5s+CN9dy268CrwaggDaADfCAFqDKcIASYo2QgAixxQCAAKU/QA==
Date: Thu, 25 May 2023 14:19:08 +0000
Message-ID: <CH0PR02MB798031E81C4AC933E3311700D3469@CH0PR02MB7980.namprd02.prod.outlook.com>
References: <167797065961.46817.5654760092907121117@ietfa.amsl.com> <CH0PR02MB79807F2F36C90E0C668CF04DD3839@CH0PR02MB7980.namprd02.prod.outlook.com> <CH0PR02MB79803DDAAF360B4E44E5E5F7D3669@CH0PR02MB7980.namprd02.prod.outlook.com> <CH0PR02MB798059496506CFADD6577240D3709@CH0PR02MB7980.namprd02.prod.outlook.com> <CH0PR02MB798036C0A94A0084E08EEF79D37C9@CH0PR02MB7980.namprd02.prod.outlook.com> <6F266168-74B9-4397-8A26-5AFDD9CA4ABD@gmail.com>
In-Reply-To: <6F266168-74B9-4397-8A26-5AFDD9CA4ABD@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CH0PR02MB7980:EE_|DS0PR02MB9355:EE_
x-ms-office365-filtering-correlation-id: 0da1bb5c-555d-490e-8b1a-08db5d2b00ea
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: yGxM+EtNG/8Bqk5+fWQqnQiqkyOvBXP5Y22TCoe9J4bUTC5/A7j0ZEzheKbKOCu0X45xFPx2k59sEh8bhcw0V0+hSGuLdxS/h+BV6xnpb7sEZWHLrIDKn5hIEE7qBQXlJvLZCFWO7V4mkNSSadKmx5MitrVRWUMKojH1tQO+ykkopv6chkHK8QJqkvlYgEDbcbE0TCDGWUth3fI28F8UGZXY56R7VjXWSenT5vjDfgAfcrzlCLH8C2jtRtfIWyvVtzK7+sKoE8mLXqIlpgslJaQsXdhJXVagrQ+KTWFSrI62QqgXbtuf2z1f40YP5XgOJKkSVnVndA+O8D1OA0M4sMTgvyTaZF+T4tk1RCaEh/w8PvmJK0EUfYhywUhT3lXW+GMfd3O4RUdXlQstQ6vtSmve/mrQw0DfrD7N5INBmZfXhoFEWENvovjVoZbT+fzl5t/zAZxqGsG4tamrqN5Vpyy7xfUrPG53h0rquXVVoBxRC4N/HAIp/QFiCHCeoE75a8uCMZDYezMSXa3RLKuoom2Mw/MPUM2zYeh2GmlDXRS0kSL+JJasR2Qq7+HNmXwzv8jp6MukZwnNj7cUuJmX0cp5b0FnjCDa1wB5j2CjR6Y=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH0PR02MB7980.namprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(4636009)(396003)(346002)(376002)(39860400002)(366004)(136003)(451199021)(76116006)(71200400001)(33656002)(478600001)(83380400001)(966005)(86362001)(38100700002)(38070700005)(55016003)(122000001)(82960400001)(7696005)(26005)(6506007)(9686003)(82202003)(53546011)(186003)(41300700001)(8936002)(316002)(5660300002)(52536014)(2906002)(30864003)(54906003)(8676002)(66946007)(66556008)(66476007)(66446008)(4326008)(6916009)(64756008); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: bDgPufTLdCRRlJti+coRFGY+K2dFY4gnunwjJUXVkp+p66lOhCKcxAPxCzgwQbkAyrxmSC8OLxPpn6cW1ZVmDz0OkbRcKibBIzvil5584pbesOol0oeVRKQ4Sj//heVSViiJqUPgHuqxTvj9bpe6ZWTZSmfenUeZJrd3gfQuzELOIazMdCiraOwCob/eJNl0QjeN+y12fD6k3HcR1uvStw0QkH7H88WlYu8RzM58Mb4kpuYQAn484NGDKgVOHQ0HQT5Ee6mfTjY5fjtHf+580pHdnNxGb1oNhPParTyi9U1wThzxzXyIom9jFyv2lF0Hw5Sq7a2BhYsuuGUEHZ1U5zL3C9UszEALFzEe+HX3CCB4PnvIZwQQOvFlHEEOUAEb72kCLPGy2R426CLRYgTyrLQsaZuA8asNkPK56WdLqMd4Gq20x4FiYHB7j/cyXqcxPxbXilnvXauS41cnRzeyj8jHhvb9Oq4y7ddHH9Z146LBz3rnO2WdbAgvmLXGspxAK2aTxRzTDhEN5zXCTgQM+NGRjpa0nEkKEq7j+W8+bNpqv/FkZsilimBV5vstgOAQgDEXXdRxrfPGLo7AOOkMMC/+s6mBbH8uO+YA5PXiD7PZ/PQF5k97d3q4bFnHMwMzJiH6R/VnjEKS4zUz/9wNuT/YC/Qq1e6mZYKo15LxFrpQCDHNId/m/XQXSIPWJb1+oDiQT3VK/HhMfF+SQP/d7kHbWOIK3CbvDDwMR8ccmAsoBIZkqAfSx96rOd77xWqMCDgK43mBWn5Vq/1ssKaCZAYKNs5b8rV1fieA6NuQmDoF59mqb7ca4J3Tlsm1+R3ymANBB8DKBOrAggSqBFlXXAT6c9wDBB/64brf3XMaw69tSz1eXc5QBPBuqEJXdQZW1i6fUI/20Bmgj2ISLCDtRPDScoKR3lMlTaejvlSXf6kdqVl1SPxDmC0W9gYekLbll/QQtxzU9Kd7VxsbxTbVY77jHbvFLfFYiq76KAsMXg6Ry66UiqXOKRAQL/0Rymf8fPs9qEMCTZHN1/4Wv8R/J8mrnrXtEJolbSl+Cb/mzg61CgLnt5tOwzB6W7BpPHnZsVyvF2Pjar4lUVN7vbxMX6iNDNHiPiqMdM58qAvWGwhC8Ik4ZzfejeyMrmgiY2hXtfOkOGjZbo6IRcxYPjaA71YmLbQ9D3SAaX0P75WhPd4zylQeT6DocwX7BzIKdOvpSEdV+j89mtmPKvzYyALMCm1ztUC7SEKk5ynDX98tc4JHVx2JHujFFMi+phuulFkdhMAJvoDvvJaf/lTj3ejHz/Ikeu/e+9WTUbW87iK0KcC6+6mBmBFtcSE0c20yam0ZeIKXQRg4GudBVT5ii2zqV18ba6hk3p3A+eFv+DD7zajgej+ZWEiQWo3xVg/DIUxBR1WQPbLhCHrrARv3tjnlkQTY4Q9L0YEHzgDUKmarEkrSft7QVRGYzkaeyQhpYSOasahlyo7yYFqqQzpNXg/IDFJOo7AzDOnwrR869DTwt7xEAQx6T6BBFCCjl3JfoKnPL2rRNLwSC9GaktblyPveMKsLGkvnSvqhu6wwHAdB82s=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR02MB7980.namprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0da1bb5c-555d-490e-8b1a-08db5d2b00ea
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 May 2023 14:19:08.3198 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: e741d71c-c6b6-47b0-803c-0f3b32b07556
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 91wAcMmXvBi39LNin108wF30lhdKG9LDOhPQy6mtwv6qajVP4cCx42QjpVREob4O
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DS0PR02MB9355
X-TM-SNTS-SMTP: 3083CCFAB1E8B9C8446FA615F609B1D3B4F1141185E56C9D52A9BC029422E5222
X-Proofpoint-ORIG-GUID: ETa4u-dkW1r6rsJW9AOBrfo3QaWx7ED7
X-Proofpoint-GUID: ETa4u-dkW1r6rsJW9AOBrfo3QaWx7ED7
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.957,Hydra:6.0.573,FMLib:17.11.176.26 definitions=2023-05-25_07,2023-05-25_03,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 mlxscore=0 mlxlogscore=999 priorityscore=1501 clxscore=1011 bulkscore=0 suspectscore=0 lowpriorityscore=0 impostorscore=0 spamscore=0 adultscore=0 malwarescore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2304280000 definitions=main-2305250116
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/7NPp1nzciOWVvizvjq--bX6Spr0>
Subject: Re: [ippm] Secdir early review of draft-ietf-ippm-capacity-protocol-04
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 May 2023 14:19:25 -0000

Thanks very much, Brian.

Another quick question came-up:
Do we need to use different keys for the AUTH and Encrypt processes, or can we use the same long-lived key for both?

