Re: [ippm] New Version Notification for draft-elkins-ippm-encrypted-pdmv2-00.txt

Tommaso Pecorella <tommaso.pecorella@unifi.it> Wed, 07 July 2021 13:56 UTC

Return-Path: <tommaso.pecorella@unifi.it>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C28E33A18AA for <ippm@ietfa.amsl.com>; Wed, 7 Jul 2021 06:56:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=unifi.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XuvAgdW5-mU6 for <ippm@ietfa.amsl.com>; Wed, 7 Jul 2021 06:56:14 -0700 (PDT)
Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02ABB3A18A7 for <ippm@ietf.org>; Wed, 7 Jul 2021 06:56:13 -0700 (PDT)
Received: by mail-ed1-x532.google.com with SMTP id k17so3530950edq.2 for <ippm@ietf.org>; Wed, 07 Jul 2021 06:56:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=unifi.it; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=KjG/MKcszp3JdPVFOpRdiHJjrdpR6wcyYl17i5GODKI=; b=LSv66btiUKF7NonT58qIP5rffK/bVHrHl/OE1pQ7jL+4ev7GsEIEvvCuqRG+T70FFn 0V7i0FKT8t2K9XT+7MvuFbcjR/bHObWLRlkA+Zs8YF5xT7qvTbmV2julraK/islUaccS CY06oV1BcwIAqv1zgFN1sjl0CrDGiY7++57UBFNAl2Mg0MEiqHLBP2trlf+/VPInJ2FP wdeSzjdU3SEtpQES45lPv21iXEfqw/AHe9IEv1Azl0ZJuew8uLwm2jUqTRpF7pTod9v3 vk4suuVxRuI6voBK6RTzKLeqrpAD9pPGrbLRjwvJLWdoQEDZZ1cKcxtbitLNCDZO4S8o l3gQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=KjG/MKcszp3JdPVFOpRdiHJjrdpR6wcyYl17i5GODKI=; b=gvxU21eTzgqjAyeAv3N+SyUQqk0WBl2xOl9iqoBNz3fLSWpgAO2ymvkXWCsF9F0PEO 6k7cKjkmL+cBTKZnUbJzipx9yWEXmbb/Aq/CjLYz3bpL5/cp5IDGXfBIqsouK3VPrvb6 khBtj6Y/+aol7lXJSAinDx6qCNeUvDUoTmoGOfgjCaUK3XxhkjZ9YrvRSZVDqtxBb21Q cx7Rio1n0NSJfEeLLu4ed5CtoZAEoXRda2C7HZbLIrpv0T7M0CIFaAIbcCeCyVCaJWCG S+/lYD95GsTSdLibGIhd58PXepD5eA5dBahgLelQNf17ZolHHKJtw5J2hgVKHby1RhDV YIDQ==
X-Gm-Message-State: AOAM530Ql7NHCNNCwLFqjb6vUj6mVr7KCyyLNWDGkDqSB5xxSJs9L/7t p1gDH7n94huU/30ATEJgowCiLzqoFUVE2XQ0
X-Google-Smtp-Source: ABdhPJx5QrhldiUpT3F9qpCzSwhoy0nGmU+LuvMW4soNUUGnJWuht0xRR5KoN/eqd3PMlK5KeLUBzQ==
X-Received: by 2002:aa7:d4c2:: with SMTP id t2mr1223686edr.92.1625666171556; Wed, 07 Jul 2021 06:56:11 -0700 (PDT)
Received: from smtpclient.apple ([2001:760:2c05:1002:9ab:da3f:bbda:7cc]) by smtp.gmail.com with ESMTPSA id x3sm7143221ejy.0.2021.07.07.06.56.10 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 07 Jul 2021 06:56:11 -0700 (PDT)
From: Tommaso Pecorella <tommaso.pecorella@unifi.it>
Message-Id: <9917FA64-8AE3-4884-AD71-E9F53D899894@unifi.it>
Content-Type: multipart/alternative; boundary="Apple-Mail=_9F2B0B77-09E2-4FCC-AAD3-71953B66680C"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.100.0.2.22\))
Date: Wed, 7 Jul 2021 15:56:09 +0200
In-Reply-To: <1572807293.5736260.1625503961968@mail.yahoo.com>
Cc: "nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com>, Paolo Volpato <paolo.volpato@huawei.com>, Ameya Deshpande <ameyanrd=40yahoo.com@dmarc.ietf.org>, Adnan Rashid <adnan.rashid@unifi.it>
To: "ippm@ietf.org" <ippm@ietf.org>
References: <162256330634.19677.3885804345914692467@ietfa.amsl.com> <28584824.2341925.1622563579715@mail.yahoo.com> <721002155.671981.1625161479360@mail.yahoo.com> <c0651506a3fb437c9300b1fc14206560@cas.org> <1732873610.1690997.1625502432340@mail.yahoo.com> <1402651859.5739390.1625503729029@mail.yahoo.com> <1572807293.5736260.1625503961968@mail.yahoo.com>
X-Mailer: Apple Mail (2.3654.100.0.2.22)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/V0XAYC6rxrN5zGB9JPHB0G0IjkI>
Subject: Re: [ippm] New Version Notification for draft-elkins-ippm-encrypted-pdmv2-00.txt
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jul 2021 13:56:20 -0000

