Re: [Perc] AD Evaluation of draft-ietf-perc-double-09
Richard Barnes <rlb@ipv.sx> Mon, 15 October 2018 22:43 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: perc@ietfa.amsl.com
Delivered-To: perc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15120130DEF for <perc@ietfa.amsl.com>; Mon, 15 Oct 2018 15:43:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wuG9l3DoVPnE for <perc@ietfa.amsl.com>; Mon, 15 Oct 2018 15:43:09 -0700 (PDT)
Received: from mail-oi1-x234.google.com (mail-oi1-x234.google.com [IPv6:2607:f8b0:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D09A3130DE4 for <perc@ietf.org>; Mon, 15 Oct 2018 15:43:08 -0700 (PDT)
Received: by mail-oi1-x234.google.com with SMTP id e17-v6so16453715oib.4 for <perc@ietf.org>; Mon, 15 Oct 2018 15:43:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jhqBlq6soNOhvJkBUD8umE69ahQHu9z4hgZ4atdoDk0=; b=hCe04kvjV95j5eNHOUoAp61tPOmmIChVrwQGo0AteUqsuJiTfqLQ38ODctprIR5Dsm zgXS0+TS8JNJETrlw/Hrd3aRsSp6RDR3edZe0FnJ1o0IHhpGEwag1JyNOweUj49Dmw50 eoZtSgcl30upH1TJrHkWsoJ/kRDhsl3v6XmzecF1piRxO5TsWkWhflzRnPJHhqNESOIn ULru03Pc8cOSZ1NzQpJHHkP6zuP6/eSvK/ossAY6VYPk6iRhHQRdSD0xXCtVUxd3ioll K4yZ+9xn9HKF/Zwdr18+Lsml9qeqe/fJAliEKnieHzQglTJhwYiZAFBM95sHuGJgeLpq IVSQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jhqBlq6soNOhvJkBUD8umE69ahQHu9z4hgZ4atdoDk0=; b=T5rbxEdJEDQXkQPaGchp8AoA8XZZ+G+jHgX/sXIj1PaI9WZSer1XhqWcjBit5WIziv GyrVBsEfTztVm1r4J6Brhk/MRzypHCUP4y2ZmvPZrGiGiaSetXFO3YpZOOIoXBLl3NYR Jbf0j/5tlZ16kYDCZK+AuqkwqKelwPFEu8/4hSgRJbuEBqRcqB3Kheifnhn1s6ApX/cy K5aaF5sAMzgZ/PxhFcE7VHh/JUYRGFnQmtxHC+k5WeRyMk+KHqu6ocACX2+s+NSat9CF 4Y8HB6VjikgsMRn0LVI5ZAMHfpF/fB6macG3esb9Q9a2uHJn5kWDrdVQBM62BVDl3XxP X9lA==
X-Gm-Message-State: ABuFfogHUtq37BfDqecFAVE+G/NtSsy0Q2wv0j8i/52QMQ9AYh3J2pFw Mk7qn9mDykhnUZXxIlxbY3UxKvMfq4sm6qprl684+nV4kWQ=
X-Google-Smtp-Source: ACcGV61OBZz50xJ/xCv2r1j9gBUguxBP9N8ZQwmkYU5EliXfAWvkGiilUfOnHkyXOHpudq0GyJQDuu5eGiIET0tsHjQ=
X-Received: by 2002:aca:d05c:: with SMTP id h89-v6mr9824131oig.199.1539643387967; Mon, 15 Oct 2018 15:43:07 -0700 (PDT)
MIME-Version: 1.0
References: <5AFC524E-7C2A-4C8F-B66B-7BAA3F048403@nostrum.com> <CAL02cgTXhnqEyY1gDoPK3Dj+YiUDCMRertO8faw5to4rg+dMQA@mail.gmail.com> <095B6E4D-B6DF-4AE9-9853-1D0F87510A14@nostrum.com>
In-Reply-To: <095B6E4D-B6DF-4AE9-9853-1D0F87510A14@nostrum.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 15 Oct 2018 18:42:49 -0400
Message-ID: <CAL02cgThvR4QkBMaTXBFuq6TbMeGUAAphqrnCSQWgZto5OG5ow@mail.gmail.com>
To: Ben Campbell <ben@nostrum.com>
Cc: perc@ietf.org, draft-ietf-perc-double.all@ietf.org
Content-Type: multipart/alternative; boundary="000000000000388d1f05784c297c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/perc/d3iMBvrHlPSxM2DYwDqCe5K7fPg>
Subject: Re: [Perc] AD Evaluation of draft-ietf-perc-double-09
X-BeenThere: perc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Privacy Enhanced RTP Conferencing <perc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perc>, <mailto:perc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perc/>
List-Post: <mailto:perc@ietf.org>
List-Help: <mailto:perc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perc>, <mailto:perc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Oct 2018 22:43:12 -0000
I would propose we put forward all three documents together. (-double, -ekt-diet, and -framework) They'll be more comprehensible to the ADs that way. On Mon, Oct 15, 2018 at 6:40 PM Ben Campbell <ben@nostrum.com> wrote: > Thanks, the PR looks good to me. Please submit a revision when you are > ready. > > I think that, with the PR applied, it will be ready for IETF LC. That > should probably be done in tandem with the media framework (in my queue to > review in the next couple of days. Authors and chairs: do you think we > should also coordinate with ekt-diet? > > Thanks! > > Ben. > > > On Oct 5, 2018, at 9:48 AM, Richard Barnes <rlb@ipv.sx> wrote: > > Hey Ben, > > After talking with Cullen, I am now the stuckee for this. I've filed a PR > at: > > https://github.com/ietf/perc-wg/pull/160 > > Comments inline below. > > On Tue, Jun 5, 2018 at 12:40 AM Ben Campbell <ben@nostrum.com> wrote: > >> Hi, >> >> This is my AD Evaluation of draft-ietf-perc-double-09. Thanks for this >> work; I think it is important and on the right track, but suffers from some >> readability issues, especially from §7 onwards. I’d like to discuss my >> comments prior to IETF last call. >> >> Thanks! >> >> Ben. >> >> ————————————————— >> >> *** Substantive Comments *** >> >> General: Does it make sense to progress this prior to >> draft-ietf-perc-private-media-framework rather than wait and progress them >> together? it seems like one really needs to read the framework to >> understand at least parts