IETF Logo Mail Archive

Re: [Ppm] taskprov: In-band Task Provision Extension

Tim Geoghegan <timgeog@gmail.com> Wed, 25 October 2023 23:17 UTC

Return-Path: <timgeog@gmail.com>
X-Original-To: ppm@ietfa.amsl.com
Delivered-To: ppm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCC67C1519AE for <ppm@ietfa.amsl.com>; Wed, 25 Oct 2023 16:17:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.103
X-Spam-Level:
X-Spam-Status: No, score=-1.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9IYGmXJf1geY for <ppm@ietfa.amsl.com>; Wed, 25 Oct 2023 16:17:28 -0700 (PDT)
Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1ABDC137366 for <ppm@ietf.org>; Wed, 25 Oct 2023 16:17:27 -0700 (PDT)
Received: by mail-ed1-x532.google.com with SMTP id 4fb4d7f45d1cf-53e3e7e478bso375862a12.0 for <ppm@ietf.org>; Wed, 25 Oct 2023 16:17:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1698275846; x=1698880646; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=429l7DLRDf+Vou/MTFtcR7ZHEqyrqM4CEv9stG6cSNI=; b=kWZ8r0e7arfOBOi3pG/estLCeEuTK4bWD+EGxhiiNSdoS6LDl6VLnTOaywkhZjoZBO F7N2H2x9Vv3WvG8Hq4GudvIkhJ7wsOQ5oe7nQH4GLv71Sg7TAMLlPf3P3z4LtElKPj6c +koQZfLwK15ydjUEOPu2VFJtmlJgvZNF9e+9VO6wgvY7Rtr37iAJj0pM2PcR7Rk2vASw BGKCcPJvXbpl+rc21QalQQJPVf1Li/0yed/9gC4fyrOlRC+KWmvIV8XZGBSpp++kH3mv lh98cMUK5SIpfShoz77dcjh/Q9WB+wYDPpuomX109RwSRXMggGAJHa1XIsZGR5WfZ5kw ZZtg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698275846; x=1698880646; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=429l7DLRDf+Vou/MTFtcR7ZHEqyrqM4CEv9stG6cSNI=; b=PG3r1qk+b3ja+YdedLONCCh3fWQ038m9eJg5ik0zgLNeiKzsx0MNot+D5y34R0tq7j WvygjEgvqEbf/MsgGrQUnQ7RaOsURteAjoejZfxVBSSn3Oavwn3u1lABnq75nGUoZjnL tcyh8V4IWre95xqUVhmkA2iHjP75mDYhLYmM0z8lYaA1tH98Obz3LVmTMYx/9Ma3Wpy2 kgT+IaejbqWOwt43boBesUQQKPvsYs2FuVQGvh/eckgjZiL00z6Ufbxf3+lz5w8wGXCw VjMIa43E9hFkb/9b8Eg1kYDSPEHZAe2QCG2M+L3bcpyI5ZHPbLO4KKG6bfepLbdv5kRv s+vg==
X-Gm-Message-State: AOJu0Yw+TiiXjtps8J7ZC119uMM9qZP+OTyAvkAKvbW/KuiCM4ADn1gg D9jTebdebux3cVTpdBn3n8PKNr40wbnqt9qh/0M=
X-Google-Smtp-Source: AGHT+IFwCNIWCmMntxinuVNKg31Oq/hXJm6QpNpMPp2TKbnrmePTZy4O5Fvhv7tdrmWcuq8xDAJ/Oc07U9rhnoKGgBA=
X-Received: by 2002:a05:6402:42c5:b0:540:2ece:79 with SMTP id i5-20020a05640242c500b005402ece0079mr10908771edc.10.1698275845622; Wed, 25 Oct 2023 16:17:25 -0700 (PDT)
MIME-Version: 1.0
References: <235CB38C-ADE7-4F71-81DC-2D8279253AF1@apple.com> <CACsn0cmS_5F_tc88i6oNw_poTGiE746wKac9irk-LddP4LKzsA@mail.gmail.com> <CAG2Zi23OLNF2WPZsJvjOhmNvRcbf1k8qUsoULx_5ib80ZAW1FA@mail.gmail.com> <CACsY-Of-DZ9_OYp--Owd5GtBb3_pv5gj=e5s3Pt-TYTrM+DGkQ@mail.gmail.com> <CAGsvMr670m6soYAvQpbgBgMdMWoj=SG+nSVQejyBUYBnfcT_4g@mail.gmail.com>
In-Reply-To: <CAGsvMr670m6soYAvQpbgBgMdMWoj=SG+nSVQejyBUYBnfcT_4g@mail.gmail.com>
From: Tim Geoghegan <timgeog@gmail.com>
Date: Wed, 25 Oct 2023 16:17:13 -0700
Message-ID: <CACsY-OeN3KSzv+0U6ajGvh+EDEdOpMdPUp9iiRi8vQ3QHy8cDg@mail.gmail.com>
To: David Cook <dcook@divviup.org>
Cc: Christopher Patton <cpatton=40cloudflare.com@dmarc.ietf.org>, Watson Ladd <watsonbladd@gmail.com>, Shan Wang <shan_wang=40apple.com@dmarc.ietf.org>, ppm@ietf.org
Content-Type: multipart/alternative; boundary="000000000000824eb2060892a8e8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ppm/GkWY8fkfOGlXK0Drt326o9jF1uc>
Subject: Re: [Ppm] taskprov: In-band Task Provision Extension
X-BeenThere: ppm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Privacy Preserving Measurement technologies <ppm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ppm>, <mailto:ppm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ppm/>
List-Post: <mailto:ppm@ietf.org>
List-Help: <mailto:ppm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ppm>, <mailto:ppm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Oct 2023 23:17:31 -0000