Hi all,

I’d like to share my 2cents on some points that have been mentioned about encryption use in PDMv2.

Yes, encryption will add some delays to the PDM processing. In particular we expect delays in the following points:
- Encryption and decryption time
- Packet transmission
- Key renewal
- Registration phase time

Encryption and decryption time shouldn’t be a major concern since PDMv2 is an end-to-end header, and we assume that end devices will have enough processing power. Moreover, the data to encrypt is small and fixed-length. Hence, the encryption can be considered as a near-constant-time operation (caveats apply, we’ll discuss about them in the presentation). 

Packet transmission (encrypted headers are larger) can be taken into account as well, as the size is known in advance.

Key renewal can be optimized, so that it doesn’t affect the packet processing time.

Registration phase is a one-time phase that should happen very infrequently, and it is not going to affect the actual PDMv2 packet flow.

We do not expect any other significant points of time degradation due to encryption and decryption. Of course we might find something we don’t expect, and that’s why we always welcome comments and suggestions.

Last but not least, even if Encryption is important (for confidentiality and integrity), we want to stress that encryption is optional.
If the network administrator can be reasonably sure that an attacker can not leverage PDMv2 headers to build an attack on the infrastructure, then encryption can be skipped.

In the RFC we will fully describe why confidentiality and integrity are important, what kind of attacks we foresee if the headers are not protected, and what countermeasures the network administrator can use as a substitute of header encryption.

