[saag] (no subject)

Eric Rescorla <ekr@rtfm.com> Mon, 07 October 2019 23:18 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 785BB120044 for <saag@ietfa.amsl.com>; Mon, 7 Oct 2019 16:18:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id mAwvD2k7Qn25 for <saag@ietfa.amsl.com>; Mon, 7 Oct 2019 16:18:13 -0700 (PDT)
Received: from mail-lf1-x143.google.com (mail-lf1-x143.google.com [IPv6:2a00:1450:4864:20::143]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 280ED120019 for <saag@ietf.org>; Mon, 7 Oct 2019 16:18:13 -0700 (PDT)
Received: by mail-lf1-x143.google.com with SMTP id w6so10484238lfl.2 for <saag@ietf.org>; Mon, 07 Oct 2019 16:18:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=DQdB6rvV+miY2Q1dge3i3aSc/OIK7bAkkvwriEX+M3c=; b=bT7hez/aPSZ+sAjRJD21IrXO8bwHJoxU5jRfFWDQNLMJThkZ9ulpAm9uAG0fjHptrO X52+0xuj1DFaS/QCppEWoJ0a6fIiF8WmHbJGdh2xSpN5iMpaYf0Fdr7wbzFw6C1pMvDr XdjnlF6txMaD5K3Dkbd/NR+19HYXvTrBjDcVyGqPw4yiIJ/EytU5sA8z++dL8HCJqxBq 1H1H0xvj9bhVuNSNiFW+s53+I8g08Ixxvz9YJwtwQzx+vQw8eWPmoxsSgBiZ7bOY6KHe /0wK5zlHvPoA6CYbF0HoY0B3NBboLJzf6Huw7onW8fnlgt5UPukT7PVW34G2CpFb+frM dTaw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=DQdB6rvV+miY2Q1dge3i3aSc/OIK7bAkkvwriEX+M3c=; b=GQmwQCRCvbah7jRTXK2GnaelmP4qNEm36MoB9dw+EUPsMCkd5VgmQh1psKQxIrQXSB 4Hv8t5PF6J6lX5aAJjZTHb1HNbh35rF0i8c4fIvy0+J4maRHMB1hvIdUxo9TsaFY/HuZ sgvkowZTa7/dVmJZGcIL70wE/UAwG+KFDtA+pAd6janeO28fW1Iu+5jvoaEqR3LizyCn Kf6vmD4pyNSDk55o/u7T6gVrYGx/kREvdyi2v9MllrDxeAWV7sTEYrIjQFoFendgmYwA cLZQuJ6nLpuqLxIa5E1FPuiq4xzMXMBgxNPt/C2GrX/tqhLPxHylrCrbkE0sHO4appwM 1D3w==
X-Gm-Message-State: APjAAAXaVcq1N7+0DgQ/17I5oe0sP1ZA/5pz7ngv1S/YZ3XRQWA4ZcxD Wy7bKd5jjKmIkFQg072/86jFxkt40TepV7+sB0l17Q==
X-Google-Smtp-Source: APXvYqzjghYdfyGOj0m32DQdHyhO1hsR5Wv8Hkv9YA94Tdu7hCEjU14i6o2Vt+zxHm1AioD+X5QvP9/YkcIFWeEPENY=
X-Received: by 2002:a19:c80b:: with SMTP id y11mr19175739lff.184.1570490291052; Mon, 07 Oct 2019 16:18:11 -0700 (PDT)
MIME-Version: 1.0
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 7 Oct 2019 16:17:34 -0700
Message-ID: <CABcZeBP+fxZEW21pnmu8P3_L9ScjtmaSEPe4xDTRTiG=zqKtmQ@mail.gmail.com>
To: draft-ietf-taps-transport-security.all@ietf.org, taps@ietf.org, saag@ietf.org
Content-Type: multipart/alternative; boundary="000000000000ebf84505945a43b0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/mt2kP7zDcP64RvFUqXA0YrjbgyE>
Subject: [saag] (no subject)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Oct 2019 23:18:17 -0000

Document: draft-ietf-taps-transport-security-09.txt

I've reviewed this document and I do not think it should be published
in its current form.

