Re: [secdir] Secdir last call review of draft-ietf-perc-private-media-framework

"Paul E. Jones" <paulej@packetizer.com> Sun, 12 May 2019 04:35 UTC

Return-Path: <paulej@packetizer.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 191951200F7; Sat, 11 May 2019 21:35:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=packetizer.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jZOA3jbSLOZs; Sat, 11 May 2019 21:35:06 -0700 (PDT)
Received: from dublin.packetizer.com (dublin.packetizer.com [IPv6:2600:1f18:24d6:2e01:e842:9b2b:72a2:d2c6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55B4A12003E; Sat, 11 May 2019 21:35:06 -0700 (PDT)
Received: from authuser (localhost [127.0.0.1])
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=packetizer.com; s=dublin; t=1557635697; bh=yAnSQ4emBQBwHGC22fewDWw/UOExXZgDOEXVDLXQWHw=; h=From:To:Subject:Cc:Date:In-Reply-To:References:Reply-To; b=f6SiLENzottS81fMoyW3Ylu6PKrA8uG2tIdWouJF2xo4JrI+ImmgKnkq0fAbDOW5J obIED2erjiLLBuWKZ/BE6l3yDXcdAznPxZHXJdMsLOJYr4gzW7TGbb7AuPd/QiDRbM uDE7mdwBeKsUFY8O3OG3wh3JqSy2jHTpy/dZ3yVs=
From: "Paul E. Jones" <paulej@packetizer.com>
To: "Vincent Roca" <vincent.roca@inria.fr>, "The IESG" <iesg@ietf.org>
Cc: "Vincent Roca" <vincent.roca@inria.fr>, "David Benham" <dabenham@gmail.com>, draft-ietf-perc-private-media-framework.all@ietf.org, aamelnikov@fastmail.fm, secdir@ietf.org
Date: Sun, 12 May 2019 04:34:55 +0000
Message-Id: <em9d093e61-1f9f-4cc7-be19-c97343337129@sydney>
In-Reply-To: <1CE6DB48-325C-41C2-A526-3F5FD5FA8388@inria.fr>
References: <155014077570.26619.9407568904769535504@ietfa.amsl.com> <emb104d043-b701-4e92-9e08-1e1815c2981f@sydney> <6882A552-80DF-4322-9683-13D8E655F2DB@inria.fr> <em0afb83b5-7014-4039-88b4-5ae3d87a6b0b@sydney> <DB650EB5-5E7E-46B3-A8B7-524B36D2AC26@inria.fr> <CAM5V9Z8Dz=qSB3n+8RGGx0d=1PgLds01asgOGDyhFL81g=TiuQ@mail.gmail.com> <D519986E-441D-4923-A556-6F3793B451BD@inria.fr> <emde7bdf10-574d-4853-bbf0-cd4bdbe6ec86@sydney> <1CE6DB48-325C-41C2-A526-3F5FD5FA8388@inria.fr>
Reply-To: "Paul E. Jones" <paulej@packetizer.com>
User-Agent: eM_Client/7.2.34711.0
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="------=_MBED1EEE47-568A-499C-B659-8ECC720E5B73"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ekex2JAe9_mO0eSkdUrRLHsenN0>
Subject: Re: [secdir] Secdir last call review of draft-ietf-perc-private-media-framework
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 May 2019 04:35:10 -0000

Vincent,

Once again, thanks for the feedback.  Please allow me to reply inline 
and, if you're OK with the text, I can prepare a new revision.

>** In section 8.1 it is said:
>
>    "While confidentiality
>    would not be compromised by failing to implement mutual
>    authentication, employing it helps mitigate against denial of 
>service
>    attacks wherein a false entity sends a stream of packets that the
>    would force a legitimate entity to spend time attempting to 
>decrypt."
>
>This is true only if authenticating a received packet is cheap, which 
>is
>not necessarily the case. And in section 5 « Authentication » you say 
>that
>"details of this are outside the scope of specification", so we are not
>able to answer the above question: is authenticated really so cheap?
>With certain authenticated encryption technics (e.g. MAC-then-Encrypt),
>decrypting is required before checking data authenticity… So please
>clarify.

Actually, after reading that original text, I think it is even 
misleading to suggest confidentiality is not compromised.  In terms of 
encryption, that would be true, but in terms of net effect, it would 
not: without verifying the certificate, an unwanted party could 
potentially engage in the conference.  I think this would be better text 
(replacing the entire paragraph):

Use of mutual DTLS authentication (as required by DTLS-SRTP) ensures 
that a
false endpoint or false Media Distributor cannot interact with a 
legitimate
Media Distributor or endpoint.  This helps mitigate against denial of 
service
attacks wherein a false entity sends a stream of packets that would 
force
a legitimate entity to spend time attempting to decrypt.

With respect to whether the DoS mitigation is true or not, I think it 
is.  If mutual authentication fails, then no media packets would flow at 
all, thus no wasted time decrypting packets; packets would likely get 
rejected without inspection.  If mutual authentication succeeds, then 
the cost isn't at issue here, anyway, since the point of the paragraph 
is to talk about a side benefit of mutual authentication.  While the 
specifics are outside the scope of the document, the assumption is that 
some mechanism is employed to enable checking the validity of 
certificates.


>NB: there's also a typo in above sentence: "that the would".

Thanks, I fixed that.

>
>
>Finally, shouldn't this paragraph appear after the last one "A third
>party could cause..." since they are both concerning the same DoS 
>issue.
>In that case you start with simple protections (rate limitation, 
>heuristics)
>then continue with (cheap) authentication.

