[secdir] secdir review of draft-ietf-dtn-bpsec-06
Dan Harkins <dharkins@lounge.org> Wed, 30 May 2018 18:45 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FE0F12EA52; Wed, 30 May 2018 11:45:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_FAIL=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m0K5rBrijT0m; Wed, 30 May 2018 11:45:13 -0700 (PDT)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id 4FDA012E8D6; Wed, 30 May 2018 11:45:13 -0700 (PDT)
Received: from thinny.local (69-12-173-8.static.dsltransport.net [69.12.173.8]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by colo.trepanning.net (Postfix) with ESMTPSA id 75E8FA888020; Wed, 30 May 2018 11:45:12 -0700 (PDT)
To: secdir@ietf.org, "iesg@ietf.org" <iesg@ietf.org>
Cc: draft-ietf-dtn-bpsec.all@ietf.org
From: Dan Harkins <dharkins@lounge.org>
Message-ID: <3e8f4b68-f4af-00e8-293b-e2adbc3f1798@lounge.org>
Date: Wed, 30 May 2018 11:45:10 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------0AEA476AFDA53DBF7C4335C2"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/HVdtxXzoZdIPQfukRyIs0-rBzeQ>
Subject: [secdir] secdir review of draft-ietf-dtn-bpsec-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 May 2018 18:45:16 -0000
Hello, I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The summary of my review is: Almost-Ready. This draft describes a protocol called BPSec which "provides end-to-end integrity and confidentiality services for BP bundles." But it doesn't really define a security protocol because it leaves key establishment and the actual ciphers used to afford end-to-end protection to bundles to different documents. So it's sort of like EAP in that respect. 1. Issues with encryption and integrity protection There are 2 different blocks defined, a Block Integrity Block (BIB) that provides integrity protection and a Block Confidentiality Block (BCB) that encrypts the block. Apparently, the BCB does not also provide integrity protection of its ciphertext since the draft says that, while multiple security operations on the same block are invalid, doing integrity protection and confidentiality on the same block is valid. This opens up some insecure options that don't need to be allowed, like integrity protect then encrypt, or integrity protect and encrypt. I think it would be a good idea to mandate that whatever ciphersuite is used for a BCB (again, the draft does not specify ciphersuites) that it provides authenticated encryption. Then update the uniqueness requirement in section 3.2. The example in figure 3 does authenticate-then-encrypt which is not robust. This needs to change. The processing order in 5.1 states "BCBs MUST be evaluated first and BIBs second." This is wrong, it's mandating a fragile construct whose security depends on the cipher mode and that is dangerous. Strongly suggest changing this and using and AEAD cipher. Also in 5.1: "If an encrypted payload block cannot be decrypted...." How would you know? As long as it's the right size it will decrypt into something. That something might be garbage but decryption was successful. This is another reason to mandate AEAD. If it fails, it fails hard, no two step required. My suggestion to use an AEAD cipher seems to conflict somewhat with the fragmentation/reassembly text which says that application of a confidentiality cipher suite MUST NOT alter the size of the payload. That is going to have to be reconciled somehow. This document should not allow anything other than encrypt-then-authenticate (and it should do so by mandating AEAD ciphers) and if that requires some rewrite of the fragmentation/reassembly text then so be it. II. Issues with RFC 2119 words I hate to be a stickler on stuff like this but... Section 2.2 which begins, "A bundle MAY have multiple security blocks and these blocks MAY have different security sources." Now, to me, MAY means it's optional and that if I don't implement it I can still stay compliant. But that's not how I'm reading this. What I'm reading is an admonition to not assume uniformity in bundles, which seems like an important statement that is the opposite of the literal MAY text. It's really you MUST NOT assume that a bundle has uniform security. Section 3.3: "A set of security operations may be represented by a single security block if and only if the following conditions are true...." That sounds kind of normative. Do the authors mean "A set of security operations SHALL be represented by a single security block...."? Regarding the optional "Security Source" in the Abstract Security Block in section 3.6: "If the security source field is not present then the ource MAY be inferred from other information...." And that means I can choose to not implement this optional inference. In which case, what do I do? I think some instruction to implementers is needed but I'm not sure what it is. Basically, I think the whole document should be searched for "may" (case insensitively) and each instance looked at closely. III. Security Considerations The security considerations are thorough and well done although the first three paragraphs in section 8 seem to boil down to the fact that the DTN is assumed to be completely under the control of an attacker. I think that's all that needs to be said there. regards, Dan.