Re: [RTG-DIR] Rtgdir telechat review of draft-ietf-intarea-broadcast-consider-05

"Carlos Pignataro (cpignata)" <cpignata@cisco.com> Tue, 16 January 2018 05:44 UTC

Return-Path: <cpignata@cisco.com>
X-Original-To: rtg-dir@ietfa.amsl.com
Delivered-To: rtg-dir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C537126B6E; Mon, 15 Jan 2018 21:44:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oWIYX9FahWV1; Mon, 15 Jan 2018 21:44:36 -0800 (PST)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C7E0124D68; Mon, 15 Jan 2018 21:44:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=84628; q=dns/txt; s=iport; t=1516081476; x=1517291076; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=mUTX+iOavIr6dnNf037n/kLlHHdbCu827ml8FEQ7dAw=; b=VakjXMBsU6E/6XIvK1JMVhnWMRcFxRee2Qudn/Bwt7RbgxCiiZn1YTYR 5tTITp+4UWgwsCaAWIHJ/1D5p1QVdFug3wE9KyGhf/EoacXwa2bCrS3V7 8GTRzbrfn3LWzQdWdbfFOiwKcYaivTt/cz7BB92qMnAehJ/pORGzahDeI 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BBAgAfkF1a/40NJK1SAQkZAQEBAQEBAQEBAQEBBwEBAQEBgkp3ZnQnB4QMmQOCAnyWRIICCiOBXoM6AhqEN0MUAQEBAQEBAQEBayiFJAYaCVYQAgEIOAEGAwICAjAUEQIEDgWJT2QQqDyCJ4lKAQEBAQEBAQEBAQEBAQEBAQEBAQEBHYVKgQeBV4FpKYF3WDaDJAsCAoEzCAEBBwEKAYM2MYI0BZlyiXICiAqDeIlHghlnhTaEFYdFimiCVok6AhEZAYE7AQ8nImBwbxUZTgGBfwmCRgUcgWd4AYsCBwgYgQ2BFwEBAQ
X-IronPort-AV: E=Sophos;i="5.46,366,1511827200"; d="scan'208,217";a="344949799"
Received: from alln-core-8.cisco.com ([173.36.13.141]) by rcdn-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 16 Jan 2018 05:44:34 +0000
Received: from XCH-RTP-018.cisco.com (xch-rtp-018.cisco.com [64.101.220.158]) by alln-core-8.cisco.com (8.14.5/8.14.5) with ESMTP id w0G5iYYO001011 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 16 Jan 2018 05:44:34 GMT
Received: from xch-rtp-020.cisco.com (64.101.220.160) by XCH-RTP-018.cisco.com (64.101.220.158) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Tue, 16 Jan 2018 00:44:33 -0500
Received: from xch-rtp-020.cisco.com ([64.101.220.160]) by XCH-RTP-020.cisco.com ([64.101.220.160]) with mapi id 15.00.1320.000; Tue, 16 Jan 2018 00:44:33 -0500
From: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
To: Rolf Winter <rolf.winter@hs-augsburg.de>
CC: "rtg-dir@ietf.org" <rtg-dir@ietf.org>, "int-area@ietf.org" <int-area@ietf.org>, "draft-ietf-intarea-broadcast-consider.all@ietf.org" <draft-ietf-intarea-broadcast-consider.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Thread-Topic: Rtgdir telechat review of draft-ietf-intarea-broadcast-consider-05
Thread-Index: AQHTjjp8Nh00mOJsjEOsbOGvjpHKXqN2UYWA
Date: Tue, 16 Jan 2018 05:44:33 +0000
Message-ID: <4CB9B6C7-0E1F-4E20-AAC9-77AAF66FC757@cisco.com>
References: <151590364970.3170.13650222639051565830@ietfa.amsl.com> <712376b6-103b-fa47-263a-4d575a4d631a@hs-augsburg.de>
In-Reply-To: <712376b6-103b-fa47-263a-4d575a4d631a@hs-augsburg.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.70.231.26]
Content-Type: multipart/alternative; boundary="_000_4CB9B6C70E1F4E20AAC977AAF66FC757ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-dir/58wyn-FP_KCHwe8wA436G7EcWZk>
Subject: Re: [RTG-DIR] Rtgdir telechat review of draft-ietf-intarea-broadcast-consider-05
X-BeenThere: rtg-dir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Routing Area Directorate <rtg-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-dir/>
List-Post: <mailto:rtg-dir@ietf.org>
List-Help: <mailto:rtg-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jan 2018 05:44:40 -0000

Hi, Rolf,

On Jan 16, 2018, at 4:53 AM, Rolf Winter <rolf.winter@hs-augsburg.de<mailto:rolf.winter@hs-augsburg.de>> wrote:

Carlos,

thanks for the review. Comments below:

Thanks to you for the quick response, and for the document. Please see inline.


