IETF Logo Mail Archive

Re: [Perc] AD Evaluation of draft-ietf-perc-double-09

Richard Barnes <rlb@ipv.sx> Tue, 16 October 2018 00:41 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: perc@ietfa.amsl.com
Delivered-To: perc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFBD8127333 for <perc@ietfa.amsl.com>; Mon, 15 Oct 2018 17:41:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XfVurcMX-ZOd for <perc@ietfa.amsl.com>; Mon, 15 Oct 2018 17:40:59 -0700 (PDT)
Received: from mail-ot1-x32a.google.com (mail-ot1-x32a.google.com [IPv6:2607:f8b0:4864:20::32a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0534E126F72 for <perc@ietf.org>; Mon, 15 Oct 2018 17:40:58 -0700 (PDT)
Received: by mail-ot1-x32a.google.com with SMTP id o14so20810289oth.4 for <perc@ietf.org>; Mon, 15 Oct 2018 17:40:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=AKJbCVVekGJ/gf84LFp07XqFAhYZvPVMqIRua52+wPo=; b=fBaBK3qytsj1pldAUkQJEI5xXmJC1F2hOeQQ1OjQenZPj9vltO2AhP4HAQ6Q+a9sJX 3+B4imnGO4yw/K9lPf+v7/k8g8/bQ0UCDXOMuwzTAmGjphVZbmAzvO246+LCHzyD5nmp l6XNlKSQXDWMFb10oQY8sd4xhGj6tvktPMO4HkUTOWXcua6e1KJBnzuD14LM7NrGxfEl 7RypTBMtGagei4Chx0LCiR/qJkMi3e5WmPaWZpY/lK/CvQJsCgQt8EWKALWvAfCuVhF7 5DD959XSF5VOvQADW79HW1YVjzzPeOiiBNnTecWpzA0LG+EZ61zcs54f8z4EA3MSE8i/ jaZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=AKJbCVVekGJ/gf84LFp07XqFAhYZvPVMqIRua52+wPo=; b=W0MfnSod4WKg6WapfF1M95Y+hULvn6la67qQtsd6A0j2i6g6qjaMZyeqD72oV+z1Ti PFntYSKgPu4tC1KHncaTDjif+Jnr9HrkunSTdcBz/Z4rhiXozgm1sInpI0s76N6N2KRH adH918Tp2vRg4V7VDQsC56PgQ12rp0jLSsaSvxMoA5vYwRlsHQZOX4SuMZ1IyjHv11SD Z9Y2Jqpwqaofvf75d6h0rbu2bIrv2nHKGT99crthUOzCqNmokU1MMpg0MUuwLsBixoNe JvZ3E9dLUfSVLrQocIr77oylOr3vGVlB9UD623zYezFz5pLkGym7XBFMby7tyeYtUk3M /Ykg==
X-Gm-Message-State: ABuFfohCIiMP7tTvH1sz3ohmIJEMq2yUzlu6f/WVW4ux0tC9ePK8SmWI WbkzOqYIMFUwf74Y/BpgEQPFBs5tvAa63Ximscl6vMJMvg8=
X-Google-Smtp-Source: ACcGV61ZBsi8JAoGTBiO1s6VK87K7OuPLiZGOOz8itesLtzju9Ix+rpYPihByGgI0uF3V69VBU6GviubCglyd/v/Oog=
X-Received: by 2002:a9d:49a9:: with SMTP id g41mr13502534otf.162.1539650458070; Mon, 15 Oct 2018 17:40:58 -0700 (PDT)
MIME-Version: 1.0
References: <5AFC524E-7C2A-4C8F-B66B-7BAA3F048403@nostrum.com> <CAL02cgTXhnqEyY1gDoPK3Dj+YiUDCMRertO8faw5to4rg+dMQA@mail.gmail.com> <095B6E4D-B6DF-4AE9-9853-1D0F87510A14@nostrum.com> <CAL02cgThvR4QkBMaTXBFuq6TbMeGUAAphqrnCSQWgZto5OG5ow@mail.gmail.com> <2AA700F6-A875-469B-8CAF-698930BC3914@nostrum.com>
In-Reply-To: <2AA700F6-A875-469B-8CAF-698930BC3914@nostrum.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 15 Oct 2018 20:40:39 -0400
Message-ID: <CAL02cgT6rbrd3cRkaPaBjv_Ke-kV0sOc0V4-YSbFXxObxU7gKQ@mail.gmail.com>
To: Ben Campbell <ben@nostrum.com>
Cc: perc@ietf.org, draft-ietf-perc-double.all@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a1c44605784dceca"
Archived-At: <https://mailarchive.ietf.org/arch/msg/perc/-p0rO35KMpmE3RRYeuHlVRUr-Ho>
Subject: Re: [Perc] AD Evaluation of draft-ietf-perc-double-09
X-BeenThere: perc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Privacy Enhanced RTP Conferencing <perc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perc>, <mailto:perc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perc/>
List-Post: <mailto:perc@ietf.org>
List-Help: <mailto:perc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perc>, <mailto:perc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Oct 2018 00:41:03 -0000

