Re: [Perc] AD Evaluation of draft-ietf-perc-double-09
Richard Barnes <rlb@ipv.sx> Tue, 16 October 2018 00:41 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: perc@ietfa.amsl.com
Delivered-To: perc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFBD8127333 for <perc@ietfa.amsl.com>; Mon, 15 Oct 2018 17:41:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XfVurcMX-ZOd for <perc@ietfa.amsl.com>; Mon, 15 Oct 2018 17:40:59 -0700 (PDT)
Received: from mail-ot1-x32a.google.com (mail-ot1-x32a.google.com [IPv6:2607:f8b0:4864:20::32a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0534E126F72 for <perc@ietf.org>; Mon, 15 Oct 2018 17:40:58 -0700 (PDT)
Received: by mail-ot1-x32a.google.com with SMTP id o14so20810289oth.4 for <perc@ietf.org>; Mon, 15 Oct 2018 17:40:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=AKJbCVVekGJ/gf84LFp07XqFAhYZvPVMqIRua52+wPo=; b=fBaBK3qytsj1pldAUkQJEI5xXmJC1F2hOeQQ1OjQenZPj9vltO2AhP4HAQ6Q+a9sJX 3+B4imnGO4yw/K9lPf+v7/k8g8/bQ0UCDXOMuwzTAmGjphVZbmAzvO246+LCHzyD5nmp l6XNlKSQXDWMFb10oQY8sd4xhGj6tvktPMO4HkUTOWXcua6e1KJBnzuD14LM7NrGxfEl 7RypTBMtGagei4Chx0LCiR/qJkMi3e5WmPaWZpY/lK/CvQJsCgQt8EWKALWvAfCuVhF7 5DD959XSF5VOvQADW79HW1YVjzzPeOiiBNnTecWpzA0LG+EZ61zcs54f8z4EA3MSE8i/ jaZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=AKJbCVVekGJ/gf84LFp07XqFAhYZvPVMqIRua52+wPo=; b=W0MfnSod4WKg6WapfF1M95Y+hULvn6la67qQtsd6A0j2i6g6qjaMZyeqD72oV+z1Ti PFntYSKgPu4tC1KHncaTDjif+Jnr9HrkunSTdcBz/Z4rhiXozgm1sInpI0s76N6N2KRH adH918Tp2vRg4V7VDQsC56PgQ12rp0jLSsaSvxMoA5vYwRlsHQZOX4SuMZ1IyjHv11SD Z9Y2Jqpwqaofvf75d6h0rbu2bIrv2nHKGT99crthUOzCqNmokU1MMpg0MUuwLsBixoNe JvZ3E9dLUfSVLrQocIr77oylOr3vGVlB9UD623zYezFz5pLkGym7XBFMby7tyeYtUk3M /Ykg==
X-Gm-Message-State: ABuFfohCIiMP7tTvH1sz3ohmIJEMq2yUzlu6f/WVW4ux0tC9ePK8SmWI WbkzOqYIMFUwf74Y/BpgEQPFBs5tvAa63Ximscl6vMJMvg8=
X-Google-Smtp-Source: ACcGV61ZBsi8JAoGTBiO1s6VK87K7OuPLiZGOOz8itesLtzju9Ix+rpYPihByGgI0uF3V69VBU6GviubCglyd/v/Oog=
X-Received: by 2002:a9d:49a9:: with SMTP id g41mr13502534otf.162.1539650458070; Mon, 15 Oct 2018 17:40:58 -0700 (PDT)
MIME-Version: 1.0
References: <5AFC524E-7C2A-4C8F-B66B-7BAA3F048403@nostrum.com> <CAL02cgTXhnqEyY1gDoPK3Dj+YiUDCMRertO8faw5to4rg+dMQA@mail.gmail.com> <095B6E4D-B6DF-4AE9-9853-1D0F87510A14@nostrum.com> <CAL02cgThvR4QkBMaTXBFuq6TbMeGUAAphqrnCSQWgZto5OG5ow@mail.gmail.com> <2AA700F6-A875-469B-8CAF-698930BC3914@nostrum.com>
In-Reply-To: <2AA700F6-A875-469B-8CAF-698930BC3914@nostrum.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 15 Oct 2018 20:40:39 -0400
Message-ID: <CAL02cgT6rbrd3cRkaPaBjv_Ke-kV0sOc0V4-YSbFXxObxU7gKQ@mail.gmail.com>
To: Ben Campbell <ben@nostrum.com>
Cc: perc@ietf.org, draft-ietf-perc-double.all@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a1c44605784dceca"
Archived-At: <https://mailarchive.ietf.org/arch/msg/perc/-p0rO35KMpmE3RRYeuHlVRUr-Ho>
Subject: Re: [Perc] AD Evaluation of draft-ietf-perc-double-09
X-BeenThere: perc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Privacy Enhanced RTP Conferencing <perc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perc>, <mailto:perc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perc/>
List-Post: <mailto:perc@ietf.org>
List-Help: <mailto:perc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perc>, <mailto:perc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Oct 2018 00:41:03 -0000
