Re: [ippm] draft-ietf-ippm-ioam-data-integrity
Tommy Pauly <tpauly@apple.com> Tue, 13 June 2023 16:22 UTC
Return-Path: <tpauly@apple.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60940C14CE30 for <ippm@ietfa.amsl.com>; Tue, 13 Jun 2023 09:22:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GKaLFsWDPjiS for <ippm@ietfa.amsl.com>; Tue, 13 Jun 2023 09:22:36 -0700 (PDT)
Received: from ma-mailsvcp-mx-lapp03.apple.com (ma-mailsvcp-mx-lapp03.apple.com [17.32.222.24]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69BC0C151531 for <ippm@ietf.org>; Tue, 13 Jun 2023 09:22:23 -0700 (PDT)
Received: from rn-mailsvcp-mta-lapp04.rno.apple.com (rn-mailsvcp-mta-lapp04.rno.apple.com [10.225.203.152]) by ma-mailsvcp-mx-lapp03.apple.com (Oracle Communications Messaging Server 8.1.0.22.20230228 64bit (built Feb 28 2023)) with ESMTPS id <0RW700KQC9H5K710@ma-mailsvcp-mx-lapp03.apple.com> for ippm@ietf.org; Tue, 13 Jun 2023 09:22:22 -0700 (PDT)
X-Proofpoint-ORIG-GUID: ZEXLVSJslAMVkIr371IDEOP2eF1Ma3Dv
X-Proofpoint-GUID: ZEXLVSJslAMVkIr371IDEOP2eF1Ma3Dv
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.573, 18.0.942 definitions=2023-05-10_04:2023-05-05, 2023-05-10 signatures=0
X-Proofpoint-Spam-Details: rule=interactive_user_notspam policy=interactive_user score=0 suspectscore=0 spamscore=0 adultscore=0 bulkscore=0 mlxscore=0 mlxlogscore=999 malwarescore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2304280000 definitions=main-2305100143
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=20180706; bh=DBw0f75iw5I+PgsZLSj62rfv3p1IXObf4NDxgXlOQNU=; b=CsqZGfyiYASHr8x1y+aUvSTmOjVAJeeGjqXsRMYmJNrfMdwlyj2SqB11pEhdEJaMgUXz s/+U3krtHiQcaQrCRIx08BHKpBjRSWz6EcFLXuKpDzLNuqtaMB/a5uMqCowYtmJfifoF KAF/c+h+BO3OLwq512FHB3qjWmh56GTt/JSSIKvutMWeF8D0lSJ8SrNr/4i/NcFDB9T9 WP/RZbQKV1Vf1K7yJ/U1RUumRKBUUEcFOVLH3yIvqPAy0ia4WAfrkOyb/2bWWYDd4U9n P1GntYF/6XLdlD+YAO4a+h/aSXHZKaADSowtfsqOFShTXfeNhxkv1A13a6xBbqPfODRE zg==
Received: from rn-mailsvcp-mmp-lapp04.rno.apple.com (rn-mailsvcp-mmp-lapp04.rno.apple.com [17.179.253.17]) by rn-mailsvcp-mta-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.22.20230228 64bit (built Feb 28 2023)) with ESMTPS id <0RW700JH49H83RE0@rn-mailsvcp-mta-lapp04.rno.apple.com>; Tue, 13 Jun 2023 09:22:20 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp04.rno.apple.com by rn-mailsvcp-mmp-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.22.20230228 64bit (built Feb 28 2023)) id <0RW70060093LPH00@rn-mailsvcp-mmp-lapp04.rno.apple.com>; Tue, 13 Jun 2023 09:22:20 -0700 (PDT)
X-Va-A:
X-Va-T-CD: e6091e616f2742cf5fde7f1935bb449e
X-Va-E-CD: 0bcc6c31f70f3dc7506ef096334b6f2f
X-Va-R-CD: d80fc7e42aa726f61d7c73ea7bd4fd87
X-Va-ID: 1553cc23-62e7-4b8b-bd67-6eaa45327990
X-Va-CD: 0
X-V-A:
X-V-T-CD: e6091e616f2742cf5fde7f1935bb449e
X-V-E-CD: 0bcc6c31f70f3dc7506ef096334b6f2f
X-V-R-CD: d80fc7e42aa726f61d7c73ea7bd4fd87
X-V-ID: f0bf431e-080d-44a9-8cea-abf2bd529617
X-V-CD: 0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.573, 18.0.957 definitions=2023-06-13_18:2023-06-12, 2023-06-13 signatures=0
Received: from smtpclient.apple (unknown [17.11.55.22]) by rn-mailsvcp-mmp-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.22.20230228 64bit (built Feb 28 2023)) with ESMTPSA id <0RW700G6J9H8YB00@rn-mailsvcp-mmp-lapp04.rno.apple.com>; Tue, 13 Jun 2023 09:22:20 -0700 (PDT)
Content-type: text/plain; charset="utf-8"
MIME-version: 1.0 (Mac OS X Mail 16.0 \(3731.600.5\))
From: Tommy Pauly <tpauly@apple.com>
In-reply-to: <bd1ed58e-0ff5-98f3-0e6b-abea7439a363@uliege.be>