Am 14.01.18 um 05:20 schrieb Carlos Pignataro:
Reviewer: Carlos Pignataro
Review result: Not Ready
 Hello,
I have been selected as the Routing Directorate reviewer for this draft. The
Routing Directorate seeks to review all routing or routing-related drafts as
they pass through IETF last call and IESG review, and sometimes on special
request. The purpose of the review is to provide assistance to the Routing ADs.
For more information about the Routing Directorate, please see
​http://trac.tools.ietf.org/area/rtg/trac/wiki/RtgDir
Although these comments are primarily for the use of the Routing ADs, it would
be helpful if you could consider them along with any other IETF Last Call
comments that you receive, and strive to resolve them through discussion or by
updating the draft.
Summary:
This document has a set of minor issues, detailed below.
Comments:
1. Target
The document's title targets "IP broadcast and multicast protocol designers",
the Abstract and document throughout about "Therefore, broadcast/multicast
protocol designers". However, upon reading, it becomes clear that the target
audience of this document is not multicast/broadcast protocol designers, but
rather designers (?) of higher-level protocols that use broadcast or multicast.
The Abstract does say "A number of application-layer protocols make use of IP
broadcasts or". This causes major confusion on the first few reads of the doc.
In addition to the target layer, the role is unclear. The document says "Also
application developers use broadcast/multicast messages to implement" in at
least one more instance. Do these considerations target designers, developers,
both? Of multicast protocols? Of application protocols?


Point well taken. As the previous reviewer suggested something similar, we changed the title from:

"Privacy considerations for IP broadcast and multicast protocol designers"

to

"Privacy considerations for protocols relying on IP broadcast and multicast""

And made textual changes throughout the document to rephrase "broadcast/multicast protocol" to something along the lines of "protocol making use of broadcast/multicast messages”


Thanks! I believe that change will add much clarity.

We published a new version reflecting that already.

2. Threat model
The document talks about "a passive observer in the same broadcast/multicast
domain". It does not seem to cover, however, how exactly is bcast/mcast
different from unicast, when the passive observer has an interface is
promiscuous mode or has a packet capture library.

But there is a whole section on what boradcast/multicast is being used for and how it differs from unicast. It also details which multicast addresses are most relevant for this work. The key is that the receiver group is much larger and protecting the traffic, with e.g. encryption is much harder.

I think you are pointing to S1.1. In my comment, I was referring more to the characteristics of the user, rather than those of bcast/mcast. Stephane’s email response explained that. Maybe better defining a “passive observer”? “Plugging” into the segment and capturing without any tapping?


The doc then says "can trivially record these messages and analyze their
content". But how trivial or not it is to analyze the message contents seems to
be independent of the means in which they are sent. After captured, how is a
unicast different than a bcast/mcast? The content can have cryptographic
protection, which might make it not trivial to analyze.

That is the whole point and the document I thought is clear about it. In order to being able to even capture a unicast packet, you'd have to be at a special location inside the network such as a router.

“Passive observer” does not specify the attachment characteristics or location of the observing. That’s why I suggested above define the vector with more precision.

Bcast you just have to be connected to the network and then listen. Also, crypto is so much harder. With TLS two parties agree on keys etc. but in multicast it is not necessarily that trivial as more parties are involved. There is a reference regarding this also in the security considerations section.


This also did not directly translate to my reading, hence my comment for your consideration. Sentences like "can trivially record these messages and analyze their content” somewhat merge the two concepts of how to capture and the difficulty of encrypting. Separating the two concepts might provide less aliasing of the qualifier. “Trivial to capture if/because” and “trivial to analyze if/because”.

3. References:
The document says:
"  Most of these items
   are based on protocol behavior observed as part of experiments on
   operational networks [TRAC2016]."
Based on this citation, should [TRAC2016] be Normative? And is it readily
available?

I would think one understands the document without having read the paper, so I would assume informative would be ok?


That’s for you/authors/WG/chairs/AD to discuss. To me, as a “passive observer” of the work, it reads as more normative than informative (since the methods are relevant to the conclusions)

4. Qualification of examples used to derive conclusions.
"of a popular application", "A popular operating system". Which ones?

We discussed it a bit in WG review and later again. We decided we did not want to put "blame" on any app or OS. If you read the paper though, you'll know some ;)


Understood — thank you for explaining that the discussion happened. And agreed.

Further, the document includes the following text:
"  This is
   clearly true for any protocol, but broadcast/multicast is special in
   at least two respects:
   (a)  The aforementioned large receiver group, consisting of receivers
        unknown to the sender.  This makes eavesdropping without special
        privileges or a special location in the network trivial for
        anybody in the broadcast/multicast domain.
   (b)  Encryption is more difficult when broadcast/multicast messages,
        leaving content of these messages in the clear and making it
        easier to spoof and replay them.
   Given the above, privacy protection for protocols based on broadcast
   or multicast communication is significantly more difficult compared
   to unicast communication and at the same time invading the privacy is
   much easier.
"
But I do not directly follow how a large (including unknown) set of receivers
makes eavesdropping "trivial" (and not on unicast). Or how more difficult
encryption is in mcast/bcast to result in only replaying messages.