Al

> -----Original Message-----
> From: Brian Weis <bew.stds@gmail.com>
> Sent: Thursday, May 25, 2023 12:26 AM
> To: MORTON JR., AL <acmorton@att.com>
> Cc: secdir@ietf.org; draft-ietf-ippm-capacity-protocol.all@ietf.org;
> ippm@ietf.org; CIAVATTONE, LEN <lc9892@att.com>
> Subject: Re: [ippm] Secdir early review of draft-ietf-ippm-capacity-protocol-
> 04
> 
> Hi Al,
> 
> Many apologies for the late response. Yes, combining AES-CBC-128 ad SHA-256 is
> a reasonable solution. They are often used together, and are safe to use with
> long-lived keys. I notice that some of the PDUs defined in -04 (e.g., Figure
> 2) have a field defined as "authDigest[AUTH_DIGEST_LENGTH](256 bits)  or
> Initialization Vector (IV)”, but actually both fields are needed: an IV for
> AES-CBC-128, and the authDigest for SHA-256.
> 
> Hope that helps,
> Brian
> 
> > On May 19, 2023, at 8:44 AM, MORTON JR., AL <acmorton@att.com> wrote:
> >
> > Hi Brian,
> >
> > Revising our key question:
> >
> > For Encrypted mode:  What if we combined AES-CBC-128 with our current
> Authentication HASH (SHA-256), for a complete (but two-part) solution?
> >
> > Will this be acceptable, given our plan to use long-lived keys?
> >
> > We would abandon the "authenticated encryption" preference stated earlier.
> >
> > please let us know, thanks,
> > Al
> >
> >
> >> -----Original Message-----
> >> From: MORTON JR., AL
> >> Sent: Sunday, May 7, 2023 6:55 PM
> >> To: Brian Weis <bew.stds@gmail.com>; secdir@ietf.org
> >> Cc: draft-ietf-ippm-capacity-protocol.all@ietf.org; ippm@ietf.org
> >> Subject: RE: [ippm] Secdir early review of draft-ietf-ippm-capacity-
> protocol-
> >> 04
> >>
> >> Hi Brian, reminder of our key question, below,
> >> Al
> >>
> >>> -----Original Message-----
> >>> From: MORTON JR., AL
> >>> Sent: Sunday, April 23, 2023 9:26 AM
> >>> To: Brian Weis <bew.stds@gmail.com>; secdir@ietf.org
> >>> Cc: draft-ietf-ippm-capacity-protocol.all@ietf.org; ippm@ietf.org
> >>> Subject: RE: [ippm] Secdir early review of draft-ietf-ippm-capacity-
> >> protocol-
> >>> 04
> >>>
> >>> Hi Brian,
> >>>
> >>> We would like to receive your feedback on our proposal for a replacement
> >>> encryption algorithm:
> >>>
> >>>> Ok. We were attracted to the "authenticated encryption" aspect of GCM,
> but
> >>> we
> >>>> can get that with AES-CCM too.
> >>>
> >>> Does AES-CCM alleviate the issues and fit our plans to use long-lived
> keys,
> >>> etc.?
> >>>
> >>> With this feedback, we can proceed with updates to the draft.
> >>> thanks,
> >>> Al
> >>>
> >>>> -----Original Message-----
> >>>> From: MORTON JR., AL
> >>>> Sent: Sunday, March 19, 2023 5:08 PM
> >>>> To: Brian Weis <bew.stds@gmail.com>; secdir@ietf.org
> >>>> Cc: draft-ietf-ippm-capacity-protocol.all@ietf.org; ippm@ietf.org
> >>>> Subject: RE: [ippm] Secdir early review of draft-ietf-ippm-capacity-
> >>> protocol-
> >>>> 04
> >>>>
> >>>> Hi Brian,
> >>>>
> >>>> Thanks for your reply on the second SEC-DIR early review!
> >>>>
> >>>> We have summarized the topics for reply, below. Your review is appended.
> >>>>
> >>>> Al and Len
> >>>>
> >>>>
> >>>> # Key comments and replies for discussion:
> >>>>
> >>>>> — The use of AES-GCM with a long-lived symmetric key (such as one
> >>>>> on an RFC 7210 key chain) is not safe. ... (suggests a CBC mode) ...
> >>>> and
> >>>>> — Unauthenticated encryption is generally seen as risky, so when...
