Re: [ippm] Secdir early review of draft-ietf-ippm-capacity-protocol-04
"MORTON JR., AL" <acmorton@att.com> Thu, 25 May 2023 14:19 UTC
Return-Path: <acmorton@att.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E223C13AE33; Thu, 25 May 2023 07:19:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.595
X-Spam-Level:
X-Spam-Status: No, score=-2.595 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=att.onmicrosoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wbpN5-XmDgsL; Thu, 25 May 2023 07:19:22 -0700 (PDT)
Received: from mx0b-00191d01.pphosted.com (mx0b-00191d01.pphosted.com [67.231.157.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DEA33C13AE2D; Thu, 25 May 2023 07:19:21 -0700 (PDT)
Received: from pps.filterd (m0288868.ppops.net [127.0.0.1]) by m0288868.ppops.net-00191d01. (8.17.1.19/8.17.1.19) with ESMTP id 34PDfPDD016088; Thu, 25 May 2023 10:19:20 -0400
Received: from alpi154.enaf.aldc.att.com (sbcsmtp6.sbc.com [144.160.229.23]) by m0288868.ppops.net-00191d01. (PPS) with ESMTPS id 3qsqxuu9tf-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 25 May 2023 10:19:20 -0400
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id 34PEJI8K032634; Thu, 25 May 2023 10:19:19 -0400
Received: from zlp30483.vci.att.com (zlp30483.vci.att.com [135.47.91.189]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id 34PEJF5b032544 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 25 May 2023 10:19:15 -0400
Received: from zlp30483.vci.att.com (zlp30483.vci.att.com [127.0.0.1]) by zlp30483.vci.att.com (Service) with ESMTP id 38A59404794B; Thu, 25 May 2023 14:19:15 +0000 (GMT)
Received: from GAALPA1MSGEX1CF.ITServices.sbc.com (unknown [135.50.89.113]) by zlp30483.vci.att.com (Service) with ESMTP id DE7D5404794C; Thu, 25 May 2023 14:19:14 +0000 (GMT)
Received: from GAALPA1MSGED2CA.ITServices.sbc.com (135.50.89.132) by GAALPA1MSGEX1CF.ITServices.sbc.com (135.50.89.113) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.23; Thu, 25 May 2023 10:19:14 -0400
Received: from GAALPA1MSGETA02.tmg.ad.att.com (144.160.249.124) by GAALPA1MSGED2CA.ITServices.sbc.com (135.50.89.132) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.23 via Frontend Transport; Thu, 25 May 2023 10:19:14 -0400
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (104.47.57.48) by edgeal.exch.att.com (144.160.249.124) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.23; Thu, 25 May 2023 10:19:10 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=PME9d9dMwwKDrPqKuBHS0X+KgsTxbpGfUM0BKvYjYkVjhfviKXPynJuZVhtKheG+O+ZDokNQEh6gTt+LOA93xyj9uqrWAa0UbYslFS5I+KO7BJjVE/nC8yQfyFS2y0yICz5601AKP07nC7Xeyccg45iq4IFjp6kRpKPjb7lfzmaVqenWRI8SrKtSWlRzFhoDCOgvwEy8tQ6J8Fk7obislRbTUMnI337W0s9NnkO+RThmQhEYHnB8atmSt0vdzTt2K/SWP9HyAgQjLrSNGU5T+ZDhhmAhZn30mxJlhCur+3Nqc25MXEl96DumauCN2okYBilBwQ2NjS1TIjWTvAsevA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=oqoGOliYbUHFadYQOtG8z3p8D1xBYp9hRCl+0ozvrdI=; b=WJbpX+SoHk66Sw77Pxtl0x60niDr7SUXzOT7RCcAI5yA4RTXC8rADiB5GZq/zWlIoxjWCVUuBkwiYHjkvMr0ShzYRY8n82u+1kE6E++396BdYranKNul1U74DIXKh039Lug6+ie77iOUjUEYfTPUcKri5NllmpdbreLkZTo03v/0Pwqu3jb8ofq4NJw0oLSmzOWZlINnuWpSwKII/pIqHEDPUp+IdHT0A3YUMayZmcZ/QWM32Nz/7hGu3LspS4JeOepm4DiHagmScTFxHcf9w9Qnnqr0/Y4+whxFkTlGFGtbBd0wsxctqS1npk2qXD99pFB1e6fHOOO/NZDIbL+QkQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=att.com; dmarc=pass action=none header.from=att.com; dkim=pass header.d=att.