Re: [Perc] AD Evaluation of draft-ietf-perc-srtp-ekt-diet-08
Richard Barnes <rlb@ipv.sx> Tue, 09 October 2018 19:07 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: perc@ietfa.amsl.com
Delivered-To: perc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 537C512F1A5 for <perc@ietfa.amsl.com>; Tue, 9 Oct 2018 12:07:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4FYGER1BkRoL for <perc@ietfa.amsl.com>; Tue, 9 Oct 2018 12:07:03 -0700 (PDT)
Received: from mail-oi1-x22d.google.com (mail-oi1-x22d.google.com [IPv6:2607:f8b0:4864:20::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28D2D12F1A2 for <perc@ietf.org>; Tue, 9 Oct 2018 12:07:03 -0700 (PDT)
Received: by mail-oi1-x22d.google.com with SMTP id p125-v6so2137279oic.3 for <perc@ietf.org>; Tue, 09 Oct 2018 12:07:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=AKYb5v3hSZqZVASRlMQRLQfcFviRQGVP7aHp3BvmmsU=; b=HZmdlzrze5R8jBFG39EHJRghumk6hZUgmsFG8szab0fC7g0yX9xcwS6kTh0nMONqm9 uKL6Hl2sHyF7/tPGp6/ILIvxV1fbT9bc0zd4KOUZH9v+O4ZAeJFe6HUhS7Eva5hi8bjo 9l6lUKoQ9MhqJ7sg8gjBIVf1UzX1NbJFeBV5Axhjo2sQn5EwJtCq709YKDL053pmpKt2 sGdmBnMH97x4EbSURPyBUGaNllzDXj+R2oxL9vUh9izSlFUK0gI84QDFTq7ByAsqLngW 6H2QADUa7HYUNAjLy37OVi5LcDUjAJXHPAZ7PJm+N8grfmKS7KyZ3Vz57h4/gR1zZFPm P78Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=AKYb5v3hSZqZVASRlMQRLQfcFviRQGVP7aHp3BvmmsU=; b=dGKDUu+OgMFMq2yG+GdVUu2m0mJYXxLQyc5gNaJeEwgEbYhVjJKamLPx3s/5Ap6+XY HV0rGNwEqorMghcafmN2evfmqkOihVCRUMfzi3TomT92b76RmCdAlbl8Rzl91y2QWfG3 2ODndU/hiQgmkLfNkCtx0kddyKqrKXeQ1y1JhdaCA228OSGzFJ2wae8jpxgie4aVv+Hq SnHSl6bo5ZVXuZAE790RylCIVOWxIYjoCvjH6A3jmBcn4UlowjahWpwYiJuVmtHvC7Wp 8Yz4d89UtDMlIgS9TrJf4koj7C3/fO6bFcnJ7bsvy7YTtgTqDzjbYGOfBrzHWfF80wXR P6Aw==
X-Gm-Message-State: ABuFfojkJ0m/PN0bki90riD0MJ2OpKIGGriFJ9pkqRrGXWBPkFAO1jUL XfwCsBlp7RRAw+ZcHgZPwn9uGkjEwlfxh0wgcCBWqyjMPor04w==
X-Google-Smtp-Source: ACcGV63jvEI9ZQhRgxsKxObTk4J5q8LjDAhEAE287GiNcV8u4PvQv8VuHSm7gWfG14lQ2JEgAyYDZWyrNjvydCCzPcs=
X-Received: by 2002:aca:b5c6:: with SMTP id e189-v6mr7283788oif.51.1539112022179; Tue, 09 Oct 2018 12:07:02 -0700 (PDT)
MIME-Version: 1.0
References: <CC46EAEA-3588-41E2-B3A2-5A8C547FA410@nostrum.com>
In-Reply-To: <CC46EAEA-3588-41E2-B3A2-5A8C547FA410@nostrum.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Tue, 09 Oct 2018 15:06:46 -0400
Message-ID: <CAL02cgS8FL4g0dpRUFQjPUURgZQsMCiq7eeJTw-UM6--6C3u5w@mail.gmail.com>
To: Ben Campbell <ben@nostrum.com>
Cc: draft-ietf-perc-srtp-ekt-diet.all@ietf.org, perc@ietf.org
Content-Type: multipart/alternative; boundary="0000000000005a14d20577d071fa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/perc/OnAPML0Re8nG1v3Zyv7e4OO788I>
Subject: Re: [Perc] AD Evaluation of draft-ietf-perc-srtp-ekt-diet-08
X-BeenThere: perc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Privacy Enhanced RTP Conferencing <perc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perc>, <mailto:perc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perc/>
List-Post: <mailto:perc@ietf.org>
List-Help: <mailto:perc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perc>, <mailto:perc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Oct 2018 19:07:06 -0000
Thanks for the review, Ben. I've posted a PR with responses; notes inline below... https://github.com/ietf/perc-wg/pull/161 Apropos of your follow-up comment, I have sent a ping to the last address I have for Dan Wing, and will update the PR with whatever I hear back from him. On Thu, Aug 9, 2018 at 6:28 PM Ben Campbell <ben@nostrum.com> wrote: > Hi, > > This is my AD Evaluation of draft-ietf-perc-srtp-ekt-diet-08. > > The document is mostly in good shape. It’s easy to read and understand. > However, I have a few substantive comments/questions and some editorial > comments. I would like to at least discuss the substantive comments before > going to IETF LC. > > Thanks! > > Ben. > > ---------- > > *** Substantive Comments: *** > > > §3: Is there a reason not to use the RFC 8174 boilerplate? There are at > least a few instances of lowercase keywords in places that don’t seem > intended as normative. > Not intentional. I fixed one lower-case "must" and changed over to 8174. > §4.2.1, first paragraph: Is there never a situation where you send neither > version? Also, did I miss a description of the purpose and semantics for > ShortEKTField, other than “send it when you don’t send the full version”? > No, there is never such a situation. EKT always adds at least one byte of overhead to every packet. Because RTP lacks an internal length indicator, the receiver of an EKT-enabled flow needs to know how much EKT data to strip off the end of any given packet. Even if the answer is "zero", you still need a way to signal that, which is what the ShortEKTField does. > §4.2.2, step 3: "If the EKT decryption operation returns an authentication > failure, then the packet processing stops.” > > .... and then what? > Clarified that EKT processing is definitely over, and the packet SHOULD be discarded. > - Step 6: "This applies in transforms such as [ I-D.ietf-perc-double] for > replacing just half the key, but SHOULD return a processing error > otherwise.” > > I