Re: [secdir] [EXT] Secdir early review of draft-ietf-dtn-bpsec-default-sc-02
"Birrane, Edward J." <Edward.Birrane@jhuapl.edu> Mon, 29 March 2021 03:06 UTC
Return-Path: <Edward.Birrane@jhuapl.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25BD83A2E3B; Sun, 28 Mar 2021 20:06:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.4
X-Spam-Level:
X-Spam-Status: No, score=-4.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=jhuapl.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mQemrYLLA-Xp; Sun, 28 Mar 2021 20:06:44 -0700 (PDT)
Received: from aplegw01.jhuapl.edu (aplegw01.jhuapl.edu [128.244.251.168]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FD003A2E36; Sun, 28 Mar 2021 20:06:44 -0700 (PDT)
Received: from pps.filterd (aplegw01.jhuapl.edu [127.0.0.1]) by aplegw01.jhuapl.edu (8.16.0.43/8.16.0.43) with SMTP id 12T36ewo013673; Sun, 28 Mar 2021 23:06:40 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jhuapl.edu; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=JHUAPLDec2018; bh=2g8WIHk+lVfEeyZCgOsXrKlNdAHb2payaulJZojWpeE=; b=X3MaO6YfuzsUTyyzAAy/vkyWmtItEfaW7e//tWut5WJk7uyBAXvtOffTKxM9sR83yFOa NbB+143V4uEWKRlsEI0gnOKxcLk3KcifqyvZ8bMdRAWmcUnQW1Xg186Ho+JJltetgDwj guvi664flUdQ1mKpPkCclqTibpydQgZ7RPObXpEGJwbooNGR+LtwvRB2wziSg4JyAnN+ ++RMrhqtQvhELyzRJocnC2CeS5Klbz3mgwz7sLxUsvgnecddUZY/YuxzUr5BzVwWl3J9 bH1z4tnizKWM1PAlONIJ43oRZvWZ3hhVW3y3nI+yJDPPveEmtuqPY/FfuWbBnM+k7e7D FA==
Received: from aplex01.dom1.jhuapl.edu (aplex01.dom1.jhuapl.edu [128.244.198.5]) by aplegw01.jhuapl.edu with ESMTP id 37hwr90xea-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Sun, 28 Mar 2021 23:06:40 -0400
X-CrossPremisesHeadersFilteredBySendConnector: aplex01.dom1.jhuapl.edu
Received: from aplex01.dom1.jhuapl.edu (128.244.198.5) by aplex01.dom1.jhuapl.edu (128.244.198.5) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Sun, 28 Mar 2021 23:06:39 -0400
Received: from aplex01.dom1.jhuapl.edu ([fe80::19f5:dcc5:c696:1a50]) by aplex01.dom1.jhuapl.edu ([fe80::19f5:dcc5:c696:1a50%25]) with mapi id 15.00.1497.012; Sun, 28 Mar 2021 23:06:39 -0400
From: "Birrane, Edward J." <Edward.Birrane@jhuapl.edu>
To: Christian Huitema <huitema@huitema.net>, "secdir@ietf.org" <secdir@ietf.org>
CC: "draft-ietf-dtn-bpsec-default-sc.all@ietf.org" <draft-ietf-dtn-bpsec-default-sc.all@ietf.org>, "dtn@ietf.org" <dtn@ietf.org>
Thread-Topic: [EXT] Secdir early review of draft-ietf-dtn-bpsec-default-sc-02
Thread-Index: AQHXHF7Ddo4z96DY4Ey55zJNNRc1HqqaUgaw
Date: Mon, 29 Mar 2021 03:06:39 +0000
Message-ID: <0807ea6d35fa4788ad6ce12480f1a78c@aplex01.dom1.jhuapl.edu>
References: <161611713427.19367.10392386702864224514@ietfa.amsl.com>
In-Reply-To: <161611713427.19367.10392386702864224514@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [128.244.198.169]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OrganizationHeadersPreserved: aplex01.dom1.jhuapl.edu
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369, 18.0.761 definitions=2021-03-28_14:2021-03-26, 2021-03-28 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/QDsIh8WlfJi3TMV2wqrzuwvE4I8>
Subject: Re: [secdir] [EXT] Secdir early review of draft-ietf-dtn-bpsec-default-sc-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Mar 2021 03:06:49 -0000
Christian, Thank you so much for this early security review! My responses to your comments are included below and enumerated with the convention C# for clarity. > The first nit regards the table of BIB-HMAC-SHA2 Security Parameters in > section 3.3.4. The default value for the SHA Variant is specified as "256", but > section > 3.3.1 only defines values 5, 6 and 7 for that parameter. I assume that the > intent is to default to HMAC256/SHA256, but in that case the default should > be 5, not 256. C1: Agreed, this is an error in the -02 version of the document, which has been corrected in the -03 version. > The second nit regards the discussion of authentication and confidentiality in > section 4.1. AEAD algorithms distinguish between authenticated data and > encrypted data. The text expresses a different concept,separate definitions > of "scope of confidentiality" and "scope of authentication". I suggest that > these paragraphs be rewrittent to specify that "the scope of authentication is > always the union of the additional data and the scope of confidentiality." C2: Agreed. The -03 version of the document includes a clarification that the "scope of authentication" to note that it includes the scope of confidentiality in addition to other data. > These are small issues. My real concern with this document is the overall > complexity of the Bundle Protocol and the Security specification. The > protocols appear specified for maximum flexibility. Messages can be relayed. > Relays can add their own security blocks to the bundle. Authentication and > encryption can apply to different blocks in the bundle. Messages can be > fragmented. Nodes can choose to apply different level of security to > different bundles, or to different blocks in the same bundle. I suppose that > these choices are justified by application requirements, but all this > complexity may end up causing interoperability issues, and potential security > failures. C3: Agreed - there is additional complexity in the DTN security suite in general. I see this as more of a comment on the overall DTN ecosystem and not a recommended action on the default security context document. > The way CBOR encoding are used brings another source of complexity. CBOR > allows for different ways of encoding the same data. The bundle security > document and this algorithm specification document request that some data > parts be re-encoded in the "canonical" CBOR format before authentication > tags are computed or verified. Experience in other domains shows that > relying on canonization before authentication is very fragile, and a source of > interoperability failures. It would be much more robust to assume that > authenticated objects are immutable, and that the wire format of these > objects is fed directly into the hash algorithm. C4: The default security context does not, itself, impose stricter canonicalization algorithms as they relate to CBOR - that is done by the BPSec specification. I see this as more of a comment on the BPSec document and not a recommended action on the default security context document. > To mitigate the risk of interoperability failures, I suggest adding test vectors > to the specification. Each test case should start with a clear text test bundle, > apply either authentication or authenticated encryption according to some > variations of the authentication or AAD scope flags, and produce a result. > Different test vectors might start with different mode of CBOR encoding, to > test the canonization process. This kind of investment might save a lot of > time to future developers! C5: I agree that a variety of CBOR representations of bundles, blocks, security blocks, and parameter/result combinations would be welcomed by future developers! Since this default security context document uses well-known algorithms I think repeating AES and HMAC/SHA test vectors are not necessary for this document, and general test vectors related to populating security blocks should not be present (and thus, repeated) for all other security context documents being considered. Instead of adding test vectors to this document, I propose taking the request to the DTN WG for how this more largely-scoped information could be best documented. > Not a comment on this draft, but I see lot of potential issues with > fragmentation. I understand that in a Delay Tolerant Network,relays need to > be able to fragment messages. The draft correctly points out that if an > authenticated message is fragmented, authentication can only be received > while all fragments are received. However, this would not protect from > attacks against fragmentation similar to those seen in IP, IPv6 and TCP. I think > that some kind of secure fragmentation protocol need to be studied and > specified by the working group. > C6: Similar to C5, I think this topic is larger in scope than the default security context document and agree it, like C5, should be brought to the DTN WG. -Ed --- Edward J. Birrane, III, Ph.D. Embedded Applications Group Supervisor Space Exploration Sector Johns Hopkins Applied Physics Laboratory (W) 443-778-7423 / (F) 443-228-3839
- [secdir] Secdir early review of draft-ietf-dtn-bp… Christian Huitema via Datatracker
- Re: [secdir] Secdir early review of draft-ietf-dt… Benjamin Kaduk
- Re: [secdir] [EXT] Secdir early review of draft-i… Birrane, Edward J.