[Perc] Benjamin Kaduk's Discuss on draft-ietf-perc-dtls-tunnel-09: (with DISCUSS and COMMENT)

[Benjamin Kaduk via Datatracker <noreply@ietf.org>]

Benjamin Kaduk has entered the following ballot position for
draft-ietf-perc-dtls-tunnel-09: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-perc-dtls-tunnel/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

(1) I want to check on the DTLS version compatibility of this protocol.  If
there is a DTLS version dependency, as I suspect, then we need to
document it more clearly or remove it.

In particular, the current specification has the Key Distributor sending
the MediaKeys message before it sends the DTLS (server) Finished
message (§5.4), which requires that the HBH keys are available at that
point.  While the TLS exporter interface used by RFC 5764 to output keys
is an interface that DTLS 1.3 also supports, that may not be the whole
story.  In particular, in (D)TLS 1.3 the order of client and server
Finished messages is reversed, so that the server Finished is sent
before the client has authenticated.  When combined with the fact that
the TLS 1.3 exporter interface does not incorporate the transcript hash
of the client's authentication messages, this seems to imply that the
key distributor would be releasing HBH keys prior to the client's
authentication and prior to the completion of the DTLS 1.3 handshake.
The behavior of the TLS 1.3 exporter was considered safe for regular
TLS+TCP since the server will abort the connection and not pass any
application data if the client's Finished or authentication is invalid,
but it poses problems for applications that use only the TLS handshake
and do not use the TLS record protection to cover application data.
(EAP-TLS is a notable recent example where the protocol had to be
modified in order to be secure when used with TLS 1.3.)  DTLS-SRTP is
also an application that uses only the (D)TLS handshake, and I am
worried that releasing HBH keys prior to authenticating the client will
also prove problematic in this situation.

(2) I'll also mention here so that the IESG can talk about it during our
telechat (but with no intent to insist on a change): this document
specifies a versioned protocol and creates a registry.  Are we happy
with the current Informational status, as opposed to Proposed Standard?
I do see that the topic was touched on in the shepherd writeup, but the
treatment there did not feel especially compelling to me.


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

I have a few general remarks before diving into the section-by-section
commentary (with nits split off into a final section).

It seems like one of the key security-relevant aspects of this setup is
how the information in (unauthenticated) incoming DTLS messages at the
key distributor are mapped up to the existing (or in the process of
establishment?) SDP sessions that describe the expected DTLS
session construction (and the media to be carried over DTLS-SRTP).  It
seems that in the general case, a given Key Distributor will be engaged
in many active and pending sessions, and thus will need to be able to
look up across many clients and sessions which SDP state might be a
match for a given DTLS ClientHello, while avoiding DoS attacks and not
committing any given SDP session to a DTLS association prior to the
completion of the DTLS handshake.  My preference would be to see a lot
more discussion in the document about this type of considerations,
though for an Informational protocol I won't insist on it (this is a
non-blocking comment).

With the media distributor acting as an intermediary that is partially
trusted, the situation is more complicated than usual, and the key
distributor cannot use transport coordinates to identify DTLS
associations, and instead the only index available is the UUID assigned
by the media distributor.  To some extent we rely on the media
distributor to properly map DTLS packets to the UUID identifier, but
AFAICT if the media distributor fails to do so, the DTLS cryptographic
mechanisms will detect such errors and either abort the handshake or
(post-handshake) reject invalid messages.  It might be worth reiterating
that DTLS does provide this form of protection.

Since the UUID is the only index that the key distributor has for DTLS
associations, there does not seem to be any risk of having the media
distributor trick the key distributor into releasing HBH keys from the
"wrong" association -- keys should only be released if the DTLS
handshake will complete successfully (but see the Discuss point #1!),
and the completion of the handshake authenticates the overall exchange
so that it's safe to release keys via the channel that identifies the
handshake (i.e., the UUID).  There does seem to only be very
coarsed-grained "trusted or not" authorization for media servers to
receive keys at all, though -- a malicious-but-trusted media distributor
that had on-path access for some other DTLS flows could relay them to
the key distributor and have the DTLS handshake succeed along that path,
even if it was not the intended path, and would get the HBH keys as a
result.

