Re: [Lake] draft-ietf-lake-reqs-02
Göran Selander <goran.selander@ericsson.com> Tue, 24 March 2020 16:50 UTC
Return-Path: <goran.selander@ericsson.com>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 680573A0C8A for <lake@ietfa.amsl.com>; Tue, 24 Mar 2020 09:50:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oRwVYprLNhHA for <lake@ietfa.amsl.com>; Tue, 24 Mar 2020 09:50:07 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80059.outbound.protection.outlook.com [40.107.8.59]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43A273A0A1D for <lake@ietf.org>; Tue, 24 Mar 2020 09:50:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=e2e6UFNhsjsbfg830I504YfIz0MDACUHEvAUeABGJKuhYcTpprGy9OdvktIa9Z3lQ4rM77NQgnFfkr5bBdwokbrTdmR/tLDQXCaymJwDwNG37sbWHoaamzvqc2se0sKSvOTOT/GhgfMOq96KAv7orPqRRqVci2RsS3GT8t+HY4DZfrUFt9hmGyV3+9NBnIMhMQPpWPsutznqH6bvor9W47Byu3bfOSJrXvd0LatNsXUMvfc2MuICc43GAA+Sp66kZWQOjX2cGPz85IssP4CPXu4mQaH/+7HsK05MyHOJE5LMkEUCj5iQXJAFTaOBEZvTyjs5Kmy1IPxeh14k/vPWMw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7hc+slRxmuSWnBQHybamtVh/yAgTeiYh82RBfPb4HhU=; b=EckCirOSIRXo89GdiAv0r8mG8jGoLk1itae8Hjbr0d/CcrKJOYKThHlQR+q77qnITCbUqfdNvzKbGZOiG1qsqps3HRECe123mVmjGcjaoGuunxEnP/7yyl+51z0aG2ace4NsVc86+BqwCWuTcGb3uHTVUPZ3H7rIVpSBpVt4d8hMEdllYlXPVnGi9L0rnCt9rgYFF9+QGYKv/uVWudacL0uElMC/nGuPFyDm8B5tW+bby/ZPRhbqtfzLSDTWHtNAHZu56g5KVCovBi0+JLHpPagPxCc+IhZlYRiElG++CECTH9Em0bXPbfQUbFQ9A7UEqCWWGbS6RxXk95NBj8b8Yw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7hc+slRxmuSWnBQHybamtVh/yAgTeiYh82RBfPb4HhU=; b=X56aUcbjdU7oQzWxVTca41CuUp8MCVZjeBZ+yXG2ZQlwWNAgE8IDZJXrGPLAmu/jrX0diIZH12Z33Oe3x+/moeye+ggG7cWS0oLHsUMJU495Ki58Sj3xIitenavBlBb6TisHSQPXsVGqN9AHxWqnzx4/4QNk8ytp/IxjkzP9kA8=
Received: from HE1PR0701MB2217.eurprd07.prod.outlook.com (10.168.35.12) by HE1PR0701MB2860.eurprd07.prod.outlook.com (10.168.94.11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2856.15; Tue, 24 Mar 2020 16:50:03 +0000
Received: from HE1PR0701MB2217.eurprd07.prod.outlook.com ([fe80::c086:6c8b:520f:6de6]) by HE1PR0701MB2217.eurprd07.prod.outlook.com ([fe80::c086:6c8b:520f:6de6%11]) with mapi id 15.20.2856.012; Tue, 24 Mar 2020 16:50:03 +0000
From: Göran Selander <goran.selander@ericsson.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "lake@ietf.org" <lake@ietf.org>
Thread-Topic: [Lake] draft-ietf-lake-reqs-02
Thread-Index: AQHWAfxCML09pakPO0uXY6SDC1Pjwg==
Date: Tue, 24 Mar 2020 16:50:02 +0000
Message-ID: <05744E65-B4CB-41DF-A276-FCFA51A24251@ericsson.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.35.20030802
authentication-results: spf=none (sender IP is ) smtp.mailfrom=goran.selander@ericsson.com;
x-originating-ip: [213.89.246.8]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 03d2355e-6e6c-4ce5-5d7b-08d7d01365fc
x-ms-traffictypediagnostic: HE1PR0701MB2860:
x-microsoft-antispam-prvs: <HE1PR0701MB2860BF1EDCBD043EA7A92F8FF4F10@HE1PR0701MB2860.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 03524FBD26
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(376002)(346002)(39860400002)(136003)(396003)(366004)(76116006)(8936002)(64756008)(81166006)(66476007)(66946007)(36756003)(6486002)(86362001)(110136005)(8676002)(85202003)(85182001)(6506007)(6512007)(33656002)(66446008)(66556008)(53546011)(81156014)(26005)(2906002)(966005)(2616005)(30864003)(66574012)(316002)(478600001)(186003)(71200400001)(5660300002); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR0701MB2860; H:HE1PR0701MB2217.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 192KUocSCfahdw+E3nfKS5xWLiBmdTMYpJbKv9Ro4loom86lW1j3ZZn5XEL4nNe7fRIoS01XS8SLoyBsiHLx0pJV7XAAvajNh4TAeAI002UpWIRMUb65zmsOgx5rNYheCQP9G7HDxMoemoggi0MHjJwz+AClwpEoKcOszG6NeVc6gLEnRC9EN/mko6mXRBEFxoxMbtYFFdFeiDqf35fChqKOH6/Hc0BxUyiOZsEWfNl2SwTO12+A/bpTy3KlQGrjAwcVyblElvOj4eewTWAHQQkaPXjC7cdH/5lICzL9+UBz1raN0qgamiHA2wie8z/EyYrs1Cgyaxxg39ARiW/uh3KAmLs9hv7zfF+R4RG3gHLIWJRoHEtKZyDOPYyB/nOKCvyusXF94dFGlX0H7mKM/ortSqYaZ9JxCBQc9jUtEKcWiSI+ijajDdgMt4mCPL7orVUJOJ4O4UsVb54lNKzIQLplGPaNWzD2+wcfC8VDD1M+mVE2GmA7ZTNvRDCnw6zIze1uWhuU6JznQAqdKVmeqg==
