IETF Logo Mail Archive

Re: [ippm] draft-ietf-ippm-ioam-data-integrity

Justin Iurman <justin.iurman@uliege.be> Wed, 14 June 2023 13:38 UTC

Return-Path: <justin.iurman@uliege.be>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72825C151B1E; Wed, 14 Jun 2023 06:38:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=uliege.be
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0lT2pzBIIygN; Wed, 14 Jun 2023 06:38:16 -0700 (PDT)
Received: from serv108.segi.ulg.ac.be (serv108.segi.ulg.ac.be [139.165.32.111]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E8C2C151B21; Wed, 14 Jun 2023 06:38:12 -0700 (PDT)
Received: from [192.168.1.62] (125.179-65-87.adsl-dyn.isp.belgacom.be [87.65.179.125]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by serv108.segi.ulg.ac.be (Postfix) with ESMTPSA id 587EA200CCF5; Wed, 14 Jun 2023 15:38:10 +0200 (CEST)
DKIM-Filter: OpenDKIM Filter v2.11.0 serv108.segi.ulg.ac.be 587EA200CCF5
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uliege.be; s=ulg20190529; t=1686749890; bh=bBIdzAKU6AxBPm3eo5f0f5A+VFlq6wLCDtZ5p62DiGg=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=c2QTMUrnnZQIsbXwQDozHrXE1YnF/2lyHSDgyFb03HxS5KELcS0GSCSaLSGL3Xhxz dv6hgtfs9nzLhbIO6S7GbAzWXcQlVit0T3p5jB1apoqk0Wzou1ynU4CV8FFwKouPhJ TZ4SGWqm5Vob91+09shk5w5aiPhSemV+gvuCNZx/WqUYJK8n6AQ5SA9WVtsv8xJr/L B5aOhQ2Us0i3kXLiwYlRgpP1LBy5qDgppe/IQuOnB1tgE5WjZIF+37SfuGt4UbIkG9 M7jngzeyfYxULKE8lVLQz7jCROEYomkfwfFfbjnWuR1nHgKvS23Loi4DkdQE6gAXeY gl2iXcu8rmj1A==
Message-ID: <a5611fe3-5a97-69a6-361f-2439ad01d31d@uliege.be>
Date: Wed, 14 Jun 2023 15:38:10 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.11.0
Content-Language: en-US
To: Tommy Pauly <tpauly@apple.com>
Cc: IETF IPPM WG <ippm@ietf.org>, IPPM Chairs <ippm-chairs@ietf.org>, draft-ietf-ippm-ioam-data-integrity@ietf.org
References: <bd1ed58e-0ff5-98f3-0e6b-abea7439a363@uliege.be> <F7F0508E-D85C-43E8-A267-2F90ABC61E3E@apple.com>
From: Justin Iurman <justin.iurman@uliege.be>
In-Reply-To: <F7F0508E-D85C-43E8-A267-2F90ABC61E3E@apple.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/9G9uug7e7rT_OXX6WU6l4s85OF0>
Subject: Re: [ippm] draft-ietf-ippm-ioam-data-integrity
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jun 2023 13:38:20 -0000

Hi Tommy,

Please see inline.

On 6/13/23 18:22, Tommy Pauly wrote:
> Hi Justin,
> 
> Thanks for highlighting this to the group. I think defining only the symmetric key solution in this document still achieves the goal of adding integrity to IOAM data, and should be sufficient.

[JI] Ack.

> Since the document establishes a registry for algorithms, can we define things such that this document only adds a symmetric algorithm, but leaves it open for future documents to add asymmetric if necessary (and discuss the difficulties around asymmetric currently, but mention that new documents could define it)?

[JI] Of course, that's also what we had in mind.

> We’ll also want to get more security area reviews on this, but this sounds like a good starting place to me.

[JI] Indeed. Next revision could be a good candidate for a secdir 
review. We'll discuss all this in SF.

Thanks,
Justin

> Best,
> Tommy
> 
>> On May 31, 2023, at 7:32 AM, Justin Iurman <justin.iurman@uliege.be> wrote:
>>
>> Hi ippm, chairs,
>>
>> Today, we (the authors) discussed an important section of the draft and found an issue with our asymmetric key-based signature algorithm (i.e., ECDSA p256 with SHA256). Indeed, it looks like it is way too complicated to end up with a working solution, not to say maybe even impossible for the use case. This observation is also based on the feedback received from an implementer. Very briefly, the issue comes from the signature chain. A node's signature would be over (a) the previous signature and (b) the (hashed) inserted data by the node. We *cannot* afford to hash the whole thing (which is usually the case for a signature), since we need a way to "go back" (i.e., to check the signature chain in the reverse order, with public keys). Therefore, we need the previous signature to stay outside of the hash. But if we do so, the input size (provided to the signature algorithm) would be too big. As a consequence, we don't believe there is a good solution for this. Note that, on second thought, ECDSA is not used for encryption and is "only" a signature algorithm, which might not be the perfect fit for what we want (i.e., to decrypt/retrieve data). A possibility would be to use something else (e.g., RSA), without the certainty that it would even work (and the signature size would be much bigger in that case).
>>
>> TL;DR
>>
>> What we propose here is to not over complicate things unnecessarily and have only the symmetric key-based signature algorithm defined in the draft (i.e., remove the problematic asymmetric key-based signature algorithm). After all, asymmetric algorithms are usually used to safely exchange (symmetric/shared) keys, which makes us think that it's probably not worth it. If anyone thinks otherwise, please say so. If you're a security expert and think we're wrong, please speak up. We hope for feedback from the WG.
>>
>> Thanks,
>> The authors
>>
>> _______________________________________________
>> ippm mailing list
>> ippm@ietf.org
>> https://www.ietf.org/mailman/listinfo/ippm
>

v2.23.0 | Report a Bug | By Email