Does it only make sense to use this tunneling protocol with a "DOUBLE"
DTLS-SRTP profile?  If so, that might be worth mentioning somewhere more
explicitly.

Section 3

   The Key Distributor is a logical function that might be co-resident
   with a key management server operated by an enterprise, reside in one
   of the endpoints participating in the conference, or elsewhere that
   is trusted with E2E keying material.

Do we want to say something about the Key Distributor acting at a higher
level of trust than the Media Distributor?  (Is that even always true?)

Section 4

Figure 2 seems to show the MediaKeys being delivered to the Media
Distributor after only a single message from the Endpoint (i.e., prior
to the completion of the DTLS handshake).  I don't think that is
accurate, and it seems like that arrow should be moved later in the time
sequence.

Section 5.4

   When processing an incoming endpoint association, the Key Distributor
   MUST extract the "external_session_id" value transmitted in the
   "ClientHello" message and match that against "tls-id" value the
   endpoint transmitted via SDP.  If the values in SDP and the
   "ClientHello" do not match, the DTLS association MUST be rejected.

The Key Distributor might have multiple pending associations, and
potentially only weak bindings to endpoint identities prior to DTLS
establishment, so it's not clear that "match [external_session_id]
against 'tls-id' value the endpoint transmitted via SDP" is entirely
accurate.  I'm implicitly inserting a "the" before "tls-id" to make it
parse, but the implicit "the" is not a good fit since the definite
article implies there is a single one identified but there may be
multiple pending associations.  AFAICT at this point in processing the
only real identifier that the key distributor has for the pending DTLS
association is the UUID from the media distributor and there is no tight
association betwen that identifier and the "tld-id" value that (per the
following paragraph) is conveyed to the key distributor in some
unspecified manner.

   The Key Distributor MUST match the certificate fingerprint and
   "external_session_id" received from endpoint's "ClientHello" message
   with the values received from the SDP transmitted by the endpoint.

This sentence is rather confusing to me, since I don't know of a
certificate fingerprint conveyed in the ClientHello itself (as opposed
to the fingerprint of the certificate contained in the Certificate
message presented during the handshake).

   It is through this process that the Key Distributor can be sure to
   deliver the correct conference key to the endpoint.

Do we need to say anything about how the Key Distributor gets the
fingerprint and external_session_id values from SDP?  (I mean, I assume
that it's the same way that it gets the "tls-id", but the previous
paragraph just talked about "tls-id" and not the other stuff, so
formally it's ambiguous.)

   When sending the "ServerHello" message, the Key Distributor MUST
   insert its own unique identifier in the "external_session_id"
   extension.  This value MUST also be conveyed back to the client via
   SDP as a "tls-id" attribute.

It's not really clear that the binding between the endpoint that is
supposedly presenting the DTLS data and the SDP data has been
established at all here, so the selection of what "tls-id" to use here
feels rather speculative.  I think we should discuss the security
considerations for what is leaked if the key distributor sends the
"wrong" values here...

I'm also not sure if the sequencing of events is properly described
here.  Does the SDP need to complete before the DTLS handshake begins,
or can they proceed in parallel as described here?

Section 6

                                                                Tunnel
   messages are specified using the format described in [RFC5246]
   section 4.  [...]

I think that §3 of RFC 8446 is probably a better reference for TLS
presentation language at this point.

Section 6.5

I'm not sure what purpose sending an empty dtls_message would serve.

   *  "dtls_message": the content of the DTLS message received by the
      endpoint or to be sent to the endpoint.

I recommend saying something about "including record-layer framing" to
reiterate where the boundary is.

Section 9

I strongly recommend upgrading the TLS version between media distributor
and key distributor to be TLS 1.3.  Whether or not to use DTLS 1.2 or
1.3 for the tunneled traffic between endpoint and key distributor is an
orthogonal topic.

