IETF Logo Mail Archive

Re: [secdir] Secdir last call review of draft-weis-gdoi-rekey-ack-05

Yaron Sheffer <yaronf.ietf@gmail.com> Sat, 26 August 2017 15:34 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E952613234B; Sat, 26 Aug 2017 08:34:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WU83E-tSM5k0; Sat, 26 Aug 2017 08:34:53 -0700 (PDT)
Received: from mail-wm0-x22b.google.com (mail-wm0-x22b.google.com [IPv6:2a00:1450:400c:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE74C132328; Sat, 26 Aug 2017 08:34:49 -0700 (PDT)
Received: by mail-wm0-x22b.google.com with SMTP id z132so10828225wmg.1; Sat, 26 Aug 2017 08:34:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=+1ycyli6gJov2aWsTXJ/uYpEg5xLm1LJk9PHltLjdqE=; b=MbZ70t8FomQOYBo45BZoAAMb3wHlQsGlutlUfwNhbHewrSOrX3gq5Ck5Eh4VtbkP88 ArJcobV2szxGaGhfBR5IUzWBIUew1qp3Q3/y4sOjDy8xJ8aIW8Hf49FOMgraFzyMBRas vXHF5cX/Jn7C2IdfRPScbU2xaeoZjywo0hV0uD5iMoR8y4jDU3pNKlDgZWafBdOTs3SW 5Bnu+rbFXNSWExOOGPW07X1T3mCln90Fk0cHsQJnu+YADFEU+gIv7leXoczHkBndQkw4 M4X9q5l8WIdYSHCNeyNIpX0Ji9I3xwnWA/gW4lPb+JOYiakNG7n0elZ9uaKeq9vRZNbT JoWw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=+1ycyli6gJov2aWsTXJ/uYpEg5xLm1LJk9PHltLjdqE=; b=giCKZYFe6E/2DBgXqtzTB9Wrl1za3rU7AlEU9C7Ad+TQvhvTEw7TViqUCchBbpNNOG 6gAE3ys0LeMEfTgTTQ2weoGN3NObip7qdBwPit4ENBg9oksNLVR/krNH9Xc+DnCIHsM/ BLq6P8EXksifemPzzCkt0g5vIetyr3p9P96Mk2Aedd0TuWk+Y4mJy4XlCpeSqpxaL9e/ 9BOff9E9Mn3fp6Z/hF4GINkVzKBlwZLjiEWyr3UXAD/ItmLLyjT1RyIyCI4uWLxyjxC/ q6na4dqwjFRML8v4MasDgs5lfcOBMr+fXw9lrZlF/WQR5IPYSpSakx09qjxhuot7PIxR kAfg==
X-Gm-Message-State: AHYfb5jz6ohzPBBg97YZjGge7pc5VznETHOVOHQAVPfj31oCX7mtWuD4 CXZhPFN29VQkPS41tbA=
X-Received: by 10.28.67.1 with SMTP id q1mr970670wma.162.1503761687829; Sat, 26 Aug 2017 08:34:47 -0700 (PDT)
Received: from [10.0.0.10] (bzq-109-67-55-26.red.bezeqint.net. [109.67.55.26]) by smtp.gmail.com with ESMTPSA id h190sm2955727wmd.4.2017.08.26.08.34.46 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 26 Aug 2017 08:34:46 -0700 (PDT)
To: "Brian Weis (bew)" <bew@cisco.com>
Cc: "secdir@ietf.org" <secdir@ietf.org>, "draft-weis-gdoi-rekey-ack.all@ietf.org" <draft-weis-gdoi-rekey-ack.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
References: <150194814585.18635.3104789196001873381@ietfa.amsl.com> <E61F05DB-EEB0-4140-A2D4-DB11163C4E13@cisco.com>
From: Yaron Sheffer <yaronf.ietf@gmail.com>
Message-ID: <e2b32453-8c4f-9707-0e1f-dab29540fe54@gmail.com>
Date: Sat, 26 Aug 2017 18:34:44 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <E61F05DB-EEB0-4140-A2D4-DB11163C4E13@cisco.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/_JNgYUSQ3I5GxZi5Mmct6UO2_6c>
Subject: Re: [secdir] Secdir last call review of draft-weis-gdoi-rekey-ack-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Aug 2017 15:34:56 -0000

Hi Brian,

Thank you for addressing most of my comments in the new version, and for 
clarifying points where I was off the mark.

The only remaining comment that's only partly addressed is the one on 
crypto agility. Quoting myself:

we need to define whether multiple such payloads can be sent 
simultaneously (if e.g. some GMs still support the old algorithm) and 
what's the expected behavior.

In other words, supporting more algorithms in not sufficient. The 
question is whether we support incremental deployment of a new algorithm 
to a large group of GMs.