Best regards,

Tommaso and Adnan



> On 5 Jul 2021, at 18:52, Ameya Deshpande <ameyanrd=40yahoo.com@dmarc.ietf.org> wrote:
> 
> Hi Paolo,
> 
> Thanks for your comments. Please check the inline reply.
> 
> > Also,  I assume that PDMv2 is mainly used by end stations (e.g. hosts instead of routers). If this is the case, then I don’t expect that the performance degradation due to encryption is a serious issue. Do you see other different cases where instead degradation may be a concern? 
> 
> When using encrypted PDMv2, we have a bigger packet to send as
> the size of encrypted data is more than the corresponding plaintext data.
> This can increase the timing slightly as the packet size has increased.
> 
> For using encrypted PDMv2, we have an initial registration phase where
> we negotiate the shared secret (using KEM). We have also given a registration
> mechanism for enterprises with many servers and clients. However, this will
> be done before transmitting PDMv2 packets.
> 
> We intend to have a side-meeting where we will explain HPKE and be able
> to thoroughly discuss these points.  When we are able to schedule it, we will
> let you know.  The registration to schedule side meetings has not yet opened.
> 
> Thanks,
> Ameya Deshpande
> On Monday, 5 July, 2021, 10:19:21 pm IST, Ameya Deshpande <ameyanrd=40yahoo.com@dmarc.ietf.org> wrote:
> 
> 
> Hi Robert,
> 
> Thanks for your comments. Please check the inline comments.
> 
> > - The latest HPKE draft expired just last week. That means it's some time before general implementation. I'm a mainframer, mostly, so I suspect that makes it even longer before I'll see implementation for _production_ use. Further, I don't want the implementation of PDM in more secure environments delayed because of encryption-method concerns. 
> 
> We have kept an option for no-encryption in PDMv2 as well. And it is kept exactly for
> the same reason you mentioned. Connections over encrypted medium (say VPN tunnels),
> link-local network, or any secured company domain can choose to use PDMv2 unencrypted.
> 
> > - When we generate the PDM structure and determine the timing, we want that to be as close to the wire as possible. The PDM timing was very granular, so this will add a variable amount of time to the time the packet is determined to be spending in transmission; the encryption delay is now part of the transmission time.
> 
> Yes, for a PDM-to-PDM machine, the round trip time, a.k.a DELTATLS, will include the two encryption
> and two decryption times. We are trying our best to minimize any added timing due to the encryption
> in PDMv2, but we feel that encryption is important, so we're trying to achieve a correct balance.
> 
> Thanks,
> Ameya Deshpande
> 
> On Monday, 5 July, 2021, 9:57:51 pm IST, nalini.elkins@insidethestack.com <nalini.elkins@insidethestack.com> wrote:
> 
> 
> Hi Robert,
> [Posting for some of the co-authors.]
> We fully agree with your concerns. However, we’re confident that HPKE will reach the RFC status soon. Moreover, also other protocols (e.g., MLS, see https://www.ietf.org/archive/id/draft-ietf-mls-architecture-06.txt <https://www.ietf.org/archive/id/draft-ietf-mls-architecture-06.txt>) are using it.
> About HPKE itself, there are two different aspects to consider: HPKE (as an architecture, API, etc.) and the cryptographic functions used by HKPE. While HPKE is still in draft, the cryptographic functions are well-known and proven. Hence, we don’t expect any concern related to the encryption methods used by HPKE.
> The fact that Tommy confirms that it is being implemented and deployed reinforces our confidence on the fact that its availability is not going to be a critical point.
> 
> In any case, we will take this point into consideration, as it is a valid concern.
> 
> Best regards,
> 
> Nalini, Tom, and Adnan
> 
>  
> 
> 
> On Thursday, July 1, 2021, 02:05:31 PM PDT, Hamilton, Robert <rhamilton=40cas.org@dmarc.ietf.org> wrote:
> 
> 
> I am interested in the encryption of the PDM header, just because I've done symmetric-key encryption with pseudorandom numbers and pseudorandom obfuscation algorithms for key management. I see that we are interested in using HPKE. I have just a few concerns:
