Re: [secdir] Secdir last call review of draft-weis-gdoi-rekey-ack-05
"Brian Weis (bew)" <bew@cisco.com> Thu, 24 August 2017 16:48 UTC
Return-Path: <bew@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 528FE1321E6; Thu, 24 Aug 2017 09:48:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.52
X-Spam-Level:
X-Spam-Status: No, score=-14.52 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id snEwJxGAH0UH; Thu, 24 Aug 2017 09:48:49 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F1511320DC; Thu, 24 Aug 2017 09:48:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=23668; q=dns/txt; s=iport; t=1503593329; x=1504802929; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=BERowRZUQNpkCHnjy9j3ZLnmRKUygJmU5eJ59Bj8LTY=; b=VYpqSA2QB2meyqaZay+c4daSgYh1mQF179WjkKHsymOPT758A2aRZAuM ou7vedVDtEdcrP5g35QVzLbEWRaMIUrPgb0EGR1re8mLM10FDX9S1XGTx UOZnNrragDBAk0AloNZNO5tKqAAlOIE+KFtDsipjQY0P4C5yc3ioI62Lw 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BjAQDlAZ9Z/4UNJK1TBwMaAQEBAQIBAQEBCAEBAQGCb2tkgRUHgy1Dih2QFoFOiFuIL4U9DoIELIFggzsCGoQ2PxgBAgEBAQEBAQFrKIUZBgwXVhACAQYCPwMCAgIfERQRAgQOBYlNTAMVEJEenWaCJ4c4DYQRAQEBAQEBAQEBAQEBAQEBAQEBAQEBGAWDKoICgy8rC4FlgQyCV4FpAQcLAQktChURgkwwgjEFoB08AodUh3mEdgyCBoVjim+JcIJRiW4BHzh/C3cVWwGFAwEcgWd2iGEGAQgXgQyBDwEBAQ
X-IronPort-AV: E=Sophos;i="5.41,422,1498521600"; d="scan'208,217";a="286941280"
Received: from alln-core-11.cisco.com ([173.36.13.133]) by rcdn-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 24 Aug 2017 16:48:48 +0000
Received: from XCH-RTP-003.cisco.com (xch-rtp-003.cisco.com [64.101.220.143]) by alln-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id v7OGmlqC005783 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 24 Aug 2017 16:48:47 GMT
Received: from xch-rtp-001.cisco.com (64.101.220.141) by XCH-RTP-003.cisco.com (64.101.220.143) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Thu, 24 Aug 2017 12:48:46 -0400
Received: from xch-rtp-001.cisco.com ([64.101.220.141]) by XCH-RTP-001.cisco.com ([64.101.220.141]) with mapi id 15.00.1210.000; Thu, 24 Aug 2017 12:48:46 -0400
From: "Brian Weis (bew)" <bew@cisco.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
CC: "secdir@ietf.org" <secdir@ietf.org>, "draft-weis-gdoi-rekey-ack.all@ietf.org" <draft-weis-gdoi-rekey-ack.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Thread-Topic: Secdir last call review of draft-weis-gdoi-rekey-ack-05
Thread-Index: AQHTDgJglUgJl63bZkSkx0TnTx/5x6KUGN4A
Date: Thu, 24 Aug 2017 16:48:46 +0000
Message-ID: <E61F05DB-EEB0-4140-A2D4-DB11163C4E13@cisco.com>
References: <150194814585.18635.3104789196001873381@ietfa.amsl.com>
In-Reply-To: <150194814585.18635.3104789196001873381@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.19.191.173]
Content-Type: multipart/alternative; boundary="_000_E61F05DBEEB04140A2D4DB11163C4E13ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/1aDxvDdF4pcMObs57aJC3lHpIW8>
Subject: Re: [secdir] Secdir last call review of draft-weis-gdoi-rekey-ack-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Aug 2017 16:48:52 -0000
Hi Yaron, Thanks for the review. We’ve added some clarification below, and made some changes in -06 to address your comments. Please let us know if we did not address them satisfactorily. On Aug 5, 2017, at 8:49 AM, Yaron Sheffer <yaronf.ietf@gmail.com<mailto:yaronf.ietf@gmail.com>> wrote: Reviewer: Yaron Sheffer Review result: Has Issues Summary: this reviewer is not clear about the value of the push-ack (compared to a pull) and about the strategy that was chosen. In a group key management system either a “pull” (triggered by a group member) or a “push” (by the key server)" could be used to provide updates to the group. However, a “pull” by the group member implies a polling method, which has the deficiency that the key server cannot cause a policy replacement any sooner than the polling method by the group members. Also “polling” can cause additional unnecessary traffic. So is is better for any update on the group policy or renewal of group keys to be distributed by the GCKS using a PUSH message. The ACK-message is used to offer a feedback mechanism to a policy update for the PUSH exchange. * "For example, a GCKS policy can use the acknowledgements to determine [...] which members may no longer be members of the group." This sentence is very confusing: when are members not members? We’ve reworded this text. It’s trying to convey that a missing ACK message (or a certain number of it) can be used to identify that a group member is no longer receiving group traffic, and is now may be considered an ex-group member. For example, it could be a multicast receiver that is no longer interested in being a receiver for the group. But it could also be that a network event has caused it to be unavailable for a sufficient length of time such that it doesn’t have current keying material and therefore can’t be considered a current group member. There is no reliable “I’m