IETF Logo Mail Archive

Re: [ippm] WGLC for draft-ietf-ippm-twamp-06.txt

"Murtaza Chiba (mchiba)" <mchiba@cisco.com> Mon, 31 March 2008 17:24 UTC

Return-Path: <ippm-bounces@ietf.org>
X-Original-To: ippm-archive@megatron.ietf.org
Delivered-To: ietfarch-ippm-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D9D0C28C340; Mon, 31 Mar 2008 10:24:36 -0700 (PDT)
X-Original-To: ippm@core3.amsl.com
Delivered-To: ippm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AE65D3A6E2E for <ippm@core3.amsl.com>; Mon, 31 Mar 2008 10:24:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.888
X-Spam-Level:
X-Spam-Status: No, score=-3.888 tagged_above=-999 required=5 tests=[AWL=2.711, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JARYbX++GABU for <ippm@core3.amsl.com>; Mon, 31 Mar 2008 10:24:33 -0700 (PDT)
Received: from sj-iport-3.cisco.com (sj-iport-3.cisco.com [171.71.176.72]) by core3.amsl.com (Postfix) with ESMTP id EC05528C340 for <ippm@ietf.org>; Mon, 31 Mar 2008 10:24:32 -0700 (PDT)
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-3.cisco.com with ESMTP; 31 Mar 2008 10:24:31 -0700
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id m2VHOV09009034; Mon, 31 Mar 2008 10:24:31 -0700
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-2.cisco.com (8.13.8/8.13.8) with ESMTP id m2VHOV5s008413; Mon, 31 Mar 2008 17:24:31 GMT
Received: from xmb-sjc-21b.amer.cisco.com ([171.70.151.143]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 31 Mar 2008 10:24:31 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Mon, 31 Mar 2008 10:24:21 -0700
Message-ID: <D492339CC466C84EA5E0AF1CECB20081056841F9@xmb-sjc-21b.amer.cisco.com>
In-Reply-To: <F4C4A17D-3B2D-4A35-8F18-071218D1DF5D@internet2.edu>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [ippm] WGLC for draft-ietf-ippm-twamp-06.txt
thread-index: AciSrbFSsVCqv7H0SvKW6aTBZLe3ZAApS+OA
References: <47C2C60C.9070807@ripe.net> <47DE8A2D.40409@ripe.net> <D492339CC466C84EA5E0AF1CECB200810561CCB4@xmb-sjc-21b.amer.cisco.com> <D492339CC466C84EA5E0AF1CECB2008105683E2F@xmb-sjc-21b.amer.cisco.com> <90EB10B5-EB5F-4364-910C-5E3ED6F607F4@internet2.edu> <D492339CC466C84EA5E0AF1CECB2008105683F23@xmb-sjc-21b.amer.cisco.com> <EDB3E3AC-CF06-4629-BCB4-7A45585E16F0@internet2.edu> <D492339CC466C84EA5E0AF1CECB2008105684036@xmb-sjc-21b.amer.cisco.com> <F4C4A17D-3B2D-4A35-8F18-071218D1DF5D@internet2.edu>
From: "Murtaza Chiba (mchiba)" <mchiba@cisco.com>
To: "Jeff W. Boote" <boote@internet2.edu>
X-OriginalArrivalTime: 31 Mar 2008 17:24:31.0161 (UTC) FILETIME=[14908290:01C89354]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=8554; t=1206984271; x=1207848271; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=mchiba@cisco.com; z=From:=20=22Murtaza=20Chiba=20(mchiba)=22=20<mchiba@cisco.c om> |Subject:=20RE=3A=20[ippm]=20WGLC=20for=20draft-ietf-ippm-t wamp-06.txt |Sender:=20; bh=j36bw9GrLMDA3omQQZDSV7fPtwgiKC3h7A8N7Rx/RUk=; b=C4M1P/7OfJUoRFOqYmGXLtFs4fODlKrF6xnsUb7T1pwenmGU/q1LgRJHAL jArBi1lRb/0Wz7ErPLL+m/ce31Egr0LR6NMEJK22Wxp7xgibP8wSc1m/e9RU PzD+I0MkWdWLetvqqzN5OQ6tBSQAd0daE/4DtQ2EgsbJzH1n+p7lU=;
Authentication-Results: sj-dkim-1; header.From=mchiba@cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; );
Cc: Henk Uijterwaal <henk@ripe.net>, IETF IPPM WG <ippm@ietf.org>
Subject: Re: [ippm] WGLC for draft-ietf-ippm-twamp-06.txt
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ippm-bounces@ietf.org
Errors-To: ippm-bounces@ietf.org

