Re: [Perc] Benjamin Kaduk's Discuss on draft-ietf-perc-dtls-tunnel-10: (with DISCUSS and COMMENT)
"Paul E. Jones" <paulej@packetizer.com> Sun, 31 October 2021 17:41 UTC
Return-Path: <paulej@packetizer.com>
X-Original-To: perc@ietfa.amsl.com
Delivered-To: perc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43DC03A101A; Sun, 31 Oct 2021 10:41:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=packetizer.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qw13hXqpPjab; Sun, 31 Oct 2021 10:41:48 -0700 (PDT)
Received: from dublin.packetizer.com (dublin.packetizer.com [IPv6:2600:1f18:24d6:2e01:e842:9b2b:72a2:d2c6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 062893A1013; Sun, 31 Oct 2021 10:41:47 -0700 (PDT)
Received: from authuser (localhost [127.0.0.1])
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=packetizer.com; s=dublin; t=1635702100; bh=TjTdNbkwQoOPBKBqqrFPgph6MiWDDKThtClzr8Nc+RE=; h=From:To:Subject:Cc:Date:In-Reply-To:References:Reply-To; b=K4hv18sRvL8SoW35816SXrVyEuNSst6fPgJ2vR8qLJ5nNklbjUySGkagFObc0+qMB WnyQ+v1Ky8J2aNVCwui1WS6iXIm+oxje9dTSyAcZ9OpTucWkT7HRxClFVOjKwgOFAq OBgf6IAHkUii6qf0oBkFf3xLRtmDJ1QDfRhlBRjM=
From: "Paul E. Jones" <paulej@packetizer.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: The IESG <iesg@ietf.org>, draft-ietf-perc-dtls-tunnel@ietf.org, perc-chairs@ietf.org, perc@ietf.org, suhasietf@gmail.com
Date: Sun, 31 Oct 2021 17:41:36 +0000
Message-Id: <em10ad3111-5dbf-4e0b-a268-52f89eb923cb@sydney>
In-Reply-To: <20211028232213.GX54936@kduck.mit.edu>
References: <163423899560.11624.17767066695024804386@ietfa.amsl.com> <em3d81a846-2e4d-49b9-92d7-a4d651eff2e9@sydney> <20211028232213.GX54936@kduck.mit.edu>
Reply-To: "Paul E. Jones" <paulej@packetizer.com>
User-Agent: eM_Client/8.2.1659.0
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/perc/NSlngbnw8X_AqI_0G-8OXE7UNJ8>
Subject: Re: [Perc] Benjamin Kaduk's Discuss on draft-ietf-perc-dtls-tunnel-10: (with DISCUSS and COMMENT)
X-BeenThere: perc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Privacy Enhanced RTP Conferencing <perc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perc>, <mailto:perc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perc/>
List-Post: <mailto:perc@ietf.org>
List-Help: <mailto:perc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perc>, <mailto:perc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Oct 2021 17:41:53 -0000
Ben,
>> >As far as I can tell, the certificate fingerprint is in the
>> >"external_id_hash" TLS extension in the ClientHello, but this document
>> >does not mention that extension name in any location. I strongly
>> >suggest noting somewhere (possibly earlier) that the fingerprint hash
>> >used here is conveyed in the "external_id_hash" extension. (Also, 4752
>> >is obsoleted by 8122, and does not cover the TLS conveyance of the
>> >fingerprint at all.) One way to do that would be
>> >
>> >NEW:
>> >
>> > The Key Distributor MUST match the certificate fingerprint [RFC8122]
>> > and unique session identifier received in the "external_id_hash"
>> > [RFC8844] and "external_session_id" [RFC8844] TLS extensions
>> > (respectively) of the endpoint's ClientHello message with the values
>> > received from the SDP transmitted by the endpoint [RFC8122].
>>
>> Actually, that was not the intended behavior. The intent was for the Key
>> Distributor to match what it sees from the endpoint via DTLS with the
>> expected values received via SDP.
>
>Hmm, okay. I admite that I do not have all of WebRTC in my head, so I may
>well just be wrong, but I had thought that the "tls-id" values from SDP
>were themselves sent in a TLS extension per RFC 8844, as a way to
>authenticate the binding between the SDP exchange and the TLS handshake.
The "tls-id" is first sent in SDP from the endpoint as it tries to
establish a call or join a conference. The endpoint will receive an
answer to that SDP containing, among other things, the transport
address(es) to which DTLS packets should be sent. The initiating
endpoint then initiates a DTLS handshake and includes the "TLS ID" value
in the "external_session_id" extension. This is how the Key Distributor
is able to differentiate between a plurality of "calls" that might be
initiated at or about the same time from the same endpoint. (There are
perhaps other security benefits described in the associated RFCs, but
this is the primary benefit for the tunnel draft). I think this is all
correct, but if you or others see a glaring hole or error, I'm happy to
correct it. Maybe the language still is not clear enough.
>
>> I modified the text as follows, including repeated references to
>> hopefully make this clearer:
>>
>> The Key Distributor **MUST** match the certificate fingerprint and
>> `external_session_id` [@!RFC8844] received from endpoint via DTLS
>> with the
>> expected fingerprint [@!RFC8122] and `tls-id` [@!RFC8842] values
>> received via
>> SDP. It is through this process that the Key Distributor can be
>> sure to
>> deliver the correct conference key to the endpoint.
>>
>> Hopefully this helps. The certificate fingerprint is computed by the
>> KD, but using the same method as would have been performed in generating
>> the "fingerprint" SDP value described in RFC 8122.
>
>This helps in that it removes mention of the ClientHello (if the
>fingerprint isn't in an extension, it's not available from just the
>ClientHello). This formulation is still not very satisfying for me (in a
>rather pedantic way that probably doesn't bother many people), since the
>certificate is what's received via DTLS, and the fingerprint is computed
>from the certificate. If you're up for more changes, I would propose "MUST
>match the fingerprint of the certificate, and the "external_session_id"
>[RFC8844], received from the endpoint via DTLS".
I'm always open to improvements. How is this?
The Key Distributor **MUST** match the fingerprint of the
certificate and
`external_session_id` [@!RFC8844] received from endpoint via DTLS
with the
expected fingerprint [@!RFC8122] and `tls-id` [@!RFC8842] values
received via
SDP. It is through this process that the Key Distributor can be
sure to
deliver the correct conference key to the endpoint.
Paul
- [Perc] Benjamin Kaduk's Discuss on draft-ietf-per… Benjamin Kaduk via Datatracker
- Re: [Perc] Benjamin Kaduk's Discuss on draft-ietf… Paul E. Jones
- Re: [Perc] Benjamin Kaduk's Discuss on draft-ietf… Paul E. Jones
- Re: [Perc] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Perc] Benjamin Kaduk's Discuss on draft-ietf… Paul E. Jones