Interesting! I think that cross-protocol attack can also be ruled out by
having an aggregator require that task IDs are _always_ generated from a
TaskConfig and never directly chosen by any task author. Further,
aggregators could provide an endpoint where they advertise parameters for
the tasks they have configured, much like they already advertise HPKE
configs. Then peer aggregators and even clients could check what parameters
an aggregator is using for some task ID before they consent to upload or
run aggregation jobs.

Tim

On Wed, Oct 25, 2023 at 3:40 PM David Cook <dcook@divviup.org> wrote:

> Tim,
> There is a cross-protocol attack on the parameter binding version of the
> strawman protocol. The client cannot know whether each aggregator derived
> its task ID from the task's parameters in TaskConfig form, or if it
> accepted a task ID verbatim and a different set of parameters from a
> dishonest task author, using a different task provisioning protocol. This
> can be addressed by adding a DAP extension to reports (with a payload of
> zero length) that serves as an indication that the corresponding task
> should have been set up with this particular provisioning protocol. If an
> aggregator that doesn't support the protocol receives such a report, it
> must refuse to process the report, since it contains an unsupported
> extension. If an aggregator that does support the provisioning protocol
> receives such a report, they should check that the task was set up with
> that provisioning protocol, or alternatively re-derive the task ID from the
> task's parameters and confirm that it matches. In effect, the presence of
> the report extension binds the report to the intent that the task ID should
> be bound to the task parameters.
>
> See https://github.com/wangshan/draft-wang-ppm-dap-taskprov/issues/39 for
> a similar conversation as applied to Taskprov. The same zero-length report
> extension fix has been applied to the taskprov editor's copy.
>
> Beyond this issue, the strawman provisioning flow makes sense. I think
> separating out the commitment to/transparency of task parameters from the
> actual provisioning of tasks is a useful distinction, and the commitment
> property could be useful to a broader set of deployment scenarios.
>
> --David
>
> On Wed, Oct 25, 2023 at 5:03 PM Tim Geoghegan <timgeog+ietf@gmail.com>
> wrote:
>
>> Hi all,
>>
>> Thanks for sharing this updated draft. When a previous iteration of
>> taskprov was discussed on the list ([1]), I noted two drawbacks to the
>> design:
>>
>> 1. There is a significant amount of bandwidth wasted, because a
>> `TaskConfig` structure will be transmitted for every single report in the
>> task, although it's only acted upon once in each aggregator (the first time
>> the leader sees a report with a given `TaskConfig` and the first time the
>> helper sees an `AggregationJobInitReq` with the `TaskConfig`).
>>
>> 2. Aggregators are forced to allow data plane components to configure
>> themselves (and in the leader case, this may be based on _untrusted_
>> inputs). Generally, I believe it is a design error to put control plane
>> concerns into a system's data plane, as this ends up introducing awkward
>> constraints for implementations. For example, with taskprov, it's no longer
>> possible to run an aggregator that has a read-only view of what tasks it
>> runs because it might need to expand that list in response to data plane
>> traffic.
>>
>> (1) has gotten much better since November 2022: the `TaskConfig`
>> structure is no longer replicated as an extension in each report share in
>> an `AggregationJobInit`. But there's still waste there: a single task could
>> see many aggregation jobs over its lifetime, and the `TaskConfig` is
>> useless every time past the first. And of course there's still the
>> per-report waste of including `TaskConfig` in uploads. (2) remains a
>> problem in the current draft.
>>
>> Everything in engineering is a tradeoff, so these problems aren't
>> necessarily disqualifying. Maybe it's worth eating the bandwidth overhead
>> and security risk in exchange for taskprov's upsides. But it's been
>> difficult thus far to weigh the tradeoffs because taskprov's goals have not
>> been clearly articulated.
>>
>> Exactly what threats does taskprov mitigate? In what ways does taskprov
>> simplify the operation of DAP? Most importantly: can we achieve taskprov's
>> wins without incurring its downsides?
>>
>> I've been thinking about taskprov for a while now, have talked to its
