Re: [P2PSIP] AD evaluation: draft-ietf-p2psip-share-07

Alissa Cooper <alissa@cooperw.in> Wed, 23 March 2016 20:51 UTC

Return-Path: <alissa@cooperw.in>
X-Original-To: p2psip@ietfa.amsl.com
Delivered-To: p2psip@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F23D12D8DD for <p2psip@ietfa.amsl.com>; Wed, 23 Mar 2016 13:51:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.721
X-Spam-Level:
X-Spam-Status: No, score=-2.721 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cooperw.in header.b=SfWaP4nI; dkim=pass (1024-bit key) header.d=messagingengine.com header.b=G0xeBCiy
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g4xZzlHWRnGb for <p2psip@ietfa.amsl.com>; Wed, 23 Mar 2016 13:51:09 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7832512D8FF for <p2psip@ietf.org>; Wed, 23 Mar 2016 13:51:02 -0700 (PDT)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id DBE5020DA5 for <p2psip@ietf.org>; Wed, 23 Mar 2016 16:51:01 -0400 (EDT)
Received: from frontend2 ([10.202.2.161]) by compute5.internal (MEProxy); Wed, 23 Mar 2016 16:51:01 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=cooperw.in; h=cc :content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-sasl-enc :x-sasl-enc; s=mesmtp; bh=OI102qHG6iFLAPq/HCEbKRhHhH8=; b=SfWaP4 nIA4uUrYee9K0igmwZwO9aX0LCu82qB7+e13teucSWfCl5oQMxLSWCUB1MSA/Cd3 Y5SI4dTH/wCweGYshiCpgtkTHQ6zskh1ngwUFezu1owh66fqK4v5hU0Frc06lnKm fjexqZzaZbA7LYoE4MZIZxFI4cFdIEk8Wfg74=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=OI102qHG6iFLAPq /HCEbKRhHhH8=; b=G0xeBCiy1LkwDkb4w/aj9xWPOhV5gII+sPZ/f0EgdcrcADB asmJfWs1L5nEcLbujvVyWu1BcZY4gDTWli7c5eLxehh2/Pom3OzwE8KSFO38Eq8h f7/AWpu5Bvg6Sp784ks6VEB7tDxq+7Wk1l6yuFqhYbDU+kseQijsUMQcOtx4=
X-Sasl-enc: NOcKa/LTwEzfS2Cw1m3KBlqIZRCqL3c2Md+HETPfbN3U 1458766261
Received: from dhcp-171-68-122-59.cisco.com (dhcp-171-68-122-59.cisco.com [171.68.122.59]) by mail.messagingengine.com (Postfix) with ESMTPA id 1F3E2680230; Wed, 23 Mar 2016 16:51:01 -0400 (EDT)
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: Alissa Cooper <alissa@cooperw.in>
In-Reply-To: <488F2FA5-D434-49F5-8A83-7B4C33423971@cooperw.in>
Date: Wed, 23 Mar 2016 13:51:20 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <60A5B521-1593-405B-8104-F1AACCD951F2@cooperw.in>
References: <e41784d379854608bb9a6e027848cee3@HUB01.mailcluster.haw-hamburg.de> <56EF3475.2040009@haw-hamburg.de> <488F2FA5-D434-49F5-8A83-7B4C33423971@cooperw.in>
To: "Thomas C. Schmidt" <t.schmidt@haw-hamburg.de>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/p2psip/C9F-go5fXNmR9W3DZSs0zJQlOps>
Cc: P2PSIP WG <p2psip@ietf.org>
Subject: Re: [P2PSIP] AD evaluation: draft-ietf-p2psip-share-07
X-BeenThere: p2psip@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Peer-to-Peer SIP working group discussion list <p2psip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/p2psip>, <mailto:p2psip-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/p2psip/>
List-Post: <mailto:p2psip@ietf.org>
List-Help: <mailto:p2psip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/p2psip>, <mailto:p2psip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Mar 2016 20:51:11 -0000

That should say secdir@ietf.org.