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=att.onmicrosoft.com; s=selector2-att-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=oqoGOliYbUHFadYQOtG8z3p8D1xBYp9hRCl+0ozvrdI=; b=pgr5kgPVhWSzlM+M56+/LWa1ZtoN3Fcq1GxKI5E0C51vPhWztiIIchurVXWVZQ95wOeKsPiJnK7Y5e3+AmxtwfsyVKvngMXd64FnfgUVqm+TTGGhyUrPa6cMtgw769Ji7brvyRz5a+Wxg+0Jp03EFMn1qOLOfSDFh4XkiNImoPA=
Received: from CH0PR02MB7980.namprd02.prod.outlook.com (2603:10b6:610:105::17) by DS0PR02MB9355.namprd02.prod.outlook.com (2603:10b6:8:150::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6433.15; Thu, 25 May 2023 14:19:08 +0000
Received: from CH0PR02MB7980.namprd02.prod.outlook.com ([fe80::4ee4:9c4a:6c2a:e758]) by CH0PR02MB7980.namprd02.prod.outlook.com ([fe80::4ee4:9c4a:6c2a:e758%7]) with mapi id 15.20.6433.015; Thu, 25 May 2023 14:19:08 +0000
From: "MORTON JR., AL" <acmorton@att.com>
To: Brian Weis <bew.stds@gmail.com>
CC: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-ippm-capacity-protocol.all@ietf.org" <draft-ietf-ippm-capacity-protocol.all@ietf.org>, "ippm@ietf.org" <ippm@ietf.org>, "CIAVATTONE, LEN" <lc9892@att.com>
Thread-Topic: [ippm] Secdir early review of draft-ietf-ippm-capacity-protocol-04
Thread-Index: AQHZTuzbYBLPZe9D0kiW5s+CN9dy268CrwaggDaADfCAFqDKcIASYo2QgAixxQCAAKU/QA==
Date: Thu, 25 May 2023 14:19:08 +0000
Message-ID: <CH0PR02MB798031E81C4AC933E3311700D3469@CH0PR02MB7980.namprd02.prod.outlook.com>
References: <167797065961.46817.5654760092907121117@ietfa.amsl.com> <CH0PR02MB79807F2F36C90E0C668CF04DD3839@CH0PR02MB7980.namprd02.prod.outlook.com> <CH0PR02MB79803DDAAF360B4E44E5E5F7D3669@CH0PR02MB7980.namprd02.prod.outlook.com> <CH0PR02MB798059496506CFADD6577240D3709@CH0PR02MB7980.namprd02.prod.outlook.com> <CH0PR02MB798036C0A94A0084E08EEF79D37C9@CH0PR02MB7980.namprd02.prod.outlook.com> <6F266168-74B9-4397-8A26-5AFDD9CA4ABD@gmail.com>
In-Reply-To: <6F266168-74B9-4397-8A26-5AFDD9CA4ABD@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CH0PR02MB7980:EE_|DS0PR02MB9355:EE_
x-ms-office365-filtering-correlation-id: 0da1bb5c-555d-490e-8b1a-08db5d2b00ea
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: yGxM+EtNG/8Bqk5+fWQqnQiqkyOvBXP5Y22TCoe9J4bUTC5/A7j0ZEzheKbKOCu0X45xFPx2k59sEh8bhcw0V0+hSGuLdxS/h+BV6xnpb7sEZWHLrIDKn5hIEE7qBQXlJvLZCFWO7V4mkNSSadKmx5MitrVRWUMKojH1tQO+ykkopv6chkHK8QJqkvlYgEDbcbE0TCDGWUth3fI28F8UGZXY56R7VjXWSenT5vjDfgAfcrzlCLH8C2jtRtfIWyvVtzK7+sKoE8mLXqIlpgslJaQsXdhJXVagrQ+KTWFSrI62QqgXbtuf2z1f40YP5XgOJKkSVnVndA+O8D1OA0M4sMTgvyTaZF+T4tk1RCaEh/w8PvmJK0EUfYhywUhT3lXW+GMfd3O4RUdXlQstQ6vtSmve/mrQw0DfrD7N5INBmZfXhoFEWENvovjVoZbT+fzl5t/zAZxqGsG4tamrqN5Vpyy7xfUrPG53h0rquXVVoBxRC4N/HAIp/QFiCHCeoE75a8uCMZDYezMSXa3RLKuoom2Mw/MPUM2zYeh2GmlDXRS0kSL+JJasR2Qq7+HNmXwzv8jp6MukZwnNj7cUuJmX0cp5b0FnjCDa1wB5j2CjR6Y=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH0PR02MB7980.namprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(4636009)(396003)(346002)(376002)(39860400002)(366004)(136003)(451199021)(76116006)(71200400001)(33656002)(478600001)(83380400001)(966005)(86362001)(38100700002)(38070700005)(55016003)(122000001)(82960400001)(7696005)(26005)(6506007)(9686003)(82202003)(53546011)(186003)(41300700001)(8936002)(316002)(5660300002)(52536014)(2906002)(30864003)(54906003)(8676002)(66946007)(66556008)(66476007)(66446008)(4326008)(6916009)(64756008); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: bDgPufTLdCRRlJti+coRFGY+K2dFY4gnunwjJUXVkp+p66lOhCKcxAPxCzgwQbkAyrxmSC8OLxPpn6cW1ZVmDz0OkbRcKibBIzvil5584pbesOol0oeVRKQ4Sj//heVSViiJqUPgHuqxTvj9bpe6ZWTZSmfenUeZJrd3gfQuzELOIazMdCiraOwCob/eJNl0QjeN+y12fD6k3HcR1uvStw0QkH7H88WlYu8RzM58Mb4kpuYQAn484NGDKgVOHQ0HQT5Ee6mfTjY5fjtHf+580pHdnNxGb1oNhPParTyi9U1wThzxzXyIom9jFyv2lF0Hw5Sq7a2BhYsuuGUEHZ1U5zL3C9UszEALFzEe+HX3CCB4PnvIZwQQOvFlHEEOUAEb72kCLPGy2R426CLRYgTyrLQsaZuA8asNkPK56WdLqMd4Gq20x4FiYHB7j/cyXqcxPxbXilnvXauS41cnRzeyj8jHhvb9Oq4y7ddHH9Z146LBz3rnO2WdbAgvmLXGspxAK2aTxRzTDhEN5zXCTgQM+NGRjpa0nEkKEq7j+W8+bNpqv/FkZsilimBV5vstgOAQgDEXXdRxrfPGLo7AOOkMMC/+s6mBbH8uO+YA5PXiD7PZ/PQF5k97d3q4bFnHMwMzJiH6R/VnjEKS4zUz/9wNuT/YC/Qq1e6mZYKo15LxFrpQCDHNId/m/XQXSIPWJb1+oDiQT3VK/HhMfF+SQP/d7kHbWOIK3CbvDDwMR8ccmAsoBIZkqAfSx96rOd77xWqMCDgK43mBWn5Vq/1ssKaCZAYKNs5b8rV1fieA6NuQmDoF59mqb7ca4J3Tlsm1+R3ymANBB8DKBOrAggSqBFlXXAT6c9wDBB/64brf3XMaw69tSz1eXc5QBPBuqEJXdQZW1i6fUI/20Bmgj2ISLCDtRPDScoKR3lMlTaejvlSXf6kdqVl1SPxDmC0W9gYekLbll/QQtxzU9Kd7VxsbxTbVY77jHbvFLfFYiq76KAsMXg6Ry66UiqXOKRAQL/0Rymf8fPs9qEMCTZHN1/4Wv8R/J8mrnrXtEJolbSl+Cb/mzg61CgLnt5tOwzB6W7BpPHnZsVyvF2Pjar4lUVN7vbxMX6iNDNHiPiqMdM58qAvWGwhC8Ik4ZzfejeyMrmgiY2hXtfOkOGjZbo6IRcxYPjaA71YmLbQ9D3SAaX0P75WhPd4zylQeT6DocwX7BzIKdOvpSEdV+j89mtmPKvzYyALMCm1ztUC7SEKk5ynDX98tc4JHVx2JHujFFMi+phuulFkdhMAJvoDvvJaf/lTj3ejHz/Ikeu/e+9WTUbW87iK0KcC6+6mBmBFtcSE0c20yam0ZeIKXQRg4GudBVT5ii2zqV18ba6hk3p3A+eFv+DD7zajgej+ZWEiQWo3xVg/DIUxBR1WQPbLhCHrrARv3tjnlkQTY4Q9L0YEHzgDUKmarEkrSft7QVRGYzkaeyQhpYSOasahlyo7yYFqqQzpNXg/IDFJOo7AzDOnwrR869DTwt7xEAQx6T6BBFCCjl3JfoKnPL2rRNLwSC9GaktblyPveMKsLGkvnSvqhu6wwHAdB82s=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR02MB7980.namprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0da1bb5c-555d-490e-8b1a-08db5d2b00ea
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 May 2023 14:19:08.3198 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: e741d71c-c6b6-47b0-803c-0f3b32b07556
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 91wAcMmXvBi39LNin108wF30lhdKG9LDOhPQy6mtwv6qajVP4cCx42QjpVREob4O
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DS0PR02MB9355
X-TM-SNTS-SMTP: 3083CCFAB1E8B9C8446FA615F609B1D3B4F1141185E56C9D52A9BC029422E5222
X-Proofpoint-ORIG-GUID: ETa4u-dkW1r6rsJW9AOBrfo3QaWx7ED7
X-Proofpoint-GUID: ETa4u-dkW1r6rsJW9AOBrfo3QaWx7ED7
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.957,Hydra:6.0.573,FMLib:17.11.176.26 definitions=2023-05-25_07,2023-05-25_03,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 mlxscore=0 mlxlogscore=999 priorityscore=1501 clxscore=1011 bulkscore=0 suspectscore=0 lowpriorityscore=0 impostorscore=0 spamscore=0 adultscore=0 malwarescore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2304280000 definitions=main-2305250116
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/7NPp1nzciOWVvizvjq--bX6Spr0>
Subject: Re: [ippm] Secdir early review of draft-ietf-ippm-capacity-protocol-04