> 
> - The latest HPKE draft expired just last week. That means it's some time before general implementation. I'm a mainframer, mostly, so I suspect that makes it even longer before I'll see implementation for _production_ use. Further, I don't want the implementation of PDM in more secure environments delayed because of encryption-method concerns.
> 
> - When we generate the PDM structure and determine the timing, we want that to be as close to the wire as possible. The PDM timing was very granular, so this will add a variable amount of time to the time the packet is determined to be spending in transmission; the encryption delay is now part of the transmission time.
> 
> Still reviewing; I'll be back with more thoughts.
> 
> R;
> 
> 
> Rob Hamilton
> Infrastructure Engineer
> Chemical Abstracts Service
> 
> -----Original Message-----
> From: ippm <ippm-bounces@ietf.org <mailto:ippm-bounces@ietf.org>> On Behalf Of nalini.elkins@insidethestack.com <mailto:nalini.elkins@insidethestack.com>
> Sent: Thursday, July 1, 2021 1:45 PM
> To: IETF IPPM WG <ippm@ietf.org <mailto:ippm@ietf.org>>
> Cc: draft-elkins-ippm-encrypted-pdmv2@ietf.org <mailto:draft-elkins-ippm-encrypted-pdmv2@ietf.org>
> Subject: [EXT] Re: [ippm] Fw: New Version Notification for draft-elkins-ippm-encrypted-pdmv2-00.txt
> 
> [Actual Sender is ippm-bounces@ietf.org <mailto:ippm-bounces@ietf.org>]
> 
> IPPM,
> 
> Please do take a look at this draft.
> 
> I think that iOAM will need encryption as well.   We have spent quite a bit of time thinking over these issues.  We even have 2 cryptographers from Italy involved as co-authors.   I want to do a side meeting where we can have quite a bit more time to discuss this but would love to have comments from the group on the list.
> 
> I am very reluctant to push PDM out to the wider world without encryption.  I feel that we will become the attacker's best friend.
> We have modified the Linux kernel to include PDM but as I say, without encryption, we do not wish to release.
> 
> 
> Thanks,
> 
> Nalini Elkins
> CEO and Founder
> Inside Products, Inc.
> https://smex12-5-en-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=www.insidethestack.com&umid=61654d20-9615-453c-80b2-c06c82268e9d&auth=3c97381e9a30865a1a3f3ad58750d85b2b059558-86a3cb083390e2163fd0daaf45646c2a55adf702 <https://smex12-5-en-ctp.trendmicro.com/wis/clicktime/v1/query?url=www.insidethestack.com&umid=61654d20-9615-453c-80b2-c06c82268e9d&auth=3c97381e9a30865a1a3f3ad58750d85b2b059558-86a3cb083390e2163fd0daaf45646c2a55adf702>
> (831) 659-8360
> 
> 
> 
> 
> 
> 
> On Tuesday, June 1, 2021, 09:06:39 AM PDT, nalini.elkins@insidethestack.com <mailto:nalini.elkins@insidethestack.com> <nalini.elkins@insidethestack.com <mailto:nalini.elkins@insidethestack.com>> wrote: 
> 
> 
> 
> 
> 
> Hello IPPMers!
> 
> We have just posted a new draft to encrypt PDM data.   We feel that this is an important feature to add before promoting widespread adoption of PDM.
> 
> We would appreciate any thoughts or comments from the group.
> 
> Thanks,
> 
> Nalini Elkins
> CEO and Founder
> Inside Products, Inc.
> https://smex12-5-en-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=www.insidethestack.com&umid=61654d20-9615-453c-80b2-c06c82268e9d&auth=3c97381e9a30865a1a3f3ad58750d85b2b059558-86a3cb083390e2163fd0daaf45646c2a55adf702 <https://smex12-5-en-ctp.trendmicro.com/wis/clicktime/v1/query?url=www.insidethestack.com&umid=61654d20-9615-453c-80b2-c06c82268e9d&auth=3c97381e9a30865a1a3f3ad58750d85b2b059558-86a3cb083390e2163fd0daaf45646c2a55adf702>
> (831) 659-8360
> 
> 
> 
> 
> 
> 
> ----- Forwarded Message -----
> 
> From: "internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>" <internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>>
> To: mackermann@bcbsm.com <mailto:mackermann@bcbsm.com> <mackermann@bcbsm.com <mailto:mackermann@bcbsm.com>>; Adnan Rashid <adnan.rashid@unifi.it <mailto:adnan.rashid@unifi.it>>; Ameya Deshpande <ameyanrd@gmail.com <mailto:ameyanrd@gmail.com>>; Michael Ackermann <mackermann@bcbsm.com <mailto:mackermann@bcbsm.com>>; Nalini Elkins <nalini.elkins@insidethestack.com <mailto:nalini.elkins@insidethestack.com>>; Tommaso Pecorella <tommaso.pecorella@unifi.it <mailto:tommaso.pecorella@unifi.it>>
