IETF Logo Mail Archive

Re: [ippm] Secdir early review of draft-ietf-ippm-capacity-protocol-04

Brian Weis <bew.stds@gmail.com> Thu, 25 May 2023 04:27 UTC

Return-Path: <bew.stds@gmail.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37FD0C14CF05; Wed, 24 May 2023 21:27:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sSch-E__fj4d; Wed, 24 May 2023 21:27:04 -0700 (PDT)
Received: from mail-pl1-x62e.google.com (mail-pl1-x62e.google.com [IPv6:2607:f8b0:4864:20::62e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9E5AC14CE40; Wed, 24 May 2023 21:26:07 -0700 (PDT)
Received: by mail-pl1-x62e.google.com with SMTP id d9443c01a7336-1ae65e44536so2393195ad.0; Wed, 24 May 2023 21:26:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684988767; x=1687580767; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=d8ggxU67KsP25j7k/kUwZ7zH0G1+/3UgQqMHIdxw7l0=; b=bENL7bbNZo+TDWBkppGX30hOJ26IiTMrfjxjA4handzy3U4sjq92o+9fGHpiqctcWM d5CLHspFtnSA+irMqV9uxXOMj7uncxa8k1jSvl04Ig0Oby84Xs2gvbsVeFBgMfG8ueNC QydFIxhdl6bX/0JOqsa8RukqZQKYxo9AxBinLGPkcQKMK9Dn/Ci743rpgSURbc0mBjd2 hOwVhnvbUaZcZZvQWFmJ8BThj+64hZftqMUQ2gzmPp26tDLcyYaXcU0icHubBp46mnDf CVJpUX/iAO1G7ugQ+5A4oQTzhc5stWxtwKT0/jgZ+Eb9flow7l9gkJ09sTp71g8sYjyd LgUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684988767; x=1687580767; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=d8ggxU67KsP25j7k/kUwZ7zH0G1+/3UgQqMHIdxw7l0=; b=adwx2IJrqDEPfaaopuG5DJ8nJ3ff8ZcP8PB++gnboKSwYKeuJhDTQc431zbOGIY+Dj RLXAW4om2O9R5AA6wWU6VT4sOGl2MHCNjLfyimU8UkzWQ8tFcDHVfofOi1iN5cuX06i8 MaO3qmM9POnVHgqZu0B2qItDfi1YJCEJDLkCC+A4oBClMIdI1dAq6shNwg8t4rD9hMQc zMRqIHz4MCnxuexOAItqwMGFmXLeK1iND5ShWTr5WL7NWTLenfTv8nju7Nm8rFgXDqNH 8EntUuKnUHiDq34bHb8T55WPCEGwH0y9TSHPikeEKV8IXIQfwr0gb/VW/t8W8Uf5FBQQ MR4A==
X-Gm-Message-State: AC+VfDwMZ/spYOIZKNqYBepdeLvC2PnstL/KWZ5z9uX71HNxx5WgdaEl EPgCviR2C8251yjCXmp1ZrUuh2k5EEfK8A==
X-Google-Smtp-Source: ACHHUZ5Mjy2VX9dOWC8lbKaZmnHzd163wZK6Dh5IidnzJpZBLkzYvuhFBPGv0cuPOYVau79ysFYZGg==
X-Received: by 2002:a17:90b:1a8e:b0:252:b342:a84a with SMTP id ng14-20020a17090b1a8e00b00252b342a84amr21519421pjb.0.1684988766701; Wed, 24 May 2023 21:26:06 -0700 (PDT)
Received: from smtpclient.apple ([2603:3024:151c:c200:4aa:e77a:aaf9:a44b]) by smtp.gmail.com with ESMTPSA id q89-20020a17090a756200b002508f0ac3edsm2229977pjk.53.2023.05.24.21.26.06 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 24 May 2023 21:26:06 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.3\))
From: Brian Weis <bew.stds@gmail.com>
In-Reply-To: <CH0PR02MB798036C0A94A0084E08EEF79D37C9@CH0PR02MB7980.namprd02.prod.outlook.com>
Date: Wed, 24 May 2023 21:26:04 -0700
Cc: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-ippm-capacity-protocol.all@ietf.org" <draft-ietf-ippm-capacity-protocol.all@ietf.org>, "ippm@ietf.org" <ippm@ietf.org>, "CIAVATTONE, LEN" <lc9892@att.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <6F266168-74B9-4397-8A26-5AFDD9CA4ABD@gmail.com>
References: <167797065961.46817.5654760092907121117@ietfa.amsl.com> <CH0PR02MB79807F2F36C90E0C668CF04DD3839@CH0PR02MB7980.namprd02.prod.outlook.com> <CH0PR02MB79803DDAAF360B4E44E5E5F7D3669@CH0PR02MB7980.namprd02.prod.outlook.com> <CH0PR02MB798059496506CFADD6577240D3709@CH0PR02MB7980.namprd02.prod.outlook.com> <CH0PR02MB798036C0A94A0084E08EEF79D37C9@CH0PR02MB7980.namprd02.prod.outlook.com>
To: "MORTON JR., AL" <acmorton@att.com>
X-Mailer: Apple Mail (2.3696.120.41.1.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/ZB3KixON_zdwf4nZjYAFjRxZ2i0>
Subject: Re: [ippm] Secdir early review of draft-ietf-ippm-capacity-protocol-04
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 May 2023 04:27:08 -0000

