IETF Logo Mail Archive

Re: [Perc] AD Evaluation of draft-ietf-perc-double-09

Richard Barnes <rlb@ipv.sx> Mon, 15 October 2018 22:43 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: perc@ietfa.amsl.com
Delivered-To: perc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15120130DEF for <perc@ietfa.amsl.com>; Mon, 15 Oct 2018 15:43:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wuG9l3DoVPnE for <perc@ietfa.amsl.com>; Mon, 15 Oct 2018 15:43:09 -0700 (PDT)
Received: from mail-oi1-x234.google.com (mail-oi1-x234.google.com [IPv6:2607:f8b0:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D09A3130DE4 for <perc@ietf.org>; Mon, 15 Oct 2018 15:43:08 -0700 (PDT)
Received: by mail-oi1-x234.google.com with SMTP id e17-v6so16453715oib.4 for <perc@ietf.org>; Mon, 15 Oct 2018 15:43:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jhqBlq6soNOhvJkBUD8umE69ahQHu9z4hgZ4atdoDk0=; b=hCe04kvjV95j5eNHOUoAp61tPOmmIChVrwQGo0AteUqsuJiTfqLQ38ODctprIR5Dsm zgXS0+TS8JNJETrlw/Hrd3aRsSp6RDR3edZe0FnJ1o0IHhpGEwag1JyNOweUj49Dmw50 eoZtSgcl30upH1TJrHkWsoJ/kRDhsl3v6XmzecF1piRxO5TsWkWhflzRnPJHhqNESOIn ULru03Pc8cOSZ1NzQpJHHkP6zuP6/eSvK/ossAY6VYPk6iRhHQRdSD0xXCtVUxd3ioll K4yZ+9xn9HKF/Zwdr18+Lsml9qeqe/fJAliEKnieHzQglTJhwYiZAFBM95sHuGJgeLpq IVSQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jhqBlq6soNOhvJkBUD8umE69ahQHu9z4hgZ4atdoDk0=; b=T5rbxEdJEDQXkQPaGchp8AoA8XZZ+G+jHgX/sXIj1PaI9WZSer1XhqWcjBit5WIziv GyrVBsEfTztVm1r4J6Brhk/MRzypHCUP4y2ZmvPZrGiGiaSetXFO3YpZOOIoXBLl3NYR Jbf0j/5tlZ16kYDCZK+AuqkwqKelwPFEu8/4hSgRJbuEBqRcqB3Kheifnhn1s6ApX/cy K5aaF5sAMzgZ/PxhFcE7VHh/JUYRGFnQmtxHC+k5WeRyMk+KHqu6ocACX2+s+NSat9CF 4Y8HB6VjikgsMRn0LVI5ZAMHfpF/fB6macG3esb9Q9a2uHJn5kWDrdVQBM62BVDl3XxP X9lA==
X-Gm-Message-State: ABuFfogHUtq37BfDqecFAVE+G/NtSsy0Q2wv0j8i/52QMQ9AYh3J2pFw Mk7qn9mDykhnUZXxIlxbY3UxKvMfq4sm6qprl684+nV4kWQ=
X-Google-Smtp-Source: ACcGV61OBZz50xJ/xCv2r1j9gBUguxBP9N8ZQwmkYU5EliXfAWvkGiilUfOnHkyXOHpudq0GyJQDuu5eGiIET0tsHjQ=
X-Received: by 2002:aca:d05c:: with SMTP id h89-v6mr9824131oig.199.1539643387967; Mon, 15 Oct 2018 15:43:07 -0700 (PDT)
MIME-Version: 1.0
References: <5AFC524E-7C2A-4C8F-B66B-7BAA3F048403@nostrum.com> <CAL02cgTXhnqEyY1gDoPK3Dj+YiUDCMRertO8faw5to4rg+dMQA@mail.gmail.com> <095B6E4D-B6DF-4AE9-9853-1D0F87510A14@nostrum.com>
In-Reply-To: <095B6E4D-B6DF-4AE9-9853-1D0F87510A14@nostrum.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 15 Oct 2018 18:42:49 -0400
Message-ID: <CAL02cgThvR4QkBMaTXBFuq6TbMeGUAAphqrnCSQWgZto5OG5ow@mail.gmail.com>
To: Ben Campbell <ben@nostrum.com>
Cc: perc@ietf.org, draft-ietf-perc-double.all@ietf.org
Content-Type: multipart/alternative; boundary="000000000000388d1f05784c297c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/perc/d3iMBvrHlPSxM2DYwDqCe5K7fPg>
Subject: Re: [Perc] AD Evaluation of draft-ietf-perc-double-09
X-BeenThere: perc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Privacy Enhanced RTP Conferencing <perc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perc>, <mailto:perc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perc/>
List-Post: <mailto:perc@ietf.org>
List-Help: <mailto:perc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perc>, <mailto:perc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Oct 2018 22:43:12 -0000

I would propose we put forward all three documents together.  (-double,
-ekt-diet, and -framework)  They'll be more comprehensible to the ADs that
way.