of this draft. (Which would, btw, suggest making >> the framework a normative reference.) >> > > I think at this point, -framework has caught up a bit (I understand it's > awaiting your review), so this seems OBE. I agree that it will make easier > reading for ADs to read the three docs (this, framework, and EKT) on the > same telechat. > > > >> §2, Media Distributor: Should this be defined as switch-based? Otherwise >> it seems circular. >> > > I've copied down the definition §1, which explicitly says that the MD does > not need to interpret or change media content. Also added a ref to > -framework at this point. > > > >> §5 and subsections: These sections are confusing in the treatment of >> extensions. §5.1 step 3 says to truncate the header to remove any >> extensions. Yet other sections of text repeatedly mention the handling of >> extensions. I think the document needs a paragraph or two to describe the >> handling of RTP extensions at a high level. >> > > I've added an overview of the transform, including thoughts on extensions, > to the top of §5. > > > >> Along those lines, it’s not entirely clear what is meant by putting “ (12 >> + 4 * CC bytes)” in parentheses after the guidance to truncate in §5.1. Is >> that the amount to be truncated? Amount left after truncation? (Same >> question for §5.3) >> > > Clarified that this is the amount left after truncation, i.e., take the > first N bytes, in both places. > > > >> §5.2: It would be helpful to include a paragraph or two to describe the >> impact if multiple MDs modify the same field(s). I can infer that, but it >> would be better to be explicit. (IIRC, there is a passing mention in the >> security considerations, but it would be better to have more here.) >> > > Added a paragraph. > > > >> §8: Can you offer any guidance about selecting 128 vs 256? >> > > I don't really think there's much to say here; it's up to the user of the > transform. Use 128 unless you're paranoid, then use 256? :) Note that > RFC 7714, which defines the AES-GCM transforms, does not provide similar > guidance. > > > >> §9: >> >> - The security considerations mainly summarize the mechanism. I’d like to >> see a description of the potential attacks or risks and how the double >> mechanism mitigates them. >> - “… this shouldn’t typically impact the strength of e2e integrity given >> the fact that there doesn’t exist header extensions defined today that >> needs e2e protection. However, if future specifications define header >> extensions that needs e2e integrity protection, the input to inner >> transform may be modified to consider including the header.” >> >> - 2nd paragraph: Why is the HBH key for an outgoing packet only >> “typically” different than the key for the incoming packet? Are there >> security implications if they are the same? >> >> - 2nd to last paragraph, last sentence: Please elaborate on those risks? >> > > I agree with your assessment that the existing security considerations > were not that useful. I've replaced them with an analysis that's more > focused on what protections are provided with respect to which attackers. > > The new version also calls out clearly that when a packet is re-encrypted, > the outer keys MUST be different. > > > >> *** Editorial comments and nits *** >> >> There are a number of abbreviations that need to be expanded on first >> use. Please remember that abbreviations should be expanded both in the >> abstract and the body. >> >> - SRTP >> - SSRC >> - SEQ >> - ROC >> - PRF >> - PT >> - SEQ >> - RTX >> - RED >> - FEC >> > > I've expanded most of these. I have left SSRC, SEQ, ROC, and PT, since in > this context, they are basically opaque labels for RTP header fields. > > > >> §2: >> - Please use the boilerplate from RFC8174. There are a number of lower >> case instances of normative keywords. >> > > Done. > > >> - Please use consistent sentence (or lack of sentence) structure for the >> definitions in the bullet list. >> > > Done. > > >> §3, >> >> - " Generate key and salt values of the length required for the combined >> inner (end-to-end) and outer (hop-by-hop) algorithms.”: The document is >> inconsistent in whether it describes a single key with inner and outer >> halves, or separate inner and outer keys. I realize that this is an >> artifact of syntax, but it is likely to confuse a reader new to the topic. >> > > The very next bullet says to glue them together. Not sure how else to say > this. > > >> - Paragraph starting with “Obviously, if the Media Distributor…”: >> “Obviously” is a null word in context. >> > > Deleted. > > >> §3.1: This section would be much more approachable if you defined the >> terms (such as n, k, and x), rather than