Re: [secdir] [ippm] Secdir early review of draft-ietf-ippm-capacity-protocol-04
"MORTON JR., AL" <acmorton@att.com> Fri, 19 May 2023 15:45 UTC
Return-Path: <acmorton@att.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 356EEC151538; Fri, 19 May 2023 08:45:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=att.onmicrosoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fVjdmvzYeRcl; Fri, 19 May 2023 08:45:13 -0700 (PDT)
Received: from mx0b-00191d01.pphosted.com (mx0b-00191d01.pphosted.com [67.231.157.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1DFFC151093; Fri, 19 May 2023 08:45:12 -0700 (PDT)
Received: from pps.filterd (m0288869.ppops.net [127.0.0.1]) by m0288869.ppops.net-00191d01. (8.17.1.19/8.17.1.19) with ESMTP id 34JERb2d020226; Fri, 19 May 2023 11:45:11 -0400
Received: from alpi154.enaf.aldc.att.com (sbcsmtp6.sbc.com [144.160.229.23]) by m0288869.ppops.net-00191d01. (PPS) with ESMTPS id 3qpaw39x2m-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 19 May 2023 11:45:11 -0400
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id 34JFjA09009170; Fri, 19 May 2023 11:45:11 -0400
Received: from zlp30484.vci.att.com (zlp30484.vci.att.com [135.47.91.179]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id 34JFj51q008995 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 19 May 2023 11:45:05 -0400
Received: from zlp30484.vci.att.com (zlp30484.vci.att.com [127.0.0.1]) by zlp30484.vci.att.com (Service) with ESMTP id 2C6D6401E261; Fri, 19 May 2023 15:45:05 +0000 (GMT)
Received: from GAALPA1MSGEX1CE.ITServices.sbc.com (unknown [135.50.89.112]) by zlp30484.vci.att.com (Service) with ESMTP id D614040186B5; Fri, 19 May 2023 15:45:04 +0000 (GMT)
Received: from GAALPA1MSGED2CB.ITServices.sbc.com (135.50.89.133) by GAALPA1MSGEX1CE.ITServices.sbc.com (135.50.89.112) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.23; Fri, 19 May 2023 11:45:04 -0400
Received: from GAALPA1MSGETA02.tmg.ad.att.com (144.160.249.124) by GAALPA1MSGED2CB.ITServices.sbc.com (135.50.89.133) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.23 via Frontend Transport; Fri, 19 May 2023 11:45:04 -0400
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (104.47.56.174) by edgeal.exch.att.com (144.160.249.124) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.23; Fri, 19 May 2023 11:44:59 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=aLKJRHiGloX9m9tLGXVWQ0HXD6O40k8bo5tqgdcOTrigGAxZH9cTXLlj9ucZf0oXm3oWXzY3RKhfIJCj+UFtVJRx6hs6XxTFf7DrRowT43fkCa7YQq+aQ7s73QZb5vDyUecgSDM/IR1OlLzbEmSdxvIllwfuWlCNiHLH1+XAB0M97JHjicwwEDDVCwzZH1/UxJ+REU9HOnIkQZRU3g+ekhkt4MF5n3OR0Q5TwY44OBC6jsiq7PduWCnGVRn8hTA+MyaLVucf5gJ9DBcVRbo+VCbuF1fDQCGWT0ZrdGmu88cOCuLthE9RHm5VaJgFLiF1toiPaeoyQWi/dsGtnVhhYg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=SHGhQjnisP+LzPVug1IIFAZxAJtQlhZRE/nYEN7stMI=; b=edf6PO6lblv2tCK180UCa9szxLIjAf+VYHUCAHKmP+UD3VAyURsdXl8wDt0O6Prr8zwug9QRu4E5h6Ms9XylCbJrPX3JXM0slCqmw6VlhP89AXOOqCDEqo2/bvkGPCz6pDQoC61fdINq+yvVmqaUvpzecchkypYrGg3triGaP6QYRVrJloInTqFNKM1wqu2NBAieHkhrirFEsGiSLZbdF240oI0vqCNPhI8ssvYCYRZLExDrJx/eWkCe6+sJi+BODJvT2Z1uO8AGhuJzLD5LGBfAYF4TiLkySRBmmdt5T8LLDBIFqTFPNo/G+e/Xhlv4qCaaMTDSvPsCmOAUz3x4Iw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=att.com; dmarc=pass action=none header.from=att.com; dkim=pass header.d=att.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=att.onmicrosoft.com; s=selector2-att-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=SHGhQjnisP+LzPVug1IIFAZxAJtQlhZRE/nYEN7stMI=; b=ts4xh5uJlQufDTaqqebRVnS8SNRB3sxpDGyEhwlow7iZwvLSS25gK6WlaeRCbYf2bJ0PLk+ItS738IuGH/g/8ZaSGifHvtEngeOX4kdHWWsYsVbZrwqyBUzs8k15e9rJ1orLt0hMIoTAOvXXBg2dLussYsYffv/tqHbd8T6Tsu4=