>> authors, have reviewed its implementation in Janus ([2]) and have built and
>> deployed an alternate, OOB task provisioning scheme that has been working
>> quite well for us so far ([3], [4]) so I'm going to try to try to produce a
>> list of taskprov's goals as I understand them. I hope taskprov's editors
>> will let me know whether I have stated them correctly and completely.
>>
>> But first, to contextualize this discussion, I want to propose a strawman
>> for an out-of-band task provisioning system, so that we can compare
>> taskprov to it.
>>
>> # Strawman: naive OOB task provisioning
>>
>> Aggregators are required to expose an HTTP endpoint `PUT
>> {aggregator}/tasks/{task-id}`. The request of that body is taskprov's
>> `TaskConfig` message, with one extra field in it to indicate whether the
>> recipient is meant to act as the task's Leader or Helper. Upon receipt, the
>> aggregator provisions the task into itself and responds with 201 Created.
>> Subsequently DAP API requests may be made that reference the task ID.
>>
>> In this setting, creating a new task looks like:
>>
>> 1. Task author chooses task parameters and `task-id` and constructs a
>> `TaskConfig`.
>> 2. Task author does `PUT {leader}/tasks/{task-id}` to send `TaskConfig`
>> to the leader.
>> 3. Task author does `PUT {helper}/tasks/{task-id}` to send `TaskConfig`
>> to the helper.
>> 4. Having verified that the task is provisioned into both aggregators,
>> the task author distributes task ID and `TaskConfig` to many clients.
>> 5. (DAP protocol begins) Clients begin uploading reports by doing `PUT
>> {leader}/tasks/{task-id}/reports`.
>> 6. Aggregation and collection protocol continues.
>>
>> Now, let's use that baseline to consider taskprov's goals as I understand
>> them.
>>
>> # In-band task provisioning
>>
>> draft-wang-ppm-dap-taskprov-05's introduction states: "[taskprov's] key
>> feature is that task configuration is performed completely in-band, via
>> HTTP request headers." ([5]). And in prior messages to the list, taskprov's
>> editors have stressed that taskprov is in-band. But it's not explained why
>> in-band task provisioning is inherently desirable. Maybe it'd be
>> inappropriate for a standards document which ought to be concerned mainly
>> with "how" to discuss "why". But at least in this side discussion, could
>> the editors please clarify what's so bad about out-of-band mechanisms?
>> Especially since the introduction soon after states: "There is no need for
>> out-of-band task orchestration between Leader and Helpers, therefore making
>> adoption of DAP easier." ([6])
>>
>> ... and that is not true! taskprov itself tells us that "[t]he
>> Aggregators are presumed to have securely exchanged a pre-shared secret
>> out-of-band" ([7]; this is the `verify_key_init` used to derive VDAF
>> verification keys). Further, in any real deployment, I'd expect the leader
>> and aggregator to have to coordinate so that the leader can authenticate
>> the requests it makes to the helper. This would involve exchanging bearer
>> tokens, or deploying a PKI together, or something. So even with taskprov,
>> you absolutely need to coordinate between aggregators, and you'll need
>> _ongoing_ coordination to do things like rotate credentials and bill each
>> other.
>>
>> I suspect that what the introduction meant to say is that "there is no
>> need for out-of-band *per-*task orchestration between Leader and Helpers".
>> i.e., you coordinate once and then past that you can create however many
>> tasks you want via taskprov. Having conceded that, let's dig into what does
>> have to happen for each new task in taskprov. Assuming that
>> `verify_key_init` has already been distributed to the aggregators:
>>
>> 1. Task author chooses task parameters and constructs a `TaskConfig`.
>> 2. Task author distributes `TaskConfig` to many clients.
>> 3. (DAP protocol begins) Clients begin uploading reports by doing `PUT
>> {leader}/tasks/{task-id}/reports`; `TaskConfig` is in an HTTP header.
>> 4. Leader provisions itself with a task derived from the `TaskConfig`.
>> 5. Leader begins aggregation sub-protocol with helper; transmits
>> `TaskConfig` in an `AggregationJobInitReq`.
>> 6. Helper provisions itself with a task derived from the `TaskConfig`.
>> 7. Aggregation and collection protocol continues.
>>
>> The difference between this and the strawman OOB task provisioning is
>> that the task author is spared two HTTP requests to provision the task into
>> the aggregators. Why is that desirable? In taskprov, the task author has to
