Re: [Lwip] [IPsec] The LWIG WG has placed draft-mglt-lwig-minimal-esp in state "Call For Adoption By WG Issued"
Daniel Migault <daniel.migault@ericsson.com> Wed, 29 August 2018 16:17 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: lwip@ietfa.amsl.com
Delivered-To: lwip@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13437130DE6; Wed, 29 Aug 2018 09:17:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fs_4iWQWwvMY; Wed, 29 Aug 2018 09:17:23 -0700 (PDT)
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00412130DD9; Wed, 29 Aug 2018 09:17:22 -0700 (PDT)
Received: by mail-lj1-x22a.google.com with SMTP id f1-v6so4856236ljc.9; Wed, 29 Aug 2018 09:17:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=6uEuJrESKcyzCwWv4Xim7lLPRa9Ekn35MFR2g0llsIQ=; b=XM3HmsGoIWMc4EBipSUUePLijDnce3sONzxEWx6C8PuSlo+0+J4UJILF5jaLaUSEzo JW9vuYqqrJ5snAvNVjpAo25OIMR/IHB/f8fap1SLi4BCqm1DKcJUem+mKvLy0zRd90BC xAfWoB+UzzSdnomePu203DFoPP6Nlgd1TzHpfrKJ+YrTqG1nwFRCWD8426aBHAZyd++/ +0SrLbmiL0KSsM8bAeDAsqekqr2PYfntxQRQ6Wg+/mBT8kT9/kMvUDwgnd2WEH0x5FyD tTQ+JqEw5RZ+kOD2n2zcs+ZQq79GKqxejUoMg818wJ+Q3zfIxuWER7OWX5ax8lPSN5Yy 0yjw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=6uEuJrESKcyzCwWv4Xim7lLPRa9Ekn35MFR2g0llsIQ=; b=nCVq0cSxllsjUfH56MYDOx97gaInaN/sR57xSqZJx1jdxWGrGKwn0ZZwOkGjJYB8F6 dGV3xn+x3YnHHJO6hOp1kChQJufF+4N9scfGPh49mAvRqKB74Y2MlCXT6h+xM8z/GtE7 qHVVVvR4d5hYJfCnGOhPLO8adpV5rj/yb81CuPwCSnuPs57GBG59iGonXYTWv8sW/Ivc CUuNP4Va7w4pM4h616csGlreSyxKBsXbEXKbeDto/4ZZ0JtvHvq0vMyUA+Hq8hfM7x62 fe9a0PFZ6pGDOG2z7eTUqYDrMKCp1x6uqRsZ56z3WYthY5sKSbdv1CJlNDwuoVZd1tqx Rubw==
X-Gm-Message-State: APzg51B4tIRZmhHEVCM3LZtz/bFcxweF5GDoTO9TLyInEkQtgkYFf1zJ U+GsLkAa1L2+m3pVThk7mhM3/uB3n1xCyIrmuPQ=
X-Google-Smtp-Source: ANB0VdZQF6OYPiyYKBjdR6f0Qj1lh5ScD8Tfm64YqcS66YRx3/JZSz5Y2JmEinQ+BLhxBBfMHH3qH027WoeYeKcgNCY=
X-Received: by 2002:a2e:5d57:: with SMTP id r84-v6mr4647576ljb.89.1535559441038; Wed, 29 Aug 2018 09:17:21 -0700 (PDT)
MIME-Version: 1.0
Sender: mglt.ietf@gmail.com
Received: by 2002:a2e:912:0:0:0:0:0 with HTTP; Wed, 29 Aug 2018 09:17:20 -0700 (PDT)
In-Reply-To: <CAP_kZQqckPJhCn083sg8=PVpiO_+Ke=GhOKre=qujkk4k=dU7A@mail.gmail.com>
References: <CAP_kZQqckPJhCn083sg8=PVpiO_+Ke=GhOKre=qujkk4k=dU7A@mail.gmail.com>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Wed, 29 Aug 2018 12:17:20 -0400
X-Google-Sender-Auth: ufcMMfKfA_w2Xrd0A027IfbgMXM
Message-ID: <CADZyTk=dtJS7bS8oJtSa1bW-Xv3-AkuboX1QoJTFG+DyuN94ow@mail.gmail.com>
To: Heinrich Singh <heinrich.ietf@gmail.com>
Cc: lwip@ietf.org, IPsecME WG <ipsec@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000003c1000574954bb0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/lwip/6vnEEBvPK3Q-ozuQwqrd1JIdVv8>
Subject: Re: [Lwip] [IPsec] The LWIG WG has placed draft-mglt-lwig-minimal-esp in state "Call For Adoption By WG Issued"
X-BeenThere: lwip@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "Lightweight IP stack. Official mailing list for IETF LWIG Working Group." <lwip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lwip>, <mailto:lwip-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lwip/>
List-Post: <mailto:lwip@ietf.org>
List-Help: <mailto:lwip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lwip>, <mailto:lwip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Aug 2018 16:17:27 -0000
Hi Heinrich, Thank you for reviewing the draft. Please find my response inline. I believe your concerns are addressed in the draft within the scope of the draft. The work you are mostly looking at would be an efficient TFC / dummy packet policy. This would more probably be in scope of ipsecme WG. Yours, Daniel On Thu, Aug 23, 2018 at 2:32 PM, Heinrich Singh <heinrich.ietf@gmail.com> wrote: > Hello IETF, > > I am new to LWIP/IPSEC. I read draft-mglt-lwig-minimal-esp. Here is my > summary: > > > 1. Don't use random SPI because getting randomness on small devices is > expensive. This will of course leak privacy. If a vendor/app uses fixed SPI > for his devices, then someone on the network can find out info of > vendor/app. > > <mglt> This is correct and I believe this statement is provided in the draft. Is there, in your opinion, anything we should add in the text below: The use of a limited number of fix SPI also come with security or privacy drawbacks. Typically, a passive attacker may derive information such as the number of constrained devices connecting the remote peer, and in conjunction with data rate, the attacker may eventually determine the application the constrained device is associated to. In addition, if the fix value SPI is fixed by a manufacturer or by some software application, the SPI may leak in an obvious