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 May 2023 14:19:25 -0000
Thanks very much, Brian. Another quick question came-up: Do we need to use different keys for the AUTH and Encrypt processes, or can we use the same long-lived key for both? Al > -----Original Message----- > From: Brian Weis <bew.stds@gmail.com> > Sent: Thursday, May 25, 2023 12:26 AM > To: MORTON JR., AL <acmorton@att.com> > Cc: secdir@ietf.org; draft-ietf-ippm-capacity-protocol.all@ietf.org; > ippm@ietf.org; CIAVATTONE, LEN <lc9892@att.com> > Subject: Re: [ippm] Secdir early review of draft-ietf-ippm-capacity-protocol- > 04 > > Hi Al, > > Many apologies for the late response. Yes, combining AES-CBC-128 ad SHA-256 is > a reasonable solution. They are often used together, and are safe to use with > long-lived keys. I notice that some of the PDUs defined in -04 (e.g., Figure > 2) have a field defined as "authDigest[AUTH_DIGEST_LENGTH](256 bits) or > Initialization Vector (IV)”, but actually both fields are needed: an IV for > AES-CBC-128, and the authDigest for SHA-256. > > Hope that helps, > Brian > > > On May 19, 2023, at 8:44 AM, MORTON JR., AL <acmorton@att.com> wrote: > > > > Hi Brian, > > > > Revising our key question: > > > > For Encrypted mode: What if we combined AES-CBC-128 with our current > Authentication HASH (SHA-256), for a complete (but two-part) solution? > > > > Will this be acceptable, given our plan to use long-lived keys? > > > > We would abandon the "authenticated encryption" preference stated earlier. > > > > please let us know, thanks, > > Al > > > > > >> -----Original Message----- > >> From: MORTON JR., AL > >> Sent: Sunday, May 7, 2023 6:55 PM > >> To: Brian Weis <bew.stds@gmail.com>; secdir@ietf.org > >> Cc: draft-ietf-ippm-capacity-protocol.all@ietf.org; ippm@ietf.org > >> Subject: RE: [ippm] Secdir early review of draft-ietf-ippm-capacity- > protocol- > >> 04 > >> > >> Hi Brian, reminder of our key question, below, > >> Al > >> > >>> -----Original Message----- > >>> From: MORTON JR., AL > >>> Sent: Sunday, April 23, 2023 9:26 AM > >>> To: Brian Weis <bew.stds@gmail.com>; secdir@ietf.org > >>> Cc: draft-ietf-ippm-capacity-protocol.all@ietf.org; ippm@ietf.org > >>> Subject: RE: [ippm] Secdir early review of draft-ietf-ippm-capacity- > >> protocol- > >>> 04 > >>> > >>> Hi Brian, > >>> > >>> We would like to receive your feedback on our proposal for a replacement > >>> encryption algorithm: > >>> > >>>> Ok. We were attracted to the "authenticated encryption" aspect of GCM, > but > >>> we > >>>> can get that with AES-CCM too. > >>> > >>> Does AES-CCM alleviate the issues and fit our plans to use long-lived > keys, > >>> etc.? > >>> > >>> With this feedback, we can proceed with updates to the draft. > >>> thanks, > >>> Al > >>> > >>>> -----Original Message----- > >>>> From: MORTON JR., AL > >>>> Sent: Sunday, March 19, 2023 5:08 PM > >>>> To: Brian Weis <bew.stds@gmail.com>; secdir@ietf.org > >>>> Cc: draft-ietf-ippm-capacity-protocol.all@ietf.org; ippm@ietf.org > >>>> Subject: RE: [ippm] Secdir early review of draft-ietf-ippm-capacity- > >>> protocol- > >>>> 04 > >>>> > >>>> Hi Brian, > >>>> > >>>> Thanks