> >>>>
> >>>> Ok. We were attracted to the "authenticated encryption" aspect of GCM,
> but
> >>> we
> >>>> can get that with AES-CCM too. The Initialization Vector (IV) will be
> >>>> generated by a pseudo-random generator with unique seed for each session,
> >>> and
> >>>> have sufficient size to avoid duplication over the life of a long-lived
> >> key.
> >>>> The IV can be communicated in the clear, so we will.
> >>>>
> >>>>> — Also, there are some additional parameters that need to determined
> >>>>> to guarantee interoperability. For example, which octets are
> >>>>> encrypted, if a partial block needs to be encrypted how is it padded
> >>>>> out before encryption to make a full block, and requirements on IV
> >>>>> generation (e.g., that is must be from a good quality random number
> >>>>> generator).
> >>>>
> >>>> We need to check if padding is needed for any of our PDUs, but the PDUs
> >> will
> >>>> be fixed size so it's a static fix.
> >>>> We'll specify the IV generation method.
> >>>>
> >>>>
> >>>>
> >>>> # Tension between Security and Measurement operation:
> >>>>
> >>>>> — Section 5.1.1 doesn’t say the network addresses and headers are
> >>>>> included in the digest. It’s generally good practice to include
> >> (them)...
> >>>>
> >>>> Our test scope includes ISP Subscribers, so NAPT transversal is critical
> >> and
> >>>> precludes including the addresses.
> >>>>
> >>>>> ... a valid message
> >>>>> (e.g., Setup Request) can be extracted and placed in a different
> >>>>> measurement flow that is not intended by the original sender. This is
> >>>>> a substitution attack.
> >>>>
> >>>> All of the IPPM test protocols are susceptible to the substitution
> attack,
> >>> and
> >>>> there is no thorough mitigation that we know-of (including time in the
> >>> digest
> >>>> is a partial mitigation).
> >>>>
> >>>> Packet De-duplication, in DTLS and IPsec:
> >>>>> This is generally seen as a feature for network
> >>>>> encryption methods.
> >>>> Right, but measurement systems expect to observe packet duplication when
> >> it
> >>>> occurs. A trade-off is required, and the primary goal is measurement.
> >>>>
> >>>>
> >>>> # Edits and Nits:
> >>>> We will take care of other requests for clarifications requested
> >>>> - digest coverage
> >>>> - MBZ definition
> >>>> -  “Support for client-server authentication ….”.
> >>>> - four Security modes, but encrypted tunnel makes five - becomes a
> >> paragraph
> >>>> - mismatch
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: ippm <ippm-bounces@ietf.org> On Behalf Of Brian Weis via
> >> Datatracker
> >>>>> Sent: Saturday, March 4, 2023 5:58 PM
> >>>>> To: secdir@ietf.org
> >>>>> Cc: draft-ietf-ippm-capacity-protocol.all@ietf.org; ippm@ietf.org
> >>>>> Subject: [ippm] Secdir early review of draft-ietf-ippm-capacity-
> >> protocol-
> >>> 04
> >>>>>
> >>>>> Reviewer: Brian Weis
> >>>>> Review result: Has Issues
> >>>>>
> >>>>> I have reviewed this document as part of the security directorate's
> >>>>> ongoing effort to review all IETF documents being processed by the
> >>>>> IESG. These comments were written primarily for the benefit of the
> >>>>> security area directors. Document editors and WG chairs should treat
> >>>>> these comments just like any other last call comments.
> >>>>>
> >>>>> General comments
> >>>>>
> >>>>> (1) The guidance of what bytes are included in the SHA-256 calculation
> >>>>> and result placed in the authDigest field might need some enhancement.
> >>>>>
> >>>>> — Some places say that the authDigest field is zeroed (e.g., Section
> >>>>> 4.2.2 ) and some says “The SHA-256 calculation SHALL cover all the
> >>>>> preceding fields.”, which seems to omit the auhDigest field. I guess
> >>>>> these aren't mutually exclusive statements, but it would be cleaner
> >>>>> to have all of the description in one place so it is clear.
> >>>>>
> >>>>> — Section 5.1.1 doesn’t say the network addresses and headers are
> >>>>> included in the digest. It’s generally good practice to include
> >>>>> more context into the digest calculation so that a valid message
> >>>>> (e.g., Setup Request) can’t be extracted and placed in a different
> >>>>> measurement flow that is not intended by the original sender. This is
> >>>>> a substitution attack.