Received: from CH0PR02MB7980.namprd02.prod.outlook.com (2603:10b6:610:105::17) by CH3PR02MB9446.namprd02.prod.outlook.com (2603:10b6:610:12b::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6411.21; Fri, 19 May 2023 15:44:57 +0000
Received: from CH0PR02MB7980.namprd02.prod.outlook.com ([fe80::4ee4:9c4a:6c2a:e758]) by CH0PR02MB7980.namprd02.prod.outlook.com ([fe80::4ee4:9c4a:6c2a:e758%7]) with mapi id 15.20.6411.021; Fri, 19 May 2023 15:44:57 +0000
From: "MORTON JR., AL" <acmorton@att.com>
To: Brian Weis <bew.stds@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "draft-ietf-ippm-capacity-protocol.all@ietf.org" <draft-ietf-ippm-capacity-protocol.all@ietf.org>, "ippm@ietf.org" <ippm@ietf.org>, "CIAVATTONE, LEN" <lc9892@att.com>
Thread-Topic: [ippm] Secdir early review of draft-ietf-ippm-capacity-protocol-04
Thread-Index: AQHZTuzbYBLPZe9D0kiW5s+CN9dy268CrwaggDaADfCAFqDKcIASYo2Q
Date: Fri, 19 May 2023 15:44:57 +0000
Message-ID: <CH0PR02MB798036C0A94A0084E08EEF79D37C9@CH0PR02MB7980.namprd02.prod.outlook.com>
References: <167797065961.46817.5654760092907121117@ietfa.amsl.com> <CH0PR02MB79807F2F36C90E0C668CF04DD3839@CH0PR02MB7980.namprd02.prod.outlook.com> <CH0PR02MB79803DDAAF360B4E44E5E5F7D3669@CH0PR02MB7980.namprd02.prod.outlook.com> <CH0PR02MB798059496506CFADD6577240D3709@CH0PR02MB7980.namprd02.prod.outlook.com>
In-Reply-To: <CH0PR02MB798059496506CFADD6577240D3709@CH0PR02MB7980.namprd02.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CH0PR02MB7980:EE_|CH3PR02MB9446:EE_
x-ms-office365-filtering-correlation-id: 9ca5f4c7-a2c7-4943-1564-08db587fffa0
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: GNux9nNU3+4g016avULOTSMaQo0Kxla8n7SkPPyjdxrQBL3Jqox//VfapnX5VVuGHdQAYXF+c+aHOmCT6+LYaI6bObefqnkjbZHg97Lf0+vmVE1W+gwLwXEJlPNBxn9IOi1cy571PA1T+VMptcvH1Li10UjkOe2zRGel3yE43IjO01WF/S0ZWDMmF9d2lOZEZsEAqgIHOaLkq+VCwsPrvLLt8QnIowK3XvTmBEm0s0fB5B68u8YJuZbHSbDf8uEOR/KfmZaZfQTcsL+JbZvJZLej3ZTLW0G5u0YobxcUzQ2ELa+xcrr+xYz+k1GFa8t7u1+AIT8rgJxwHupE2eF9OBVd8hm3g8+sAbQtJuM5Wlh0xlVMdDuHzof8tG38/UXTUR/OCGrAM3wxAtKhDuRceXtMfdnsi/JZ9Vpqe2CstYGmc+H40aSI3VEk8FLqueM6UpWfsWP9gnlE5w7lGaahlRM1Or6j5OVnZf/NMA2DsCJjEhIAXr+9VT0PP/ErdmOCjHJo66TqAytp961YrlVJprbo5srKGieTKeDyBdKP8jqJ7TZNE/6kEYJ2I6TszLEmptmBlpsa654IjtFrcfr2MIk9HAsxfzw3d47cl7Wbew8=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH0PR02MB7980.namprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(4636009)(39860400002)(366004)(376002)(396003)(346002)(136003)(451199021)(478600001)(86362001)(38070700005)(33656002)(110136005)(54906003)(316002)(4326008)(66946007)(66556008)(66476007)(66446008)(76116006)(64756008)(966005)(71200400001)(7696005)(55016003)(8936002)(8676002)(41300700001)(52536014)(5660300002)(2906002)(30864003)(38100700002)(122000001)(82960400001)(26005)(53546011)(9686003)(6506007)(186003)(82202003)(83380400001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: oT2A49Co4S6ENwSisi14A/QjI417KdYEVEx3+79eUXp1DEgE/0vnrOA5YcuU1yCcqOHcMi97FnhU2Zq+BNCEX8dPKYq0K4uz3HAKBgZSlN74kayn4kG6i+/QSXjH8ig2I2yEwJ4ummbh2t64K4eI5gy/eeM9DyZ0t+e3lmQ8MLF2Y6DxSxkCa9oT4dy2SdECbOHRHUq08j47a0MHWXcNQeOgu/X4y+gz+5lORVOZA9wbwO7cDvTLvcS3mOUn9hJ9IIWC1w/keetPXtCZwyzzQVi7J93r8LVfzmSWfCV/6lzAIuWk0OMdUpb2vIcLHv3rMJtf/iGhh+hwkfPVqKJYN9ZDXyn0Nli36SJEsR+19vCf5iWPW2NfGJaJ3rruRBU3+qkKFNVbZfVbWz24B6/16SS4FfwaJTsBceOV400yAcWU074W2iMAH04OOWVieq1KrbPQ2Q35rCG+fLKz5IWSg4QehdXCunh71fk20WbzV7kQpmwI55jQ4TN8NSvfU3vNIQhzZNkplCoRaEV7uyFaf3sJsm0UNfA5l01TaGwi2kMejl/tXGPCzTDjLChX7iYXGnM3IzWjNkBfnwNLq21o3X/rYXlpJiydS86db8YyCigOrC27PobSrDI8DzKuynDQQBYY/W5fHU340dA1PsDk4kixa6GhWV7E6ZeX664rvdDzb5TDYfw2PqiogClTWv/4B1fxxHIXJnVkv9eaTgbcFKNRHdoSfScF4lN2EYxRMlm63BJUWd5ze7RoNbMoONmJJnICZEklN7sP3ZHL5JQoZWR2YiuQXUPH8bef0p4tV8jQTJ5oehvMk2yVaOgvbYqhliL700cX/eUr+lwFZqY+TdVdKPa6ooAuiLtTCifT+YEusI19XGRpE7Okqwy4V2ZcXGQ+aSDOeMERAXIH8VJ0nGwbIRVqeEdHBn9d9TeFtWQB6k/EvYajvcRY1HibmmWq7g/J/xu+peHEhQIniAGNNcYOUzEtKK9uApyYwjPupO5TE5hQgJ4GfhE+PcbyemMfaTAE8pdANdPNkIZFTkphq8r+fN0XyFnVBDFZWBKGXOs07hDhF2/qo+TVVJfbAkYh1IvtORLGW58g5UuJxNvGEsNrCFdyQz6/uVFllxeDppL3Br7CQcYs9edsWwRriHTIHbXH/z1MosGadQZOXoOJ6nw1Q5pgiAJdIjKt0+85YfYsIBMSk+Qa6p/Azo9WnI8PQWPAJ3iYHtJ87Nk581V20rmxWMZ+kxJQChu1qZMy8vIOaawW146WoL3Va9eB7kWXOZP4p+9D95eF9d9R+91ICQLv68kBebMjCkUoUxHdH8j98eIKd0/NcocbQ2C0cbhB+CcVkqWsFoTvfP+XpbIZnIuBgsNuULFizBCnFaLjmypLw+zPyJtOdTR8li7C3j4mVYpYW3xszQWYkqlwPBfrjwqHCCsdHFy87tmqCR+sKS+/ZgzgISw+AAr+T+pSeUpUknqjzkcuCndWeXKix0M4VOyX5F0ua0phKCnb/d/C7ut7O0VbPc0yVtw6lVgadxaxaOzEPjNpGbETudEBZaS27AyFviHY73at73XltaIejmI=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR02MB7980.namprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 9ca5f4c7-a2c7-4943-1564-08db587fffa0
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 May 2023 15:44:57.5482 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: e741d71c-c6b6-47b0-803c-0f3b32b07556
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: GWouj93+i9K8zdrsGrW2Fzz2qxHWeFJ7mh3sBFATgc8PzG5o1xdF6n5dX1hPf8NJ
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH3PR02MB9446
X-TM-SNTS-SMTP: 8BCE7C2941328F4E40A6533864FE2396D84A406D708A39CE7D216BD9ADF63B9B2
X-Proofpoint-ORIG-GUID: 9DeBb9j1lEAcMgQfGqGDLAXYh0hmqcL6
X-Proofpoint-GUID: 9DeBb9j1lEAcMgQfGqGDLAXYh0hmqcL6
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.957,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-05-19_10,2023-05-17_02,2023-02-09_01
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 clxscore=1015 adultscore=0 mlxlogscore=999 suspectscore=0 mlxscore=0 malwarescore=0 lowpriorityscore=0 phishscore=0 impostorscore=0 priorityscore=1501 spamscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2304280000 definitions=main-2305190134
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/MNJbZemw6sqtGRX8EKuQmXfBpt4>
Subject: Re: [secdir] [ippm] Secdir early review of draft-ietf-ippm-capacity-protocol-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 May 2023 15:45:17 -0000
Hi Brian, Revising our key question: For Encrypted mode: What if we combined AES-CBC-128 with our current Authentication HASH (SHA-256), for a complete (but two-part) solution? Will this be acceptable, given our plan to use long-lived keys? We would abandon the "authenticated encryption" preference stated earlier. please let us know, thanks, Al > -----Original Message----- > From: MORTON JR., AL > Sent: Sunday, May 7, 2023 6:55 PM > To: Brian Weis <bew.stds@gmail.com>; secdir@ietf.org > Cc: draft-ietf-ippm-capacity-protocol.all@ietf.org; ippm@ietf.org > Subject: RE: [ippm] Secdir early review of draft-ietf-ippm-capacity-protocol- > 04 > > Hi Brian, reminder of our key question, below, > Al > > > -----Original Message----- > > From: MORTON JR., AL > > Sent: Sunday, April 23, 2023 9:26 AM > > To: Brian Weis <bew.stds@gmail.com>; secdir@ietf.org > > Cc: draft-ietf-ippm-capacity-protocol.all@ietf.org; ippm@ietf.org > > Subject: RE: [ippm] Secdir early review of draft-ietf-ippm-capacity- > protocol- > > 04 > > > > Hi Brian, > > > > We would like to receive your feedback on our proposal for a replacement > > encryption algorithm: > > > > > Ok. We were attracted to the "authenticated encryption" aspect of GCM, but > > we > > > can get that with AES-CCM too. > > > > Does AES-CCM alleviate the issues and fit our plans to use long-lived keys, > > etc.? > > > > With this feedback, we can proceed with updates to the draft. > > thanks, > > Al > > > > > -----Original Message----- > > > From: MORTON JR., AL > > > Sent: Sunday, March 19, 2023 5:08 PM > > > To: Brian Weis <bew.stds@gmail.com>; secdir@ietf.org > > > Cc: draft-ietf-ippm-capacity-protocol.all@ietf.org; ippm@ietf.org > > > Subject: RE: [ippm] Secdir early review of draft-ietf-ippm-capacity- > > protocol- > > > 04 > > > > > > Hi Brian, > > > > > > Thanks for your reply on the second SEC-DIR early review! > > > > > > We have summarized the topics for reply, below. Your review is appended. > > > > > > Al and Len > > > > > > > > > # Key comments and replies for discussion: > > > > > > > — The use of AES-GCM with a long-lived symmetric key (such as one > > > > on an RFC 7210 key chain) is not safe. ... (suggests a CBC mode) ... > > > and > > > > — Unauthenticated encryption is generally seen as risky, so when... > > > > > > Ok. We were attracted to the "authenticated encryption" aspect of GCM, but > > we > > > can get that with AES-CCM too. The Initialization Vector (IV) will be > > > generated by a pseudo-random generator with unique seed for each session, > > and > > > have sufficient size to avoid duplication over the life of a long-lived > key. > > > The IV can be communicated in the clear, so we will. > > > > > > > — Also, there are some additional parameters that need to determined > > > > to guarantee interoperability. For example, which octets are > > > > encrypted, if a partial block needs to be encrypted how is it padded > > > > out before encryption to make a full block, and requirements on IV > > > > generation (e.g., that is must be from a good quality random number > > > > generator). > > > > > > We need to check if padding is needed for any of our PDUs, but the PDUs > will > > > be fixed size so it's a static fix. > > > We'll specify the IV generation method. > > > > > > > > > > > > # Tension between Security and Measurement operation: > > > > > > > — Section 5.1.1 doesn’t say the network addresses and headers are > > > > included in the digest. It’s generally good practice to include > (them)... > > > > > > Our test scope includes ISP Subscribers, so NAPT transversal is critical > and > > > precludes including the addresses. > > > > > > > ... a valid message > > > > (e.g., Setup Request) can be extracted and placed in a different > > > > measurement flow that is not intended by the original sender. This is > > > > a substitution attack. > > > > > > All of the IPPM test protocols are susceptible to the substitution attack, > > and > > > there is no thorough mitigation that we know-of (including time in the > > digest > > > is a partial mitigation). > > > > > > Packet De-duplication, in DTLS and IPsec: > > > > This is generally seen as a feature for network > > > > encryption methods. > > > Right, but measurement systems expect to observe packet duplication when > it > > > occurs. A trade-off is required, and the primary goal is measurement. > > > > > > > > > # Edits and Nits: > > > We will take care of other requests for clarifications requested > > > - digest coverage > > > - MBZ definition > > > - “Support for client-server authentication ….”