Date: Tue, 13 Jun 2023 09:22:10 -0700
Cc: IETF IPPM WG <ippm@ietf.org>, IPPM Chairs <ippm-chairs@ietf.org>, draft-ietf-ippm-ioam-data-integrity@ietf.org
Content-transfer-encoding: quoted-printable
Message-id: <F7F0508E-D85C-43E8-A267-2F90ABC61E3E@apple.com>
References: <bd1ed58e-0ff5-98f3-0e6b-abea7439a363@uliege.be>
To: Justin Iurman <justin.iurman@uliege.be>
X-Mailer: Apple Mail (2.3731.600.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/SkK2RrUlUEwrjuk6noTX5RAp1PI>
Subject: Re: [ippm] draft-ietf-ippm-ioam-data-integrity
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jun 2023 16:22:43 -0000
Hi Justin, Thanks for highlighting this to the group. I think defining only the symmetric key solution in this document still achieves the goal of adding integrity to IOAM data, and should be sufficient. Since the document establishes a registry for algorithms, can we define things such that this document only adds a symmetric algorithm, but leaves it open for future documents to add asymmetric if necessary (and discuss the difficulties around asymmetric currently, but mention that new documents could define it)? We’ll also want to get more security area reviews on this, but this sounds like a good starting place to me. Best, Tommy > On May 31, 2023, at 7:32 AM, Justin Iurman <justin.iurman@uliege.be> wrote: > > Hi ippm, chairs, > > Today, we (the authors) discussed an important section of the draft and found an issue with our asymmetric key-based signature algorithm (i.e., ECDSA p256 with SHA256). Indeed, it looks like it is way too complicated to end up with a working solution, not to say maybe even impossible for the use case. This observation is also based on the feedback received from an implementer. Very briefly, the issue comes from the signature chain. A node's signature would be over (a) the previous signature and (b) the (hashed) inserted data by the node. We *cannot* afford to hash the whole thing (which is usually the case for a signature), since we need a way to "go back" (i.e., to check the signature chain in the reverse order, with public keys). Therefore, we need the previous signature to stay outside of the hash. But if we do so, the input size (provided to the signature algorithm) would be too big. As a consequence, we don't believe there is a good solution for this. Note that, on second thought, ECDSA is not used for encryption and is "only" a signature algorithm, which might not be the perfect fit for what we want (i.e., to decrypt/retrieve data). A possibility would be to use something else (e.g., RSA), without the certainty that it would even work (and the signature size would be much bigger in that case). > > TL;DR > > What we propose here is to not over complicate things unnecessarily and have only the symmetric key-based signature algorithm defined in the draft (i.e., remove the problematic asymmetric key-based signature algorithm). After all, asymmetric algorithms are usually used to safely exchange (symmetric/shared) keys, which makes us think that it's probably not worth it. If anyone thinks otherwise, please say so. If you're a security expert and think we're wrong, please speak up. We hope for feedback from the WG. > > Thanks, > The authors > > _______________________________________________ > ippm mailing list > ippm@ietf.org > https://www.ietf.org/mailman/listinfo/ippm
- [ippm] draft-ietf-ippm-ioam-data-integrity Justin Iurman
- Re: [ippm] draft-ietf-ippm-ioam-data-integrity Tommy Pauly
- Re: [ippm] draft-ietf-ippm-ioam-data-integrity Justin Iurman