I'd also reiterate that the media distributor has access to metadata
about the endpoint/key distributor communications, even though the main
content and key information is encrypted.

I'd also consider calling out that the media distributor could generate
false EndpointDisconnect messages, but that this is essentially the same
capability afforded by just not forwarding media anymore.

   A requirement in this document is that a TLS connection between the
   Media Distributor and the Key Distributor be mutually authenticated.
   The reason for this requirement is to ensure that only an authorized
   Media Distributor receives the HBH keying material.  [...]

Can we say anything about what the Key Distributor's authorization
policy might be, using the authenticated identity of the TLS peer as
input?  "Any authenticated identity is granted all access" is not a
great authorization policy :)

NITS

Abstract

   This document defines a DTLS tunneling protocol for use in multimedia

I think the hyphenated "DTLS-tunneling" would clarify that DTLS is being
tunneled (as opposed to the mechanism used to tunnel other things).
A slightly more intrusive change would be "protocol for tunneling DTLS
traffic" but that might be confusing in the terse setting of the
Abstract.

Section 1

   By establishing this TLS tunnel between the Media Distributor and Key
   Distributor and implementing the protocol defined in this document,
   it is possible for the Media Distributor to facilitate the
   establishment of a secure DTLS association between an endpoint and
   the Key Distributor in order for the endpoint to receive E2E and HBH
   keying material.  [...]

I think "receive" might not be the best word here, since the key
material should incorporate contributions from both parties; the "arrive
at" language used in the previous paragraph was good.

Section 4

   As DTLS messages are received from the endpoint by the Media
   Distributor, they are forwarded to the Key Distributor encapsulated
   inside a "TunneledDtls" message.  Likewise, as "TunneledDtls"
   messages are received by the Media Distributor from the Mey
   Distributor, the encapsulated DTLS packet is forwarded to the
   endpoint.

s/Mey/Key/

Section 5.1

   The endpoint MUST include a unique identifier in the "tls-id" SDP
   [RFC4566] attribute sent by the endpoint in both offer and answer
   [RFC3264] messages as per [RFC8842].  Further, the endpoint MUST
   include this same unique identifier in the "external_session_id"
   extension [RFC8844] in the "ClientHello" message when establishing a
   DTLS association.

Since this is the section about the endpoint procedures (the key
distributor's behavior is discussed later), I think we might avoid
phrasing that implies a linked offer/answer pair, and instead say
something like "in all offer and answer messages that it generates".

Section 5.4

   The Key Distributor MUST encapsulate any DTLS message it sends to an
   endpoint inside a "TunneledDtls" message (see Section 6).  The Key
   Distributor is not required to transmit all messages a given DTLS
   association through the same tunnel if more than one tunnel has been
   established between it and a Media Distributor.

I suggest "a given Media Distributor", since the current phrasing seems
to allow sending to a different media distributor entirely, which seems
unlikely to work since the UUID identifying the DTLS association will
not be recognized there.

   The Key Distributor MUST select a cipher that is supported by both
   the endpoint and the Media Distributor to ensure proper HBH
   operations.

(It also has to pick a cipher that it itself supports...)

Section 5.5

   "UnsupportedVersion".  The Media Distributor can determine from the
   first two octets received what the version number is and that the
   message is "UnsupportedVersion".  The rest of the data received, if

I think that the "two" should be either "one" or "four", as the actual
message structure has two octets of length between the message type and
the unsupported_version structure.  One octet is needed to determine
that it is an unsupported-version message, and four to determine the
highest supported version number.

Section 6.2

   struct {
       uint8 version;
       SRTPProtectionProfile protection_profiles<0..2^16-1>;
   } SupportedProfiles;

The presentation language allows an empty list of profiles; is that
intended to be allowed?  (What happens if an empty list is sent?)

   *  "version": indicates the version of the protocol to use (0x00).

I suggest "this document specifies version 0x00" rather than the
parenthetical.