Hi Jeff, 

> 
> Hi Murtaza,
> 
> On Mar 29, 2008, at 6:21 PM, Murtaza Chiba (mchiba) wrote:
> >
> > In all cases in the specification HMAC is computed before 
> encrypting 
> > blocks (this is only stated earlier in the specification 
> when talking 
> > about the control communication, but is standard for HMAC use).
> >
> > MSC> Since the Control exchange uses stream encryption it makes most
> > sense that the HMAC is calculated before encrypting.   
> However, for  
> > Test
> > packets, since only part of the packet is being encrypted it is not 
> > clear whether the HMAC is a check for the encrypted packet 
> (that is it 
> > is calculated after encryption) or for the packet before encryption.
> > If it is a signature for the encrypted packet then one can check 
> > integrity before decrypting and that speeds-up processing, that is
> > reverse of the process for Control packets.   The other way 
> round, the
> > packet has to be decrypted first (a more expensive process) 
> and then 
> > the signature needs to be verified.
> 
> The optimization you suggest is not without a cost. If the 
> data going into the HMAC and the result of the HMAC are both 
> transmitted in the clear, the HMAC hash function is more 
> susceptible to attack. If this level of optimization is 
> required, I suggest using open mode.
> 

I agree that when using encrypted mode there is a reason to be paranoid
and hence it is preferable to authenticate before encryption.   
How about the authenticated mode?   The reason to use an authenticated
mode could be less to do with security (and hence susceptibility) and
more to do with data integrity.