The size of the receiver group does not make it trivial but how easy it is to just listen to the traffic. Unicast traffic is typically not seen by other hosts on a subnet. You'd have to have access to a router e.g. In other words anybody on the subnet can listen to bcast/mcast but not to unicast.

Sorry for repeating the same point I made earlier. I understand what you say, but my confusion was because the location and characteristics of the observer, other than being passive, were not fully described. I was drawn to making assumptions against a worst case.

The crypto is more difficult as more parties are involved. You'd need group keys and infrastructure, configuration etc. do this. The "unkown" was based on earlier reviewer feedback. It basically means you have no idea about who is potentially listening in as this is all passive.

Or how the privacy protection for protocols leveraging mcast/bcast is
"significantly more difficult". That would be the case if privacy would depend
only on location preference for eavesdropping and encryption. However, there
are other methods to protect privacy. It seems "trivial" and "significantly"
overexagerate for effect, without granular qualification.

There is a reference in the security considerations section which gives a hint at the complexity involved.

5. I do not understand this sentence:
   In particular, carelessly designed
   broadcast/multicast protocols can break privacy efforts at different
   layers of the protocol stack such as MAC address or IP address
   randomization [RFC4941].
Or at least I do not follow the "how".

Here is an example: if you randomize a MAC address in order to make your device not easily traceable, but then you send a broadcast once every minute with a persistent identifier, the change of MAC address did nothing to protect your traceability as the persitent identifier gives your identity away.

Right, and that’s the type of example I thought that “break privacy efforts” was alluding to. But the text said "carelessly designed broadcast/multicast protocols”, and then I did not follow. I see revision -06 fixed this. Although the next text:

   In particular, carelessly designed
   protocols that use broadcast/multicast can break privacy efforts at
   different layers of the protocol stack such as MAC address or IP
   address randomization [RFC4941].

Could be improved as:

   In particular, carelessly designed application-layer
   protocols that use broadcast/multicast and embed persistent identifiers
   can negate outcome of privacy efforts at
   different layers of the protocol stack, such as MAC address or IP
   address randomization [RFC4941], and allow traceability even in the
   presence of other privacy protections.

Just a thought for your consideration.


6. Applicability.
The great majority of the content in the Section titled "Message frequency"
seems applicable to unicast as well.
That said, the assumption that when a protocol sends packets a user is playing
seems quite weak. In protocol design, there is a tradeoff.

Not given the special nature of bcast/mcast.


There is the assumption in the text that protocol verbosity or timing is (always) directly related or consequential to user action. That does not seem to be the case, even for applications mentioned in the paper.

7. More applicability.
Section 2.2 starts with:
"   A few broadcast/multicast protocols observed in the wild make use of
   persistent identifiers.  This includes the use of host names or more
   abstract persistent identifiers such as a universally unique
   identifiers (UUID) or similar.  These IDs, which e.g. identify the
   installation of a certain application might not change across updates
   of the software and are therefore extremely long lived. "
However, it is not clear to me what these application level identifier design
choices have to do with the IP layer or link-layer multi/uni-cast choice.
How does it follow that these considerations are for "bcast/mcast" (other than
the fact that were seen in an application that is not mentioned)?

We clarified that the document really cares about protocols making use of bcast/mcast. That should deal with this, right?

Indeed. Thank you.


8. Operational suggestions.
I really appreciate a document including operational considerations. The value
of Section 3 is not clear to me. This section now targets "network
administrators/operators" as opposed to designers or developers and how to
design and develop (at the same time) operational and privacy-aware application
protocols.
The advice of "filtering mcast/bcast in access points" is a bit puzzling. The
double negative ("not uncommonly") seems unhelpful. What is the value of config
advice for an access point, in a (ideally) broadly scoped guidance for protocol
designers and developers? Do developers control all operational deployments?

This is really just for completeness sake. Of course this is outside of the protocol designers control but we thought this is worth mentioning.

9. Summary
There is a change of tone in Section 4, from "protocols SHOULD" to "you
SHOULD". It is potentially difficult to evaluate the applicability of some of
these statements:
"   o  If you really must use a broadcast/multicast protocol and cannot
      use an IETF-specified protocol, then:"
Or, what does this mean?
"      *  You SHOULD let the user configure safe environments if possible
         (e.g. based on the SSID)"

We can change this to "the protocol SHOULD". We will update the draft accordingly.

Thank you. My concern was three-fold, and mostly around:
1. how to know if someone "really must use”,
2. what “IETF-specified protocols” have to do in the mix, and
3. What is a “safe environment” and how it relates to “SSID” for a doc scope more broadly than WiFi.
Not really the grammar.

Thanks again for the consideration to the review and the very quick round-trip!

Best,

Carlos.



Best,

Rolf


Thanks,
Carlos.


—
Carlos Pignataro, carlos@cisco.com<mailto:carlos@cisco.com>

“Sometimes I use big words that I do not fully understand, to make myself sound more photosynthesis."