> On Mar 23, 2016, at 1:21 PM, Alissa Cooper <alissa@cooperw.in>; wrote:
> 
> Thanks, the changes look good and the explanations make sense. Marc should go ahead and request the early secdir review by sending mail to sector@ietf.org.
> 
> Alissa
> 
>> On Mar 20, 2016, at 4:38 PM, Thomas C. Schmidt <t.schmidt@haw-hamburg.de>; wrote:
>> 
>> Hi Alissa,
>> 
>> many thanks for the careful review. We have revised and resubmitted the document accordingly.
>> 
>> For the details, please see our comments inline.
>> 
>> On 15.01.2016 00:03, Alissa Cooper wrote:
>>> I have reviewed this document in preparation for IETF last call. I have
>>> a number of comments and questions that need to be resolved before last
>>> call can be initiated. I’ve also included some nits below that should be
>>> resolved together with last call comments.
>>> 
>>> Given the nature of this document, I’d like for the shepherd to request
>>> an early SECDIR review after the comments below have been resolved so
>>> that the authors and WG can receive security feedback before the
>>> document progresses to IESG evaluation.
>>> 
>> 
>> I assume this needs to be initiated by Marc (Petit-Huguenin) right away?
>> 
>>> 
>>> == Substantive comments and questions ==
>>> 
>>> = Section 3.1 =
>>> 
>>> I think this section requires clarification.
>>> 
>>> How is the index value supposed to be initialized? Is it supposed to be
>>> chosen at random or set to 0 (or 1, as in the figure)?
>>> 
>> 
>> It is now clarified that the (8 bit individual) index is under sole control of the writing peer. The peer is free to use these bits according to application needs. No interoperability issue, as the key only requires uniqueness, no further semantic attached to it.
>> 
>>> I don’t understand how this mechanism relates to how SSRCs are chosen.
>>> In fact RFC 3550 doesn’t specify a particular algorithm to use, but
>>> merely provides one example.
>> 
>> The mechanism to build the keys is now more explicitly stated. The pointer to RFC 3550 refers only to a method for  calculating the collision probability, no reference to assignment algorithms.
>> 
>>> Furthermore, I don’t see how the collision
>>> probably for the array index value, which selects the least significant
>>> three bytes from a cryptographically random Node-Id that must be 16
>>> bytes or longer, would be the same as for a randomly chosen 32-bit
>>> integer. Could you explain?
>>> 
>> 
>> The formula presented in RFC 3550 has a length parameter (L) and we added that L=24 must be chosen in the present case. Otherwise, the argument is that the selected 24 bits from a (cryptographically random) Node-Id also form uniform pseudo-random numbers, since the selection mechanism does not produce a bias.
>> 
>>> = Section 5 =
>>> 
>>> Are variable resource names expected to be UTF-8 strings? I think
>>> somewhere in this section the internationalization expectations for
>>> these strings need to be specified.
>>> 
>> 
>> Resource names correspond to regular Reload resource names, thus opaque (ASCII-encoded) strings of variable length up to 254 bytes. We are not touching this here.
>> 
>>> = Section 5.3 =
>>> 
>>> (1)
>>> I think this section needs to specify normative requirements on the
>>> pattern construction to avoid duplicative or substring names as
>>> described in 5.1
>>> 
>> 
>> Yes, we've included
>> 
>> "variable parts in <pattern> elements defined in the overlay configuration document MUST remain syntactically separated from the user name part (e.g., by a dedicated delimiter) to prevent collisions with other names of other users."
>> 
>>> (2)
>>> "Configurations in this overlay document MUST adhere in syntax and
>>> semantic of names as defined by the context of use. For example, syntax
>>> restrictions apply when using P2PSIP[I-D.ietf-p2psip-sip], while a more
>>> general naming is feasible in plain RELOAD."