>> initiate the provisioning of each task anyway, so what difference do those
>> two requests make to the automation-friendliness of task provisioning?
>>
>> (n.b. This has been a long-winded restatement of Watson Ladd's succinct
>> question upthread but I hope laboriously spelling all this out makes the
>> comparison between taskprov and other approaches to task provisioning more
>> clear.)
>>
>> # Cryptographic binding to task parameters
>>
>> The idea is that since the task ID is derived from the task parameters,
>> then participation in a task is evidence that a client or aggregator has
>> seen the task parameters and consented to them. That's a desirable
>> property, but it's not clear to me that an in-band mechanism for task
>> provisioning is required to achieve this. To be clear, I don't think the
>> taskprov editors have ever claimed that it is, it's just that this binding
>> scheme has always been discussed in the context of the taskprov draft.
>>
>> Let's return to the OOB strawman task provisioning flow from above and
>> see if we can tack on parameter binding:
>>
>> 1. Task author chooses task parameters and constructs a `TaskConfig`.
>> 2. Task author does `PUT {leader}/tasks` to send `TaskConfig` to the
>> leader.
>> 3. Leader derives a task ID from `TaskConfig` and provisions that task
>> into itself.
>> 4. Task author does `PUT {helper}/tasks` to send `TaskConfig` to helper.
>> 5. Helper derives a task ID from `TaskConfig` and provisions that task
>> into itself.
>> 6. Having verified that the task is provisioned into both aggregators,
>> the task author distributes `TaskConfig` to many clients.
>> 7. Clients derive task ID from `TaskConfig` and begin uploading reports
>> by doing `PUT {leader}/tasks/{task-id}/reports`. No `TaskConfig` is
>> included in the upload.
>> 8. Aggregation and collection protocol continues.
>>
>> Now, just as in taskprov, we are assured that all participants are using
>> the same task parameters, because otherwise they wouldn't have converged on
>> the same task ID. And we can infer that all participants consent to those
>> task parameters because otherwise they wouldn't have uploaded, or sent an
>> aggregation job request (depending on which participant we're talking
>> about).
>>
>> In summary: it seems to me that if we take the parameter
>> commitment/transparency bits from taskprov and combine them with an OOB
>> task provisioning mechanism, we achieve all the wins of taskprov without
>> its downsides. What am I wrong about? Are there attacks I'm not seeing that
>> are mitigated by taskprov? Operational considerations that I have missed?
>>
>> Thanks,
>> Tim
>>
>> [1]:
>> https://mailarchive.ietf.org/arch/msg/ppm/4nceGeK6noA1a9eRR_xK6aQr_Ys/
>> [2]: https://github.com/divviup/janus
>> [3]: https://github.com/divviup/janus/issues/1486
>> [4]: https://github.com/divviup/janus/tree/main/aggregator_api
>> [5]:
>> https://datatracker.ietf.org/doc/html/draft-wang-ppm-dap-taskprov-05#section-1-2
>> [6]:
>> https://datatracker.ietf.org/doc/html/draft-wang-ppm-dap-taskprov-05#section-1-3
>> [7]:
>> https://datatracker.ietf.org/doc/html/draft-wang-ppm-dap-taskprov-05#section-3.2
>>
>> On Mon, Oct 23, 2023 at 4:36 PM Christopher Patton <cpatton=
>> 40cloudflare.com@dmarc.ietf.org> wrote:
>>
>>> HI Watson, that's not exactly the problem we're solving here. The main
>>> goal is an automated mechanism by which all parties can be configured
>>> in-band. There are many ways to do this, this draft being one of them.
>>>
>>> A nice feature of this draft is the manner in which the task ID is
>>> derived. Basically, agreement on the task parameters is enforced by the
>>> cryptography, not an out-of-band mechanism. See
>>> https://github.com/ietf-wg-ppm/draft-ietf-ppm-dap/issues/500 for
>>> additional discussion.
>>>
>>> Chris P.
>>>
>>> On Fri, Oct 20, 2023 at 1:34 PM Watson Ladd <watsonbladd@gmail.com>
>>> wrote:
>>>
>>>> Dear Shan,
>>>>
>>>> I read the draft and I don't understand why you need this. Why is it
>>>> hard to update the Collector and Leader with the tasks before handing
>>>> it out to the clients?
>>>>
>>>> Sincerely,
>>>> Watson
>>>>
>>>>
>>>>
>>>> --
>>>> Astra mortemque praestare gradatim
>>>>
>>>> --
>>>> Ppm mailing list
>>>> Ppm@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/ppm
>>>>
>>> --
>>> Ppm mailing list
>>> Ppm@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ppm
>>>
>> --
>> Ppm mailing list
>> Ppm@ietf.org
>> https://www.ietf.org/mailman/listinfo/ppm
>>
>

v2.23.0 | Report a Bug | By Email