IETF Logo Mail Archive

Re: [Ppm] taskprov: In-band Task Provision Extension

David Cook <dcook@divviup.org> Wed, 25 October 2023 22:40 UTC

Return-Path: <dcook@divviup.org>
X-Original-To: ppm@ietfa.amsl.com
Delivered-To: ppm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 309A1C180DF5 for <ppm@ietfa.amsl.com>; Wed, 25 Oct 2023 15:40:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=divviup.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o0Bls7Cz4XTX for <ppm@ietfa.amsl.com>; Wed, 25 Oct 2023 15:40:12 -0700 (PDT)
Received: from mail-ej1-x62c.google.com (mail-ej1-x62c.google.com [IPv6:2a00:1450:4864:20::62c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDC45C151991 for <ppm@ietf.org>; Wed, 25 Oct 2023 15:40:11 -0700 (PDT)
Received: by mail-ej1-x62c.google.com with SMTP id a640c23a62f3a-99bdeae1d0aso45608366b.1 for <ppm@ietf.org>; Wed, 25 Oct 2023 15:40:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=divviup.org; s=google; t=1698273610; x=1698878410; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=6+B2vTWT1KrD+4FhZ6mg34LJkty9hTjpc3ji3NbKK50=; b=VTcsJ5gveK3g0suS2Y5+MmD19uIvctM/tKVisxeC7noPAarBI8uqn3xL8vlavbsN1J wdPaLbWvTv4vU4a2vYCtIAwAo3ZV4Gf14oV23AB1MkrsBrhOQAk2gNPWWUt9a4FBqZVL uvk8Giwlme+2Ms2rmw8sFGEiL67eqH0Bbk8wZCYtBeSjat8UHVYAnrLvqiPHCg1J4YKv eqAHyKQEBW6A03c6OmRnhmetGiNFKH5UIhIPRNGavHhLuSJFEwZm3AU6Gqh6LLYaHkst hMqN7AL4X/97gQgWkX5gepGdNEz3KFYdM6iABOp4rdZ17dgdPHNEndOlrAovEJCvWCKw oD5Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698273610; x=1698878410; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=6+B2vTWT1KrD+4FhZ6mg34LJkty9hTjpc3ji3NbKK50=; b=nCIRdINd2AXcl/rBU0J8T2OX/hpkM+xHMuzlhA2zCeIAdA6s+OeK1CLdzSQIgANMKI /HHFeHlHEKqMgP7jn+5+5c0cRSEfAnuUp4oCm39EAcevzMMyQRlbbQjhp4gfkKowb38F 1TvBUNbapEpm41ar9vw+ZjoFq8ql+R5q2O5F951BC/XH2Z62uFaguM2xXNups2EhH2te k7t0A7/Hx9tpbvrSiSgsYd+KvIstrKLBdPZwoviQPqSh9okPhJq3atqmnU6s4fNiDCY7 zotne9Pp6p4NL7Dg/0epvQ8wQW7QEtescRHAE7nln8lo8QqoC9wIbH4Ue3i4fkzKX4Cf hJzg==
X-Gm-Message-State: AOJu0Yxaa/HAxyPuVPz/9rw09cDs2/MnWJ0+hFlYx5PkqnYdfwr+A71G x2/F7CIbETYGtqjiVf5k3ZMn1FgWf5ZNC2q48e2hAg==
X-Google-Smtp-Source: AGHT+IFw9iIsN83BXeIAbUpjHPzqhLIUAE2aI3ydFX3eJ33/IlxipPDWyV6Uw4SpyEFUYD/p26WYiw1ipwCll3e8A9A=
X-Received: by 2002:a17:907:9727:b0:9bf:5696:9153 with SMTP id jg39-20020a170907972700b009bf56969153mr13548195ejc.57.1698273609940; Wed, 25 Oct 2023 15:40:09 -0700 (PDT)
MIME-Version: 1.0
References: <235CB38C-ADE7-4F71-81DC-2D8279253AF1@apple.com> <CACsn0cmS_5F_tc88i6oNw_poTGiE746wKac9irk-LddP4LKzsA@mail.gmail.com> <CAG2Zi23OLNF2WPZsJvjOhmNvRcbf1k8qUsoULx_5ib80ZAW1FA@mail.gmail.com> <CACsY-Of-DZ9_OYp--Owd5GtBb3_pv5gj=e5s3Pt-TYTrM+DGkQ@mail.gmail.com>
In-Reply-To: <CACsY-Of-DZ9_OYp--Owd5GtBb3_pv5gj=e5s3Pt-TYTrM+DGkQ@mail.gmail.com>
From: David Cook <dcook@divviup.org>
Date: Wed, 25 Oct 2023 17:39:58 -0500
Message-ID: <CAGsvMr670m6soYAvQpbgBgMdMWoj=SG+nSVQejyBUYBnfcT_4g@mail.gmail.com>
To: Tim Geoghegan <timgeog+ietf@gmail.com>
Cc: Christopher Patton <cpatton=40cloudflare.com@dmarc.ietf.org>, Watson Ladd <watsonbladd@gmail.com>, Shan Wang <shan_wang=40apple.com@dmarc.ietf.org>, ppm@ietf.org
Content-Type: multipart/alternative; boundary="0000000000004094ce060892235c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ppm/Epl1Y9u4iewNHmrZPYj7U7ET8UI>
Subject: Re: [Ppm] taskprov: In-band Task Provision Extension
X-BeenThere: ppm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Privacy Preserving Measurement technologies <ppm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ppm>, <mailto:ppm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ppm/>
List-Post: <mailto:ppm@ietf.org>
List-Help: <mailto:ppm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ppm>, <mailto:ppm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Oct 2023 22:40:16 -0000

