Re: [Lwip] [IPsec] The LWIG WG has placed draft-mglt-lwig-minimal-esp in state "Call For Adoption By WG Issued"

Mohit Sethi <mohit.m.sethi@ericsson.com> Tue, 04 September 2018 08:07 UTC

Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: lwip@ietfa.amsl.com
Delivered-To: lwip@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96528128B14 for <lwip@ietfa.amsl.com>; Tue, 4 Sep 2018 01:07:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x1OjSrdCn5mH for <lwip@ietfa.amsl.com>; Tue, 4 Sep 2018 01:07:05 -0700 (PDT)
Received: from sesbmg23.ericsson.net (sesbmg23.ericsson.net [193.180.251.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E090130DFB for <lwip@ietf.org>; Tue, 4 Sep 2018 01:07:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1536048422; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=wntpDlNLVgn9CyJrUlYpzp9GxJq0Jwpl3VSOxAy9Wu8=; b=GsPdv6XUVoVz0czSNCb43EYoQZYCGPGIqN8YkMS8k2nmZJKa8mEkMF9R84M5NIOA 69aqkvI0B0YtQNP1ZSIi1aGQ89enXGxGQWtzeNGYvXaJQLlkVLHIgl0sGS1mHluG 4m0JMvFzOqrcpgb88+SLfPIyq+R9AXHctwoxeTFHj8A=;
X-AuditID: c1b4fb25-8e7ff700000013ad-ac-5b8e3d267b2d
Received: from ESESBMB505.ericsson.se (Unknown_Domain [153.88.183.118]) by sesbmg23.ericsson.net (Symantec Mail Security) with SMTP id E7.5D.05037.62D3E8B5; Tue, 4 Sep 2018 10:07:02 +0200 (CEST)
Received: from ESESSMB502.ericsson.se (153.88.183.163) by ESESBMB505.ericsson.se (153.88.183.172) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Tue, 4 Sep 2018 10:07:02 +0200
Received: from nomadiclab.fi.eu.ericsson.se (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.190) with Microsoft SMTP Server id 15.1.1466.3 via Frontend Transport; Tue, 4 Sep 2018 10:07:02 +0200
Received: from nomadiclab.fi.eu.ericsson.se (localhost [127.0.0.1]) by nomadiclab.fi.eu.ericsson.se (Postfix) with ESMTP id 4F03A4821CF; Tue, 4 Sep 2018 11:07:02 +0300 (EEST)
Received: from [127.0.0.1] (localhost [IPv6:::1]) by nomadiclab.fi.eu.ericsson.se (Postfix) with ESMTP id D51024821CB; Tue, 4 Sep 2018 11:07:01 +0300 (EEST)
To: Tero Kivinen <kivinen@iki.fi>, Heinrich Singh <heinrich.ietf@gmail.com>
CC: ipsec@ietf.org, lwip@ietf.org
References: <CAP_kZQqckPJhCn083sg8=PVpiO_+Ke=GhOKre=qujkk4k=dU7A@mail.gmail.com> <CADZyTk=dtJS7bS8oJtSa1bW-Xv3-AkuboX1QoJTFG+DyuN94ow@mail.gmail.com> <CAP_kZQrnmJJaLtzSJ5MeDYSme2mV6sAfGZrE5tnx8P6hbMib7g@mail.gmail.com> <23433.17795.580382.531001@fireball.acr.fi>
From: Mohit Sethi <mohit.m.sethi@ericsson.com>
Message-ID: <e9c80a38-a9c6-0df5-5778-5e744ac8fed0@ericsson.com>
Date: Tue, 04 Sep 2018 11:07:01 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <23433.17795.580382.531001@fireball.acr.fi>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
X-AV-Checked: ClamAV using ClamSMTP
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFuplkeLIzCtJLcpLzFFi42KZGbG9TFfNti/a4H6jpkXTgu1sFvu3vGCz OHr+OZvFvH3CDiweO2fdZfdYsuQnk8fhrwtZApijuGxSUnMyy1KL9O0SuDJmPlzIXHDHpGLN 0UbmBsbZWl2MnBwSAiYSj648Y+li5OIQEjjKKDFn3zpGkISQwFdGiVX3HSASFxglpqycwwrh bGaU6Lu/FcpZyCjxtuUTM0iLsECVxIzrl1lBbBEBb4m+NxPZQWxmAVWJT2/6oHb0MEl8WXiC DSTBJqAn0XnuOFgzr4C9xOO5v4GaOThYBFQkmpeD9YoKREisXv6CFaJEUOLkzCcsIDangIXE sg/dLBDzLSRmzj/PCGFrSyxb+JoZwhaXuPVkPhPEn8oSC1oWQb2mLrG14wDjBEbRWUjGzkIy ahaSUbOQjFrAyLKKUbQ4tTgpN93IWC+1KDO5uDg/Ty8vtWQTIzCSDm75rbqD8fIbx0OMAhyM Sjy8/037ooVYE8uKK3MPMUpwMCuJ8PrxA4V4UxIrq1KL8uOLSnNSiw8xSnOwKInzPjTfHCUk kJ5YkpqdmlqQWgSTZeLglGpgzFgeXvCkM/MC48+Srw95+fXeV6lbT7gatfb6nqnfPiVzLHRa HJa/5/zEe32+MTo22/i32PRveDtJ9LWYsmPWqTsZ88xcrx1O2nCwfcGzGXLnMy6X2t1u+7I0 9c1ha5M7QT8U5J+767VruNnacoUXrhB4U30gINA2LOf1tX+f2D8GR4uemKcbqsRSnJFoqMVc VJwIADrnaLugAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/lwip/SnQwq-B2N_O5QoRwV8vfwd4OLgs>
Subject: Re: [Lwip] [IPsec] The LWIG WG has placed draft-mglt-lwig-minimal-esp in state "Call For Adoption By WG Issued"
X-BeenThere: lwip@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "Lightweight IP stack. Official mailing list for IETF LWIG Working Group." <lwip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lwip>, <mailto:lwip-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lwip/>
List-Post: <mailto:lwip@ietf.org>
List-Help: <mailto:lwip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lwip>, <mailto:lwip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Sep 2018 08:07:07 -0000

Hi Tero,

You raise some very interesting points here.

