IETF Logo Mail Archive

[Perc] AD Evaluation of draft-ietf-perc-srtp-ekt-diet-08

Ben Campbell <ben@nostrum.com> Thu, 09 August 2018 22:28 UTC

Return-Path: <ben@nostrum.com>
X-Original-To: perc@ietfa.amsl.com
Delivered-To: perc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39E0D12D949; Thu, 9 Aug 2018 15:28:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.88
X-Spam-Level:
X-Spam-Status: No, score=-1.88 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2QBTSxOhtb90; Thu, 9 Aug 2018 15:28:44 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91505130DEA; Thu, 9 Aug 2018 15:28:41 -0700 (PDT)
Received: from [10.0.1.95] (cpe-66-25-7-22.tx.res.rr.com [66.25.7.22]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id w79MSaP7048455 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 9 Aug 2018 17:28:40 -0500 (CDT) (envelope-from ben@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host cpe-66-25-7-22.tx.res.rr.com [66.25.7.22] claimed to be [10.0.1.95]
From: Ben Campbell <ben@nostrum.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_912B9659-E4CD-47EF-83EC-4B51CDD49520"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Message-Id: <CC46EAEA-3588-41E2-B3A2-5A8C547FA410@nostrum.com>
Date: Thu, 09 Aug 2018 17:28:35 -0500
Cc: perc@ietf.org
To: draft-ietf-perc-srtp-ekt-diet.all@ietf.org
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/perc/GCCKwQ-DjBGt4EtjHRs6Q67cuKo>
Subject: [Perc] AD Evaluation of draft-ietf-perc-srtp-ekt-diet-08
X-BeenThere: perc@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Privacy Enhanced RTP Conferencing <perc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perc>, <mailto:perc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perc/>
List-Post: <mailto:perc@ietf.org>
List-Help: <mailto:perc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perc>, <mailto:perc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Aug 2018 22:28:47 -0000

Hi,

This is my AD Evaluation of draft-ietf-perc-srtp-ekt-diet-08.

The document is mostly in good shape. It’s easy to read and understand. However, I have a few substantive comments/questions and some editorial comments. I would like to at least discuss the substantive comments before going to IETF LC.

Thanks!

Ben.

----------

*** Substantive Comments: ***


§3: Is there a reason not to use the RFC 8174 boilerplate? There are at least a few instances of lowercase keywords in places that don’t seem intended as normative.

§4.2.1, first paragraph: Is there never a situation where you send neither version?  Also, did I miss a description of the purpose and semantics for ShortEKTField, other than “send it when you don’t send the full version”?

§4.2.2, step 3: "If the EKT decryption operation returns an authentication failure, then the packet processing stops.”

... and then what?

- Step 6: "This applies in transforms such as [ I-D.ietf-perc-double] for replacing just half the key, but SHOULD return a processing error otherwise.”

I don’t understand that sentence. Is the point to say that using a “too short” key to replace part of the old key is only valid for perc-double or similar transforms, and receiving one in other contexts is an error?

- Next Sentence: "Outbound packets SHOULD continue to use the old SRTP Master Key for 250 ms after” Does that imply a normative requirement for recipients to keep old keys around for at least that long? There’s currently an implementation suggestion about that, but it doesn’t use MUST or SHOULD.
(Editorial: The sentence seems to belong in the “outbound” section, not the “inbound” section.)

§4.3:

- “ This ciphertext value MAY be cached by an SRTP
   receiver to minimize computational effort by noting when the SRTP
   master key is unchanged and avoiding repeating the steps defined in .”

Are we really talking about the recipient? How would the recipient know that the key has not changed without processing the ciphertext value? (Also, the sentence is unfinished--maybe the answer would be clear if the rest of the sentence came out of hiding :-) )

- “ The receiver may want to have a sliding window to retain old SRTP
   Master Keys (and related context) for some brief period of time, so
   that out of order packets can be processed as well as packets sent
   during the time keys are changing.”

See comment to §4.2.2, step 6. “may want” seems weak given that the sender SHOULD keep using the old key for a period of time.

§4.7: “A new sender SHOULD send a packet containing the FullEKTField as soon as possible...”

Why not MUST? Would it ever make sense not to do this? It seems like the mechanism doesn’t work very well otherwise.

§6, first paragraph: “or other” - what other?

- paragraph 8: “ An endpoint MUST NOT encrypt more than T different FullEKTField values using the same EKTKey.”

Is there a reciprocal requirement for decryption?

- last paragraph: “...SHOULD be limited using the ekt_ttl”

Why not MUST?

§7.3: Should this cite RFC 5246 instead of RFC 4366?

*** Editorial Comments: ***

§2: “...each endpoint picks there own SRTP master key...:
s/their/its

§4.1, first paragraph: Please reference figures by number. I can imagine some future RFC rendering failing to  maintain the relative positions.  (This occurs a few times throughout the document.)

§4.2.2, step 3:
Should "The EKTCiphertext authentication is checked and is decrypted” be something like “
The EKTCiphertext field authentication is checked and its contents decrypted” I assume you don’t mean to say its authentication is decrypted.

Also, there’s a number of occurrences of “The [fieldname]...” that should probably say “The [fieldname] field...”

- Step 6: s/crypto/cryptographic

- Step 7: is the replay protection part relevant to the step?

§4.3, third paragraph: This is the first mention of ekt_ttl. It would help to have a brief explanation or at least a forward reference.

§4.6: s/ “other specification” / “another specification” ; or “other specifications”

§4.7, third paragraph: Both occurrences of “which” need preceding commas.

§5.2, paragraph after figure 4: “ ... the extensions defined in this session allows the DTLS server...”
Defined in this “session” or this “section”?

§, paragraph 7: “... causing the receiving system will decrypt...”
s/will/to

v2.23.0 | Report a Bug | By Email