Hi Al,

Many apologies for the late response. Yes, combining AES-CBC-128 ad SHA-256 is a reasonable solution. They are often used together, and are safe to use with long-lived keys. I notice that some of the PDUs defined in -04 (e.g., Figure 2) have a field defined as "authDigest[AUTH_DIGEST_LENGTH](256 bits)  or  Initialization Vector (IV)”, but actually both fields are needed: an IV for AES-CBC-128, and the authDigest for SHA-256.

Hope that helps,
Brian

> On May 19, 2023, at 8:44 AM, MORTON JR., AL <acmorton@att.com> wrote:
> 
> Hi Brian,
> 
> Revising our key question:
> 
> For Encrypted mode:  What if we combined AES-CBC-128 with our current Authentication HASH (SHA-256), for a complete (but two-part) solution?
> 
> Will this be acceptable, given our plan to use long-lived keys?
> 
> We would abandon the "authenticated encryption" preference stated earlier.
> 
> please let us know, thanks,
> Al
> 
> 
>> -----Original Message-----
>> From: MORTON JR., AL
>> Sent: Sunday, May 7, 2023 6:55 PM
>> To: Brian Weis <bew.stds@gmail.com>; secdir@ietf.org
>> Cc: draft-ietf-ippm-capacity-protocol.all@ietf.org; ippm@ietf.org
>> Subject: RE: [ippm] Secdir early review of draft-ietf-ippm-capacity-protocol-
>> 04
>> 
>> Hi Brian, reminder of our key question, below,
>> Al
>> 
>>> -----Original Message-----
>>> From: MORTON JR., AL
>>> Sent: Sunday, April 23, 2023 9:26 AM
>>> To: Brian Weis <bew.stds@gmail.com>; secdir@ietf.org
>>> Cc: draft-ietf-ippm-capacity-protocol.all@ietf.org; ippm@ietf.org
>>> Subject: RE: [ippm] Secdir early review of draft-ietf-ippm-capacity-
>> protocol-
>>> 04
>>> 
>>> Hi Brian,
>>> 
>>> We would like to receive your feedback on our proposal for a replacement
>>> encryption algorithm:
>>> 
>>>> Ok. We were attracted to the "authenticated encryption" aspect of GCM, but
>>> we
>>>> can get that with AES-CCM too.
>>> 
>>> Does AES-CCM alleviate the issues and fit our plans to use long-lived keys,
>>> etc.?
>>> 
>>> With this feedback, we can proceed with updates to the draft.
>>> thanks,
>>> Al
>>> 
>>>> -----Original Message-----
>>>> From: MORTON JR., AL
>>>> Sent: Sunday, March 19, 2023 5:08 PM
>>>> To: Brian Weis <bew.stds@gmail.com>; secdir@ietf.org
>>>> Cc: draft-ietf-ippm-capacity-protocol.all@ietf.org; ippm@ietf.org
>>>> Subject: RE: [ippm] Secdir early review of draft-ietf-ippm-capacity-
>>> protocol-
>>>> 04
>>>> 
>>>> Hi Brian,
>>>> 
>>>> Thanks for your reply on the second SEC-DIR early review!
>>>> 
>>>> We have summarized the topics for reply, below. Your review is appended.
>>>> 
>>>> Al and Len
>>>> 
>>>> 
>>>> # Key comments and replies for discussion:
>>>> 
>>>>> — The use of AES-GCM with a long-lived symmetric key (such as one
>>>>> on an RFC 7210 key chain) is not safe. ... (suggests a CBC mode) ...
>>>> and
>>>>> — Unauthenticated encryption is generally seen as risky, so when...
>>>> 
>>>> Ok. We were attracted to the "authenticated encryption" aspect of GCM, but
>>> we
>>>> can get that with AES-CCM too. The Initialization Vector (IV) will be
>>>> generated by a pseudo-random generator with unique seed for each session,
>>> and
>>>> have sufficient size to avoid duplication over the life of a long-lived
>> key.
>>>> The IV can be communicated in the clear, so we will.
>>>> 
>>>>> — Also, there are some additional parameters that need to determined
>>>>> to guarantee interoperability. For example, which octets are
>>>>> encrypted, if a partial block needs to be encrypted how is it padded
>>>>> out before encryption to make a full block, and requirements on IV
>>>>> generation (e.g., that is must be from a good quality random number
>>>>> generator).
>>>> 
>>>> We need to check if padding is needed for any of our PDUs, but the PDUs
