Re: [Pearg] I-D Action: draft-irtf-pearg-numeric-ids-generation-02.txt

[Christopher Wood <caw@heapingbits.net>]

I reviewed this document with no hats on. My feedback is below (I hope it's useful)! 

In general, this is a nicely written document with clear structure and guidance. I think there are some issues with the details, and perhaps a bit too much redundancy, but overall it's heading in the right direction. I especially like the appendix, which captures our lessons learned the hard way.

Before progressing this draft further, is it possible to get feedback from folks in the transport area? We might also try and request an additional review from secdir, if they're willing.

Best,
Chris

~~~

Document: https://datatracker.ietf.org/doc/html/draft-irtf-pearg-numeric-ids-generation-02

Summary: Has Issues

Comments:

- Section 1. I'd suggest rephrasing this text:

   Recent history indicates that when new protocols are standardized or
   new protocol implementations are produced, the security and privacy
   properties of the associated identifiers tend to be overlooked, and
   inappropriate algorithms to generate transient numeric identifiers
   are either suggested in the specification or selected by
   implementers.

to something that emphasizes these problems in the past. Certainly, modern protocols such as QUIC paid very close attention to these details.

- Section 2. The terminology is duplicated in the ids-history draft. Perhaps we can note this?

- Section 3. Can the attacker generate traffic at will, or modify existing traffic? I would reference RFC3552 for the threat model here. (The same should probably go for the ids-history draft.)

- Section 4. This seems largely redundant with the history draft, no? Can we remove this section entirely?

- Section 7. I would drop either 7.1.1 or 7.1.2. We don't need two algorithms for generating random identifiers, do we? (7.1.2 seems simpler to reason about, given that it calls random during each loop iteration.) Can we also clarify the failure probability of this algorithm? 

- Section 7.3. Is "F() must be a cryptographically-secure hash function" correct? What we really want, I think, is for F to be a PRF keyed on "secret_key". RFC6528 uses a PRF here, for example (https://tools.ietf.org/html/rfc6528). Similar to the comment above, can we clarify the failure probability?

- Section 7.3. The "check_suitable_id" function is described inline here, yet is referenced in prior sections. Can we lift the utility functions used in these algorithms to a prior section to simplify the text that goes along with each function?

- Section 7.4.1. Code nit (inconsistent whitespace between comments and the next expression, and inconsistent spacing around braces

       /* Initialization code */
       id_inc = 1;

       /* Numeric ID selection function */
//---->
       count = max_id - min_id + 1;

        ...

       if(lookup_counter(CONTEXT) == ERROR){ <--- insert spaces between "if" and "(", for example

This should also apply to other code blocks, too. :-)

- Section 7.4.1. id_inc seems like it should be a parameter, rather than baked into the algorithm. 

- Section 7.4.2. Again, I think we need a PRF here for F().

- Section 7.4.3. I would remove this section. Do any implementations use this particular algorithm? 

- Section 8/9. I wonder if these sections in their entirety should be moved to the ids-sec-considerations draft, if only because they help motivate the need for these considerations. (In contrast, I see this document focusing on the *mechanisms* by which these considerations can be addressed.) What do you think?

On Thu, May 14, 2020, at 6:09 PM, internet-drafts@ietf.org wrote:
> 
> A New Internet-Draft is available from the on-line Internet-Drafts 
> directories.
> This draft is a work item of the Privacy Enhancements and Assessments 
> Research Group RG of the IRTF.
> 
>         Title           : On the Generation of Transient Numeric Identifiers
>         Authors         : Fernando Gont
>                           Ivan Arce
> 	Filename        : draft-irtf-pearg-numeric-ids-generation-02.txt
> 	Pages           : 34
> 	Date            : 2020-05-14
> 
> Abstract:
>    This document performs an analysis of the security and privacy
>    implications of different types of "numeric identifiers" used in IETF
>    protocols, and tries to categorize them based on their
>    interoperability requirements and the associated failure severity
>    when such requirements are not met.  Subsequently, it provides advice
>    on possible algorithms that could be employed to satisfy the
>    interoperability requirements of each identifier category, while
>    minimizing the security and privacy implications, thus providing
>    guidance to protocol designers and protocol implementers.  Finally,
>    this describes a number of algorithms that have been employed in real
>    implementations to generate transient numeric identifiers and
>    analyzes their security and privacy properties.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-irtf-pearg-numeric-ids-generation/
> 
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-irtf-pearg-numeric-ids-generation-02
> https://datatracker.ietf.org/doc/html/draft-irtf-pearg-numeric-ids-generation-02
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-irtf-pearg-numeric-ids-generation-02
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> 
> -- 
> Pearg mailing list
> Pearg@irtf.org
> https://www.irtf.org/mailman/listinfo/pearg
>