Re: [ippm] Secdir early review of draft-ietf-ippm-capacity-protocol-04
Brian Weis <bew.stds@gmail.com> Thu, 25 May 2023 04:27 UTC
Return-Path: <bew.stds@gmail.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37FD0C14CF05; Wed, 24 May 2023 21:27:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sSch-E__fj4d; Wed, 24 May 2023 21:27:04 -0700 (PDT)
Received: from mail-pl1-x62e.google.com (mail-pl1-x62e.google.com [IPv6:2607:f8b0:4864:20::62e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9E5AC14CE40; Wed, 24 May 2023 21:26:07 -0700 (PDT)
Received: by mail-pl1-x62e.google.com with SMTP id d9443c01a7336-1ae65e44536so2393195ad.0; Wed, 24 May 2023 21:26:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684988767; x=1687580767; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=d8ggxU67KsP25j7k/kUwZ7zH0G1+/3UgQqMHIdxw7l0=; b=bENL7bbNZo+TDWBkppGX30hOJ26IiTMrfjxjA4handzy3U4sjq92o+9fGHpiqctcWM d5CLHspFtnSA+irMqV9uxXOMj7uncxa8k1jSvl04Ig0Oby84Xs2gvbsVeFBgMfG8ueNC QydFIxhdl6bX/0JOqsa8RukqZQKYxo9AxBinLGPkcQKMK9Dn/Ci743rpgSURbc0mBjd2 hOwVhnvbUaZcZZvQWFmJ8BThj+64hZftqMUQ2gzmPp26tDLcyYaXcU0icHubBp46mnDf CVJpUX/iAO1G7ugQ+5A4oQTzhc5stWxtwKT0/jgZ+Eb9flow7l9gkJ09sTp71g8sYjyd LgUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684988767; x=1687580767; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=d8ggxU67KsP25j7k/kUwZ7zH0G1+/3UgQqMHIdxw7l0=; b=adwx2IJrqDEPfaaopuG5DJ8nJ3ff8ZcP8PB++gnboKSwYKeuJhDTQc431zbOGIY+Dj RLXAW4om2O9R5AA6wWU6VT4sOGl2MHCNjLfyimU8UkzWQ8tFcDHVfofOi1iN5cuX06i8 MaO3qmM9POnVHgqZu0B2qItDfi1YJCEJDLkCC+A4oBClMIdI1dAq6shNwg8t4rD9hMQc zMRqIHz4MCnxuexOAItqwMGFmXLeK1iND5ShWTr5WL7NWTLenfTv8nju7Nm8rFgXDqNH 8EntUuKnUHiDq34bHb8T55WPCEGwH0y9TSHPikeEKV8IXIQfwr0gb/VW/t8W8Uf5FBQQ MR4A==
X-Gm-Message-State: AC+VfDwMZ/spYOIZKNqYBepdeLvC2PnstL/KWZ5z9uX71HNxx5WgdaEl EPgCviR2C8251yjCXmp1ZrUuh2k5EEfK8A==
X-Google-Smtp-Source: ACHHUZ5Mjy2VX9dOWC8lbKaZmnHzd163wZK6Dh5IidnzJpZBLkzYvuhFBPGv0cuPOYVau79ysFYZGg==
X-Received: by 2002:a17:90b:1a8e:b0:252:b342:a84a with SMTP id ng14-20020a17090b1a8e00b00252b342a84amr21519421pjb.0.1684988766701; Wed, 24 May 2023 21:26:06 -0700 (PDT)
Received: from smtpclient.apple ([2603:3024:151c:c200:4aa:e77a:aaf9:a44b]) by smtp.gmail.com with ESMTPSA id q89-20020a17090a756200b002508f0ac3edsm2229977pjk.53.2023.05.24.21.26.06 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 24 May 2023 21:26:06 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.3\))
From: Brian Weis <bew.stds@gmail.com>
In-Reply-To: <CH0PR02MB798036C0A94A0084E08EEF79D37C9@CH0PR02MB7980.namprd02.prod.outlook.com>
Date: Wed, 24 May 2023 21:26:04 -0700
Cc: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-ippm-capacity-protocol.all@ietf.org" <draft-ietf-ippm-capacity-protocol.all@ietf.org>, "ippm@ietf.org" <ippm@ietf.org>, "CIAVATTONE, LEN" <lc9892@att.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <6F266168-74B9-4397-8A26-5AFDD9CA4ABD@gmail.com>
References: <167797065961.46817.5654760092907121117@ietfa.amsl.com> <CH0PR02MB79807F2F36C90E0C668CF04DD3839@CH0PR02MB7980.namprd02.prod.outlook.com> <CH0PR02MB79803DDAAF360B4E44E5E5F7D3669@CH0PR02MB7980.namprd02.prod.outlook.com> <CH0PR02MB798059496506CFADD6577240D3709@CH0PR02MB7980.namprd02.prod.outlook.com> <CH0PR02MB798036C0A94A0084E08EEF79D37C9@CH0PR02MB7980.namprd02.prod.outlook.com>
To: "MORTON JR., AL" <acmorton@att.com>
X-Mailer: Apple Mail (2.3696.120.41.1.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/ZB3KixON_zdwf4nZjYAFjRxZ2i0>
Subject: Re: [ippm] Secdir early review of draft-ietf-ippm-capacity-protocol-04
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 May 2023 04:27:08 -0000
