Re: [MSEC] Re: [Rmt] Comments on TESLA source authentication in theALC and NORM protocols: draft-faurite-rmt-tesla-for-alc-norm-00.txt
canetti <canetti@watson.ibm.com> Mon, 01 August 2005 15:43 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DzcRo-0008R4-0f; Mon, 01 Aug 2005 11:43:24 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DzcRl-0008PR-BY for rmt@megatron.ietf.org; Mon, 01 Aug 2005 11:43:22 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA18658 for <rmt@ietf.org>; Mon, 1 Aug 2005 11:43:18 -0400 (EDT)
Received: from igw2.watson.ibm.com ([129.34.20.6]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Dzcy3-00077M-FA for rmt@ietf.org; Mon, 01 Aug 2005 12:16:44 -0400
Received: from sp1n293en1.watson.ibm.com (sp1n293en1.watson.ibm.com [129.34.20.41]) by igw2.watson.ibm.com (8.13.1/8.13.1/8.13.1-2005-04-25 igw) with ESMTP id j71FihKn016496 for <rmt@ietf.org>; Mon, 1 Aug 2005 11:44:43 -0400
Received: from sp1n293en1.watson.ibm.com (localhost [127.0.0.1]) by sp1n293en1.watson.ibm.com (8.11.7-20030924/8.11.7/01-14-2004_2) with ESMTP id j71FhA857200 for <rmt@ietf.org>; Mon, 1 Aug 2005 11:43:10 -0400
Received: from mgsmtp00.watson.ibm.com (mgsmtp00.watson.ibm.com [9.2.40.58]) by sp1n293en1.watson.ibm.com (8.11.7-20030924/8.11.7/01-14-2004_1) with ESMTP id j71Fh9357198 for <rmt@ietf.org>; Mon, 1 Aug 2005 11:43:09 -0400
Received: from prf.watson.ibm.com ([9.2.16.112]) by mgsmtp00.watson.ibm.com (IMF.2005.07.16.1055.haw) with SMTP ID IMFd1122910954.13474; Mon, 01 Aug 2005 11:42:34 -0400
Received: from localhost (canetti@localhost) by prf.watson.ibm.com (AIX5.1/8.11.6p2/8.11.0/03-06-2002) with ESMTP id j71Fh6R36338; Mon, 1 Aug 2005 11:43:06 -0400
Date: Mon, 01 Aug 2005 11:43:06 -0400
From: canetti <canetti@watson.ibm.com>
To: Mark Baugher <mbaugher@cisco.com>
Subject: Re: [MSEC] Re: [Rmt] Comments on TESLA source authentication in theALC and NORM protocols: draft-faurite-rmt-tesla-for-alc-norm-00.txt
In-Reply-To: <13f113bf42cb00fdd2c20aedbe18e424@cisco.com>
Message-ID: <Pine.A41.4.58.0508011142360.41482@prf.watson.ibm.com>
References: <BOEAKHPGPKPMKBEGCKAAAENBCPAA.luby@digitalfountain.com> <Pine.A41.4.58.0508011050490.41482@prf.watson.ibm.com> <13f113bf42cb00fdd2c20aedbe18e424@cisco.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="WINDOWS-1252"
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 94902b99ee6852833c9a2b680a1de4d3
Content-Transfer-Encoding: quoted-printable
Cc: msec@securemulticast.org, Michael Luby <luby@digitalfountain.com>, vincent.roca@inrialpes.fr, "Rmt@ietf. org" <rmt@ietf.org>
X-BeenThere: rmt@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Reliable Multicast Transport <rmt.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rmt>, <mailto:rmt-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:rmt@ietf.org>
List-Help: <mailto:rmt-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rmt>, <mailto:rmt-request@ietf.org?subject=subscribe>
Sender: rmt-bounces@ietf.org
Errors-To: rmt-bounces@ietf.org
Indeed. My apologies, Elisabetta. Ran On Mon, 1 Aug 2005, Mark Baugher wrote: > > On Aug 1, 2005, at 8:05 AM, canetti wrote: > > > > > > > On Mon, 1 Aug 2005, Michael Luby wrote: > > > >> I'm not understanding something. Why is it appropriate to do > >> TESLA-SRTP in > >> MSEC but TESLA-ALC/NORM in RMT? > > > > because the feeling was that we do have sufficient expertise on SRTP in > > MSEC (Mark Baugher is a cocauthor of both SRTP and TESLA-SRTP). > > So too for Elisabetta Carrara, who kindly agree to help with this work > when Ran, uh, recruited me to do TESLA-SRTP. > > Mark > > > > Lets indeed discuss this issue at RMT and MSEC this week and see what > > the > > feelings are. In any case, this clearly should be a joint venture. > > > >> > >> I'm pretty skeptical of doing this work in RMT, since the expertise > >> is just > >> not there for security and since this draft adds a lot of stuff that > >> seems > >> pretty generic and should be inherent MSEC work, and since the > >> security > >> expert and one of the inventors of TESLA has himself described below > >> that > >> TESLA is a relatively complex and delicate protocol. > > > > I guess this skepticism is natural, in the same way that I'm skeptical > > about developing in MSEC a protocol that would interoperate with other > > RMT protocol. But see below. > > > >> > >> I would really prefer as much of the