x-ms-exchange-antispam-messagedata: gHgnJU7ViKINr9GgCOwuF7ztfI8x7E1MAgSxW0dcoZA8XSARckzyg/PkuV0ryxvLJtznToOnpL2WrGwnovHfItJh4sL7P63u+ofUbreMUSr7q9qCzcBcBWYWIODfnBN+6O/g28BM0pz1XqLod7dt8w==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_05744E65B4CB41DFA276FCFA51A24251ericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 03d2355e-6e6c-4ce5-5d7b-08d7d01365fc
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Mar 2020 16:50:02.8709 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: nf3bOo1c+Hf0u2stmiF6j2YisDRCnvbs1CTE+VZHnHQ9UK7bDLTBfH6qWbSLy4a6Gc5BHqyoVErzjqn3KXhIJkB5oPymVQ03rwTxy5S76GE=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2860
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/ZkkbuZ_coLQ4w_ZLn0-s0r2L7FE>
Subject: Re: [Lake] draft-ietf-lake-reqs-02
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Mar 2020 16:50:11 -0000
Hi Hannes From: Lake <lake-bounces@ietf.org> on behalf of Hannes Tschofenig <Hannes.Tschofenig@arm.com> Date: Saturday, 21 March 2020 at 10:05 To: "lake@ietf.org" <lake@ietf.org> Subject: [Lake] draft-ietf-lake-reqs-02 Hi all, Given the WGLC I reviewed this document and below are a few comments. The introduction lists of number of specifications that reference OSCORE. I know that the authors are super keen in having those listed and hence I would argue for only one change: The text on LwM2M says " * OMA Specworks LwM2M version 1.1 [LwM2M] defines bindings to two challenging radio technologies where OSCORE will be deployed: LoRaWAN and NB-IoT. " Just because something is in a spec does not imply that it will get deployed (or even widely implemented). The jury is still out and let's wait and see how successful OSCORE will be for LwM2M. GS: This statement is based on intents expressed by companies and there has already been trials, but it is changed from “will be” to “is planned to” since this seems to be a sensitive point for you. A remark regarding the following two paragraphs: OSCORE was tailored for use with lightweight primitives that are likely to be implemented in the device, specifically CoAP [RFC7252], CBOR [RFC7049] and COSE [RFC8152]. The AKE shall specify how COSE can be reused for identification of credentials and algorithms of OSCORE and the AKE, as extension point for new schemes, and to avoid duplicated maintenance of crypto library. In embedded crypto implementations there are typically several layers, namely * the implementation of cryptographic algorithms (AES, SHA256, etc.) * an encoding scheme for transmission over the wire (e.g. COSE, TLS Record Layer, X.509 certificates, etc.) * the actual key exchange protocol The different layers may be used by different components and different requirements may exist for them. For example, the stage 1 bootloader may be implemented in ROM, may only use a signature verification function, and is probably optimized for code size and fast signature verification but does not care about RAM usage (because there is no other program running at that time). A device management solution, code that is running when the device is working under normal conditions, will have different requirements. Furthermore, the code for these two systems may actually be written by different parties and re-use & maintenance may actually be more complex than it looks like. GS: The analogy to consider is with the handshake and the record protocol. Would you consider design a TLS handshake that doesn’t support the same algorithms as the TLS record protocol, have encryption algorithms in different IANA registers, different encodings etc.? From our investigations the biggest code size impact is actually with the cryptographic algorithms. Hence, I disagree that there is a requirement for the AKE to use COSE. (I understand that OSCORE uses COSE but only requires a small sub-set of it. In general, it seems that everyone just implements a subset of COSE..) If I develop an AKE that is good for low end IoT devices but it does not use COSE why would that be a problem? (Note that I have seen IoT devices implementing different CBOR parsers as well. The reason is the same why