>> will
>>>> be fixed size so it's a static fix.
>>>> We'll specify the IV generation method.
>>>> 
>>>> 
>>>> 
>>>> # Tension between Security and Measurement operation:
>>>> 
>>>>> — Section 5.1.1 doesn’t say the network addresses and headers are
>>>>> included in the digest. It’s generally good practice to include
>> (them)...
>>>> 
>>>> Our test scope includes ISP Subscribers, so NAPT transversal is critical
>> and
>>>> precludes including the addresses.
>>>> 
>>>>> ... a valid message
>>>>> (e.g., Setup Request) can be extracted and placed in a different
>>>>> measurement flow that is not intended by the original sender. This is
>>>>> a substitution attack.
>>>> 
>>>> All of the IPPM test protocols are susceptible to the substitution attack,
>>> and
>>>> there is no thorough mitigation that we know-of (including time in the
>>> digest
>>>> is a partial mitigation).
>>>> 
>>>> Packet De-duplication, in DTLS and IPsec:
>>>>> This is generally seen as a feature for network
>>>>> encryption methods.
>>>> Right, but measurement systems expect to observe packet duplication when
>> it
>>>> occurs. A trade-off is required, and the primary goal is measurement.
>>>> 
>>>> 
>>>> # Edits and Nits:
>>>> We will take care of other requests for clarifications requested
>>>> - digest coverage
>>>> - MBZ definition
>>>> -  “Support for client-server authentication ….”.
>>>> - four Security modes, but encrypted tunnel makes five - becomes a
>> paragraph
>>>> - mismatch
>>>> 
>>>>> -----Original Message-----
>>>>> From: ippm <ippm-bounces@ietf.org> On Behalf Of Brian Weis via
>> Datatracker
>>>>> Sent: Saturday, March 4, 2023 5:58 PM
>>>>> To: secdir@ietf.org
>>>>> Cc: draft-ietf-ippm-capacity-protocol.all@ietf.org; ippm@ietf.org
>>>>> Subject: [ippm] Secdir early review of draft-ietf-ippm-capacity-
>> protocol-
>>> 04
>>>>> 
>>>>> Reviewer: Brian Weis
>>>>> Review result: Has Issues
>>>>> 
>>>>> I have reviewed this document as part of the security directorate's
>>>>> ongoing effort to review all IETF documents being processed by the
>>>>> IESG. These comments were written primarily for the benefit of the
>>>>> security area directors. Document editors and WG chairs should treat
>>>>> these comments just like any other last call comments.
>>>>> 
>>>>> General comments
>>>>> 
>>>>> (1) The guidance of what bytes are included in the SHA-256 calculation
>>>>> and result placed in the authDigest field might need some enhancement.
>>>>> 
>>>>> — Some places say that the authDigest field is zeroed (e.g., Section
>>>>> 4.2.2 ) and some says “The SHA-256 calculation SHALL cover all the
>>>>> preceding fields.”, which seems to omit the auhDigest field. I guess
>>>>> these aren't mutually exclusive statements, but it would be cleaner
>>>>> to have all of the description in one place so it is clear.
>>>>> 
>>>>> — Section 5.1.1 doesn’t say the network addresses and headers are
>>>>> included in the digest. It’s generally good practice to include
>>>>> more context into the digest calculation so that a valid message
>>>>> (e.g., Setup Request) can’t be extracted and placed in a different
>>>>> measurement flow that is not intended by the original sender. This is
>>>>> a substitution attack.
>>>>> 
>>>>> — If network addresses and headers aren’t included in the digest,
>>>>> then it will be important to describe why the substitution attack
>>>>> isn’t a threat. I understand that if NAT on the client that including
>>>>> it's network address is not possible, but there's still an issue.
>>>>> 
>>>>> — Note that the inclusion of authUnixTime with the receiver
>>>>> checking “acceptable immediacy” is only a partial mitigation for a
>>>>> substitution attack, since the receiver’s notion of “acceptable