Oh actually, let's not worry about synchronizing now. I'm OK to send these to IETF LC separately; I just think they should all be on the same IESG telechat. I'll push a new version of this tomorrow, and EKT as soon as I can find a responsive author. --Richard On Mon, Oct 15, 2018 at 7:04 PM Ben Campbell <ben@nostrum.com> wrote: > Works for me. The framework draft review is in my queue for tomorrow. > > Thanks! > > Ben. > > On Oct 15, 2018, at 5:42 PM, Richard Barnes <rlb@ipv.sx> wrote: > > I would propose we put forward all three documents together. (-double, > -ekt-diet, and -framework) They'll be more comprehensible to the ADs that > way. > > On Mon, Oct 15, 2018 at 6:40 PM Ben Campbell <ben@nostrum.com> wrote: > >> Thanks, the PR looks good to me. Please submit a revision when you are >> ready. >> >> I think that, with the PR applied, it will be ready for IETF LC. That >> should probably be done in tandem with the media framework (in my queue to >> review in the next couple of days. Authors and chairs: do you think we >> should also coordinate with ekt-diet? >> >> Thanks! >> >> Ben. >> >> >> On Oct 5, 2018, at 9:48 AM, Richard Barnes <rlb@ipv.sx> wrote: >> >> Hey Ben, >> >> After talking with Cullen, I am now the stuckee for this. I've filed a >> PR at: >> >> https://github.com/ietf/perc-wg/pull/160 >> >> Comments inline below. >> >> On Tue, Jun 5, 2018 at 12:40 AM Ben Campbell <ben@nostrum.com> wrote: >> >>> Hi, >>> >>> This is my AD Evaluation of draft-ietf-perc-double-09. Thanks for this >>> work; I think it is important and on the right track, but suffers from some >>> readability issues, especially from §7 onwards. I’d like to discuss my >>> comments prior to IETF last call. >>> >>> Thanks! >>> >>> Ben. >>> >>> ————————————————— >>> >>> *** Substantive Comments *** >>> >>> General: Does it make sense to progress this prior to >>> draft-ietf-perc-private-media-framework rather than wait and progress them >>> together? it seems like one really needs to read the framework to >>> understand at least parts of this draft. (Which would, btw, suggest making >>> the framework a normative reference.) >>> >> >> I think at this point, -framework has caught up a bit (I understand it's >> awaiting your review), so this seems OBE. I agree that it will make easier >> reading for ADs to read the three docs (this, framework, and EKT) on the >> same telechat. >> >> >> >>> §2, Media Distributor: Should this be defined as switch-based? Otherwise >>> it seems circular. >>> >> >> I've copied down the definition §1, which explicitly says that the MD >> does not need to interpret or change media content. Also added a ref to >> -framework at this point. >> >> >> >>> §5 and subsections: These sections are confusing in the treatment of >>> extensions. §5.1 step 3 says to truncate the header to remove any >>> extensions. Yet other sections of text repeatedly mention the handling of >>> extensions. I think the document needs a paragraph or two to describe the >>> handling of RTP extensions at a high level. >>> >> >> I've added an overview of the transform, including thoughts on >> extensions, to the top of §5. >> >> >> >>> Along those lines, it’s not entirely clear what is meant by putting “ >>> (12 + 4 * CC bytes)” in parentheses after the guidance to truncate in §5.1. >>> Is that the amount to be truncated? Amount left after truncation? (Same >>> question for §5.3) >>> >> >> Clarified that this is the amount left after truncation, i.e., take the >> first N bytes, in both places. >> >> >> >>> §5.2: It would be helpful to include a paragraph or two to describe the >>> impact if multiple MDs modify the same field(s). I can infer that, but it >>> would be better to be explicit. (IIRC, there is a passing mention in the >>> security considerations, but it would be better to have more here.) >>> >> >> Added a paragraph. >> >> >> >>> §8: Can you offer any guidance about selecting 128 vs 256? >>> >> >> I don't really think there's much to say here; it's up to the user of the >> transform. Use 128 unless you're paranoid, then use 256? :) Note that >> RFC 7714, which defines the AES-GCM transforms, does not provide similar >> guidance. >> >> >> >>> §9: >>> >>> - The security considerations mainly summarize the mechanism. I’d like >>> to see a description of the potential attacks or risks and how the double >>> mechanism mitigates them. >>> - “… this shouldn’t typically impact the strength of e2e integrity given >>> the fact that there doesn’t exist header extensions defined today that >>> needs e2e protection. However, if future specifications define header >>> extensions that needs e2e integrity protection, the input to inner >>> transform may be modified to consider including the header.” >>> >>> - 2nd paragraph: Why is the HBH key for an outgoing packet only >>> “typically” different than the key for the incoming packet? Are there >>> security implications if they are the same? >>> >>> - 2nd to last paragraph, last sentence: Please elaborate on those risks? >>> >> >> I agree with your assessment that the existing security considerations >> were not that useful. I've replaced them with an analysis that's more >> focused on what protections are provided with respect to which attackers. >> >> The new version also calls out clearly that when a packet is >> re-encrypted, the outer keys MUST be different. >> >> >> >>> *** Editorial comments and nits *** >>> >>> There are a number of abbreviations that need to be expanded on first >>> use. Please remember that abbreviations should be expanded both in the >>> abstract and the body. >>> >>> - SRTP >>> - SSRC >>> - SEQ >>> - ROC >>> - PRF >>> - PT >>> - SEQ >>> - RTX >>> - RED >>> - FEC >>> >> >> I've expanded most of these. I have left SSRC, SEQ, ROC, and PT, since >> in this context, they are basically opaque labels for RTP header fields. >> >> >> >>> §2: >>> - Please use the boilerplate from RFC8174. There are a number of lower >>> case instances of normative keywords. >>> >> >> Done. >> >> >>> - Please use consistent sentence (or lack of sentence) structure for the >>> definitions in the bullet list. >>> >> >> Done. >> >> >>> §3, >>> >>> - " Generate key and salt values of the length required for the combined >>> inner (end-to-end) and outer (hop-by-hop) algorithms.”: The document is >>> inconsistent in whether it describes a single key with inner and outer >>> halves, or separate inner and outer keys. I realize that this is an >>> artifact of syntax, but it is likely to confuse a reader new to the topic. >>> >> >> The very next bullet says to glue them together. Not sure how else to >> say this. >> >> >>> - Paragraph starting with “Obviously, if the Media Distributor…”: >>> “Obviously” is a null word in context. >>> >> >> Deleted. >> >> >>> §3.1: This section would be much more approachable if you defined the >>> terms (such as n, k, and x), rather than forcing readers to look them up in >>> 3711. Also, the doubled crypto suite IDs are likely to be confusing to the >>> reader who sees them here without the explanation later in the draft. >>> >> >> Done. >> >> >>> §5.2, step 2: “Change any parts of the RTP packet…” -The MS is limited >>> to changing the 3 fields defined for the OHB, right, at least as defined in >>> this draft? Not just anything it wants? >>> >> >> Correct. Done. >> >> >>> §5.3, last two paragraphs: It’s sort of an odd construction to talk >>> about “any of the following” with a single entry list.. >>> >> >> Revised to clarify. >> >> >>> §7 and subsections: These could use another proofreading pass. In >>> particular, it is imprecise about inner vs outer encryption, which actors >>> do what, and has a number of pronouns with ambiguous antecedents. The heavy >>> use of passive voice obscures the actors in multiple places. I will call >>> out some specifics, but please do not treat my comments as exhaustive. >>> >> >> Did a revision pass, let me know what you think. >> >> >>> §7: “ The repair mechanism, when used with double, typically operates on >>> the double encrypted data and encrypts >>> them using only the HBH key.” Does “double encrypted” mean “outer >>> encrypted”? Also, while I recognize “data” as plural, it’s plural in a >>> non-countable sense; that is, s / them / it. >>> >>> §7.1: >>> - “ … cached payloads MUST be the encrypted packets …” - Inner or outer? >>> What device enforces this? (Consider active voice.) >>> - Which element represents “the other side”? Are we talking about an >>> endpoint or MD? (Please stick to the defined terminology) >>> - “ When encrypting a retransmission packet, it MUST be encrypted the >>> packet in repair mode.” - I can’t parse the phrase after the comma. Also, >>> what device MUST encrypt it? >>> >>> §7.2: >>> - “the primary encoding MAY contain…” - Is that MAY a grant of >>> permission or a statement of fact? >>> >>> - " The sender takes encrypted payload from the cached packets”- Missing >>> article for encrypted payload? Or should this say “… takes encrypted >>> packets from the cached payload…”? >>> >>> - “ Any header extensions from the primary encoding are copied to the >>> RTP packet that will carry the RED payload and the other RTP header >>> information such as SSRC, SEQ, CSRC, etc are set to the same as the primary >>> payload. The RED RTP packet is then encrypted in repair mode and sent.”: >>> This is confusing; parts are copied from the primary encoding and others >>> are the same as in the primary encoding? Don’t both of those mean the same >>> thing? >>> >>> - “ The receiver decrypts the payload…”: Endpoint or MD? Is this inner >>> or outer encryption? >>> >>> - Last paragraph: Seems like that belongs in the FEC section. Also, does >>> this document really need to make that sort of recommendation? It seems >>> like a general statement about RED and FEC that is not specific to double. >>> >>> >>> §7.3: >>> >>> - "When using Flex FEC [I-D.ietf-payload-flexible-fec-scheme] with >>> double, the negotiation of double for the crypto is the out of band >>> signaling that indicates that the repair packets MUST use the order of >>> operations of SRTP followed by FEC when encrypting.” - The sentence is hard >>> to parse. Also, is MUST a normative requirement or a statement of fact? (It >>> seems odd to signal that you MUST do something). >>> >> - “… data, which is already encrypted, it MUST be encrypted in repair >>> mode packet.” s/ “, which” / “that”. Also, what actor MUST encrypt the data >>> in repair mode? (Consider active voice.) >>> >>> - “ The algorithm recommend…” s / recommend / recommended >>> >> >> Done. >> >> >>> §7.4: >>> - s/ "sent with [RFC4733]” / “sent using the mechanism in [RFC4733]” >>> - “ and the relay can not read it so it cannot be used” - missing comma >>> between “it” and “so”. >>> >> >> Done. >> >> >>> §8, last paragraph: “ For packets in repair mode, the data they are >>> caring is often already encrypted further increasing the size.” - I assume >>> “caring” is not the intended word. Did you mean “carrying”? If so, consider >>> s / “data they are carrying” / “data they carry” >> >> >> Revised. >> _______________________________________________ >> Perc mailing list >> Perc@ietf.org >> https://www.ietf.org/mailman/listinfo/perc >> >> >> >
- [Perc] AD Evaluation of draft-ietf-perc-double-09 Ben Campbell
- Re: [Perc] AD Evaluation of draft-ietf-perc-doubl… Richard Barnes
- Re: [Perc] AD Evaluation of draft-ietf-perc-doubl… Ben Campbell
- Re: [Perc] AD Evaluation of draft-ietf-perc-doubl… Ben Campbell
- Re: [Perc] AD Evaluation of draft-ietf-perc-doubl… Richard Barnes
- Re: [Perc] AD Evaluation of draft-ietf-perc-doubl… Ben Campbell
- Re: [Perc] AD Evaluation of draft-ietf-perc-doubl… Richard Barnes