developers pick and choose certain COSE components.) GS: See response to Richard on this topic. I wonder how the following two paragraphs relate to each other. The first paragraph appears to be saying that reliable transport cannot be assumed. The second transport says that it has to be assumed. The AKE cannot rely on messages being exchanged in both directions after the AKE has completed, because CoAP/OSCORE requests may not have a response [RFC7967]. Moreover, the AKE must support transport over CoAP. Since the AKE messages most commonly will be encapsulated in CoAP, the AKE must not duplicate functionality provided by CoAP, or at least not duplicate functionality in such a way that it adds extra costs in terms of code size, code maintenance, etc. It is therefore assumed that the AKE is being transported in a protocol that provides reliable transport, that can preserve packet ordering and handle message duplication, that can perform fragmentation and protect against denial of service attacks, such as provided by the CoAP Echo option [I-D.ietf-core-echo-request-tag]. GS: The first paragraph is speaking of what may happen (or not happen) after the AKE is completed, exemplified with the use of the no-response option. This is on CoAP layer and not related to underlying transport. The second paragraph speaks of transport of AKE over CoAP, so from the point of view of the AKE the transport is reliable. Is there some confusion here? You may need to indicate what exactly you mean by “CoAP” because CoAP is in the meanwhile a long, long list of specifications adding pretty much every functionality you can imagine. GS: CoAP here refers to RFC7252, RFC7959, and draft-ietf-core-echo-request-tag. We clarified this. Furthermore, I don’t see a problem of adding features to an AKE even if they are available in CoAP or in a CoAP extension. The reason is that the AKE may therefore be run on top of a wider range of underlying protocols. It may also make the AKE more robust and easier to use for developers. GS: Of course it is a problem adding functionality for the same reason as your previous statement about CoAP. Duplicating functionality generally has a cost, in terms of complexity etc., in this case to handle packet ordering, message duplication, message fragmentation, cookie-based denial of service mitigation etc. Since the AKE must be able to run on top of CoAP there is also the potential issue of such mechanisms in the AKE and the corresponding at CoAP layer interfering with each other resulting in bad performance, race conditions or other quirks. Could you elaborate a bit more on this sentence? I am also wondering what the AKE design implications of the non-CoAP-based transport are? > The AKE may use other transport than CoAP. GS: See response to Richard. I don't think there is a good understanding in the industry about the reasons why companies deploying IoT systems prefer one credential type over the other. Hence, I would omit this statement. > PSKs are often used in a first deployment because of their perceived simplicity. GS: It is not uncommon to hear that PSK is perceived as simple (which still may just be a perception), but since there is no reference provided “often” is replaced with “sometimes”. You may want to make references here to justify the statement of the massive breaches of PSK-based provisioning systems in IoT environments. (Not that PKI-based systems have been free of problems either....) > However, PSK-based provisioning has inherent weaknesses. There has > been reports of massive breaches of PSK provisioning systems, GS: The text speaks about weakness in PSK-based provisioning in general, not necessarily in IoT environments. If breaches of this kind can happen, then they can happen in particular to IoT environments. A reference is added. I would delete the sentence below because (a) many IoT devices have some form of user interface, and (b) the lack of a user interface is not necessarily relevant to the need for different credential provisioning schemes. > The common lack of a user interface