Oh actually, let's not worry about synchronizing now.  I'm OK to send these
to IETF LC separately; I just think they should all be on the same IESG
telechat.

I'll push a new version of this tomorrow, and EKT as soon as I can find a
responsive author.

--Richard

On Mon, Oct 15, 2018 at 7:04 PM Ben Campbell <ben@nostrum.com> wrote:

> Works for me. The framework draft review is in my queue for tomorrow.
>
> Thanks!
>
> Ben.
>
> On Oct 15, 2018, at 5:42 PM, Richard Barnes <rlb@ipv.sx> wrote:
>
> I would propose we put forward all three documents together.  (-double,
> -ekt-diet, and -framework)  They'll be more comprehensible to the ADs that
> way.
>
> On Mon, Oct 15, 2018 at 6:40 PM Ben Campbell <ben@nostrum.com> wrote:
>
>> Thanks, the PR looks good to me. Please submit a revision when you are
>> ready.
>>
>> I think that, with the PR applied, it will be ready for IETF LC.  That
>> should probably be done in tandem with the media framework (in my queue to
>> review in the next couple of days. Authors and chairs: do you think we
>> should also coordinate with ekt-diet?
>>
>> Thanks!
>>
>> Ben.
>>
>>
>> On Oct 5, 2018, at 9:48 AM, Richard Barnes <rlb@ipv.sx> wrote:
>>
>> Hey Ben,
>>
>> After talking with Cullen, I am now the stuckee for this.  I've filed a
>> PR at:
>>
>> https://github.com/ietf/perc-wg/pull/160
>>
>> Comments inline below.
>>
>> On Tue, Jun 5, 2018 at 12:40 AM Ben Campbell <ben@nostrum.com> wrote:
>>
>>> Hi,
>>>
>>> This is my AD Evaluation of draft-ietf-perc-double-09. Thanks for this
>>> work; I think it is important and on the right track, but suffers from some
>>> readability issues, especially from §7 onwards. I’d like to discuss my
>>> comments prior to IETF last call.
>>>
>>> Thanks!
>>>
>>> Ben.
>>>
>>> —————————————————
>>>
>>> *** Substantive Comments ***
>>>
>>> General: Does it make sense to progress this prior to
>>> draft-ietf-perc-private-media-framework rather than wait and progress them
>>> together? it seems like one really needs to read the framework to
>>> understand at least parts of this draft. (Which would, btw, suggest making
>>> the framework a normative reference.)
>>>
>>
>> I think at this point, -framework has caught up a bit (I understand it's
>> awaiting your review), so this seems OBE.  I agree that it will make easier
>> reading for ADs to read the three docs (this, framework, and EKT) on the
>> same telechat.
>>
>>
>>
>>> §2, Media Distributor: Should this be defined as switch-based? Otherwise
>>> it seems circular.
>>>
>>
>> I've copied down the definition §1, which explicitly says that the MD
>> does not need to interpret or change media content.  Also added a ref to
>> -framework at this point.
>>
>>
>>
>>> §5 and subsections: These sections are confusing in the treatment of
>>> extensions. §5.1 step 3 says to truncate the header to remove any
>>> extensions. Yet other sections of text repeatedly mention the handling of
>>> extensions. I think the document needs a paragraph or two to describe the
>>> handling of RTP extensions at a high level.
>>>
>>
>> I've added an overview of the transform, including thoughts on
>> extensions, to the top of §5.
>>
>>
>>
>>> Along those lines, it’s not entirely clear what is meant by putting “
>>> (12 + 4 * CC bytes)” in parentheses after the guidance to truncate in §5.1.
>>> Is that the amount to be truncated? Amount left after truncation? (Same
>>> question for §5.3)
>>>
>>
>> Clarified that this is the amount left after truncation, i.e., take the
>> first N bytes, in both places.
>>
>>
>>
>>> §5.2: It would be helpful to include a paragraph or two to describe the
>>> impact if multiple MDs modify the same field(s). I can infer that, but it
>>> would be better to be explicit. (IIRC, there is a passing mention in the