Hi Al, Many apologies for the late response. Yes, combining AES-CBC-128 ad SHA-256 is a reasonable solution. They are often used together, and are safe to use with long-lived keys. I notice that some of the PDUs defined in -04 (e.g., Figure 2) have a field defined as "authDigest[AUTH_DIGEST_LENGTH](256 bits) or Initialization Vector (IV)”, but actually both fields are needed: an IV for AES-CBC-128, and the authDigest for SHA-256. Hope that helps, Brian > On May 19, 2023, at 8:44 AM, MORTON JR., AL <acmorton@att.com> wrote: > > Hi Brian, > > Revising our key question: > > For Encrypted mode: What if we combined AES-CBC-128 with our current Authentication HASH (SHA-256), for a complete (but two-part) solution? > > Will this be acceptable, given our plan to use long-lived keys? > > We would abandon the "authenticated encryption" preference stated earlier. > > please let us know, thanks, > Al > > >> -----Original Message----- >> From: MORTON JR., AL >> Sent: Sunday, May 7, 2023 6:55 PM >> To: Brian Weis <bew.stds@gmail.com>; secdir@ietf.org >> Cc: draft-ietf-ippm-capacity-protocol.all@ietf.org; ippm@ietf.org >> Subject: RE: [ippm] Secdir early review of draft-ietf-ippm-capacity-protocol- >> 04 >> >> Hi Brian, reminder of our key question, below, >> Al >> >>> -----Original Message----- >>> From: MORTON JR., AL >>> Sent: Sunday, April 23, 2023 9:26 AM >>> To: Brian Weis <bew.stds@gmail.com>; secdir@ietf.org >>> Cc: draft-ietf-ippm-capacity-protocol.all@ietf.org; ippm@ietf.org >>> Subject: RE: [ippm] Secdir early review of draft-ietf-ippm-capacity- >> protocol- >>> 04 >>> >>> Hi Brian, >>> >>> We would like to receive your feedback on our proposal for a replacement >>> encryption algorithm: >>> >>>> Ok. We were attracted to the "authenticated encryption" aspect of GCM, but >>> we >>>> can get that with AES-CCM too. >>> >>> Does AES-CCM alleviate the issues and fit our plans to use long-lived keys, >>> etc.? >>> >>> With this feedback, we can proceed with updates to the draft. >>> thanks, >>> Al >>> >>>> -----Original Message----- >>>> From: MORTON JR., AL >>>> Sent: Sunday, March 19, 2023 5:08 PM >>>> To: Brian Weis <bew.stds@gmail.com>; secdir@ietf.org >>>> Cc: draft-ietf-ippm-capacity-protocol.all@ietf.org; ippm@ietf.org >>>> Subject: RE: [ippm] Secdir early review of draft-ietf-ippm-capacity- >>> protocol- >>>> 04 >>>> >>>> Hi Brian, >>>> >>>> Thanks for your reply on the second SEC-DIR early review! >>>> >>>> We have summarized the topics for reply, below. Your review is appended. >>>> >>>> Al and Len >>>> >>>> >>>> # Key comments and replies for discussion: >>>> >>>>> — The use of AES-GCM with a long-lived symmetric key (such as one >>>>> on an RFC 7210 key chain) is not safe. ... (suggests a CBC mode) ... >>>> and >>>>> — Unauthenticated encryption is generally seen as risky, so when... >>>> >>>> Ok. We were attracted to the "authenticated encryption" aspect of GCM, but >>> we >>>> can get that with AES-CCM too. The Initialization Vector (IV) will be >>>> generated by a pseudo-random generator with unique seed for each session, >>> and >>>> have sufficient size to avoid duplication over the life of a long-lived >> key. >>>> The IV can be communicated in the clear, so we will. >>>> >>>>> — Also, there are some additional parameters that need to determined >>>>> to guarantee interoperability. For example, which octets are >>>>> encrypted, if a partial block needs to be encrypted how is it padded >>>>> out before encryption to make a full block, and requirements on IV >>>>> generation (e.g., that is must be from a good quality random number >>>>> generator). >>>> >>>> We need to check if padding is needed for any of our PDUs, but the PDUs >> will >>>> be fixed size so it's a static fix. >>>> We'll specify the IV generation method. >>>> >>>> >>>> >>>> # Tension between Security and Measurement operation: >>>> >>>>> — Section 5.1.1 doesn’t say the network addresses and headers are >>>>> included in the digest. It’s