> Sent: Tuesday, June 1, 2021, 12:01:47 PM EDT
> Subject: New Version Notification for draft-elkins-ippm-encrypted-pdmv2-00.txt
> 
> 
> 
> A new version of I-D, draft-elkins-ippm-encrypted-pdmv2-00.txt
> has been successfully submitted by Nalini Elkins and posted to the
> IETF repository.
> 
> Name:        draft-elkins-ippm-encrypted-pdmv2
> Revision:    00
> Title:        Encrypted IPv6 Performance and Diagnostic Metrics Version 2 (EPDMv2) Destination Option
> Document date:    2021-06-01
> Group:        Individual Submission
> Pages:        16
> URL:            https://www.ietf.org/archive/id/draft-elkins-ippm-encrypted-pdmv2-00.txt <https://www.ietf.org/archive/id/draft-elkins-ippm-encrypted-pdmv2-00.txt>
> Status:        https://datatracker.ietf.org/doc/draft-elkins-ippm-encrypted-pdmv2/ <https://datatracker.ietf.org/doc/draft-elkins-ippm-encrypted-pdmv2/>
> Htmlized:      https://datatracker.ietf.org/doc/html/draft-elkins-ippm-encrypted-pdmv2 <https://datatracker.ietf.org/doc/html/draft-elkins-ippm-encrypted-pdmv2>
> 
> 
> Abstract:
>   RFC8250 describes an optional Destination Option (DO) header embedded
>   in each packet to provide sequence numbers and timing information as
>   a basis for measurements.  As this data is sent in clear- text, this
>   may create an opportunity for malicious actors to get information for
>   subsequent attacks.  This document defines PDMv2 which has a
>   lightweight handshake (registration procedure) and encryption to
>   secure this data.  Additional performance metrics which may be of use
>   are also defined.
> 
>                                                                                   
> 
> 
> The IETF Secretariat
> 
> 
> 
> 
> _______________________________________________
> ippm mailing list
> ippm@ietf.org <mailto:ippm@ietf.org>
> https://www.ietf.org/mailman/listinfo/ippm <https://www.ietf.org/mailman/listinfo/ippm>
> 
> _______________________________________________
> ippm mailing list
> ippm@ietf.org <mailto:ippm@ietf.org>
> https://www.ietf.org/mailman/listinfo/ippm <https://www.ietf.org/mailman/listinfo/ippm>
> Confidentiality Notice: This electronic message transmission, including any attachment(s), may contain confidential, proprietary, or privileged information from CAS, a division of the American Chemical Society ("ACS"). If you have received this transmission in error, be advised that any disclosure, copying, distribution, or use of the contents of this information is strictly prohibited. Please destroy all copies of the message and contact the sender immediately by either replying to this message or calling 614-447-3600.
> 
> _______________________________________________
> ippm mailing list
> ippm@ietf.org <mailto:ippm@ietf.org>
> https://www.ietf.org/mailman/listinfo/ippm <https://www.ietf.org/mailman/listinfo/ippm>
> _______________________________________________
> ippm mailing list
> ippm@ietf.org <mailto:ippm@ietf.org>
> https://www.ietf.org/mailman/listinfo/ippm <https://www.ietf.org/mailman/listinfo/ippm>
> _______________________________________________
> ippm mailing list
> ippm@ietf.org <mailto:ippm@ietf.org>
> https://www.ietf.org/mailman/listinfo/ippm <https://www.ietf.org/mailman/listinfo/ippm>
> _______________________________________________
> ippm mailing list
> ippm@ietf.org
> https://www.ietf.org/mailman/listinfo/ippm

--------------------------------------------------------------

When life gives you lemons, don’t make lemonade.
Make life take the lemons back! Get mad!
-- Cave Johnson

--------------------------------------------------------------

Tommaso Pecorella - Ph.D.

Assistant professor
Dpt. Ingegneria dell'Informazione
Università di Firenze

CNIT - Università di Firenze Unit

via di S. Marta 3
50139, Firenze
ITALY

email: tommaso.pecorella@unifi.it
       tommaso.pecorella@cnit.it

phone : +39-055-2758540
mobile: +39-320-4379803
fax   : +39-055-2758570