IETF Logo Mail Archive

Re: [secdir] Secdir review of draft-ietf-intarea-broadcast-consider-05

Rolf Winter <rolf.winter@hs-augsburg.de> Mon, 15 January 2018 19:21 UTC

Return-Path: <rolf.winter@hs-augsburg.de>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1457912EB73; Mon, 15 Jan 2018 11:21:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.131
X-Spam-Level:
X-Spam-Status: No, score=-1.131 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779, T_RP_MATCHES_RCVD=-0.01] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QAizb_hZfK5y; Mon, 15 Jan 2018 11:21:40 -0800 (PST)
Received: from fly2.rz.hs-augsburg.de (fly2.RZ.HS-Augsburg.DE [IPv6:2001:638:102:201::11:24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF48012D850; Mon, 15 Jan 2018 11:21:31 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by fly2.rz.hs-augsburg.de (Postfix) with ESMTP id D71C1120D3E; Mon, 15 Jan 2018 20:21:12 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at hs-augsburg.de
Received: from fly2.rz.hs-augsburg.de ([127.0.0.1]) by localhost (fly2.rz.hs-augsburg.de [127.0.0.1]) (amavisd-new, port 10024) with LMTP id wQxqWCPaCizo; Mon, 15 Jan 2018 20:21:12 +0100 (CET)
Received: from [192.168.178.42] (ppp-212-114-180-26.dynamic.mnet-online.de [212.114.180.26]) by fly2.rz.hs-augsburg.de (Postfix) with ESMTPSA id D55FA120C51; Mon, 15 Jan 2018 20:21:11 +0100 (CET)
To: Vincent Roca <vincent.roca@inria.fr>, IESG <iesg@ietf.org>, secdir@ietf.org, draft-ietf-intarea-broadcast-consider.all@ietf.org
References: <383EA7C8-CFF0-48AF-AD0C-840545483E94@inria.fr>
From: Rolf Winter <rolf.winter@hs-augsburg.de>
Message-ID: <80beb32b-35fe-9a2d-e951-037a34d81a5f@hs-augsburg.de>
Date: Mon, 15 Jan 2018 20:21:28 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.5.2
MIME-Version: 1.0
In-Reply-To: <383EA7C8-CFF0-48AF-AD0C-840545483E94@inria.fr>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/41la96TBGnVc6FzsfOVuLMMxfO0>
Subject: Re: [secdir] Secdir review of draft-ietf-intarea-broadcast-consider-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jan 2018 19:21:43 -0000

Hi Vincent,

thanks for the detailed review and sorry for the belated reply. We have 
submitted a new version based on these comments and recommendations. 
Please see inline:

Am 05.01.18 um 14:26 schrieb Vincent Roca:
> Hello,
> 
> I have reviewed this document as part of the security directorate’s ongoing
> effort to review all IETF documents being processed by the IESG. These
> comments were written primarily for the benefit of the security area
> directors.  Document editors and WG chairs should treat these comments just
> like any other last call comments.
> 
> Summary: *Ready with issues*
> 
> This document lists recommendations concerning the use of
> broadcast/multicast traffic from a privacy point of view, which is
> highly valuable. However I have a certain number of comments.
> (sorry if my email is a bit long…)
> 
> 
> *Main comments:*
> 
> 1) First of all, the focus of this document looks ambiguous.
> The title refers to "IP broadcast and multicast protocol designers"
> which I can understand as those low level protocols for IP broadcast
> and multicast (e.g., IGMP, MLD, and why not various multicast routing
> protocols, etc.). On the opposite, the abstract restricts the focus:
> "application-layer protocols make use of IP broadcasts or multicast
> messages" (1st sentence). Then, when reading the document, I sometimes
> understand that it could also consider lower layer protocols. This
> should be clarified.
> 
> Also, instead of "designers of broadcast/multicast protocols" I'd
> rather say "designers of protocols relying (in parts or totally) on
> broadcast/multicast traffic". This applies to the title (in a
> condensed version) and throughout the core of the document.

Makes complete sense. I hope we have spotted all occurences in the main 
text and also changed the title accordingly:

was: "Privacy considerations for IP broadcast and multicast protocol 
designers"

new: "Privacy considerations for protocols relying on IP broadcast and 
multicast"

> 
> 
> 2) Another point: I'd like to see the item (b) of introduction
> developed as this is the key issue with multicast/broadcast traffic.
> Without encryption, application messages are vulnerable to
> eavesdropping and all kinds of analyses. A group key could be
> negociated and used for encrypting this traffic, but this requires a
> more complex setup mechanism (typically a key management system,
> probably with re-keying and all the stuff) and requires a preliminary
> association of a terminal that is not necessarily compatible with the
> application-layer protocol features.
> The text could say that if possible, multicast/broadcast traffic
> encryption should be used, otherwise risks should be minimised as
> discussed in this document. And of course, it's always good to remind
> the designers that unicast traffic should be always encrypted since
> there's no good reason not to do that.
> 


We talk about this in the security considerations section and come to 
the same conclusion as you do:

"It should be noted that certain applications could make use of
    existing mechanisms to protect multicast traffic such as the ones
    defined in [RFC5374].  Examples of such applications can be found in
    Appendix A. of [RFC5374].  Given the required infrastructure and
    assumptions about these applications and the security infrastructure,
    many applications will not be able to make use of such mechanisms."