for your reply on the second SEC-DIR early review! > >>>> > >>>> We have summarized the topics for reply, below. Your review is appended. > >>>> > >>>> Al and Len > >>>> > >>>> > >>>> # Key comments and replies for discussion: > >>>> > >>>>> — The use of AES-GCM with a long-lived symmetric key (such as one > >>>>> on an RFC 7210 key chain) is not safe. ... (suggests a CBC mode) ... > >>>> and > >>>>> — Unauthenticated encryption is generally seen as risky, so when... > >>>> > >>>> Ok. We were attracted to the "authenticated encryption" aspect of GCM, > but > >>> we > >>>> can get that with AES-CCM too. The Initialization Vector (IV) will be > >>>> generated by a pseudo-random generator with unique seed for each session, > >>> and > >>>> have sufficient size to avoid duplication over the life of a long-lived > >> key. > >>>> The IV can be communicated in the clear, so we will. > >>>> > >>>>> — Also, there are some additional parameters that need to determined > >>>>> to guarantee interoperability. For example, which octets are > >>>>> encrypted, if a partial block needs to be encrypted how is it padded > >>>>> out before encryption to make a full block, and requirements on IV > >>>>> generation (e.g., that is must be from a good quality random number > >>>>> generator). > >>>> > >>>> We need to check if padding is needed for any of our PDUs, but the PDUs > >> will > >>>> be fixed size so it's a static fix. > >>>> We'll specify the IV generation method. > >>>> > >>>> > >>>> > >>>> # Tension between Security and Measurement operation: > >>>> > >>>>> — Section 5.1.1 doesn’t say the network addresses and headers are > >>>>> included in the digest. It’s generally good practice to include > >> (them)... > >>>> > >>>> Our test scope includes ISP Subscribers, so NAPT transversal is critical > >> and > >>>> precludes including the addresses. > >>>> > >>>>> ... a valid message > >>>>> (e.g., Setup Request) can be extracted and placed in a different > >>>>> measurement flow that is not intended by the original sender. This is > >>>>> a substitution attack. > >>>> > >>>> All of the IPPM test protocols are susceptible to the substitution > attack, > >>> and > >>>> there is no thorough mitigation that we know-of (including time in the > >>> digest > >>>> is a partial mitigation). > >>>> > >>>> Packet De-duplication, in DTLS and IPsec: > >>>>> This is generally seen as a feature for network > >>>>> encryption methods. > >>>> Right, but measurement systems expect to observe packet duplication when > >> it > >>>> occurs. A trade-off is required, and the primary goal is measurement. > >>>> > >>>> > >>>> # Edits and Nits: > >>>> We will take care of other requests for clarifications requested > >>>> - digest coverage > >>>> - MBZ definition > >>>> - “Support for client-server authentication ….”