>>> security considerations, but it would be better to have more here.)
>>>
>>
>> Added a paragraph.
>>
>>
>>
>>> §8: Can you offer any guidance about selecting 128 vs 256?
>>>
>>
>> I don't really think there's much to say here; it's up to the user of the
>> transform.  Use 128 unless you're paranoid, then use 256?  :)  Note that
>> RFC 7714, which defines the AES-GCM transforms, does not provide similar
>> guidance.
>>
>>
>>
>>> §9:
>>>
>>> - The security considerations mainly summarize the mechanism. I’d like
>>> to see a description of the potential attacks or risks  and how the double
>>> mechanism mitigates them.
>>> - “… this shouldn’t typically impact the strength of e2e integrity given
>>> the fact that there doesn’t exist header extensions defined today that
>>> needs e2e protection.  However, if future specifications define header
>>> extensions that needs e2e integrity protection, the input to inner
>>> transform may be modified to consider including the header.”
>>>
>>> - 2nd paragraph: Why is the HBH key for an outgoing packet only
>>> “typically” different than the key for the incoming packet? Are there
>>> security implications if they are the same?
>>>
>>> - 2nd to last paragraph, last sentence: Please elaborate on those risks?
>>>
>>
>> I agree with your assessment that the existing security considerations
>> were not that useful.  I've replaced them with an analysis that's more
>> focused on what protections are provided with respect to which attackers.
>>
>> The new version also calls out clearly that when a packet is
>> re-encrypted, the outer keys MUST be different.
>>
>>
>>
>>> *** Editorial comments and nits ***
>>>
>>> There are a number of abbreviations that need to be expanded on first
>>> use. Please remember that abbreviations should be expanded both in the
>>> abstract and the body.
>>>
>>> - SRTP
>>> - SSRC
>>> - SEQ
>>> - ROC
>>> - PRF
>>> - PT
>>> - SEQ
>>> - RTX
>>> - RED
>>> - FEC
>>>
>>
>> I've expanded most of these.  I have left SSRC, SEQ, ROC, and PT, since
>> in this context, they are basically opaque labels for RTP header fields.
>>
>>
>>
>>> §2:
>>> - Please use the boilerplate from RFC8174. There are a number of lower
>>> case instances of normative keywords.
>>>
>>
>> Done.
>>
>>
>>> - Please use consistent sentence (or lack of sentence) structure for the
>>> definitions in the bullet list.
>>>
>>
>> Done.
>>
>>
>>> §3,
>>>
>>> - " Generate key and salt values of the length required for the combined
>>> inner (end-to-end) and outer (hop-by-hop) algorithms.”: The document is
>>> inconsistent in whether it describes a single key with inner and outer
>>> halves, or separate inner and outer keys. I realize that this is an
>>> artifact of syntax, but it is likely to confuse a reader new to the topic.
>>>
>>
>> The very next bullet says to glue them together.  Not sure how else to
>> say this.
>>
>>
>>> - Paragraph starting with “Obviously, if the Media Distributor…”:
>>> “Obviously” is a null word in context.
>>>
>>
>> Deleted.
>>
>>
>>> §3.1: This section would be much more approachable if you defined the
>>> terms (such as n, k, and x), rather than forcing readers to look them up in
>>> 3711. Also, the doubled crypto suite IDs are likely to be confusing to the
>>> reader who sees them here without the explanation later in the draft.
>>>
>>
>> Done.
>>
>>
>>> §5.2, step 2: “Change any parts of the RTP packet…” -The MS is limited
>>> to changing the 3 fields defined for the OHB, right, at least as defined in
>>> this draft? Not just anything it wants?
>>>
>>
>> Correct.  Done.
>>
>>
>>> §5.3, last two paragraphs: It’s sort of an odd construction to talk
>>> about “any of the following” with a single entry list..
>>>
>>
>> Revised to clarify.
>>
>>