On Mon, Oct 15, 2018 at 6:40 PM Ben Campbell <ben@nostrum.com> wrote:

> Thanks, the PR looks good to me. Please submit a revision when you are
> ready.
>
> I think that, with the PR applied, it will be ready for IETF LC.  That
> should probably be done in tandem with the media framework (in my queue to
> review in the next couple of days. Authors and chairs: do you think we
> should also coordinate with ekt-diet?
>
> Thanks!
>
> Ben.
>
>
> On Oct 5, 2018, at 9:48 AM, Richard Barnes <rlb@ipv.sx> wrote:
>
> Hey Ben,
>
> After talking with Cullen, I am now the stuckee for this.  I've filed a PR
> at:
>
> https://github.com/ietf/perc-wg/pull/160
>
> Comments inline below.
>
> On Tue, Jun 5, 2018 at 12:40 AM Ben Campbell <ben@nostrum.com> wrote:
>
>> Hi,
>>
>> This is my AD Evaluation of draft-ietf-perc-double-09. Thanks for this
>> work; I think it is important and on the right track, but suffers from some
>> readability issues, especially from §7 onwards. I’d like to discuss my
>> comments prior to IETF last call.
>>
>> Thanks!
>>
>> Ben.
>>
>> —————————————————
>>
>> *** Substantive Comments ***
>>
>> General: Does it make sense to progress this prior to
>> draft-ietf-perc-private-media-framework rather than wait and progress them
>> together? it seems like one really needs to read the framework to
>> understand at least parts of this draft. (Which would, btw, suggest making
>> the framework a normative reference.)
>>
>
> I think at this point, -framework has caught up a bit (I understand it's
> awaiting your review), so this seems OBE.  I agree that it will make easier
> reading for ADs to read the three docs (this, framework, and EKT) on the
> same telechat.
>
>
>
>> §2, Media Distributor: Should this be defined as switch-based? Otherwise
>> it seems circular.
>>
>
> I've copied down the definition §1, which explicitly says that the MD does
> not need to interpret or change media content.  Also added a ref to
> -framework at this point.
>
>
>
>> §5 and subsections: These sections are confusing in the treatment of
>> extensions. §5.1 step 3 says to truncate the header to remove any
>> extensions. Yet other sections of text repeatedly mention the handling of
>> extensions. I think the document needs a paragraph or two to describe the
>> handling of RTP extensions at a high level.
>>
>
> I've added an overview of the transform, including thoughts on extensions,
> to the top of §5.
>
>
>
>> Along those lines, it’s not entirely clear what is meant by putting “ (12
>> + 4 * CC bytes)” in parentheses after the guidance to truncate in §5.1. Is
>> that the amount to be truncated? Amount left after truncation? (Same
>> question for §5.3)
>>
>
> Clarified that this is the amount left after truncation, i.e., take the
> first N bytes, in both places.
>
>
>
>> §5.2: It would be helpful to include a paragraph or two to describe the
>> impact if multiple MDs modify the same field(s). I can infer that, but it
>> would be better to be explicit. (IIRC, there is a passing mention in the
>> security considerations, but it would be better to have more here.)
>>
>
> Added a paragraph.
>
>
>
>> §8: Can you offer any guidance about selecting 128 vs 256?
>>
>
> I don't really think there's much to say here; it's up to the user of the
> transform.  Use 128 unless you're paranoid, then use 256?  :)  Note that
> RFC 7714, which defines the AES-GCM transforms, does not provide similar
> guidance.
>
>
>
>> §9:
>>
>> - The security considerations mainly summarize the mechanism. I’d like to
>> see a description of the potential attacks or risks  and how the double
>> mechanism mitigates them.
>> - “… this shouldn’t typically impact the strength of e2e integrity given
>> the fact that there doesn’t exist header extensions defined today that
>> needs e2e protection.  However, if future specifications define header
>> extensions that needs e2e integrity protection, the input to inner
>> transform may be modified to consider including the header.”
>>
>> - 2nd paragraph: Why is the HBH key for an outgoing packet only
>> “typically” different than the key for the incoming packet? Are there
>> security implications if they are the same?
>>
>> - 2nd to last paragraph, last sentence: Please elaborate on those risks?
>>
>
> I agree with your assessment that the existing security considerations
> were not that useful.  I've replaced them with an analysis that's more
> focused on what protections are provided with respect to which attackers.
>
> The new version also calls out clearly that when a packet is re-encrypted,
> the outer keys MUST be different.
>
>
>
>> *** Editorial comments and nits ***
>>
>> There are a number of abbreviations that need to be expanded on first
>> use. Please remember that abbreviations should be expanded both in the
>> abstract and the body.
>>
>> - SRTP
>> - SSRC
>> - SEQ
>> - ROC
>> - PRF
>> - PT
>> - SEQ
>> - RTX
>> - RED
>> - FEC
>>
>
> I've expanded most of these.  I have left SSRC, SEQ, ROC, and PT, since in
> this context, they are basically opaque labels for RTP header fields.
>
>
>
>> §2:
>> - Please use the boilerplate from RFC8174. There are a number of lower