. > >>>> - four Security modes, but encrypted tunnel makes five - becomes a > >> paragraph > >>>> - mismatch > >>>> > >>>>> -----Original Message----- > >>>>> From: ippm <ippm-bounces@ietf.org> On Behalf Of Brian Weis via > >> Datatracker > >>>>> Sent: Saturday, March 4, 2023 5:58 PM > >>>>> To: secdir@ietf.org > >>>>> Cc: draft-ietf-ippm-capacity-protocol.all@ietf.org; ippm@ietf.org > >>>>> Subject: [ippm] Secdir early review of draft-ietf-ippm-capacity- > >> protocol- > >>> 04 > >>>>> > >>>>> Reviewer: Brian Weis > >>>>> Review result: Has Issues > >>>>> > >>>>> I have reviewed this document as part of the security directorate's > >>>>> ongoing effort to review all IETF documents being processed by the > >>>>> IESG. These comments were written primarily for the benefit of the > >>>>> security area directors. Document editors and WG chairs should treat > >>>>> these comments just like any other last call comments. > >>>>> > >>>>> General comments > >>>>> > >>>>> (1) The guidance of what bytes are included in the SHA-256 calculation > >>>>> and result placed in the authDigest field might need some enhancement. > >>>>> > >>>>> — Some places say that the authDigest field is zeroed (e.g., Section > >>>>> 4.2.2 ) and some says “The SHA-256 calculation SHALL cover all the > >>>>> preceding fields.”, which seems to omit the auhDigest field. I guess > >>>>> these aren't mutually exclusive statements, but it would be cleaner > >>>>> to have all of the description in one place so it is clear. > >>>>> > >>>>> — Section 5.1.1 doesn’t say the network addresses and headers are > >>>>> included in the digest. It’s generally good practice to include > >>>>> more context into the digest calculation so that a valid message > >>>>> (e.g., Setup Request) can’t be extracted and placed in a different > >>>>> measurement flow that is not intended by the original sender. This is > >>>>> a substitution attack. > >>>>> > >>>>> — If network addresses and headers aren’t included in the digest, > >>>>> then it will be important to describe why the substitution attack > >>>>> isn’t a threat. I understand that if NAT on the client that including > >>>>> it's network address is not possible, but there's still an issue. > >>>>> > >>>>> — Note that the inclusion of authUnixTime with the receiver > >>>>> checking “acceptable immediacy” is only a partial mitigation for a > >>>>> substitution attack, since the receiver’s notion of “acceptable > >>>>> immediacy” is apparently quite long from an attacker's perspective > >>>>> “(+/- 2.5 minutes)” and any other message including this PDU sent > >>>>> fron an attacker (e.g., with different network headers) during this > >>>>> period will be acceptable to the receiver. Reducing the window > >>>>> size won’t completely mitigate this attack either. > >>>>> > >>>>> (2) There doesn’t seem to be a definition for the MBZ octets and > >>>>> remainder bits, or a description of their purpose. (I’m guessing > >>>>> it’s “must be zero” but even that should be defined for the reader.) > >>>>> > >>>>> Specific comments > >>>>> > >>>>> Section 4.2.4. > >>>>> > >>>>> — The use of AES-GCM with a long-lived symmetric key (such as one > >>>>> on an RFC 7210 key chain) is not safe. The IV used by GCM is not a > >>>>> random IV such as used by some other modes of which you might be > >>>>> aware (e.g., CBC), but rather it is a counter that must NEVER > >>>>> repeat with that key. Ensuring no repeats is not operationally > >>>>> feasible for a key kept on a key chain. I.e., The counter must keep > >>>>> incrementing