>>> §7 and subsections: These could use another proofreading pass. In
>>> particular, it is imprecise about inner vs outer encryption, which actors
>>> do what, and has a number of pronouns with ambiguous antecedents. The heavy
>>> use of passive voice obscures the actors in multiple places. I will call
>>> out some specifics, but please do not treat my comments as exhaustive.
>>>
>>
>> Did a revision pass, let me know what you think.
>>
>>
>>> §7: “ The repair mechanism, when used with double, typically operates on
>>> the double encrypted data and encrypts
>>>    them using only the HBH key.” Does “double encrypted” mean “outer
>>> encrypted”? Also, while I recognize “data” as plural, it’s plural in a
>>> non-countable sense; that is, s / them / it.
>>>
>>> §7.1:
>>> - “ … cached payloads MUST be the encrypted packets …” - Inner or outer?
>>> What device enforces this? (Consider active voice.)
>>> - Which element represents “the other side”? Are we talking about an
>>> endpoint or MD? (Please stick to the defined terminology)
>>> - “ When encrypting a retransmission packet, it MUST be encrypted the
>>> packet in repair mode.” - I can’t parse the phrase after the comma. Also,
>>> what device MUST encrypt it?
>>>
>>> §7.2:
>>> - “the primary encoding MAY contain…” - Is that MAY a grant of
>>> permission or a statement of fact?
>>>
>>> - " The sender takes encrypted payload from the cached packets”- Missing
>>> article for encrypted payload? Or should this say “… takes encrypted
>>> packets from the cached payload…”?
>>>
>>> - “ Any header extensions from the primary encoding are copied to the
>>> RTP packet that will carry the RED payload and the other RTP header
>>> information such as SSRC, SEQ, CSRC, etc are set to the same as the primary
>>> payload.  The RED RTP packet is then encrypted in repair mode and sent.”:
>>> This is confusing; parts are copied from the primary encoding and others
>>> are the same as in the primary encoding? Don’t both of those mean the same
>>> thing?
>>>
>>> - “ The receiver decrypts the payload…”: Endpoint or MD? Is this inner
>>> or outer encryption?
>>>
>>> - Last paragraph: Seems like that belongs in the FEC section. Also, does
>>> this document really need to make that sort of recommendation? It seems
>>> like a general statement about RED and FEC that is not specific to double.
>>>
>>>
>>> §7.3:
>>>
>>> - "When using Flex FEC [I-D.ietf-payload-flexible-fec-scheme] with
>>> double, the negotiation of double for the crypto is the out of band
>>> signaling that indicates that the repair packets MUST use the order of
>>> operations of SRTP followed by FEC when encrypting.” - The sentence is hard
>>> to parse. Also, is MUST a normative requirement or a statement of fact? (It
>>> seems odd to signal that you MUST do something).
>>>
>> - “…  data, which is already encrypted, it MUST be encrypted in repair
>>> mode packet.” s/ “, which” / “that”. Also, what actor MUST encrypt the data
>>> in repair mode? (Consider active voice.)
>>>
>>> - “ The algorithm recommend…” s / recommend / recommended
>>>
>>
>> Done.
>>
>>
>>> §7.4:
>>> - s/ "sent with [RFC4733]” / “sent using the mechanism in [RFC4733]”
>>> - “ and the relay can not read it so it cannot be used” - missing comma
>>> between “it” and “so”.
>>>
>>
>> Done.
>>
>>
>>> §8, last paragraph: “ For packets in repair mode, the data they are
>>> caring is often already encrypted further increasing the size.” - I assume
>>> “caring” is not the intended word. Did you mean “carrying”? If so, consider
>>> s / “data they are carrying” / “data they carry”
>>
>>
>> Revised.
>> _______________________________________________
>> Perc mailing list
>> Perc@ietf.org
>> https://www.ietf.org/mailman/listinfo/perc
>>
>>
>>
>

v2.23.0 | Report a Bug | By Email