>> case instances of normative keywords.
>>
>
> Done.
>
>
>> - Please use consistent sentence (or lack of sentence) structure for the
>> definitions in the bullet list.
>>
>
> Done.
>
>
>> §3,
>>
>> - " Generate key and salt values of the length required for the combined
>> inner (end-to-end) and outer (hop-by-hop) algorithms.”: The document is
>> inconsistent in whether it describes a single key with inner and outer
>> halves, or separate inner and outer keys. I realize that this is an
>> artifact of syntax, but it is likely to confuse a reader new to the topic.
>>
>
> The very next bullet says to glue them together.  Not sure how else to say
> this.
>
>
>> - Paragraph starting with “Obviously, if the Media Distributor…”:
>> “Obviously” is a null word in context.
>>
>
> Deleted.
>
>
>> §3.1: This section would be much more approachable if you defined the
>> terms (such as n, k, and x), rather than forcing readers to look them up in
>> 3711. Also, the doubled crypto suite IDs are likely to be confusing to the
>> reader who sees them here without the explanation later in the draft.
>>
>
> Done.
>
>
>> §5.2, step 2: “Change any parts of the RTP packet…” -The MS is limited to
>> changing the 3 fields defined for the OHB, right, at least as defined in
>> this draft? Not just anything it wants?
>>
>
> Correct.  Done.
>
>
>> §5.3, last two paragraphs: It’s sort of an odd construction to talk about
>> “any of the following” with a single entry list..
>>
>
> Revised to clarify.
>
>
>> §7 and subsections: These could use another proofreading pass. In
>> particular, it is imprecise about inner vs outer encryption, which actors
>> do what, and has a number of pronouns with ambiguous antecedents. The heavy
>> use of passive voice obscures the actors in multiple places. I will call
>> out some specifics, but please do not treat my comments as exhaustive.
>>
>
> Did a revision pass, let me know what you think.
>
>
>> §7: “ The repair mechanism, when used with double, typically operates on
>> the double encrypted data and encrypts
>>    them using only the HBH key.” Does “double encrypted” mean “outer
>> encrypted”? Also, while I recognize “data” as plural, it’s plural in a
>> non-countable sense; that is, s / them / it.
>>
>> §7.1:
>> - “ … cached payloads MUST be the encrypted packets …” - Inner or outer?
>> What device enforces this? (Consider active voice.)
>> - Which element represents “the other side”? Are we talking about an
>> endpoint or MD? (Please stick to the defined terminology)
>> - “ When encrypting a retransmission packet, it MUST be encrypted the
>> packet in repair mode.” - I can’t parse the phrase after the comma. Also,
>> what device MUST encrypt it?
>>
>> §7.2:
>> - “the primary encoding MAY contain…” - Is that MAY a grant of permission
>> or a statement of fact?
>>
>> - " The sender takes encrypted payload from the cached packets”- Missing
>> article for encrypted payload? Or should this say “… takes encrypted
>> packets from the cached payload…”?
>>
>> - “ Any header extensions from the primary encoding are copied to the RTP
>> packet that will carry the RED payload and the other RTP header information
>> such as SSRC, SEQ, CSRC, etc are set to the same as the primary payload.
>> The RED RTP packet is then encrypted in repair mode and sent.”: This is
>> confusing; parts are copied from the primary encoding and others are the
>> same as in the primary encoding? Don’t both of those mean the same thing?
>>
>> - “ The receiver decrypts the payload…”: Endpoint or MD? Is this inner or
>> outer encryption?
>>
>> - Last paragraph: Seems like that belongs in the FEC section. Also, does
>> this document really need to make that sort of recommendation? It seems
>> like a general statement about RED and FEC that is not specific to double.
>>
>>
>> §7.3:
>>
>> - "When using Flex FEC [I-D.ietf-payload-flexible-fec-scheme] with
>> double, the negotiation of double for the crypto is the out of band
>> signaling that indicates that the repair packets MUST use the order of
>> operations of SRTP followed by FEC when encrypting.” - The sentence is hard
>> to parse. Also, is MUST a normative requirement or a statement of fact? (It
>> seems odd to signal that you MUST do something).
>>
> - “…  data, which is already encrypted, it MUST be encrypted in repair
>> mode packet.” s/ “, which” / “that”. Also, what actor MUST encrypt the data
>> in repair mode? (Consider active voice.)
>>
>> - “ The algorithm recommend…” s / recommend / recommended
>>
>
> Done.
>
>
>> §7.4:
>> - s/ "sent with [RFC4733]” / “sent using the mechanism in [RFC4733]”
>> - “ and the relay can not read it so it cannot be used” - missing comma
>> between “it” and “so”.
>>
>
> Done.
>
>
>> §8, last paragraph: “ For packets in repair mode, the data they are
>> caring is often already encrypted further increasing the size.” - I assume
>> “caring” is not the intended word. Did you mean “carrying”? If so, consider
>> s / “data they are carrying” / “data they carry”
>
>
> Revised.
> _______________________________________________
> Perc mailing list
> Perc@ietf.org
> https://www.ietf.org/mailman/listinfo/perc
>
>
>

v2.23.0 | Report a Bug | By Email