generally good practice to include >> (them)... >>>> >>>> Our test scope includes ISP Subscribers, so NAPT transversal is critical >> and >>>> precludes including the addresses. >>>> >>>>> ... a valid message >>>>> (e.g., Setup Request) can be extracted and placed in a different >>>>> measurement flow that is not intended by the original sender. This is >>>>> a substitution attack. >>>> >>>> All of the IPPM test protocols are susceptible to the substitution attack, >>> and >>>> there is no thorough mitigation that we know-of (including time in the >>> digest >>>> is a partial mitigation). >>>> >>>> Packet De-duplication, in DTLS and IPsec: >>>>> This is generally seen as a feature for network >>>>> encryption methods. >>>> Right, but measurement systems expect to observe packet duplication when >> it >>>> occurs. A trade-off is required, and the primary goal is measurement. >>>> >>>> >>>> # Edits and Nits: >>>> We will take care of other requests for clarifications requested >>>> - digest coverage >>>> - MBZ definition >>>> - “Support for client-server authentication ….”. >>>> - four Security modes, but encrypted tunnel makes five - becomes a >> paragraph >>>> - mismatch >>>> >>>>> -----Original Message----- >>>>> From: ippm <ippm-bounces@ietf.org> On Behalf Of Brian Weis via >> Datatracker >>>>> Sent: Saturday, March 4, 2023 5:58 PM >>>>> To: secdir@ietf.org >>>>> Cc: draft-ietf-ippm-capacity-protocol.all@ietf.org; ippm@ietf.org >>>>> Subject: [ippm] Secdir early review of draft-ietf-ippm-capacity- >> protocol- >>> 04 >>>>> >>>>> Reviewer: Brian Weis >>>>> Review result: Has Issues >>>>> >>>>> I have reviewed this document as part of the security directorate's >>>>> ongoing effort to review all IETF documents being processed by the >>>>> IESG. These comments were written primarily for the benefit of the >>>>> security area directors. Document editors and WG chairs should treat >>>>> these comments just like any other last call comments. >>>>> >>>>> General comments >>>>> >>>>> (1) The guidance of what bytes are included in the SHA-256 calculation >>>>> and result placed in the authDigest field might need some enhancement. >>>>> >>>>> — Some places say that the authDigest field is zeroed (e.g., Section >>>>> 4.2.2 ) and some says “The SHA-256 calculation SHALL cover all the >>>>> preceding fields.”, which seems to omit the auhDigest field. I guess >>>>> these aren't mutually exclusive statements, but it would be cleaner >>>>> to have all of the description in one place so it is clear. >>>>> >>>>> — Section 5.1.1 doesn’t say the network addresses and headers are >>>>> included in the digest. It’s generally good practice to include >>>>> more context into the digest calculation so that a valid message >>>>> (e.g., Setup Request) can’t be extracted and placed in a different >>>>> measurement flow that is not intended by the original sender. This is >>>>> a substitution attack. >>>>> >>>>> — If network addresses and headers aren’t included in the digest, >>>>> then it will be important to describe why the substitution attack >>>>> isn’t a threat. I understand that if NAT on the client that including >>>>> it's network address is not possible, but there's still an issue. >>>>> >>>>> — Note that the inclusion of authUnixTime with the receiver >>>>> checking “acceptable immediacy” is only a partial mitigation for a >>>>> substitution attack, since the receiver’s notion of “acceptable >>>>> immediacy” is apparently quite long from an attacker's perspective >>>>> “(+/- 2.5 minutes)” and any other message including this PDU sent >>>>> fron an attacker (e.g., with different network headers) during this >>>>> period will be acceptable to the receiver. Reducing the window >>>>> size won’t completely mitigate this attack either. >>>>> >>>>> (2) There