Re: [ippm] WGLC for draft-ietf-ippm-encrypted-pdmv2-05

"Hamilton, Robert" <RHamilton@cas.org> Thu, 25 January 2024 16:01 UTC

From: "Hamilton, Robert" <RHamilton@cas.org>
To: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, IETF IPPM WG <ippm@ietf.org>
Thread-Topic: [EXT] [ippm] WGLC for draft-ietf-ippm-encrypted-pdmv2-05
Thread-Index: AQHaQyD6bXeiTajhL0+kFlqZVcZ4MrDqxFXA
Date: Thu, 25 Jan 2024 16:01:48 +0000
Message-ID: <PH7PR17MB6081363D1FC8375ABBC6AC52B97A2@PH7PR17MB6081.namprd17.prod.outlook.com>
References: <61AC7432-55A9-4E65-A1FE-CB23B3B414B0@apple.com>
In-Reply-To: <61AC7432-55A9-4E65-A1FE-CB23B3B414B0@apple.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/ulU19mQIkQusIoZ70SXxmuWswKM>
Subject: Re: [ippm] WGLC for draft-ietf-ippm-encrypted-pdmv2-05

I support the adoption of this draft, with just a few comments.

I noted in section 7.1.4:

    Encrypted PDMv2 provides inherent protection against active attacks like Message Modification by providing integrity. If either of the sequence number or encrypted PDMv2 contents are modified then decryption will fail.

I suspect that the decryption function will actually work, but it will result in a garbled message instead of the original open text. If the PDM(v2) conversation stream is corrupted like this, I’m not sure there’s a way to reestablish it without reinitializing the secret, which I think is what you had in mind with:

    When the Epoch rolls over, the SharedSecret SHOULD be re-negotiated.

in Section 4.1; potentially that could signal to the legitimate partner that there is an issue, but it would signal to the MITM that the real partners know he’s there, and could permit the MITM to observe the SharedSecret setup. It may be necessary simply to disable the PDM conversation instead.

What happens when one partner discovers the traffic has been corrupted or intercepted, or otherwise appears suspect? Can the PDM conversation be reinitiated safely at that point? Or should there be some kind of banditry notification and/or session termination?

Thanks,

R;

Rob Hamilton
Infrastructure Engineer
Chemical Abstracts Service



From: ippm <ippm-bounces@ietf.org> On Behalf Of Tommy Pauly
Sent: Tuesday, January 9, 2024 12:26 PM
To: IETF IPPM WG <ippm@ietf.org>
Subject: [EXT] [ippm] WGLC for draft-ietf-ippm-encrypted-pdmv2-05

[Actual Sender is forwardingalgorithm@ietf.org]
Hello IPPM,

This email starts a Working Group Last Call for "IPv6 Performance and Diagnostic Metrics Version 2 (PDMv2) Destination Option", draft-ietf-ippm-encrypted-pdmv2-05.

https://datatracker.ietf.org/doc/draft-ietf-ippm-encrypted-pdmv2/
https://datatracker.ietf.org/doc/html/draft-ietf-ippm-encrypted-pdmv2-05

Please review the document and send your comments in response to this email, along with whether you think the document is ready to progress.

This last call will be three weeks long, and end on Tuesday, January 30. In parallel, we have requested another SECDIR review.

Best,
Tommy & Marcus