leaving the group” message flow, and of course in my second example no such messages would have been intended by the group member. * The new protocol capability is defined as optional, but really isn't. "A GM receiving the KEK_ACK_REQUESTED attribute can choose to ignore it, thus appearing as if it does not support the KEK_ACK_REQUESTED attribute. However, GCKS policy may consider a non-responsive GM to no longer desire to be a member of the group." So if you want to play the game, you MUST support the new attribute. Point taken. We’ve changed the text to reflect this. * I'm puzzled at the overall protocol. Being able to send ACKs is a GM software capability. Why not have the GM announce this capability when it initially registers to the GCKS? Then the GCKS would know what to expect, whereas with the current protocol it is left waiting for an ACK that may never come, either because the GM is dead or because it just doesn't feel like responding. Add the long waits (jitter of "a few seconds" and potential retries), and this looks like a far from optimal management experience. Indeed a GM could announce its capability, but whether or not ACKs are desired is a component of the group policy. In the context of GDOI the GCKS is the entity that defines the group policy. There can be groups where the ACK is used, whereas others do not. The capabilities announcement you suggest could certainly help the KS to know whether or not to expect the ACK from a particular GM, but the focus of this I-D is on the the declaration of the request for ACKs by the GCKS and the format of the ACK. * 2.2: "This is a private key" - to avoid confusion, I suggest: "This is a secret symmetric key" (if this is indeed the case). Obviously using the same key for encryption and for HMAC is not a best practice. We’ve made this change. * Sec. 5: ACK messages can also be duplicated in the network. I suggest to add a sentence describing what the GCKS should do in this case. The Security Considerations (section 7.3) describes a method for the GCKS to detect replays. This is arguably better placed in this section, so we’ve moved it here.. * Sec. 6: I am confused about the notion of "jitter" here. If the PUSH messages are sent as multicast (the recommended alternative AFAICT), I'm not sure about the benefit of using multicast, given that each recipient responds with a unicast ACK. And if the PUSH is unicast, there should be no reason for a jitter as the sender can throttle the PUSH messages as necessary. The concept of “jitter” is most valuable for responses to a multicast PUSH message. The use of a multicast PUSH message lower processing on the GCKS. Since each GM can e given the exact same policy, there’s no call to send it out as a unicast message. The jitter helps spread out the replies a bit to avoid inundating the GCKS. * Moreover, everything would be much more predictable if the GCKS could indicate if a jitter is expected and how much of a jitter (based on size of the group, network throughput, and queue length). Specifically, this would allow the GCKS to tell how long it should wait for an ACK. This would be somewhat useful, but in practice might not help the GCKS as much as it seems. The jitter value provided would also be dependent on several network parameters that aren’t under the control of the GCKS or the GM. Even when the GM does not add any jitter to the ACK, the underlying network may delay the PUSH and/or for the ACK. And as stated in Section 6, the GCKS may be configured with additional policy actions like retransmissions to overcome lost ACKs. Altogether to add jitter to the ACK is not a must, it is a way to help the GCKS deal with a huge number of GMs. In practice, we’ve found that having the GMs choose the jitter has worked well, even when the GMs are different implementations. * Cryptographic agility: this document specifies only one algorithm for the HASH value, and says that if a new algorithm is needed, there will be a new KEK_ACK_REQUESTED payload defined. However to make sure that this really "works", we need to define whether multiple such payloads can be sent simultaneously (if e.g. some GMs still support the old algorithm) and what's the expected behavior. I would suggest to define an additional SHA-512 payload just to make for a concrete example. This is a good suggestion. We’ve added SHA-512 versions of the existing KEK_ACK_REQUESTED values. See <https://tools.ietf.org/html/draft-weis-gdoi-rekey-ack-06> Thanks, Brian -- Brian Weis Security, CSG, Cisco Systems Telephone: +1 408 526 4796 Email: bew@cisco.com<mailto:bew@cisco.com>
- [secdir] Secdir last call review of draft-weis-gd… Yaron Sheffer
- Re: [secdir] Secdir last call review of draft-wei… Brian Weis (bew)
- Re: [secdir] Secdir last call review of draft-wei… Yaron Sheffer
- Re: [secdir] Secdir last call review of draft-wei… Brian Weis (bew)
- Re: [secdir] Secdir last call review of draft-wei… Yaron Sheffer