doesn’t seem to be a definition for the MBZ octets and >>>>> remainder bits, or a description of their purpose. (I’m guessing >>>>> it’s “must be zero” but even that should be defined for the reader.) >>>>> >>>>> Specific comments >>>>> >>>>> Section 4.2.4. >>>>> >>>>> — The use of AES-GCM with a long-lived symmetric key (such as one >>>>> on an RFC 7210 key chain) is not safe. The IV used by GCM is not a >>>>> random IV such as used by some other modes of which you might be >>>>> aware (e.g., CBC), but rather it is a counter that must NEVER >>>>> repeat with that key. Ensuring no repeats is not operationally >>>>> feasible for a key kept on a key chain. I.e., The counter must keep >>>>> incrementing between packets, reliably stored over a reboot so that >>>>> it isn't used again, and when the counter reaches the maximum value >>>>> the key is not longer usable. I would recommend specifying CBC mode >>>>> and a randomly chosen IV. >>>>> >>>>> — Also, there are some additional parameters that need to determined >>>>> to guarantee interoperability. For example, which octets are >>>>> encrypted, if a partial block needs to be encrypted how is it padded >>>>> out before encryption to make a full block, and requirements on IV >>>>> generation (e.g., that is must be from a good quality random number >>>>> generator). >>>>> >>>>> — Unauthenticated encryption is generally seen as risky, so when >>>>> encryption is included the the authDigest should also be used as >>>>> it is in the other modes. Figure 2 should have both authDigest AND >>>>> IV fields. >>>>> >>>>> Section 4.2.5. This section mentions that DTLS is not useful because >>>>> “The replay protection would remove duplicated packets and prevent >>>>> transparent measurement of this impairment.”. IPsec will also >>>>> transparently remove duplicate packets, and since TLS is based on >>>>> TCP, which has duplicate segment protection, I would expect that >>>>> the application would also never see duplicate measurement PDUs >>>>> from TLS either. This is generally seen as a feature for network >>>>> encryption methods. >>>>> >>>>> Section 10. “Client-server authentication and integrity protection >>>>> for feedback messages conveying measurements is REQUIRED.” Since >>>>> one of the methods allows “unauthenticated mode for all messages”, >>>>> I think this is meant to start with “Support for client-server >>>>> authentication ….”. That is, the REQUIRED language means >>>>> it must be implemented, but not used. >>>>> >>>>> Nits >>>>> >>>>> — Section 4.2 says “There are four security modes of operation”, >>>>> which is also stated elsewhere, but there seems to actually be five. >>>>> I understand that the fifth one is actually an external security >>>>> mode that can be combined with one of the four modes (e.g., >>>>> “unauthenticated mode for all messages”) in the PDU. It might be >>>>> clearer to take the fifth one out of the list and just make it a >>>>> paragraph. >>>>> >>>>> — Section 4.2.1 s/miss-match/mismatch/ >>>>> >>>>> >>>>> _______________________________________________ >>>>> ippm mailing list >>>>> ippm@ietf.org >>>>> >>>> >>> >> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/ippm__;!!Bhd >>>>> T!lLiKK4svDahYLFenpa6d7FQa-qA1f4ltd7wjaRx1S- >>>> YZCr9cEveGl5UOAc3B7KuEPYEWE3uif4c$
- [ippm] Secdir early review of draft-ietf-ippm-cap… Brian Weis via Datatracker
- Re: [ippm] Secdir early review of draft-ietf-ippm… MORTON JR., AL
- Re: [ippm] Secdir early review of draft-ietf-ippm… MORTON JR., AL
- Re: [ippm] Secdir early review of draft-ietf-ippm… MORTON JR., AL
- Re: [ippm] Secdir early review of draft-ietf-ippm… MORTON JR., AL
- Re: [ippm] Secdir early review of draft-ietf-ippm… Brian Weis
- Re: [ippm] Secdir early review of draft-ietf-ippm… MORTON JR., AL