Tim,
There is a cross-protocol attack on the parameter binding version of the
strawman protocol. The client cannot know whether each aggregator derived
its task ID from the task's parameters in TaskConfig form, or if it
accepted a task ID verbatim and a different set of parameters from a
dishonest task author, using a different task provisioning protocol. This
can be addressed by adding a DAP extension to reports (with a payload of
zero length) that serves as an indication that the corresponding task
should have been set up with this particular provisioning protocol. If an
aggregator that doesn't support the protocol receives such a report, it
must refuse to process the report, since it contains an unsupported
extension. If an aggregator that does support the provisioning protocol
receives such a report, they should check that the task was set up with
that provisioning protocol, or alternatively re-derive the task ID from the
task's parameters and confirm that it matches. In effect, the presence of
the report extension binds the report to the intent that the task ID should
be bound to the task parameters.

See https://github.com/wangshan/draft-wang-ppm-dap-taskprov/issues/39 for a
similar conversation as applied to Taskprov. The same zero-length report
extension fix has been applied to the taskprov editor's copy.

Beyond this issue, the strawman provisioning flow makes sense. I think
separating out the commitment to/transparency of task parameters from the
actual provisioning of tasks is a useful distinction, and the commitment
property could be useful to a broader set of deployment scenarios.

--David

On Wed, Oct 25, 2023 at 5:03 PM Tim Geoghegan <timgeog+ietf@gmail.com>
wrote:

> Hi all,
>
> Thanks for sharing this updated draft. When a previous iteration of
> taskprov was discussed on the list ([1]), I noted two drawbacks to the
> design:
>
> 1. There is a significant amount of bandwidth wasted, because a
> `TaskConfig` structure will be transmitted for every single report in the
> task, although it's only acted upon once in each aggregator (the first time
> the leader sees a report with a given `TaskConfig` and the first time the
> helper sees an `AggregationJobInitReq` with the `TaskConfig`).
>
> 2. Aggregators are forced to allow data plane components to configure
> themselves (and in the leader case, this may be based on _untrusted_
> inputs). Generally, I believe it is a design error to put control plane
> concerns into a system's data plane, as this ends up introducing awkward
> constraints for implementations. For example, with taskprov, it's no longer
> possible to run an aggregator that has a read-only view of what tasks it
> runs because it might need to expand that list in response to data plane
> traffic.
>
> (1) has gotten much better since November 2022: the `TaskConfig` structure
> is no longer replicated as an extension in each report share in an
> `AggregationJobInit`. But there's still waste there: a single task could
> see many aggregation jobs over its lifetime, and the `TaskConfig` is
> useless every time past the first. And of course there's still the
> per-report waste of including `TaskConfig` in uploads. (2) remains a
> problem in the current draft.
>
> Everything in engineering is a tradeoff, so these problems aren't
> necessarily disqualifying. Maybe it's worth eating the bandwidth overhead
> and security risk in exchange for taskprov's upsides. But it's been
> difficult thus far to weigh the tradeoffs because taskprov's goals have not
> been clearly articulated.
>
> Exactly what threats does taskprov mitigate? In what ways does taskprov
> simplify the operation of DAP? Most importantly: can we achieve taskprov's
> wins without incurring its downsides?
>
> I've been thinking about taskprov for a while now, have talked to its
> authors, have reviewed its implementation in Janus ([2]) and have built and
> deployed an alternate, OOB task provisioning scheme that has been working
> quite well for us so far ([3], [4]) so I'm going to try to try to produce a
> list of taskprov's goals as I understand them. I hope taskprov's editors
> will let me know whether I have stated them correctly and completely.
>
> But first, to contextualize this discussion, I want to propose a strawman
> for an out-of-band task provisioning system, so that we can compare
> taskprov to it.
>
> # Strawman: naive OOB task provisioning
>
> Aggregators are required to expose an HTTP endpoint `PUT
> {aggregator}/tasks/{task-id}`. The request of that body is taskprov's
> `TaskConfig` message, with one extra field in it to indicate whether the
> recipient is meant to act as the task's Leader or Helper. Upon receipt, the
> aggregator provisions the task into itself and responds with 201 Created.
> Subsequently DAP API requests may be made that reference the task ID.
>
> In this setting, creating a new task looks like:
>
> 1. Task author chooses task parameters and `task-id` and constructs a
> `TaskConfig`.
> 2. Task author does `PUT {leader}/tasks/{task-id}` to send `TaskConfig` to
> the leader.
> 3. Task author does `PUT {helper}/tasks/{task-id}` to send `TaskConfig` to
> the helper.
> 4. Having verified that the task is provisioned into both aggregators, the
> task author distributes task ID and `TaskConfig` to many clients.
> 5. (DAP protocol begins) Clients begin uploading reports by doing `PUT
> {leader}/tasks/{task-id}/reports`.
> 6. Aggregation and collection protocol continues.
>
> Now, let's use that baseline to consider taskprov's goals as I understand
> them.
>
> # In-band task provisioning
>
> draft-wang-ppm-dap-taskprov-05's introduction states: "[taskprov's] key
> feature is that task configuration is performed completely in-band, via
> HTTP request headers." ([5]). And in prior messages to the list, taskprov's
> editors have stressed that taskprov is in-band. But it's not explained why
> in-band task provisioning is inherently desirable. Maybe it'd be
> inappropriate for a standards document which ought to be concerned mainly
> with "how" to discuss "why". But at least in this side discussion, could
> the editors please clarify what's so bad about out-of-band mechanisms?
> Especially since the introduction soon after states: "There is no need for
> out-of-band task orchestration between Leader and Helpers, therefore making
> adoption of DAP easier." ([6])
>
> ... and that is not true! taskprov itself tells us that "[t]he Aggregators
> are presumed to have securely exchanged a pre-shared secret out-of-band"
> ([7]; this is the `verify_key_init` used to derive VDAF verification keys).
> Further, in any real deployment, I'd expect the leader and aggregator to
> have to coordinate so that the leader can authenticate the requests it
> makes to the helper. This would involve exchanging bearer tokens, or
> deploying a PKI together, or something. So even with taskprov, you
> absolutely need to coordinate between aggregators, and you'll need
> _ongoing_ coordination to do things like rotate credentials and bill each
> other.
>
> I suspect that what the introduction meant to say is that "there is no
> need for out-of-band *per-*task orchestration between Leader and Helpers".