way the type of sensor, the application involved or the model of the constrained device. As a result, the use of a unpredictable SPI is preferred to provide better privacy. As far as security is concerned, revealing the type of application or model of the constrained device could be used to identify the vulnerabilities the constrained device is subject to. This is especially sensitive for constrained device where patches or software updates will be challenging to operate. As a result, these devices may remain vulnerable for relatively long period. In addition, predictable SPI enable an attacker to forge packets with a valid SPI. Such packet will not be rejected due to an SPI mismatch, but instead after the signature check which requires more resource and thus make DoS more efficient, especially for devices powered by batteries. </mglt> Also, why a device can generate random number for doing IKEv2, nonces etc. but not for generating SPI? <mglt> I am reading your text as if the draft were recommending the use of non random SPI, while you would expect the draft to recommend a random generation of the SPI. I think the draft address your comment by recommending a random generation of the SPI with the text below: It is RECOMMENDED to randomly generate the SPI indexing each inbound session. A random generation provides a stateless way to generate the SPIs, while keeping the probability of collision between SPIs relatively low. In case of collision, the SPI is simply re- generated. We could have hardly go further for example by saying SPI MUST be randomly generated as this is not required by RFC4303. Such requirement woudl have been out of scope of the draft as the purpose of the draft is not to update the standard ESP and become a replacement of RFC4303. instead, its purpose is to implement a minimal version of RFC 4303. SPI randomness is not required by RFC4303, so this document cannot mandate SPI generation to be random. The draft also clearly stated that non compromise on random generator should mad for random used for cryptographic purpose. This is not the case for SPI, and some device may, when necessary, use this to save cycles. </mglt> > > 1. Storing sequence numbers is difficult so devices can use time. > Getting time on small devices is actually much harder. Also is there some > hard info that reading time is cheaper than reading sequence number from > memory? I can also look at packets much later and tell when you sent a > packet. > > <mglt> We received this example from people following IEEE802.15. It would be good you share your information why reading time is much harder, so the discussion can happen on the mailing list. From my perspective the main idea was to explain that you could take advantage of an already existing "always increasing" function set on your device. Typically, the time is shared across the device and can be used by ALL session, instead of having multiple Sequence numbers. As a side note, if your cases does not fit this, you do not necessarily need to follow this implementation ;-). However, I am happy if your are proposing text to make this more accurate. </mglt> > > 1. Don't use Traffic Flow Confidentiality again loosing privacy. > > <mglt> I believe this is what the current version of the draft says. However, as mentioned before, this draft is not updating RFC4303 and as such cannot make this feature mandatory. In addition, TFC is *really* not the kind of feature we expect for a minimal implementation in constrint devices. Typically it consists in adding extra bytes while this is precisely the tasks that consumes the more resource for most of the constraint devices. In addition, managing TFC to avoid creating a new pattern is neither trivial, nor widely used. It woudl be mostly based on statistics, and such functionalities are not expected to be found on constraint device. It is not obvious also that such option could introduce specific patterns which could also loose privacy. Again if you find the text misleading, I am happy you propose text to improve it. ESP [RFC4303 <https://tools.ietf.org/html/rfc4303>] also provides Traffic Flow Confidentiality (TFC) as a way to perform padding to hide traffic characteristics, which differs from respecting a 32 bit alignment. TFC is not mandatory and MUST be negotiated with the SA management protocol. As a result, TFC is not expected to be supported by a minimal ESP implementation. On the other hand, disabling TFC should be carefully measured and understood as it exposes the node to traffic shaping. This could expose the application as well as the devices used to a passive