It's probably most useful to start with the objective of this
document. Here's what the abstract says:

   This document provides a survey of commonly used or notable network
   security protocols, with a focus on how they interact and integrate
   with applications and transport protocols.  Its goal is to supplement
   efforts to define and catalog transport services by describing the
   interfaces required to add security protocols.  This survey is not
   limited to protocols developed within the scope or context of the
   IETF, and those included represent a superset of features a Transport
   Services system may need to support.  Moreover, this document defines
   a minimal set of security features that a secure transport system
   should provide.

First off, I should say that I am generally skeptical of the goal
of defining a "secure transport system", at least if we mean by
that something encompassing protocols as diverse as TLS, DTLS,
QUIC, and IPsec. Even though these are built on largely similar
cryptographic cores (in the case of TLS, DTLS, and QUIC, essentially
identical handshakes) and offer relatively similar security
record formats (AEAD-protected records), their actual notional
service interfaces are quite different. As a few examples:

- TLS depends on reliable transport services, DTLS ignores
  them, QUIC offers its own built-in reliable transport abstraction,
  and IPsec has no notion of transport at all, and relies on
  L4 transport protocols to provide any notion of application
  reliability semantics (not too dissimilar to the relationship
  between DTLS and SCTP in WebRTC).

- Despite the above, these protocols actually aren't 1-1 with
  deployment models, so for instance DTLS used to provide a VPN is
  really much more like IPsec than TLS is. So gluing DTLS
  for IoT and DTLS-VPNs together doesn't make sense.

- Although based on the same underlying authorization mechanisms,
  these protocols have different naming models (QUIC, TLS,
  and (mostly) DTLS) talking mostly in terms of domain names
  and IPsec talking mostly in terms of IP addresses (this also
  goes to whether you have a dependency on DNSSEC).

- These protocols have totally different scopes, with the application
  protocols thinking in terms of host/port quarters and IPsec thinking
  in terms of all traffic between two devices.

So, I don't think it's really possible to talk about all of these
as if they were somehow even partially interchangeable instances
of a class of protocols.

Even if we ignore this, I don't feel like the document does a very
good job of achieving this goal. A huge fraction of this document is
taken up by fairly detailed survey of the properties of each of the
relevant protocols. To the extent to which it is meaningful to do a
comparison between these protocol instances, this document seems to me
to focus largely on the wrong pieces, which is to say the
cryptographic details rather than the exposed interface
semantics. Here's a concrete example:

   IKEv2 is a control protocol that runs on UDP ports 500 or 4500 and
   TCP port 4500.  Its primary goal is to generate keys for Security
   Associations (SAs).  An SA contains shared (cryptographic)
   information used for establishing other SAs or keying ESP; See
   Section 4.4.2.  IKEv2 first uses a Diffie-Hellman key exchange to
   generate keys for the "IKE SA", which is a set of keys used to
   encrypt further IKEv2 messages.  IKE then performs a phase of
   authentication in which both peers present blobs signed by a shared
   secret or private key that authenticates the entire IKE exchange and
   the IKE identities.  IKE then derives further sets of keys on demand,
   which together with traffic policies are referred to as the "Child
   SA".  These Child SA keys are used by ESP.

   IKEv2 negotiates which protocols are acceptable to each peer for both
   the IKE and Child SAs using "Proposals".  Each proposal specifies an
   encryption and authentication algorithm, or an AEAD algorithm, a
   Diffie-Hellman group, and (for IKE SAs only) a pseudorandom function
   algorithm.  Each peer may support multiple proposals, and the most
   preferred mutually supported proposal is chosen during the handshake.

How is any of this detail relevant? Suppose that IKEv2 were replaced
with a totally different handshake (IKEv1, DTLS, QUIC crypto), how
would the external behavior of the system be interestingly different?
>From the perspective of the consumer of such a system, the way to
think about this is that there is a handshake protocol which spits out
keys which are then fed into the IP-level packet protection machinery
(note that this is effectively what OpenVPN is, and to some extent
Wireguard, though Wireguard uses different packet protection).