>>> 
>>> I don’t understand what the normative requirement is here or why it is
>>> needed. How is “the context of use” defined? Shouldn’t it be up to the
>>> specific protocol documents to define the required syntax and semantics
>>> for specific usages (e.g., the way draft-ietf-p2psip-sip does)?
>>> 
>> 
>> Right, this was misleading. We changed to
>> 
>> "It is noteworthy that additional constraints on the syntax and semantic of names can apply according to specific Usages."
>> 
>> 
>>> (3)
>>> "In the absence of a <variable-resource-names> element for a Kind using
>>> the USER-CHAIN-ACL access policy (see Section 6.6
>>> <https://tools.ietf.org/html/draft-ietf-p2psip-share-07#section-6.6>),
>>> implementors SHOULD assume this default value."
>>> 
>>> Why is this SHOULD and not MUST? Shouldn’t implementations
>>> conservatively assume that variable names are not allowed unless
>>> explicitly specified?
>>> 
>> 
>> We agree - changed to MUST.
>> 
>>> (4)
>>> "If no pattern is defined for a Kind or the "enable" attribute is false,
>>> allowable Resource Names are restricted to the username of the signer
>>> for Shared Resource.”
>>> 
>>> I think this needs to account for an error condition where the pattern
>>> does not meet the pattern construction requirements, e.g.:
>>> 
>>> ""If no pattern is defined for a Kind, if the "enable" attribute is
>>> false, or if the regular expression does not meet the requirements
>>> specified in this section, the allowable Resource Names are restricted
>>> to the username of the signer for Shared Resource.”
>>> 
>> 
>> Thanks, we forgot this - changed now.
>> 
>>> = Section 6.2 =
>>> 
>>> For privacy reasons, wouldn’t it be better to overwrite every entry in a
>>> subtree when the root of the subtree gets overwritten? Otherwise the
>>> list of users who were given write access may remain long after their
>>> access has been revoked.
>>> 
>> 
>> Yes in general, but there are two constraints.
>> 
>> (a) Only the Resource Owner can overwrite all entries of a subtree (entries of which may have different owners). Periodic checks of the Owner may produce an unwanted extra load.
>> (b) There may be use cases, where a subtree shall be temporarily invalidated, but reactivated later (e.g., some behavioral monitoring puts some peer under suspect, but later releases this).
>> 
>> For these reasons, we argue for a "SHOULD" here:
>> 
>> "To protect the privacy of the users, the Resource Owner SHOULD overwrite all subtrees that have been invalidated."
>> 
>>> = Section 6.3 =
>>> 
>>> How strings are to be compared (e.g., as binary objects or whatever it
>>> is) needs to be normatively specified.
>>> 
>> 
>> Yes, comparing binary objects is added, now.
>> 
>>> It is confusing to use normative language only in step 5 here. I would
>>> suggest either normatively defining each action or not using SHALL here.
>>> 
>> 
>> Yes, agreed and changed to:
>> 
>> "This final ACL item is expected to be the root item of this ACL which MUST be further validated by verifying that the root item was signed by the owner of the ACL Resource."
>> 
>>> = Section 6.6 =
>>> 
>>> "Otherwise, the value MUST be written if the certificate of the signer
>>> contains a username that matches to one of the variable resource name
>>> pattern (c.f. Section 5
>>> <https://tools.ietf.org/html/draft-ietf-p2psip-share-07#section-5>)
>>> specified in the configuration document"
>>> 
>>> It seems to me that matching the pattern is not sufficient — isn’t it
>>> the case that both the user and domain portions of the user name in the
>>> certificate need to match the user and domain name portions present in
>>> the resource name?
>> 
>> Yes, this is made clearer now:
>> 
>> "contains a username that matches to the user and domain portion in one of the variable resource name patterns"
>> 
>>> In general, the document seems to be missing
>>> discussion of the implications of having the user name and the resource
>>> name diverge. I think this affects every operation that involves
>>> comparing the two (or the Resource-Id, right?).