> i.e., you coordinate once and then past that you can create however many
> tasks you want via taskprov. Having conceded that, let's dig into what does
> have to happen for each new task in taskprov. Assuming that
> `verify_key_init` has already been distributed to the aggregators:
>
> 1. Task author chooses task parameters and constructs a `TaskConfig`.
> 2. Task author distributes `TaskConfig` to many clients.
> 3. (DAP protocol begins) Clients begin uploading reports by doing `PUT
> {leader}/tasks/{task-id}/reports`; `TaskConfig` is in an HTTP header.
> 4. Leader provisions itself with a task derived from the `TaskConfig`.
> 5. Leader begins aggregation sub-protocol with helper; transmits
> `TaskConfig` in an `AggregationJobInitReq`.
> 6. Helper provisions itself with a task derived from the `TaskConfig`.
> 7. Aggregation and collection protocol continues.
>
> The difference between this and the strawman OOB task provisioning is that
> the task author is spared two HTTP requests to provision the task into the
> aggregators. Why is that desirable? In taskprov, the task author has to
> initiate the provisioning of each task anyway, so what difference do those
> two requests make to the automation-friendliness of task provisioning?
>
> (n.b. This has been a long-winded restatement of Watson Ladd's succinct
> question upthread but I hope laboriously spelling all this out makes the
> comparison between taskprov and other approaches to task provisioning more
> clear.)
>
> # Cryptographic binding to task parameters
>
> The idea is that since the task ID is derived from the task parameters,
> then participation in a task is evidence that a client or aggregator has
> seen the task parameters and consented to them. That's a desirable
> property, but it's not clear to me that an in-band mechanism for task
> provisioning is required to achieve this. To be clear, I don't think the
> taskprov editors have ever claimed that it is, it's just that this binding
> scheme has always been discussed in the context of the taskprov draft.
>
> Let's return to the OOB strawman task provisioning flow from above and see
> if we can tack on parameter binding:
>
> 1. Task author chooses task parameters and constructs a `TaskConfig`.
> 2. Task author does `PUT {leader}/tasks` to send `TaskConfig` to the
> leader.
> 3. Leader derives a task ID from `TaskConfig` and provisions that task
> into itself.
> 4. Task author does `PUT {helper}/tasks` to send `TaskConfig` to helper.
> 5. Helper derives a task ID from `TaskConfig` and provisions that task
> into itself.
> 6. Having verified that the task is provisioned into both aggregators, the
> task author distributes `TaskConfig` to many clients.
> 7. Clients derive task ID from `TaskConfig` and begin uploading reports by
> doing `PUT {leader}/tasks/{task-id}/reports`. No `TaskConfig` is included
> in the upload.
> 8. Aggregation and collection protocol continues.
>
> Now, just as in taskprov, we are assured that all participants are using
> the same task parameters, because otherwise they wouldn't have converged on
> the same task ID. And we can infer that all participants consent to those
> task parameters because otherwise they wouldn't have uploaded, or sent an
> aggregation job request (depending on which participant we're talking
> about).
>
> In summary: it seems to me that if we take the parameter
> commitment/transparency bits from taskprov and combine them with an OOB
> task provisioning mechanism, we achieve all the wins of taskprov without
> its downsides. What am I wrong about? Are there attacks I'm not seeing that
> are mitigated by taskprov? Operational considerations that I have missed?
>
> Thanks,
> Tim
>
> [1]:
> https://mailarchive.ietf.org/arch/msg/ppm/4nceGeK6noA1a9eRR_xK6aQr_Ys/
> [2]: https://github.com/divviup/janus
> [3]: https://github.com/divviup/janus/issues/1486
> [4]: https://github.com/divviup/janus/tree/main/aggregator_api
> [5]:
> https://datatracker.ietf.org/doc/html/draft-wang-ppm-dap-taskprov-05#section-1-2
> [6]:
> https://datatracker.ietf.org/doc/html/draft-wang-ppm-dap-taskprov-05#section-1-3
> [7]:
> https://datatracker.ietf.org/doc/html/draft-wang-ppm-dap-taskprov-05#section-3.2
>
> On Mon, Oct 23, 2023 at 4:36 PM Christopher Patton <cpatton=
> 40cloudflare.com@dmarc.ietf.org> wrote:
>
>> HI Watson, that's not exactly the problem we're solving here. The main
>> goal is an automated mechanism by which all parties can be configured
>> in-band. There are many ways to do this, this draft being one of them.
>>
>> A nice feature of this draft is the manner in which the task ID is
>> derived. Basically, agreement on the task parameters is enforced by the
>> cryptography, not an out-of-band mechanism. See
>> https://github.com/ietf-wg-ppm/draft-ietf-ppm-dap/issues/500 for
>> additional discussion.
>>
>> Chris P.
>>
>> On Fri, Oct 20, 2023 at 1:34 PM Watson Ladd <watsonbladd@gmail.com>
>> wrote:
>>
>>> Dear Shan,
>>>
>>> I read the draft and I don't understand why you need this. Why is it
>>> hard to update the Collector and Leader with the tasks before handing
>>> it out to the clients?
>>>
>>> Sincerely,
>>> Watson
>>>
>>>
>>>
>>> --
>>> Astra mortemque praestare gradatim
>>>
>>> --
>>> Ppm mailing list
>>> Ppm@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ppm
>>>
>> --
>> Ppm mailing list
>> Ppm@ietf.org
>> https://www.ietf.org/mailman/listinfo/ppm
>>
> --
> Ppm mailing list
> Ppm@ietf.org
> https://www.ietf.org/mailman/listinfo/ppm
>

v2.23.0 | Report a Bug | By Email