> >>>>>
> >>>>> — If network addresses and headers aren’t included in the digest,
> >>>>> then it will be important to describe why the substitution attack
> >>>>> isn’t a threat. I understand that if NAT on the client that including
> >>>>> it's network address is not possible, but there's still an issue.
> >>>>>
> >>>>> — Note that the inclusion of authUnixTime with the receiver
> >>>>> checking “acceptable immediacy” is only a partial mitigation for a
> >>>>> substitution attack, since the receiver’s notion of “acceptable
> >>>>> immediacy” is apparently quite long from an attacker's perspective
> >>>>> “(+/- 2.5 minutes)” and any other message including this PDU sent
> >>>>> fron an attacker (e.g., with different network headers) during this
> >>>>> period will be acceptable to the receiver.  Reducing the window
> >>>>> size won’t completely mitigate this attack either.
> >>>>>
> >>>>> (2) There doesn’t seem to be a definition for the MBZ octets and
> >>>>> remainder bits, or a description of their purpose. (I’m guessing
> >>>>> it’s “must be zero” but even that should be defined for the reader.)
> >>>>>
> >>>>> Specific comments
> >>>>>
> >>>>> Section 4.2.4.
> >>>>>
> >>>>> — The use of AES-GCM with a long-lived symmetric key (such as one
> >>>>> on an RFC 7210 key chain) is not safe. The IV used by GCM is not a
> >>>>> random IV such as used by some other modes of which you might be
> >>>>> aware (e.g., CBC), but rather it is a counter that must NEVER
> >>>>> repeat with that key. Ensuring no repeats is not operationally
> >>>>> feasible for a key kept on a key chain. I.e., The counter must keep
> >>>>> incrementing between packets, reliably stored over a reboot so that
> >>>>> it isn't used again, and when the counter reaches the maximum value
> >>>>> the key is not longer usable. I would recommend specifying CBC mode
> >>>>> and a randomly chosen IV.
> >>>>>
> >>>>> — Also, there are some additional parameters that need to determined
> >>>>> to guarantee interoperability. For example, which octets are
> >>>>> encrypted, if a partial block needs to be encrypted how is it padded
> >>>>> out before encryption to make a full block, and requirements on IV
> >>>>> generation (e.g., that is must be from a good quality random number
> >>>>> generator).
> >>>>>
> >>>>> — Unauthenticated encryption is generally seen as risky, so when
> >>>>> encryption is included the the authDigest should also be used as
> >>>>> it is in the other modes. Figure 2 should have both authDigest AND
> >>>>> IV fields.
> >>>>>
> >>>>> Section 4.2.5. This section mentions that DTLS is not useful because
> >>>>> “The replay protection would remove duplicated packets and prevent
> >>>>> transparent measurement of this impairment.”. IPsec will also
> >>>>> transparently remove duplicate packets, and since TLS is based on
> >>>>> TCP, which has duplicate segment protection, I would expect that
> >>>>> the application would also never see duplicate measurement PDUs
> >>>>> from TLS either. This is generally seen as a feature for network
> >>>>> encryption methods.
> >>>>>
> >>>>> Section 10. “Client-server authentication and integrity protection
> >>>>> for feedback messages conveying measurements is REQUIRED.” Since
> >>>>> one of the methods allows “unauthenticated mode for all messages”,
> >>>>> I think this is meant to start with “Support for client-server
> >>>>> authentication ….”. That is, the REQUIRED language means
> >>>>> it must be implemented, but not used.
> >>>>>
> >>>>> Nits
> >>>>>
> >>>>> — Section 4.2 says “There are four security modes of operation”,
> >>>>> which is also stated elsewhere, but there seems to actually be five.
> >>>>> I understand that the fifth one is actually an external security
> >>>>> mode that can be combined with one of the four modes (e.g.,
> >>>>> “unauthenticated mode for all messages”) in the PDU. It might be
> >>>>> clearer to take the fifth one out of the list and just make it a
> >>>>> paragraph.
> >>>>>
> >>>>> — Section 4.2.1 s/miss-match/mismatch/
> >>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> ippm mailing list
> >>>>> ippm@ietf.org
> >>>>>
> >>>>
> >>>
> >>
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/ippm__;!!Bhd
> >>>>> T!lLiKK4svDahYLFenpa6d7FQa-qA1f4ltd7wjaRx1S-
> >>>> YZCr9cEveGl5UOAc3B7KuEPYEWE3uif4c$

v2.23.0 | Report a Bug | By Email