basic work to be done in MSEC as > >> possible (like the initial bootstrapping to let the receivers have an > >> estimate and delta of the current time at the sender when there are a > >> lot of > >> receivers, which seems pretty generic to me, given that I understand > >> MSEC to > >> mean Multicast SECurity and multicast generally implies lots of > >> receivers), > >> and it still seems to me too much is being done in this draft and not > >> enough > >> of the basic work has been done in MSEC (assuming that the work > >> described in > >> the initial draft that seems to be new has not been done in MSEC). > > > > Practially all these details (bootstrapping, etc) are essentially a > > repetition of the description in RFC 4082. It's ok to repeat (since > > this > > is going to be standards-track), but as I remarked in the previous > > mail it > > should be made explicit that all the details are taken from 4082 (and > > say > > explicitly if there is deviation) > > > >> > >> As a side-remark: I'm a bit disappointed with the approach that MSEC > >> seems > >> to be taking on TESLA, only doing work for an "Informational" RFC, > >> especially for something that involves a relatively complex and > >> delicate > >> protocol that is non-trivial to understand and implement securely. An > >> "Informational" RFC is a good starting point, but if it is delicate > >> and easy > >> to get wrong, it seems like there would be some more rock-solid > >> protocol > >> descriptions in a "Standards" track that are developed as well, at > >> least for > >> all the common cases and some of the basic parts of the protocol. > > > > Well, careful reading may prevent disappointments... :) > > > > The plan is to have not one but (at least) two concrete, standards > > track > > documents: TESLA-SRTP is one, and the future TESLA-ESP is another. > > > > Ran > > > > > >> > >> > >>> -----Original Message----- > >>> From: rmt-bounces@ietf.org [mailto:rmt-bounces@ietf.org]On Behalf Of > >>> canetti > >>> Sent: Sunday, July 31, 2005 9:29 PM > >>> To: George Gross > >>> Cc: msec@securemulticast.org; vincent.roca@inrialpes.fr; Rmt@ietf. > >>> org > >>> Subject: Re: [MSEC] Re: [Rmt] Comments on TESLA source > >>> authentication in > >>> theALC and NORM protocols: > >>> draft-faurite-rmt-tesla-for-alc-norm-00.txt > >>> > >>> > >>> > >>> Faurite, Mike, George, and all - > >>> > >>> A few high-level points regarding the work on standardizing TESLA for > >>> RMT's ALC and NORM: > >>> > >>> First, I agree that this is a very worthwhile endeavor. > >>> > >>> Regarding how/where it should be done. The approach within MSEC so > >>> far > >>> wrt the standardization of TESLA was to have: > >>> (a) a single informational document that describes the principles > >>> and the rationale, but without specifying exact parameters, packet > >>> formats, etc. (This is now RFC 4082). > >>> (b) a number of standards-track documents that specify how to use > >>> TESLA in > >>> specific settings. Here we currently have the TESLA-SRTP rfc-to-be > >>> (together with the bootstrapping TESLA draft). the plan is to have > >>> also a > >>> document that describes how to use TESLA within ESP. (This document > >>> is > >>> long overdue. the dead tesla-spec-00 draft that Faurite mentioned can > >>> be regarded as a first draft of this future document.) > >>> > >>> The rationale behind organizing things this way was that TESLA is a > >>> relatively complex and delicate protocol, with several options > >>> and modes that make it hard to specify a single closed protocol that > >>> is > >>> not too complex and yet applies to all scenarios. Furthermore, the > >>> experience within MSEC was that it is non-trivial to understand the > >>> security of this protocol and to implement it securely. Therefore, a > >>> separate informational document seemed in place. > >>> > >>> Indeed, as Mike pointed out, this approach is different from RMT's > >>> bulding-block approach. In particular, it doesnt allow for easy "cut > >>> and > >>> paste" of a "TESLA block" from one protocol into another. Each > >>> protocol > >>> should define its own version of TESLA. Still, it seems appropriate > >>> given > >>> the complexity and rich number of options in TESLA (eg, > >>> direct/indirect > >>> synchronization, need for chain renewal, method of dealing with > >>> dos/packet > >>> buffering, etc.) > >>> > >>> Regarding the present draft. > >>> When Faurite asked the RMT and MSEC chairs a few weeks ago whether to > >>> standardize the present draft within RMT or within MSEC, my response > >>> was > >>> that I thought RMT was a more appropriate venue since the main > >>> challenge > >>> is to make TESLA fit well within the RMT protocol suite, and MSEC > >>> had no > >>> expertise in that. This approach was accepted by the RMT chairs, > >>> under the > >>> condition that there will be "security supervision of the draft" by > >>> MSEC > >>> folks. I still think that this is the best way to do things. In > >>> fact, one > >>> may regard the present draft as a "TESLA building block" for the > >>> purpose > >>> of RMT. This would give implementors three alternative ways of using > >>> TESLA: either within SRTP, or within ESP, or as part of the RMT > >>> suite. > >>> > >>> I've only read the draft at a high level, without delving into many > >>> of the > >>> details. Yet all the choices and descriptions that I read in the > >>> draft > >>> were good. One comment is that I'd refer more closely to RFC 4082, > >>> to make > >>> it clear in each part how exacly the principles and guidelines of > >>> RFC 4082 > >>> are implemented. This may give more confidence to readers of this > >>> document > >>> which are not familiar with 4082 and the security of TESLA. > >>> > >>> Best, > >>> > >>> Ran > >>> > >>> > >>> btw, George, there is considerable difference between the key setup > >>> stage > >>> for TESLA alone (ie, for message authentication alone) and session > >>> setup > >>> using GSAKMP and other group key agreement protocols. In particular, > >>> in > >>> the former there is no need to authenticate the receiver, and ther > >>> eis no > >>> need to setup a group key. > >>> > >>> On Fri, 29 Jul 2005, George Gross wrote: > >>> > >>>> Hi, > >>>> > >>>> I've taken a quick look at the NORM/ALC TESLA draft. It makes a > >>>> good starting point for how to apply TESLA in combination with the > >>>> RMT > >>>> work. I did not dive into it to get details, but a few high > >>> level comments > >>>> seemed in order: > >>>> > >>>> 1) I have not identified a compelling architectural reason why > >>>> NORM/ALC > >>>> TESLA needs to be applied in an application specific manner. > >>> Instead, this > >>>> work is a good candidate for inclusion within a set of one or more > >>>> standards track documents that describe how to apply TESLA to > >>> existing and > >>>> emergent MSEC and IPsec standards. In particular, I would > >>> suggest taking a > >>>> look at the draft-ietf-msec-ipsec-extensions-00.txt, particularly > >>>> the > >>>> service models discussion in the appendix. > >>>> > >>>> 2) the bootstrapping phase of the NORM/ALC TESLA bears a strong > >>>> resemblance to the Internet layer group key management protocols > >>>> already > >>>> developed in MSEC: GDOI and GSAKMP. For example, the TESLA > >>>> bootstrap > >>>> information could become a sub-payload within the GSAKMP Key > >>>> DownLoad > >>>> payload. By using an existent MSEC GKMP, the group membership and > >>>> group > >>>> speaker authentication and authorization procedures are largely > >>>> defined > >>>> and the TESLA feature becomes an extension of a framework. As an > >>>> aside, > >>>> GSAKMP has a distributed mode of operation that alleviates the > >>> scalability > >>>> problem, and it also a uni-directional mode too (e.g. for > >>>> satellite). > >>>> > >>>> 3) as part of the same activity, we would need to design a TESLA ESP > >>>> trailer authenticator, with NORM or ALC as the payload. > >>>> > >>>> 4) integration with the MSEC framework has the additional > >>> benefit that the > >>>> unicast NORM repair and congestion notification messages directed > >>>> at the > >>>> group speaker could be both group and source endpoint > >>>> authenticated, the > >>>> source authentication using the RSA signatures scheme now in RFC > >>>> editor > >>>> queue. > >>>> > >>>> 5) The use of one-way hash chains advocated in the NORM/ALC TESLA > >>>> draft > >>>> may have IPR issues. I'm not a patent attornory, YMMV. > >>>> > >>>> The NORM/ALC TESLA draft is on the MSEC agenda for Paris, but I > >>>> won't be > >>>> there. So I would hope these discussions could continue on the > >>> MSEC list. > >>>> > >>>> hth, > >>>> George > >>>> > >>>> On Thu, 28 