. > > > - four Security modes, but encrypted tunnel makes five - becomes a > paragraph > > > - mismatch > > > > > > > -----Original Message----- > > > > From: ippm <ippm-bounces@ietf.org> On Behalf Of Brian Weis via > Datatracker > > > > Sent: Saturday, March 4, 2023 5:58 PM > > > > To: secdir@ietf.org > > > > Cc: draft-ietf-ippm-capacity-protocol.all@ietf.org; ippm@ietf.org > > > > Subject: [ippm] Secdir early review of draft-ietf-ippm-capacity- > protocol- > > 04 > > > > > > > > Reviewer: Brian Weis > > > > Review result: Has Issues > > > > > > > > I have reviewed this document as part of the security directorate's > > > > ongoing effort to review all IETF documents being processed by the > > > > IESG. These comments were written primarily for the benefit of the > > > > security area directors. Document editors and WG chairs should treat > > > > these comments just like any other last call comments. > > > > > > > > General comments > > > > > > > > (1) The guidance of what bytes are included in the SHA-256 calculation > > > > and result placed in the authDigest field might need some enhancement. > > > > > > > > — Some places say that the authDigest field is zeroed (e.g., Section > > > > 4.2.2 ) and some says “The SHA-256 calculation SHALL cover all the > > > > preceding fields.”, which seems to omit the auhDigest field. I guess > > > > these aren't mutually exclusive statements, but it would be cleaner > > > > to have all of the description in one place so it is clear. > > > > > > > > — Section 5.1.1 doesn’t say the network addresses and headers are > > > > included in the digest. It’s generally good practice to include > > > > more context into the digest calculation so that a valid message > > > > (e.g., Setup Request) can’t be extracted and placed in a different > > > > measurement flow that is not intended by the original sender. This is > > > > a substitution attack. > > > > > > > > — If network addresses and headers aren’t included in the digest, > > > > then it will be important to describe why the substitution attack > > > > isn’t a threat. I understand that if NAT on the client that including > > > > it's network address is not possible, but there's still an issue. > > > > > > > > — Note that the inclusion of authUnixTime with the receiver > > > > checking “acceptable immediacy” is only a partial mitigation for a > > > > substitution attack, since the receiver’s notion of “acceptable > > > > immediacy” is apparently quite long from an attacker's perspective > > > > “(+/- 2.5 minutes)” and any other message including this PDU sent > > > > fron an attacker (e.g., with different network headers) during this > > > > period will be acceptable to the receiver. Reducing the window > > > > size won’t completely mitigate this attack either. > > > > > > > > (2) There doesn’t seem to be a definition for the MBZ octets and > > > > remainder bits, or a description of their purpose. (I’m guessing > > > > it’s “must be zero” but even that should be defined for the reader.) > > > > > > > > Specific comments > > > > > > > > Section 4.2.4. > > > > > > > > — The use of AES-GCM with a long-lived symmetric key (such as one > > > > on an RFC 7210 key chain) is not safe. The IV used by GCM is not a > > > > random IV