In which way would you expand on this?

> 
> 3) I'd like to suggest another recommendation: when applicable, limit
> or avoid user-originated broadcast/multicast messages, preferring
> infrastructure originated messages.
> An example: in a discovery mechanism, avoid terminal sollicitation as
> much as possible and limit oneself to infrastructure announcement
> broadcast messages, even if it can include some extra delay (controled
> with the announcement frequency). This is exactly what happened in
> Wifi AP discovery, where the passive discovery scheme, AP based, is
> now prefered to the active scheme.
> Said differently, multicast/broadcast is not per se the issue, when
> originating from the infrastructure it is generaly safe.
> 
> 

I think I disagree somewhat (and it is not a generally applicable use 
case, e.g. if resources on a host are offered there is no general way to 
delegate announcements of these to the infrastructure). Saying that 
infrastructure announcements are generally safe requires that a receiver 
can validate that a message came from the infrastructure which is a 
problem (e.g. rogue DHCP servers). A lot of deployments solve some of 
this through infrastructure means (e.g. DHCP snooping), but we have 
documented that. Also, whatever comes from the infrastructure requires a 
standard so that devices/apps understand it. We have text around that, too.


> 4) A more general comment, related to item (a) of intro:
> Broadcast/multicast can simplify user surveillance, I agree. However,
> when I'm looking at all the practicies of companies working in the
> advertising area (in particular A&A companies, sitting between
> smartphone users and advertisers, domain that I know a little bit),
> the techniques deployed are incredibly smart, some of them bypassing
> technical protections set up by the OS manufacturers, others relying
> on hidden technical features. It's impressive how inventive those
> companies can be.
> My point is that even if traffic is 100% unicast, as long as a
> wireless medium is used, anyone wanting to monitor users in order to
> profile them will set up the required hardware/software configuration.
> This is trivial and extremely cheap nowadays (except perhaps for 4G
> connections), and most of the time this is a purely passive
> monitoring. The unicast/multicast/broadcast nature of traffic has no
> importance as long as you are within wireless network range.


I think there is little that the IETF can do about that. Also "bypassing 
technical protection" and using "hidden technical features" is nothing 
you can protect against in general and I assume is often not by design.

> 
> 
> *Clarification needed:*
> 
> ** section 4: I cannot understand the meaning of "information" in:
>          "* You SHOULD try to design the protocol in a way that the
>           information cannot be correlated with other information in
>           broadcast/multicast messages"
> What does the first instance of "information" refer to?


Clarified.

> 
> 
> ** Last but one sentence of section 2.2: Why do you say "or at least
> much more difficult"? Without encryption, a persistant application
> layer identifier voids any lower layer attempt. I'd remove this
> comment altogether.


Done.


> 
> 
> *Various:*
> 
> ** the authors use the term "host name" to refer to a higher layer
> name of a device. To me this term refers to the DNS notion of
> "hostname", i.e. something different, hence confusion. I'd recommend
> to use "device name" in order to avoid it.

Well, RFC 7719 even admits the term is ill defined and does refer to 
various things. Also, for the protocols we looked at and OS 
configurations, sometimes there are different host namens being used for 
different purposes. We would like to stick with host names (also since 
RFC8117 useses the term which is highly relevant in this context).

> 
> ** section 2.3: instead of:
>          "If only a persistent ID is needed, this can be generated
>          randomly. »
> I'd rather say:
>          "Persistent identifiers SHOULD be avoided (section 2.2), but
>          if one is absolutely needed and if the devide name is not
>          required, then the identifier SHOULD be generated randomly."
> 

That would have not read nicely with the sentence before that. We made 
adjustments to that passage, based on this suggestion.

> 
> *Typos:*
> 
> ** section 4: s/broad-/broadcast/ in:
>          "because of the special nature of broad- and multicast."
> 
> ** section 5: "are" is missing in:
>          ...for another class of attacks that not related to privacy."
> 
> 

Nice catch.


Best,

Rolf

> Regards,
> 
>    Vincent

v2.23.0 | Report a Bug | By Email