Jul 2005, faurite wrote: > >>>> > >>>>> Mike, thanks a lot for your constructive remarks. > >>>>> > >>>>> Generally speaking, we do agree with all of them. The choices > >>>>> we made have been done with the goal to bootstrap the work (keep > >>>>> in mind it's only a -00 version) and to fill in some missing > >>>>> aspects in current TESLA documents. > >>>>> > >>>>> > >>>>> Let's go into the details, in particular concerning the > >>>>> "split between MSEC and RMT WG". > >>>>> > >>>>> > >>>>> You're right, our I-D could easily be split into several separate > >>>>> documents, some of them being specified in the MSEC WG, and the > >>>>> ALC/NORM instanciation in the RMT WG. > >>>>> This is not the choice we made for the -00 version because we > >>>>> wanted to put forward all the points we believe are needed (and > >>>>> that are missing in current MSEC TESLA documents). > >>>>> > >>>>> For instance: > >>>>> - boostrap stuff could be moved to a separate "TESLA bootstraping > >>>>> for ALC/NORM" document (or merged with the current "TESLA > >>>>> bootstraping for SRTP" document if the authors believe it's > >>>>> feasible/desireable). > >>>>> > >>>>> - key chain switching: RFC4082 (TESLA introduction) does not > >>>>> discuss > >>>>> this possibility of high practical importance. The same is true > >>>>> for the "TESLA for SRTP" I-D. This is an issue in particular > >>>>> (but > >>>>> not only) with on-demand ALC sessions of non-predefined > >>>>> duration. > >>>>> We tried to fix this, but yes, a better solution would be to > >>>>> have this mechanism described in some MSEC TESLA document since > >>>>> it could then be used not only for ALC/NORM but also for SRTP... > >>>>> > >>>>> - time synchronization stuff: RFC4082 and "TESLA for SRTP" > >>>>> essentially focuss on direct synchronization, which is > >>>>> not necessarily appropriate in case of ALC (scalability/feedback > >>>>> problems). So we tried to further clarify how indirect > >>> synchronization > >>>>> could be done (securely)... > >>>>> But yes, here also, a better solution would be to have it > >>>>> described > >>>>> in an MSEC TESLA document. > >>>>> > >>>>> Having it all in the same -00 document was a deliberate choice, but > >>>>> this is questionable, sure. A direct consequence is that this > >>>>> single > >>>>> I-D could not be submitted to both WGs and we've been adviced to > >>>>> send > >>>>> it to RMT and CC it to MSEC. That's why. > >>>>> > >>>>> BTW, an updated "TESLA spec" along the lines of the (dead) I-D: > >>>>> http://www.ece.cmu.edu/~adrian/tesla/draft-ietf-msec-tesla-spec > >>>>> -00.txt > >>>>> that would incorporate the missing points above is clearly missing. > >>>>> Some parts of our I-D is inspired from it, as we explained. > >>>>> > >>>>> Cheers, > >>>>> > >>>>> Sebastien/Aurelien/Vincent > >>>>> > >>>>> > >>>>> > >>>>>> Comments on TESLA source authentication in the ALC and NORM > >>> protocols: > >>>>>> draft-faurite-rmt-tesla-for-alc-norm-00.txt > >>>>>> > >>>>>> First off, I think that this is a very good thing to try and > >>> standardize, as > >>>>>> TESLA is ideally suited to provide authentication and packet > >>> integrity > >>>>>> protection to ALC and NORM. Unfortunately, I have a lot of > >>> questions and > >>>>>> issues with the draft, and some are basic questions about > >>> where this work > >>>>>> should be done. > >>>>>> > >>>>>> What I was expecting is a document that describes how to > >>> apply TESLA and > >>>>>> related security features that have been developed in MSEC > >>> that have been > >>>>>> developed in the spirit of a building block to ALC and NORM, > >>> where all the > >>>>>> security issues have been addressed in the TESLA work and it > >>> is simply cut > >>>>>> and paste to put that into the ALC and NORM context. What I > >>> see instead is > >>>>>> a document that describes a lot of protocol work that has > >>> security aspects > >>>>>> to it that seems more suitable for MSEC. I’m not sure why > >>> this is, perhaps > >>>>>> because the TESLA specification does not lend itself to > >>> being used as a > >>>>>> building block directly, and perhaps because some of the > >>> other security > >>>>>> protocols have not been addressed by MSEC. It would be good > >>> though if the > >>>>>> basic security work were done in MSEC, and only applications > >>> of that work > >>>>>> that