between packets, reliably stored over a reboot so that > >>>>> it isn't used again, and when the counter reaches the maximum value > >>>>> the key is not longer usable. I would recommend specifying CBC mode > >>>>> and a randomly chosen IV. > >>>>> > >>>>> — Also, there are some additional parameters that need to determined > >>>>> to guarantee interoperability. For example, which octets are > >>>>> encrypted, if a partial block needs to be encrypted how is it padded > >>>>> out before encryption to make a full block, and requirements on IV > >>>>> generation (e.g., that is must be from a good quality random number > >>>>> generator). > >>>>> > >>>>> — Unauthenticated encryption is generally seen as risky, so when > >>>>> encryption is included the the authDigest should also be used as > >>>>> it is in the other modes. Figure 2 should have both authDigest AND > >>>>> IV fields. > >>>>> > >>>>> Section 4.2.5. This section mentions that DTLS is not useful because > >>>>> “The replay protection would remove duplicated packets and prevent > >>>>> transparent measurement of this impairment.”. IPsec will also > >>>>> transparently remove duplicate packets, and since TLS is based on > >>>>> TCP, which has duplicate segment protection, I would expect that > >>>>> the application would also never see duplicate measurement PDUs > >>>>> from TLS either. This is generally seen as a feature for network > >>>>> encryption methods. > >>>>> > >>>>> Section 10. “Client-server authentication and integrity protection > >>>>> for feedback messages conveying measurements is REQUIRED.” Since > >>>>> one of the methods allows “unauthenticated mode for all messages”, > >>>>> I think this is meant to start with “Support for client-server > >>>>> authentication ….”. That is, the REQUIRED language means > >>>>> it must be implemented, but not used. > >>>>> > >>>>> Nits > >>>>> > >>>>> — Section 4.2 says “There are four security modes of operation”, > >>>>> which is also stated elsewhere, but there seems to actually be five. > >>>>> I understand that the fifth one is actually an external security > >>>>> mode that can be combined with one of the four modes (e.g., > >>>>> “unauthenticated mode for all messages”) in the PDU. It might be > >>>>> clearer to take the fifth one out of the list and just make it a > >>>>> paragraph. > >>>>> > >>>>> — Section 4.2.1 s/miss-match/mismatch/ > >>>>> > >>>>> > >>>>> _______________________________________________ > >>>>> ippm mailing list > >>>>> ippm@ietf.org > >>>>> > >>>> > >>> > >> > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/ippm__;!!Bhd > >>>>> T!lLiKK4svDahYLFenpa6d7FQa-qA1f4ltd7wjaRx1S- > >>>> YZCr9cEveGl5UOAc3B7KuEPYEWE3uif4c$
- [ippm] Secdir early review of draft-ietf-ippm-cap… Brian Weis via Datatracker
- Re: [ippm] Secdir early review of draft-ietf-ippm… MORTON JR., AL
- Re: [ippm] Secdir early review of draft-ietf-ippm… MORTON JR., AL
- Re: [ippm] Secdir early review of draft-ietf-ippm… MORTON JR., AL
- Re: [ippm] Secdir early review of draft-ietf-ippm… MORTON JR., AL
- Re: [ippm] Secdir early review of draft-ietf-ippm… Brian Weis
- Re: [ippm] Secdir early review of draft-ietf-ippm… MORTON JR., AL