monitoring attacker. Such information could be used by the attacker in case a vulnerability is disclosed on the specific device. In addition, some application use - such as health applications - may also reveal important privacy oriented informations. Some constrained nodes that have limited battery life time may also prefer avoiding sending extra padding bytes. However the same nodes may also be very specific to an application and device. As a result, they are also likely to be the main target for traffic shaping. In most cases, the payload carried by these nodes is quite small, and the standard padding mechanism may also be used as an alternative to TFC, with a sufficient trade off between the require energy to send additional payload and the exposure to traffic shaping attacks. </mglt> > > 1. Don't use dummy packets again loosing privacy. > > <mglt> The draft does not prevent the use of dummy packets. Instead implementation must be able to discard received dummy packet.. I believe the issue you are raising is that RECOMMEND be changed in MUST. Thanks for raising this I will update the draft. What the draft says is rather setting a widely used policies for generating dummy packets, i.e. that is generating none. I do not think we expect more from a minimal implementation. Similarly, handling dummy packet is not obvious, and maybe not expected to be treated correctly by constrained devices. The draft also mention the privacy issues associated to not generating dummy packets. Is there any text you woudl like to propose ? The ability to generate and receive dummy packet is required by [RFC4303 <https://tools.ietf.org/html/rfc4303>]. For interoperability, it is RECOMMENDED a minimal ESP implementation discards dummy packets. Note that such recommendation only applies for nodes receiving packets, and that nodes designed to only send data may not implement this capability. As the generation of dummy packets is subject to local management and based on a per-SA basis, a minimal ESP implementation may not generate such dummy packet. More especially, in constrained environments sending dummy packets may have too much impact on the device life time, and so may be avoided. On the other hand, constrained nodes may be dedicated to specific applications, in which case, traffic pattern may expose the application or the type of node. For these nodes, not sending dummy packet may have some privacy implication that needs to be measured. </mglt> > > 1. Reference rfc 8221 for IoT related crypto suites. > > <mglt> The draft provide the reference at least 5 times. </mglt> > > 1. > > I don't know why IETF would publish this document when they have rfc 6973. > I want to see some actual performance from a real ESP implementation where privacy is protected and energy is saved by tweaking the TFC and how often dummy packet is sent. <mglt> I agree that would be an interesting topic, but outside teh scope of defining a minimal implementation for the current ESP. I believe the work you are expecting is the definition of an efficient TFC / dummy packet policies. This is currently more a research project. This may be a link of interest: https://www.researchgate.net/publication/224720331_Traffic_masking_in_IPsec_architecture_and_implementation </mglt> > > Ciao > Heinrich > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec > >
- [Lwip] The LWIG WG has placed draft-mglt-lwig-min… Heinrich Singh
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Daniel Migault
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Heinrich Singh
- Re: [Lwip] The LWIG WG has placed draft-mglt-lwig… Zhen Cao
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Tero Kivinen
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Daniel Migault
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Michael Richardson
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Paul Wouters
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Mohit Sethi
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Daniel Migault
- Re: [Lwip] The LWIG WG has placed draft-mglt-lwig… Heinrich Singh
- Re: [Lwip] The LWIG WG has placed draft-mglt-lwig… Daniel Migault
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Mohit Sethi M
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Daniel Migault
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Paul Wouters
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Valery Smyslov
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Paul Wouters
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Daniel Migault
- Re: [Lwip] [IPsec] The LWIG WG has placed draft-m… Mohit Sethi M