-Murtaza

> If you believe others could be confused by the fact that it 
> is not explicitly stated that the HMAC is computed on the 
> non-encrypted message contents first (in this part of the 
> RFC), then I would suggest submitting an errata for the RFC.
> 
> jeff
> 
> 
> >
> >
> > -Murtaza
> >
> > So, for the test packets: In authenticated mode, only the 
> first block 
> > is used to generate the HMAC, and then only the first block is 
> > encrypted.
> > In encrypted mode, the HMAC is computed using the first two blocks, 
> > and both of those blocks are encrypted. In both of these cases the 
> > HMAC field is set to the result of hashing the HMAC key 
> with the data 
> > in the blocks using the HMAC-SHA1 algorithm as specified.
> >
> > jeff
> >
> >>
> >> -----Original Message-----
> >> From: Jeff W. Boote [mailto:boote@internet2.edu]
> >> Sent: Friday, March 28, 2008 1:01 PM
> >> To: Murtaza Chiba (mchiba)
> >> Cc: Henk Uijterwaal; IETF IPPM WG
> >> Subject: Re: [ippm] WGLC for draft-ietf-ippm-twamp-06.txt
> >>
> >>
> >> On Mar 28, 2008, at 1:15 PM, Murtaza Chiba (mchiba) wrote:
> >>> Another clarification question.
> >>>
> >>> For Test packets the draft is not clear on the order of 
> encryption 
> >>> and
> >>> authentication.   One can assume that the intent was to first  
> >>> encrypt
> >>> and then authenticate the fields which is the reverse of Control
> >>> packets.   It would be nice to see clarification text in 
> the section
> >>> 4.2.1 of TWAMP and section 4.1.2 of OWAMP.
> >>
> >> I did not go read the TWAMP section to see if the situation is the 
> >> same, but for OWAMP there is no order at all. There are 3 different
> >> 'modes':
> >>
> >> open, encrypted, authenticated.
> >>
> >> These modes are negotiated in the control connection, and which 
> >> process the individual packets go through is defined based on the 
> >> selected mode.
> >> They are independent - there is no order to consider.
> >>
> >> The difference between authenticated and encrypted is that the 
> >> timestamp information is sent unencrypted in authenticated mode to 
> >> reduce the amount of time from when the timestamp was 
> retrieved and 
> >> the packet is actually sent. In encrypted mode, the entire data 
> >> segment is encrypted including the timestamp.
> >>
> >> Perhaps I'm completely missing the point?
> >>
> >> jeff
> >>
> >>
> >>
> >>> -Murtaza
> >>>
> >>> -----Original Message-----
> >>> From: ippm-bounces@ietf.org 
> [mailto:ippm-bounces@ietf.org] On Behalf 
> >>> Of Murtaza Chiba (mchiba)
> >>> Sent: Tuesday, March 25, 2008 1:10 PM
> >>> To: Henk Uijterwaal
> >>> Cc: IETF IPPM WG
> >>> Subject: Re: [ippm] WGLC for draft-ietf-ippm-twamp-06.txt
> >>>
> >>>
> >>>
> >>> Some more questions on TWAMP draft.
> >>>
> >>> Q1) Section 3.8 Stop Sessions mentions that command can 
> only be sent 
> >>> by
> >>> the Session-Sender.   I believe the authors meant 
> Control-Client as
> >>> the
> >>> Session-Sender does not exchange a control command.
> >>>
> >>> Q2) In the same section it mentions that NO session description 
> >>> record
> >>
> >>> can be sent, however, it also mentions that the Next SeqNo and 
> >>> Number
> >
> >>> of Skip Ranges MUST be set to 0 and those are part of the session
> >>> description record!   I am assuming the authors ONLY meant to  
> >>> exclude
> >>> the no. Skip Ranges record.
> >>>
> >>> Q3) Is it possible to add a SID to a Start-Sessions 
> message?   That
> >>> would help limit the meaning of Active to be per SID allowing for
> >>> different SIDs to be started and stopped on demand.   
> Sometimes one
> >>> may
> >>> want to start a Test Stream in response to an observed network 
> >>> behaviour.
> >>>
> >>> Q4) If the above is acceptable then I propose adding a 
> >>> Control-Command-type field to all response messages and hence the 
> >>> Accept field should be the second field.  It also entails 
> adding a 
> >>> SID
> >>
> >>> in the Requests and Responses.
> >>>
> >>> -Murtaza
> >>>
> >>> -----Original Message-----
> >>> From: ippm-bounces@ietf.org 
> [mailto:ippm-bounces@ietf.org] On Behalf 
> >>> Of Henk Uijterwaal
> >>> Sent: Monday, March 17, 2008 8:12 AM
> >>> To: Henk Uijterwaal
> >>> Cc: IETF IPPM WG
> >>> Subject: Re: [ippm] WGLC for draft-ietf-ippm-twamp-06.txt
> >>>
> >>> IPPM Group,
> >>>
> >>>> This is a WGLC for the draft: draft-ietf-ippm-twamp-06.txt
> >>>>
> >>>> The draft has been discussed extensively in this group 
> and appears 
> >>>> to
> >>
> >>>> to be stable by now.  We like to start a WGLC in order to move it
> >>> forward.
> >>>> Please raise any remaining issues by Friday, March 14, 9:00 UTC.
> >>>>
> >>>> An URL for the draft is:
> >>>>
> >>>> http://www.ietf.org/internet-drafts/draft-ietf-ippm-twamp-06.txt
> >>>
> >>> This concludes the WGLC for this draft.  Two issues were 
> raised on 
> >>> the
> >>
> >>> list.  We'll ask the authors to respond to those on the 
> list and to 
> >>> include fixes in the draft.  After that we'll move the document 
> >>> forward.
> >>>
> >>> Matt & Henk
> >>>
> >>>
> >>> --
> >>> 
> --------------------------------------------------------------------
> >>> -
> >>> -
> >>> --
> >>> ------
> >>> Henk Uijterwaal                           Email:
> >>> henk.uijterwaal(at)ripe.net
> >>> RIPE Network Coordination Centre
> >>> http://www.amsterdamned.org/~henk
> >>> P.O.Box 10096          Singel 258         Phone: +31.20.5354414
> >>> 1001 EB Amsterdam      1016 AB Amsterdam  Fax: +31.20.5354445
> >>> The Netherlands        The Netherlands    Mobile: +31.6.55861746
> >>> 
> --------------------------------------------------------------------
> >>> -
> >>> -
> >>> --
> >>> ------
> >>>
> >>> Is one of the choices leaving the office open?
> >>>                                     Alan Greenspan on the next 
> >>> elections _______________________________________________
> >>> ippm mailing list
> >>> ippm@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/ippm
> >>> _______________________________________________
> >>> ippm mailing list
> >>> ippm@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/ippm
> >>> _______________________________________________
> >>> ippm mailing list
> >>> ippm@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/ippm
> >>
> >> jeff
> >> --
> >> Jeff W. Boote
> >> boote@internet2.edu
> >>
> >>
> >>
> >
> > jeff
> > --
> > Jeff W. Boote
> > boote@internet2.edu
> >
> >
> >
> 
> jeff
> --
> Jeff W. Boote
> boote@internet2.edu
> 
> 
> 
> 
> 
_______________________________________________
ippm mailing list
ippm@ietf.org
https://www.ietf.org/mailman/listinfo/ippm

v2.23.0 | Report a Bug | By Email