Re: [Rmt] Last Call: draft-ietf-rmt-bb-norm-revised (Multicast Negative-Acknowledgment (NACK) Building Blocks) to Proposed Standard

Hi Brian and Pekka, 

With regard to this thread, the relevant draft to cite is the MSEC work item 
for IPsec multicast extensions: draft-ietf-msec-ipsec-extensions-08.txt (and 
its successors). It is currently in IESG review as a proposed standard. v09 
will be out shortly. 

A few observations: 

1) The appendix A-2 specifically speaks to the NORM protocol service model 
and how to handle it in unison with multicast IPsec. 

2) The issue of scalable group member authentication on the NORM unicast 
flow has tradeoffs. The data origin authentication issue is discussed in 
section 4.3. The tradeoffs are discussed in the "Security Considerations" 
section 6.2.2. Regarding Group Sender authentication of an arbitrary Group 
Receiver unicast transmission, if you really need individual host 
authentication then the Group Receiver could use a digital signature on the 
ESP payload. Either an identity-based signature system or a group-specific 
public key infrastructure could avoid per Group Receiver state at the Group 
Sender endpoint. 

3) GSAKMP offers a mode wherein pre-shared secrets allow a member to acquire 
the group keying materials by receiving and interpreting the group rekey 
event multicast, without the overhead of a registration exchange (RFC 4535 
section 5.2.3). This capability was originally motivated by uni-directional 
satellite systems. 

I would suggest referencing both RFC 4301 and this document in the context 
of your security considerations. 

hth, 

  George 

 ------------------------ 

Date: Mon, 14 Apr 2008 14:34:49 -0400
From: Brian Adamson <adamson@itd.nrl.navy.mil>
To: Pekka Savola <pekkas@netcore.fi>
Cc: macker@itd.nrl.navy.mil, ietf@ietf.org, rmt@ietf.org
Subject: Re: [Rmt] Last Call: draft-ietf-rmt-bb-norm-revised (Multicast
Negative-Acknowledgment (NACK) Building Blocks) to Proposed Standard 

Pekka, 

I will provide an updated draft to address your issues below as best
possible. The principal challenge is related to security and most
notably key management. I hope we can avoid waiting on the more
comprehensive "RMT Security Discussion" document? I agree that it
would be _nice_ to be able to reference the "RMT Security Discussion"
document that is in development. However it doesn't yet provide all
the answers either. We have some other documents coming along, too.
The most relevant is a draft describing "Simple Authentication"
schemes for the RMT protocols. 

Our focus in RMT has been on "reliabilty" and "congestion control"
for multicast which were hard problems on their own ;-). Key
management, etc adds a new dimension to our transport working group,
but I understand the need for it. 

I guess my question is whether it is acceptable to suggest a baseline
"out of band" (wr2 the NACK RMT protocol) key management scheme to
establish/maintain the Security Associations, keys, etc for the
unicast feedback from the receivers to the sender? I.e., the
sender would establish trust relationships with the receivers (and
provide them with the key for the sender multicast transmission). 

BTW, I have actually run transport mode IPsec (w/ Linux and MacOS
hosts) for multicast sender->receivers and unicast receivers->sender
with 2 Security Associations configured at each node, one for the
sender->receiver traffic and a common SA that all of the the
receivers use for feedback to the sender. In this case, all of the
receivers use a common key for the unicast feedback to the sender.
The issue here is if one receiver decides to be malicious, he might
generate traffic using another receiver's source address and make it
hard to identify the bad behaving node. 

I have also tested use of transport mode IPsec with multiple unicast
flows (each source with its own SA/key) multiplexed to a single
receiving UDP socket (This would be analogous to a multicast sender
getting unicast feedback from multiple, separately authenticated
receivers). The stock IPsec implementations support this. 

So, the basic mechanisms to do this _exist_ providing the Security
Association and key information can be put into place ... My question
is if identifying an approach along these lines (IPsec with
out-of-band key mgmnt) is sufficient for the NACK base reliable
multicast building block? I.e., if pre-placed certificates/keys
isn't good enough? In the NORM "Protocol Instantiation" document
(based on this NACK building block), I do describe in more detail how
to use IPsec for this as a "baseline" secure mode of operation ...
some of that discussion could be moved to or duplicated in this NACKK
Building Block document. 

Also, I think there are multiple approaches possible to address
security for these protocols, depending upon how they are deployed.
For example, I have also played with the MSEC GDOI key management
stuff a little bit (it's a little immature still wr2 implementation)
and Brian Weis indicated it might be possible that the GDOI
GROUPKEY-PUSH key update message might be passed as an inband message
within the reliable multicast protocol ... but there is more work to
be done there. And as mentioned above, we have a couple of non-IPsec
approaches in the works (TESLA and "Simple Authentication") 