in constrained devices leads to > various credential provisioning schemes. GS: Done. I think you are downplaying the importance of unlinkability with your statement on identity protection for connection identifier. There has been a lot of work in the TLS and the QUIC working groups on this topic.. Happy to provide details. > Other identifying information that needs to be transported in plain > text is cipher suites and connection identifiers. GS: This part is rewritten and connection identifier is not included in the current text. Let’s return to this in the solution discussion. I think you should also mention that the use of OSCORE and an AKE at the CoAP level provides different privacy features than using the protection at a layer below. This may be important in light of the development of QUIC (and consequently in TLS) where a lot of attention was paid to offer confidentiality protection of information like the FQDN/URL. GS: A note added to the privacy considerations. Regarding "Auxiliary Data": I don't think it is appropriate to refer to access tokens as auxiliary data given that those, particularly when used as PoP token, are actually closer to certificates or Kerberos tickets. GS: This document defines the term “auxiliary data” (out of lack of better terms) as a particular message field in the AKE. I don’t see the problem with transporting, say, a reference token in the auxiliary data field of message 1. But the explicit mentioning of access token is not essential so is removed. In the same section you are then talking about the idea of sending CSR messages. I think those are very different use cases and the implications for the design of the AKA should better be separated. To me it appears that the ability convey a CSR/Cert exchange falls more under the category of "early data" (and could be very similar to sending data along-side the exchange before the AKA has been finished) while the access token use is an alternative certificate format. GS: Sending CSR is a different example of using auxiliary data. We included an example of how these different cases relate. Denial of Service: We have seen that developers have problems with using a denial of service mechanism when it is not built into the AKA. Even with CoAP deployments developers ran into problems with reflection attacks. In your design you push this DDoS mitigation outside the AKA and I think that's a bad design approach because application developers will get it wrong (from what we know so far). GS: If you are using CoAP, you need to use available DoS mitigation techniques even if not using an AKE. So, indeed, we need to help developers use the available tools. Unfortunately, just pointing at the security protocol may lead to a false sense of security. People generally believed that using CoAP with DTLS solved all potential issues which turned out to not be correct [draft-ietf-core-echo-request-tag]. Ekr talked about the performance aspects already and this has been fuzzy all along. I would like to understand whether there are "hard bounds" or whether this is just something in the line of "We would like to have an AKE with all the features of TLS but with a few bytes less overhead". GS: Have a look at the updated section 2.10.4. I’m afraid that just a few bytes off TLS wouldn’t make much of a difference. But it is possible for an AKE to be significantly more compact: https://tools.ietf.org/html/draft-ietf-lwig-security-protocol-comparison-04#section-2.1 Out of curiosity, I am wondering which features of the TLS protocol have not yet been covered in form of requirements. For example, I am not seeing functionality like: * OCSP stapling, indication with CAs a client supports, * post handshake client authentication, * ticket-based resumption, * the ability to use server-side authentication only (with client side authentication happening later) GS: None of these have been requested. Let’s return to those questions in the solution phase. Göran
- [Lake] draft-ietf-lake-reqs-02 Hannes Tschofenig
- Re: [Lake] draft-ietf-lake-reqs-02 Göran Selander