I personally think that the draft can benefit from more information 
about existing implementations of ESP. For example, documenting the fact 
that many implementations do not send dummy packets or which 
implementations use TFC. Adding specific example of  802.15.4 TSCH 
networks and how synchronized time is available would also be helpful.

Of course, this could be done before or after its adoption.

--Mohit


On 08/31/2018 04:41 PM, Tero Kivinen wrote:
> Heinrich Singh writes:
>> Text saying that you would loose some privacy by using fixed number
>> of SPI does not absolve your responsibility. It should not recommend
>> that.
> There is no requirement for SPI to be random and originally it was
> written that way so implementations can use whatever method to
> allocate SPIs they like. For example they can use index to the SPI
> table or whatever instead of allocating random SPI, or they could even
> use pointer to the SPI structure in memory as SPI value (would of
> course need some kind of checks that address is in area allocated for
> SPIs and is aligned properly).
>
> Adding requirement that SPI needs to be random would be modifying the
> base ESP, and is not in the scope of draft trying to define minimal
> ESP. Saying that in contrained devices which have very few SPIs the
> SPIs can be allocated using some other method than random is in scope
> of the this draft.
>
> Also most of the constrained devices do not care about privacy as they
> have fixed hardware address, stable IPv6 address and are not
> associated with any person. Sensor sending wind speed, or temperature
> to the cloud service does not have privacy requirements, sensors
> sending temperature inside your house might have (as it might leak out
> information whether you are home or not), but even in that case the
> fact that it is your sensor sending information every 60 seconds does
> not, only the data inside.
>
> Privacy requirements are not something that are always there, they
> always depend heavily about what you do with the protocol. I.e., in
> some cases the IP addresses, hardware addresses, SPIs etc need to be
> protected against tracking, but in many cases they do not need to be.
>
> This document gives recommendation that in some cases it might be good
> idea to use fixed SPI as it might make implementations smaller. I.e.,
> if the option is either not to use IPsec at all, as it is too big, or
> to use IPsec with fixed SPI and other limitations that make it small,
> I think the option with IPsec is better.
>
>> I do not know 802.15. Others can also say what they feel but from my
>> experience simple monotonic sequence numbers are more easier than
>> having a clocks.
> True. But for example 802.15.4 TSCH (i.e., the protocol over which
> 6TiSCH is working) does have globally shared clock which is kept in
> sync with everybody. So in that kind of situations using clock as
> monotonically incrementing counter and using that as sequence number
> might save resources in constrained device.
>
>> This I think is a not a good idea. Sender and receiver can easily
>> get out of sync because your rate of sending packets is not
>> proportional to time. The receiver would need to allow very large
>> window. The sender would still need to store time to flash in-case
>> there is need for sync after device reset.
> Sequence numbers are in one direction, i.e., I need to use
> monotonically incrementing sequence number when I send, but that
> sequence number does not have anything to do with other ends sequence
> number. Also window size is need only if you have out of order
> packets, and you care about replay protection. Both of them are
> something that might not be something that constrained device cares.
>
> For example it might have internal replay protection for the messages
> it sends, so it does not need to care whether there is replays on the
> IPsec level, thus it can drop the whole replay protection checks
> completely. Or it might work on the environment where out of order
> deliver is not possible, thus it can just keep window size to 1.
>
> Also recipient cannot know which method other end is using when
> generating sequence numbers, so it needs to do the replay protection
> checking using whatever method it wants. It might need to store the
> last received sequence number to the flash if it cares about replay
> protections, or it can simply drop replay protection completely.
>
> On the other hand sender is REQUIRED to send sequence numbers in such
> way they are monotonically incrementing (not necessarely by one), and
> if it has any kind of other monotonically incrementing counter like
> clock, it can use that to generate the sequence numbers and get rid of
> the requirement to store outgoing sequence number to the flash.
>
>> What you mean implementations must discard dummy packets? Even
>> non-constrained implementations must discard dummy packets so what
>> is new here?
> Yes. And that quite often happens automatically as there is nobody in
> the device that wants to get packets with that protocol number.
>
> I have not actually never seen anybody sending dummy packets or TFC
> padding packets in any implementations. I guess most of them know how
> to ignore them, but sending them is not something people do. And I am
> not even sure which implementation support for sending dummy packets.
> TFC is most likely supported in some implementations (libreswan at
> least seems to support it) as it is much easier to configure, just pad
> all packets to fixed length. When sending dummy packets configuration
> is much more complicated, as you need to configure what kind of
> traffic pattern you want to maintain.
>
> So as those are not really used in non-constrained devices, I do not
> think there is that big different in constrained devices. Again all of
> this depends on the environment. For example some kind of door sensor
> might want to keep sending packets every n seconds just not to leak
> out when the door was opened and closed, but it might just use real
> packets instead of dummy packets. I.e., it might be configured to send
> the door status every 30 seconds, and in that packet it tells whether
> door is now open or closed, and whether what transitions happened
> during last 30 seconds.
>
> Privacy is so hard topic to solve that it always requires you to check
> out the actual environment and use case where the protocol is used
> before you can decide what kind of protections are needed. There is no
> this thing solves all issues solution there.