>>> 
>> 
>> The logic is as follows: Store if (a) a regular USER-MATCH or USER-NODE-MATCH works (we are regular owner), or if (b) a variable resource name is successfully authenticated (we are owner using variable naming - this includes matching of username *and* resource name), or if (c) ACL authorization is in effect (we harvest trust delegation) for this resource.
>> 
>> Otherwise, the store request must be denied, which we added explicitly, now.
>> 
>>> I’m also unclear about why policy for allowing access to shared
>>> resources is being strictly coupled with policy for allowing variable
>>> resource names. Might there be cases where it makes sense to authorize
>>> one but not the other?
>>> 
>> 
>> I don't see the strict coupling, here: First the check is done to store based on USER-MATCH or USER-NODE-MATCH, which do not work with variable resource names, then ... It is rather that USER-CHAIN-ACL grants storing rights in both cases, variable naming and trust delegation. This makes IMO sense, as it abstracts from the strict naming authorities of USER-MATCH or USER-NODE-MATCH.
>> 
>>> = Section 8.2 =
>>> 
>>> This section misses the threat of a misbehaving peer who is delegated
>>> write access — that seems like an important case to cover.
>>> 
>> 
>> O.K., we added a subsection on that.
>> 
>>> = Section 8.3 =
>>> 
>>> By “publicly readable” do you mean “readable by any node in the
>>> overlay”? Admission to the overlay would still be access controlled,
>>> correct?
>>> 
>> 
>> Yes, of course. We clarified.
>> 
>>> = Section 9.2 =
>>> 
>>> What is the significance of 17, other than that it is in the unassigned
>>> range?
>>> 
>> None, I guess it was just free. We changed to 'TBD'.
>> 
>>> 
>>> == Nits ==
>>> 
>>> = Section 1 =
>>> 
>>> The reference to I-D.ietf-p2psip-disco should be removed given that the
>>> document is several years old and not expected to advance as far as I know.
>>> 
>> 
>> Yup, this document died with the working group.
>> 
>>> s/from one authorized to another (previously unauthorized) user/from one
>>> authorized user to another (previously unauthorized) user/
>>> 
>> Thanks, fixed.
>> 
>>> = Section 2 =
>>> 
>>> s/the peer-to-peer SIP concepts draft [I-D.ietf-p2psip-concepts
>>> <https://tools.ietf.org/html/draft-ietf-p2psip-share-07#ref-I-D.ietf-p2psip-concepts>]/[I-D.ietf-p2psip-concepts
>>> <https://tools.ietf.org/html/draft-ietf-p2psip-share-07#ref-I-D.ietf-p2psip-concepts>]/
>>> 
>> 
>> Thanks, fixed.
>> 
>>> = Section 3.1 =
>>> 
>>> s/Append an 8 bit long short individual index value/Append an 8-bit
>>> individual index value/
>>> 
>> 
>> O.K., done.
>> 
>>> = Section 4.1 =
>>> 
>>> s/an Access Control including/an Access Control List including/
>>> 
>> Thanks, done.
>> 
>>> = Section 5.1 =
>>> 
>>> Same comment about I-D.ietf-p2psip-disco
>>> <https://tools.ietf.org/html/draft-ietf-p2psip-share-07#ref-I-D.ietf-p2psip-disco> as
>>> in Section 1.
>>> 
>> Done.
>> 
>> Thanks,
>> Thomas
>> 
>> -- 
>> 
>> Prof. Dr. Thomas C. Schmidt
>> ° Hamburg University of Applied Sciences                   Berliner Tor 7 °
>> ° Dept. Informatik, Internet Technologies Group    20099 Hamburg, Germany °
>> ° http://www.haw-hamburg.de/inet                   Fon: +49-40-42875-8452 °
>> ° http://www.informatik.haw-hamburg.de/~schmidt    Fax: +49-40-42875-8409 °
> 
> _______________________________________________
> P2PSIP mailing list
> P2PSIP@ietf.org
> https://www.ietf.org/mailman/listinfo/p2psip