Re: [Network-tokens] [TLS] Network Tokens I-D and TLS / ESNI

[Yiannis Yiakoumis <yiannis@selfienetworks.com>]

(cross-posting to network-tokens@ as this is the first related topic - apologies for any duplicates)

Hi Erik,

Thanks for the comments. That's a good point, and wanted to clarify the reasoning around binding fields in general, as well as  binding tokens to IP addresses specifically.

Unlike access and security tokens, network tokens are not protected by a secure TLS connection and can be read by any intermediary node. Therefore, they are open to replay attacks, and unless  used in a fully trusted environment, one should take measures against such attacks. There are two main approaches here:

* Limit a token's lifetime, to make replay attacks hard. The extreme here is to make tokens single use (e.g., through a nonce), and reject tokens with previously seen nonces (within a time window).

* Bind the token to a field that limits the scope it can be used (e.g., a user, a device, a set of exit gateways, etc). The network should be able to separately verify that the token is used within this scope. A binding field can be in an IP address, an IMSI, or any other field the network operator may use to limit the scope of a token.

Note that the binding value matters only at the point of enforcement ( the place where the network checks the scope). It doesn't play any role on the client, the server, or other network nodes.  Moreover, when tokens are encrypted, the binding field itself is not visible to anyone other than the network that issued the token, which should cover privacy concerns.

Two use cases where binding tokens to IP addresses should be fine are i) when users (a home or a mobile subscriber) are assigned a static IP address ( or a DHCP lease that lasts beyond a token's expiration time), and ii) for public IP addresses. Consider the following scenario:

home device → home NAT → operator network (static IP addresses) → operator NAT → Internet .

Despite multiple NATs, the operator can bind the token to the IP address it assigns to the modem and not worry about the downstream and upstream NAT.

As you mentioned, there will be cases where IP binding won't work, either because the endpoint that gets the token doesn't have an assigned IP address, because the enforcement point is behind a NAT, or because of heavy use of proxies etc. In such cases one could bind tokens to a different field, or use short-lived tokens and/or nonces to prevent replay attacks. The overall benefit of binding tokens to certain fields is that they can have a longer lifetime and require less state in the network.

Does this address your concern? Also, any ideas/references on how common it is to have static/long-leased IP addresses in different scenarios (e.g., residential networks and mobile networks)?

Thanks,

Yiannis

On Thu, Jun 25, 2020 at 4:29 PM, Erik Nygren < erik+ietf@nygren.org > wrote:

> 
> One quick comment is that binding tokens to IP addresses is strongly
> counter-recommended.
> 
> It doesn't survive NATs or proxies, mobility, and it is especially
> problematic in IPv6+IPv4 dual-stack environments.
> 
> (Even in IPv6-only, privacy addressing causes problems here.)  Even if you
> have a way to convert tokens over
> 
> for your set of IP addresses (eg, to deal with dual-stack) that still may
> not help enough with NAT environments.
> 
> 
> 
> Erik
> 
> 
> 
> 
> On Thu, Jun 25, 2020 at 4:29 PM Yiannis Yiakoumis < yiannis@ selfienetworks.
> com ( yiannis@selfienetworks.com ) > wrote:
> 
> 
>> Hi all,
>> 
>> 
>> 
>> I wanted to briefly introduce network tokens ( https://networktokens.org )
>> into this list, how they relate with TLS and ESNI, and kindly ask anyone
>> that is interested to share feedback and join the discussion.
>> 
>> 
>> 
>> Network tokens is a method for endpoints to explicitly and securely
>> coordinate with networks about how their traffic is treated. They are
>> inserted by endpoints in existing protocols, interpreted by trusted
>> networks, and may be signed or encrypted to meet security and privacy
>> requirements. Network tokens provide a means for network operators to
>> expose datapath services (such as a zero-rating service, a user-driven QoS
>> service, or a firewall whitelist), and for end users and application
>> providers to access such services. Network tokens are inspired and derived
>> by existing security tokens (like JWT and CWT), borrowing several of their
>> security and privacy properties, and adjusting them for use in a
>> networking context.
>> 
>> 
>> 
>> There are two ways that network tokens relate with TLS:
>> 
>> * They can support ESNI adoption: in a world where ESNI is widely adopted,
>> network tokens can enable use cases where endpoint-network coordination is
>> required, without having to go back to plaintext SNI that everyone can
>> read.
>> 
>> * Network tokens are embedded as TLS handshake extensions (among others).
>> 
>> We are shooting for a BoF in November, and are very much interested into
>> feedback around the concept, use cases, what we need to do to make network
>> tokens adopted as a TLS handshake extension, and folks that are interested
>> to get involved in the effort!
>> 
>> 
>> 
>> Links to an IETF I-D, a mailing list, and initial implementation are
>> available at https:/ / networktokens. org ( https://networktokens.org/ ).
>> 
>> 
>> 
>> Best,
>> 
>> Yiannis
>> 
>> 
>> =====================
>> 
>> Yiannis Yiakoumis
>> Co-Founder & CEO
>> 
>> https:/ / selfienetworks. com ( https://selfienetworks.com ) |
>> +1-650-644-7857
>> 
>> 
>> 
>> _______________________________________________
>> TLS mailing list
>> TLS@ ietf. org ( TLS@ietf.org )
>> https:/ / www. ietf. org/ mailman/ listinfo/ tls (
>> https://www.ietf.org/mailman/listinfo/tls )
> 
> 
>