have no potential to introduce weaknesses in security > >>> were described in > >>>>>> the RMT work that describes how these protocols are applied > >>> to ALC and NORM. > >>>>>> I have been informed that this is the approach taken with > >>> SRTP, i.e., the > >>>>>> work to apply TESLA to SRTP is being done within MSEC, and not > >>>>>> AVT. > >>>>>> > >>>>>> As an example, Section 2 describes protocols for time > >>>>>> synchronization > >>>>>> between the sender and receivers. Since the security of > >>> TESLA entirely > >>>>>> relies on time synchronization, the security of this > >>> protocol is of crucial > >>>>>> importance. Furthermore, it seems that time synchronization > >>> would be a > >>>>>> basic primitive of any protocol that uses TESLA. Thus, it > >>> seems like the > >>>>>> time synchronization protocols should be work done within > >>> the MSEC group > >>>>>> that can then be leveraged for application work done in RMT, > >>> and it seems > >>>>>> inappropriate for this work to be done in RMT since the > >>> security protocol > >>>>>> experts aren’t there. > >>>>>> > >>>>>> Section 3 on setting TESLA parameters seems to be the type > >>> of thing that one > >>>>>> would expect in this draft. However, even in this section, > >>> there is very > >>>>>> little reference and tie-in with the TESLA RFC, and thus it > >>> would be good to > >>>>>> tighten this section up and refer to the appropriate sections and > >>>>>> definitions used in TESLA in this section and use the > >>> protocols that have > >>>>>> been standardized in TESLA. A related comment is that it > >>> should be said > >>>>>> somewhere in this draft incorporates the TESLA RFC and > >>> inherits all of the > >>>>>> terminology of the TESLA RFC. > >>>>>> > >>>>>> The bulk of Section 3 defines the format of bootstrap > >>> information signature > >>>>>> fields and authentication tags, and many related parameters. > >>> It seems like > >>>>>> this format and information should all be defined in the > >>> TESLA RFC, or if > >>>>>> not in a related RFC within MSEC. If this is all new to > >>> this draft and not > >>>>>> described in the TESLA RFC then this seems like a lot of new > >>>>>> formatting/information to be adding beyond TESLA, and I > >>> would feel a lot > >>>>>> more comfortable if this work were done in MSEC. > >>>>>> > >>>>>> There are a number of other technical comments that could be > >>> made, but I > >>>>>> think the high level issue of how to split the work between > >>> MSEC and RMT > >>>>>> should be solved before addressing lower level technical issues. > >>>>>> > >>>>>> Regards, > >>>>>> Michael Luby > >>>>>> > >>>>>> > >>>>>> _______________________________________________ > >>>>>> Rmt mailing list > >>>>>> Rmt@ietf.org > >>>>>> https://www1.ietf.org/mailman/listinfo/rmt > >>>>>> > >>>>>> > >>>>>> > >>>>> > >>>>> _______________________________________________ > >>>>> msec mailing list > >>>>> msec@securemulticast.org > >>>>> http://six.pairlist.net/mailman/listinfo/msec > >>>>> > >>>> > >>>> _______________________________________________ > >>>> msec mailing list > >>>> msec@securemulticast.org > >>>> http://six.pairlist.net/mailman/listinfo/msec > >>>> > >>>> > >>>> > >>> > >>> _______________________________________________ > >>> Rmt mailing list > >>> Rmt@ietf.org > >>> https://www1.ietf.org/mailman/listinfo/rmt > >>> > >> > >> > >> > > _______________________________________________ > > msec mailing list > > msec@securemulticast.org > > http://six.pairlist.net/mailman/listinfo/msec > > > > _______________________________________________ Rmt mailing list Rmt@ietf.org https://www1.ietf.org/mailman/listinfo/rmt
- [Rmt] Comments on TESLA source authentication in … Michael Luby
- Re: [Rmt] Comments on TESLA source authentication… faurite
- Re: [MSEC] Re: [Rmt] Comments on TESLA source aut… George Gross
- Re: [MSEC] Re: [Rmt] Comments on TESLA source aut… canetti
- RE: [MSEC] Re: [Rmt] Comments on TESLA source aut… Michael Luby
- RE: [MSEC] Re: [Rmt] Comments on TESLA source aut… canetti
- Re: [MSEC] Re: [Rmt] Comments on TESLA source aut… canetti
- RE: [MSEC] Re: [Rmt] Comments on TESLA source aut… George Gross
- RE: [MSEC] Re: [Rmt] Comments on TESLA source aut… canetti
- RE: [MSEC] Re: [Rmt] Comments on TESLA source aut… Michael Luby
- RE: [MSEC] Re: [Rmt] Comments on TESLA source aut… canetti