such as used by some other modes of which you might be > > > > aware (e.g., CBC), but rather it is a counter that must NEVER > > > > repeat with that key. Ensuring no repeats is not operationally > > > > feasible for a key kept on a key chain. I.e., The counter must keep > > > > incrementing between packets, reliably stored over a reboot so that > > > > it isn't used again, and when the counter reaches the maximum value > > > > the key is not longer usable. I would recommend specifying CBC mode > > > > and a randomly chosen IV. > > > > > > > > — Also, there are some additional parameters that need to determined > > > > to guarantee interoperability. For example, which octets are > > > > encrypted, if a partial block needs to be encrypted how is it padded > > > > out before encryption to make a full block, and requirements on IV > > > > generation (e.g., that is must be from a good quality random number > > > > generator). > > > > > > > > — Unauthenticated encryption is generally seen as risky, so when > > > > encryption is included the the authDigest should also be used as > > > > it is in the other modes. Figure 2 should have both authDigest AND > > > > IV fields. > > > > > > > > Section 4.2.5. This section mentions that DTLS is not useful because > > > > “The replay protection would remove duplicated packets and prevent > > > > transparent measurement of this impairment.”. IPsec will also > > > > transparently remove duplicate packets, and since TLS is based on > > > > TCP, which has duplicate segment protection, I would expect that > > > > the application would also never see duplicate measurement PDUs > > > > from TLS either. This is generally seen as a feature for network > > > > encryption methods. > > > > > > > > Section 10. “Client-server authentication and integrity protection > > > > for feedback messages conveying measurements is REQUIRED.” Since > > > > one of the methods allows “unauthenticated mode for all messages”, > > > > I think this is meant to start with “Support for client-server > > > > authentication ….”. That is, the REQUIRED language means > > > > it must be implemented, but not used. > > > > > > > > Nits > > > > > > > > — Section 4.2 says “There are four security modes of operation”, > > > > which is also stated elsewhere, but there seems to actually be five. > > > > I understand that the fifth one is actually an external security > > > > mode that can be combined with one of the four modes (e.g., > > > > “unauthenticated mode for all messages”) in the PDU. It might be > > > > clearer to take the fifth one out of the list and just make it a > > > > paragraph. > > > > > > > > — Section 4.2.1 s/miss-match/mismatch/ > > > > > > > > > > > > _______________________________________________ > > > > ippm mailing list > > > > ippm@ietf.org > > > > > > > > > > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/ippm__;!!Bhd > > > > T!lLiKK4svDahYLFenpa6d7FQa-qA1f4ltd7wjaRx1S- > > > YZCr9cEveGl5UOAc3B7KuEPYEWE3uif4c$
- [secdir] Secdir early review of draft-ietf-ippm-c… Brian Weis via Datatracker
- Re: [secdir] [ippm] Secdir early review of draft-… MORTON JR., AL
- Re: [secdir] [ippm] Secdir early review of draft-… MORTON JR., AL
- Re: [secdir] [ippm] Secdir early review of draft-… MORTON JR., AL
- Re: [secdir] [ippm] Secdir early review of draft-… MORTON JR., AL
- Re: [secdir] [ippm] Secdir early review of draft-… Brian Weis
- Re: [secdir] [ippm] Secdir early review of draft-… MORTON JR., AL