Here's another example:

   Tcpcrypt extends TCP to enable opportunistic encryption between the
   two ends of a TCP connection [RFC8548].  It is a family of TCP
   encryption protocols (TEP), distinguished by key exchange algorithm.
   The use of a TEP is negotiated with a TCP option during the initial
   TCP handshake via the mechanism described by TCP Encryption
   Negotiation Option (ENO) [RFC8547].  In the case of initial session
   establishment, once a tcpcrypt TEP has been negotiated the key
   exchange occurs within the data segments of the first few packets
   exchanged after the handshake completes.  The initiator of a
   connection sends a list of supported AEAD algorithms, a random nonce,
   and an ephemeral public key share.  The responder typically chooses a
   mutually-supported AEAD algorithm and replies with this choice, its
   own nonce, and ephemeral key share.  An initial shared secret is
   derived from the ENO handshake, the tcpcrypt handshake, and the
   initial keying material resulting from the key exchange.  The traffic
   encryption keys on the initial connection are derived from the shared
   secret.  Connections can be re-keyed before the natural AEAD limit
   for a single set of traffic encryption keys is reached.

   Each tcpcrypt session is associated with a ladder of resumption IDs,
   each derived from the respective entry in a ladder of shared secrets.
   These resumption IDs can be used to negotiate a stateful resumption
   of the session in a subsequent connection, resulting in use of a new
   shared secret and traffic encryption keys without requiring a new key
   exchange.  Willingness to resume a session is signaled via the ENO
   option during the TCP handshake.  Given the length constraints
   imposed by TCP options, unlike stateless resumption mechanisms (such
   as that provided by session tickets in TLS) resumption in tcpcrypt
   requires the maintenance of state on the server, and so successful
   resumption across a pool of servers implies shared state.

How does all this detail help someone understand the role that tcpcrypt
plays in the ecosystem. Suppose, for instance, that tcpcrypt didn't
have resumption at all (not a totally absurd design decision), how would
that meaningfully affect the consumer's experience of using it in a

Partly my complaint here is about presentation: a flat list of protocols
complete with a lot of detail serves to obscure the high order
architectural ideas. However, I think it's also a conceptual issue,
which is that this document focuses on the security services provided
(PFS, unilateral authentication, etc.) but that's actually a way in
which these protocols are quite similar, deriving as they mostly do
from the same few underlying cryptographic handshake shapes, with the
differences to a great extent depending on in which era the protocols
were designed (e.g., AES-CTR/HMAC versus AES-GCM), and where even
those properties are to some extent subject to negotiation. It's
also not uncommon to see features migrate between protocols, but that
doesn't change the basic architectural properties.

Instead, I think this document -- if it is to exist at all -- should
focus on the architectural position that these protocols occupy
in the stack rather than on the details of the protocol. This
would give you something that looked like this:

- Generic application-layer channel security protocols
  - TLS
  - DTLS
  - QUIC* [Plus some other stuff]
  - CurveCP (?)

- Transport-level security
  - tcpcrypt
  - MinimaLT (?)

- IP-layer VPN protocols
  - IKEv2,
  - OpenVPN
  - WireGuard

- Application-bound protocols

And then I would have each of these start by emphasizing the common
features of these protocols and how they fit into the ecosystem, and
only briefly cover differences in the protocols to the extent to which
they were meaningfully observable (usually barely at all).

One thing I would emphasize in this context is that the protocol
differences are far less relevant from this perspective. For instance,
OpenVPN and IKEv2/IPsec use totally different cryptographic handshakes
but from an architectural perspective they fit into the same basic
box, which is part of why OpenVPN is such an easy drop-in for
IPsec-style systems.

Another example along these lines is TLS: SSLv2, SSLv3/TLS1.0-1.2, and
TLS 1.3 are really quite different protocols, but they all occupy
the same basic position in the stack and serve the same purposes,
which is why it has been (relatively) easy to just drop newer
versions of TLS into the system.

Once you do this, I think you will also need to radically rework
S 6, but I'm willing to withold judgement.

I made a number of more detailed comments on my copy, but upon
looking back, I think they mostly apply to sections I think
you should cut.