At 9:35 AM +0300 4/14/08, Pekka Savola wrote:
>Hi Brian, 
>
>On Fri, 11 Apr 2008, Brian Adamson wrote:
>>I appreciate your comments here. I plan to issue a new version of
>>the draft that addresses these to the extent I can. I have some
>>questions about your concerns with comments in-line below:
>
>Thanks for your quick response. Below I won't quote all the text if
>additional clarification doesn't seem warranted. 
>
>>But this is certainly not a "fully-baked" area. So [router
>>assistance] discussion _could_ be removed ... I suppose it will
>>persist in the RFC 3941 for historical purposes until there is
>>further interest in the area?
>
>That would be my preference. 
>
>>In fact, the U.S. Postal Service has used a NACK-based protocol to
>>deliver bulk data content to a group of 10,000 - 20,000 receivers
>>in a single multicast group over a fairly limited IP-based VSAT
>>delivery system. This system was (and still is as far as I know)
>>been used operationally on a daily basis for more than 5 years. 
>>
>>One of the references for this document is some work I did to
>>assess (and to predict) the volume of feedback of these types of
>>protocols with group sizes through this scale. 
>>
>>I can probably provide more clarification on the impact ... erring
>>on the large size may add some extra latency to the NACK-based
>>reliability process and require more buffering in the
>>implementation to maintain state.
>
>Some clarification would be great, as well as an explicit reference
>as, if you say, this number has already been tested and found to be
>working, and have caused no ill effects in other scales. 
>
>>>The details how one might apply IPsec to the unicast channel are absent.
>>>I'm not commenting on the multicast delivery part because that is somewhat
>>>covered though details are fuzzy. Unicast has two major issues that I did
>>>not see clearly addressed: 
>>>
>>> 1) malicious, misconfigured or under-performing (beyond small capacity
>>> links etc.) receivers. Is there even a way to differentiate between
>>> these classes of receivers? When these send a lot of NACK feedback,
>>> progress of the stream is deterred. How do you deal with this issue
>>> (this is partly operations, protocol, and security problem)?
>> 
>>
>>This is an issue. I did try to point out that (but perhaps still
>>too subtly) in the "Security Considerations" section. The idea in
>>the text there was to point out that SSM operation eliminates
>>direct receiver<->receiver messaging, simplifying security such
>>that only the sender need to authenticate/trust receiver
>>operations. For the case of IPsec, that means the sender
>>implementation may have alot of Security Association state
>>depending upon group size. But I thought it beyond the scope of
>>this "Building Block" document to go into the details of this. It
>>should more thoroughly addressed in any "Protocol Instantiations"
>>that are made.
>
>I have a bad feeling that protocol instatiations will not be able to
>develop a deployable security model based on this approach, or if
>it's done, the security models will be different for each protocol
>instantiation... 
>
>>> 2) receiver authentication for the feedback back-channel; how could you
>>> do it? This seems unfeasible in practise if the expected default
>>> group sizes (e.g. the recommended default of 10,000 receivers) would
>>> be realized.
>>
>>There indeed may be practical limitations on group size due to
>>security. I suppose it is comparable to a server that would need
>>maintain alot of simultaneous secure TCP connections? But again I
>>am not sure it is in the scope of the NACK Building Block document
>>to predict scalability limits of IPsec implementations? But I
>>suppose that some language could be added to point out these
>>issues. Would that address your concerns here?
>
>While the number of 10,000 IPsec SAs already seems to be a
>significant number, I'm more concerned about what else is required,
>especially what's required to bring up these SAs. You will need
>some key exchange protocol, like IKEv2. That's probably around 4-10
>round trips per receiver to signal the SAs (and more to keep it
>running). But even more challenging, you will require some mechanism
>to identify the good receivers (and the receivers need to identify
>the sources, but that's likely easier) and tie that to the security
>association. What would be that mechanism? Each source having a
>shared secret with each receiver would likely could prove a
>provisioning challenge. Or you could generate each receiver a
>certificate and build a local certificate authority but that only
>works if all the receivers are under your management. Or there
>could be some other mechanism. 
>
>draft-ietf-rmt-sec-discussion already provides a lot of good
>analysis on security aspects of RMT work. Too bad it isn't
>referenced here and that it isn't finished yet. Yet, when
>draft-ietf-rmt-sec-discussion discusses solutions, I don't see how
>it addresses some of the problems specific to this document, e.g.,
>receiver-based attacks (authenticating and securing the feedback
>return channel; how to ensure the reports are valid even if they
>come from an authenticated receiver). 
>
>I'd like to see that draft referenced here. It's not clear to me
>whether it would be reasonable to ask that this document should not
>go forward until sec-discussion goes forward; if that is not
>reasonable, I believe this document's security considerations needs
>some additional work especially wrt the unicast feedback channel;
>section 6.1.1 and its subsections already discusses the multicast
>part in some detail (I'm not qualified to evaluate whether that's
>sufficient), but while the first paragraph mentions unicast, it is
>not obvious whether it's fully covered in the text that follows. 
>
>--
>Pekka Savola "You each name yourselves king, yet the
>Netcore Oy kingdom bleeds."
>Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

-- 
Brian
__________________________________
Brian Adamson
<mailto:adamson@itd.nrl.navy.mil>
_______________________________________________
Rmt mailing list
Rmt@ietf.org 

_______________________________________________
Rmt mailing list
Rmt@ietf.org
https://www.ietf.org/mailman/listinfo/rmt