forcing readers to look them up in >> 3711. Also, the doubled crypto suite IDs are likely to be confusing to the >> reader who sees them here without the explanation later in the draft. >> > > Done. > > >> §5.2, step 2: “Change any parts of the RTP packet…” -The MS is limited to >> changing the 3 fields defined for the OHB, right, at least as defined in >> this draft? Not just anything it wants? >> > > Correct. Done. > > >> §5.3, last two paragraphs: It’s sort of an odd construction to talk about >> “any of the following” with a single entry list.. >> > > Revised to clarify. > > >> §7 and subsections: These could use another proofreading pass. In >> particular, it is imprecise about inner vs outer encryption, which actors >> do what, and has a number of pronouns with ambiguous antecedents. The heavy >> use of passive voice obscures the actors in multiple places. I will call >> out some specifics, but please do not treat my comments as exhaustive. >> > > Did a revision pass, let me know what you think. > > >> §7: “ The repair mechanism, when used with double, typically operates on >> the double encrypted data and encrypts >> them using only the HBH key.” Does “double encrypted” mean “outer >> encrypted”? Also, while I recognize “data” as plural, it’s plural in a >> non-countable sense; that is, s / them / it. >> >> §7.1: >> - “ … cached payloads MUST be the encrypted packets …” - Inner or outer? >> What device enforces this? (Consider active voice.) >> - Which element represents “the other side”? Are we talking about an >> endpoint or MD? (Please stick to the defined terminology) >> - “ When encrypting a retransmission packet, it MUST be encrypted the >> packet in repair mode.” - I can’t parse the phrase after the comma. Also, >> what device MUST encrypt it? >> >> §7.2: >> - “the primary encoding MAY contain…” - Is that MAY a grant of permission >> or a statement of fact? >> >> - " The sender takes encrypted payload from the cached packets”- Missing >> article for encrypted payload? Or should this say “… takes encrypted >> packets from the cached payload…”? >> >> - “ Any header extensions from the primary encoding are copied to the RTP >> packet that will carry the RED payload and the other RTP header information >> such as SSRC, SEQ, CSRC, etc are set to the same as the primary payload. >> The RED RTP packet is then encrypted in repair mode and sent.”: This is >> confusing; parts are copied from the primary encoding and others are the >> same as in the primary encoding? Don’t both of those mean the same thing? >> >> - “ The receiver decrypts the payload…”: Endpoint or MD? Is this inner or >> outer encryption? >> >> - Last paragraph: Seems like that belongs in the FEC section. Also, does >> this document really need to make that sort of recommendation? It seems >> like a general statement about RED and FEC that is not specific to double. >> >> >> §7.3: >> >> - "When using Flex FEC [I-D.ietf-payload-flexible-fec-scheme] with >> double, the negotiation of double for the crypto is the out of band >> signaling that indicates that the repair packets MUST use the order of >> operations of SRTP followed by FEC when encrypting.” - The sentence is hard >> to parse. Also, is MUST a normative requirement or a statement of fact? (It >> seems odd to signal that you MUST do something). >> > - “… data, which is already encrypted, it MUST be encrypted in repair >> mode packet.” s/ “, which” / “that”. Also, what actor MUST encrypt the data >> in repair mode? (Consider active voice.) >> >> - “ The algorithm recommend…” s / recommend / recommended >> > > Done. > > >> §7.4: >> - s/ "sent with [RFC4733]” / “sent using the mechanism in [RFC4733]” >> - “ and the relay can not read it so it cannot be used” - missing comma >> between “it” and “so”. >> > > Done. > > >> §8, last paragraph: “ For packets in repair mode, the data they are >> caring is often already encrypted further increasing the size.” - I assume >> “caring” is not the intended word. Did you mean “carrying”? If so, consider >> s / “data they are carrying” / “data they carry” > > > Revised. > _______________________________________________ > Perc mailing list > Perc@ietf.org > https://www.ietf.org/mailman/listinfo/perc > > >
- [Perc] AD Evaluation of draft-ietf-perc-double-09 Ben Campbell
- Re: [Perc] AD Evaluation of draft-ietf-perc-doubl… Richard Barnes
- Re: [Perc] AD Evaluation of draft-ietf-perc-doubl… Ben Campbell
- Re: [Perc] AD Evaluation of draft-ietf-perc-doubl… Ben Campbell
- Re: [Perc] AD Evaluation of draft-ietf-perc-doubl… Richard Barnes
- Re: [Perc] AD Evaluation of draft-ietf-perc-doubl… Ben Campbell
- Re: [Perc] AD Evaluation of draft-ietf-perc-doubl… Richard Barnes