don’t understand that sentence. Is the point to say that using a “too > short” key to replace part of the old key is only valid for perc-double or > similar transforms, and receiving one in other contexts is an error? > Revised to clarify and tighten. > - Next Sentence: "Outbound packets SHOULD continue to use the old SRTP > Master Key for 250 ms after” Does that imply a normative requirement for > recipients to keep old keys around for at least that long? There’s > currently an implementation suggestion about that, but it doesn’t use MUST > or SHOULD. > (Editorial: The sentence seems to belong in the “outbound” section, not > the “inbound” section.) > Yeah, moved this to the outbound section. Added MAY-level inbound considerations to the implementation notes -- either the receiver can accept packet loss or do trial decryption. > §4.3: > > - “ This ciphertext value MAY be cached by an SRTP > receiver to minimize computational effort by noting when the SRTP > master key is unchanged and avoiding repeating the steps defined in ..” > > Are we really talking about the recipient? How would the recipient know > that the key has not changed without processing the ciphertext value? > (Also, the sentence is unfinished--maybe the answer would be clear if the > rest of the sentence came out of hiding :-) ) > The unclear ending is a missing cross-reference to Section 4.2. I think the receiver optimization here is that if you cache the tag, you can memcmp instead of decrypting. Same on the sender side, memcpy vs. encrypt. Updated to reflect that. > - “ The receiver may want to have a sliding window to retain old SRTP > Master Keys (and related context) for some brief period of time, so > that out of order packets can be processed as well as packets sent > during the time keys are changing.” > > See comment to §4.2.2, step 6. “may want” seems weak given that the sender > SHOULD keep using the old key for a period of time. > Revised this as noted above, though note that MAY WISH TO is defined in RFC 6919. > §4.7: “A new sender SHOULD send a packet containing the FullEKTField as > soon as possible...” > > Why not MUST? Would it ever make sense not to do this? It seems like the > mechanism doesn’t work very well otherwise. > How would you comply with a "MUST ... as soon as possible"? I don't think we want to dictate a schedule here, but I've added a note that packet loss can result if you don't. > §6, first paragraph: “or other” - what other? > Clarified. > - paragraph 8: “ An endpoint MUST NOT encrypt more than T different > FullEKTField values using the same EKTKey.” > > Is there a reciprocal requirement for decryption? > No. The risk attaches once the ciphertext is transmitted. > - last paragraph: “...SHOULD be limited using the ekt_ttl” > > Why not MUST? > Upgraded. > §7.3: Should this cite RFC 5246 instead of RFC 4366? > You mean RFC 8446? Actually this line and the similar one below it are both unnecessary, so I've deleted them. > *** Editorial Comments: *** > > §2: “...each endpoint picks there own SRTP master key...: > s/their/its > Done. > §4.1, first paragraph: Please reference figures by number. I can imagine > some future RFC rendering failing to maintain the relative positions. > (This occurs a few times throughout the document.) > > §4.2.2, step 3: > Should "The EKTCiphertext authentication is checked and is decrypted” be > something like “ > The EKTCiphertext field authentication is checked and its contents > decrypted” I assume you don’t mean to say its authentication is decrypted. > "The EKTCiphertext is authenticated and decrypted..." -- since these operations are combined in many SRTP transforms. > Also, there’s a number of occurrences of “The [fieldname]...” that should > probably say “The [fieldname] field...” > This doesn't seem like a bad ambiguity to me. > - Step 6: s/crypto/cryptographic > Disagree. > - Step 7: is the replay protection part relevant to the step? > Deleted. Added a note about replay to the security considerations. > §4.3, third paragraph: This is the first mention of ekt_ttl. It would help > to have a brief explanation or at least a forward reference. > Added a forward reference > §4.6: s/ “other specification” / “another specification” ; or “other > specifications” > Revised. > §4.7, third paragraph: Both occurrences of “which” need preceding commas. > Done. > §5.2, paragraph after figure 4: “ ... the extensions defined in this > session allows the DTLS server...” > Defined in this “session” or this “section”? > Actually, "in this document" > §, paragraph 7: “... causing the receiving system will decrypt...” > s/will/to > Done > > > > _______________________________________________ > Perc mailing list > Perc@ietf.org > https://www.ietf.org/mailman/listinfo/perc >
- [Perc] AD Evaluation of draft-ietf-perc-srtp-ekt-… Ben Campbell
- Re: [Perc] AD Evaluation of draft-ietf-perc-srtp-… Ben Campbell
- Re: [Perc] AD Evaluation of draft-ietf-perc-srtp-… Richard Barnes
- Re: [Perc] AD Evaluation of draft-ietf-perc-srtp-… Ben Campbell
- Re: [Perc] AD Evaluation of draft-ietf-perc-srtp-… Ben Campbell