>>>>> immediacy” is apparently quite long from an attacker's perspective
>>>>> “(+/- 2.5 minutes)” and any other message including this PDU sent
>>>>> fron an attacker (e.g., with different network headers) during this
>>>>> period will be acceptable to the receiver.  Reducing the window
>>>>> size won’t completely mitigate this attack either.
>>>>> 
>>>>> (2) There doesn’t seem to be a definition for the MBZ octets and
>>>>> remainder bits, or a description of their purpose. (I’m guessing
>>>>> it’s “must be zero” but even that should be defined for the reader.)
>>>>> 
>>>>> Specific comments
>>>>> 
>>>>> Section 4.2.4.
>>>>> 
>>>>> — The use of AES-GCM with a long-lived symmetric key (such as one
>>>>> on an RFC 7210 key chain) is not safe. The IV used by GCM is not a
>>>>> random IV such as used by some other modes of which you might be
>>>>> aware (e.g., CBC), but rather it is a counter that must NEVER
>>>>> repeat with that key. Ensuring no repeats is not operationally
>>>>> feasible for a key kept on a key chain. I.e., The counter must keep
>>>>> incrementing between packets, reliably stored over a reboot so that
>>>>> it isn't used again, and when the counter reaches the maximum value
>>>>> the key is not longer usable. I would recommend specifying CBC mode
>>>>> and a randomly chosen IV.
>>>>> 
>>>>> — Also, there are some additional parameters that need to determined
>>>>> to guarantee interoperability. For example, which octets are
>>>>> encrypted, if a partial block needs to be encrypted how is it padded
>>>>> out before encryption to make a full block, and requirements on IV
>>>>> generation (e.g., that is must be from a good quality random number
>>>>> generator).
>>>>> 
>>>>> — Unauthenticated encryption is generally seen as risky, so when
>>>>> encryption is included the the authDigest should also be used as
>>>>> it is in the other modes. Figure 2 should have both authDigest AND
>>>>> IV fields.
>>>>> 
>>>>> Section 4.2.5. This section mentions that DTLS is not useful because
>>>>> “The replay protection would remove duplicated packets and prevent
>>>>> transparent measurement of this impairment.”. IPsec will also
>>>>> transparently remove duplicate packets, and since TLS is based on
>>>>> TCP, which has duplicate segment protection, I would expect that
>>>>> the application would also never see duplicate measurement PDUs
>>>>> from TLS either. This is generally seen as a feature for network
>>>>> encryption methods.
>>>>> 
>>>>> Section 10. “Client-server authentication and integrity protection
>>>>> for feedback messages conveying measurements is REQUIRED.” Since
>>>>> one of the methods allows “unauthenticated mode for all messages”,
>>>>> I think this is meant to start with “Support for client-server
>>>>> authentication ….”. That is, the REQUIRED language means
>>>>> it must be implemented, but not used.
>>>>> 
>>>>> Nits
>>>>> 
>>>>> — Section 4.2 says “There are four security modes of operation”,
>>>>> which is also stated elsewhere, but there seems to actually be five.
>>>>> I understand that the fifth one is actually an external security
>>>>> mode that can be combined with one of the four modes (e.g.,
>>>>> “unauthenticated mode for all messages”) in the PDU. It might be
>>>>> clearer to take the fifth one out of the list and just make it a
>>>>> paragraph.
>>>>> 
>>>>> — Section 4.2.1 s/miss-match/mismatch/
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> ippm mailing list
>>>>> ippm@ietf.org
>>>>> 
>>>> 
>>> 
>> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/ippm__;!!Bhd
>>>>> T!lLiKK4svDahYLFenpa6d7FQa-qA1f4ltd7wjaRx1S-
>>>> YZCr9cEveGl5UOAc3B7KuEPYEWE3uif4c$

v2.23.0 | Report a Bug | By Email