Thanks,
	Yaron

On 24/08/17 19:48, Brian Weis (bew) wrote:
> Hi Yaron,
> 
> Thanks for the review. We’ve added some clarification below, and made 
> some changes in -06 to address your comments. Please let us know if we 
> did not address them satisfactorily.
> 
>> On Aug 5, 2017, at 8:49 AM, Yaron Sheffer <yaronf.ietf@gmail.com 
>> <mailto:yaronf.ietf@gmail.com>> wrote:
>>
>> Reviewer: Yaron Sheffer
>> Review result: Has Issues
>>
>> Summary: this reviewer is not clear about the value of the push-ack 
>> (compared
>> to a pull) and about the strategy that was chosen.
> 
> In a group key management system either a “pull” (triggered by a group 
> member) or a “push” (by the key server)" could be used to provide 
> updates to the group. However, a “pull” by the group member implies a 
> polling method, which has the deficiency that the key server cannot 
> cause a policy replacement any sooner than the polling method by the 
> group members. Also “polling” can cause additional unnecessary traffic. 
> So is is better for any update on the group policy or renewal of group 
> keys to be distributed by the GCKS using a PUSH message. The ACK-message 
> is used to offer a feedback mechanism to a policy update for the PUSH 
> exchange.
>>
>> *//*
>>
>> * "For example, a GCKS policy can use the acknowledgements to 
>> determine [...]
>> which members may no longer be members of the group." This sentence is 
>> very
>> confusing: when are members not members?
> 
> We’ve reworded this text. It’s trying to convey that a missing ACK 
> message (or a certain number of it) can be used to identify that a group 
> member is no longer receiving group traffic, and is now may be 
> considered an ex-group member. For example, it could be a multicast 
> receiver that is no longer interested in being a receiver for the group. 
> But it could also be that a network event has caused it to be 
> unavailable for a sufficient length of time such that it doesn’t have 
> current keying material and therefore can’t be considered a current 
> group member. There is no reliable “I’m leaving the group” message flow, 
> and of course in my second example no such messages would have been 
> intended by the group member.
> 
>> * The new protocol capability is defined as optional, but really 
>> isn't. "A GM
>> receiving the KEK_ACK_REQUESTED attribute can choose to ignore it, thus
>> appearing as if it does not support the KEK_ACK_REQUESTED attribute. 
>> However,
>> GCKS policy may consider a non-responsive GM to no longer desire to be 
>> a member
>> of the group." So if you want to play the game, you MUST support the new
>> attribute.
> 
> Point taken. We’ve changed the text to reflect this.
> 
>> * I'm puzzled at the overall protocol. Being able to send ACKs is a GM 
>> software
>> capability. Why not have the GM announce this capability when it initially
>> registers to the GCKS? Then the GCKS would know what to expect, 
>> whereas with
>> the current protocol it is left waiting for an ACK that may never 
>> come, either
>> because the GM is dead or because it just doesn't feel like 
>> responding. Add the
>> long waits (jitter of "a few seconds" and potential retries), and this 
>> looks
>> like a far from optimal management experience.
> 
> Indeed a GM could announce its capability, but whether or not ACKs are 
> desired is a component of the group policy. In the context of GDOI the 
> GCKS is the entity that defines the group policy. There can be groups 
> where the ACK is used, whereas others do not.  The capabilities 
> announcement you suggest could certainly help the KS to know whether or 
> not to expect the ACK from a particular GM, but the focus of this I-D is 
> on the the declaration of the request for ACKs by the GCKS and the 
> format of the ACK.
> 
>> * 2.2: "This is a private key" - to avoid confusion, I suggest: "This is a
>> secret symmetric key" (if this is indeed the case). Obviously using 
>> the same
>> key for encryption and for HMAC is not a best practice.
> 
> We’ve made this change.
> 
>> * Sec. 5: ACK messages can also be duplicated in the network. I 
>> suggest to add
>> a sentence describing what the GCKS should do in this case.
> 
> The Security Considerations (section 7.3) describes a method for the 
> GCKS to detect replays. This is arguably better placed in this section, 
> so we’ve moved it here..
> 
>> * Sec. 6: I am confused about the notion of "jitter" here. If the PUSH 
>> messages
>> are sent as multicast (the recommended alternative AFAICT), I'm not 
>> sure about
>> the benefit of using multicast, given that each recipient responds with a
>> unicast ACK. And if the PUSH is unicast, there should be no reason for 
>> a jitter
>> as the sender can throttle the PUSH messages as necessary.
> 
> The concept of “jitter” is most valuable for responses to a multicast 
> PUSH message. The use of a multicast PUSH message lower processing on 
> the GCKS. Since each GM can e given the exact same policy, there’s no 
> call to send it out as a unicast message. The jitter helps spread out 
> the replies a bit to avoid inundating the GCKS.
> 
>> * Moreover, everything would be much more predictable if the GCKS could
>> indicate if a jitter is expected and how much of a jitter (based on 
>> size of the
>> group, network throughput, and queue length). Specifically, this would 
>> allow
>> the GCKS to tell how long it should wait for an ACK.
> 
> This would be somewhat useful, but in practice might not help the GCKS 
> as much as it seems. The jitter value provided would also be dependent 
> on several network parameters that aren’t under the control of the GCKS 
> or the GM. Even when the GM does not add any jitter to the ACK, the 
> underlying network may delay the PUSH and/or for the ACK. And as stated 
> in Section 6, the GCKS may be configured with additional policy actions 
> like retransmissions to overcome lost ACKs. Altogether to add jitter to 
> the ACK is not a must, it is a way to help the GCKS deal with a huge 
> number of GMs. In practice, we’ve found that having the GMs choose the 
> jitter has worked well, even when the GMs are different implementations.
> 
>> * Cryptographic agility: this document specifies only one algorithm 
>> for the
>> HASH value, and says that if a new algorithm is needed, there will be 
>> a new
>> KEK_ACK_REQUESTED payload defined. However to make sure that this really
>> "works", we need to define whether multiple such payloads can be sent
>> simultaneously (if e.g. some GMs still support the old algorithm) and 
>> what's
>> the expected behavior. I would suggest to define an additional SHA-512 
>> payload
>> just to make for a concrete example.
> 
> This is a good suggestion. We’ve added SHA-512 versions of the existing 
> KEK_ACK_REQUESTED values.
> 
> See <https://tools.ietf.org/html/draft-weis-gdoi-rekey-ack-06>
> 
> Thanks,
> Brian
> 
> -- 
> Brian Weis
> Security, CSG, Cisco Systems
> Telephone: +1 408 526 4796
> Email: bew@cisco.com <mailto:bew@cisco.com>
>

v2.23.0 | Report a Bug | By Email