Agreed, moving it makes more sense.


>** Section 8.2.3: the following sentence is unnecessarily obscur IMHO:
>         "Within the window from last packet forwarded to the receiver 
>and the
>         latest received by the Media Distributor,..."
>Why don't you simply say that the MD can choose, at some point of time, 
>to
>delay some packets by an arbitrary duration? Do we really need this 
>notion
>of "window »?

Definitely not essential.  I tried to make whole paragraph a little 
easier to read.  How about this:

While the Media Distributor can purposely stop forwarding media flows, 
it
can also select an arbitrary starting point to resume forwarding those
media flow, perhaps forwarding old packets rather than current packets.
As a consequence, what the media source sent can be substantially 
delayed
at the receiver with the receiver believing that newly arriving packets
are delayed only by transport delay when the packets may actually be
minutes or hours old.

The most significant change with this text, I think, (apart from 
removing "window") is changing "media source said" to "media source 
sent".  If that's less clear, I can try to put "said" back in, but I 
felt the current wording of "that it is what was said just now" was 
really hard to parse.

Thanks!
Paul


>
>
>
>Cheers,
>
>   Vincent
>
>
>>Le 1 mai 2019 à 07:00, Paul E. Jones <paulej@packetizer.com> a écrit :
>>
>>Vincent,
>>
>>I was finally able to get back to this and prepare an updated draft.  
>>I make changes as outlined below that should appear in -10 shortly.
>>
>>Section 8.1: Will add an introductory sentence.
>>Section 8.1: Good point. That's confusing, as mutual authentication is 
>>required in DTLS-SRTP. The value goes beyond cascading, too, and is 
>>really a tool to help mitigate against DoS.  I'll re-word this 
>>paragraph substantially.
>>Section 8.2.2: You're right. I'll make a clear requirement statement 
>>on replay protection earlier in the body of the document and update 
>>that text.
>>Section 8.2.3: Good point. And there is a limited mitigation for this, 
>>which is to re-key the conference periodically.  I'll add another 
>>paragraph about that, since it might not be obvious.
>>
>>Thanks!
>>Paul
>>
>>------ Original Message ------
>>From: "Vincent Roca" <vincent.roca@inria.fr>
>>To: "David Benham" <dabenham@gmail.com>om>; "Paul E. Jones" 
>><paulej@packetizer.com>
>>Cc: "Vincent Roca" <vincent.roca@inria.fr>fr>; secdir@ietf.org; 
>>draft-ietf-perc-private-media-framework.all@ietf.orgtf.org; "The IESG" 
>><iesg@ietf.org>
>>Sent: 3/4/2019 9:02:16 AM
>>Subject: Re: Secdir last call review of 
>>draft-ietf-perc-private-media-framework
>>
>>>Hello David, Paul, all,
>>>
>>>I gave a look at version -09 of your I-D, here are a few comments.
>>>
>>>Summary: Almost ready
>>>
>>>** Section 8.1
>>>  There is a sentence introducing section 8.2, but none for section 
>>>8.1. For instance it is not explicitely
>>>explained what is meant by « 3rd party attack ». I suggest adding a 
>>>sentence.
>>>
>>>** Section 8.1
>>>You’re saying that "If mutual DTLS authentication is not employed… ». 
>>>Is it really an optional mechanism?
>>>I must admit I haven’t read the rest of your I-D where this is 
>>>probably explained, I’m just a bit surprised here.
>>>
>>>** Section 8.2.2
>>>It is suggested but not clearly said that the replay protection of 
>>>Section 3.3.2/[RFC3711] MUST be used.
>>>The sentence can be understood as replay protection is mandatory, 
>>>Section 3.3.2 of [RFC3711] is an example
>>>of such a mechanism.
>>>I don't think this is what you mean.
>>>
>>>** Section 8.2.3
>>>Saying that "The delayed playout attack is a variant of the replay 
>>>attack" is IMHO misleading.
>>>Delaying and re-sending a packet already sent are two different 
>>>attacks (and the fact that replay
>>>protection is of no help against delayed packets is a good sign of 
>>>these differences).
>>>I'd remove this sentence altogether.
>>>
>>>
>>>Otherwise, concerning your previous comment:
>>>
>>>
>>>>Follow up question regarding your general comments on sect 8.1 and 
>>>>8.2 which we have not yet addressed in -09 ;
>>>>
>>>> > Attacks of section 8.1 seems more realistic to me than attacks of 
>>>>section 8.2
>>>> > because of a weaker attacker model: the attacker is outside of the 
>>>>systems,
>>>> > and not necessarily on the path.
>>>> > Therefore I would have liked to see more details in section 8.1, 
>>>>that’s all.
>>>>
>>>>You're asking for greater detail in sect 8.1 precisely because you 
>>>>estimate that third-party attacks (aka outsiders to a given 
>>>>conference) are more likely/common than the attacks we covered in 
>>>>the subsequent 8.2 section.   Is that correct?
>>>>
>>>>If so, I think we could restate some of what we have in sect 8.1 to 
>>>>make it flow better and/or be clearer.   But it is not clear to us 
>>>>what we left out detail-wise, or if we left out other attack 
>>>>examples.
>>>>
>>>>With PERC's HBH integrity checks, authentication as well as HBH and 
>>>>E2E encryption, we can quickly describe in text the 
>>>>prevention/mitigation of attacks on the confidentiality of the 
>>>>media/content - PERCs reason to be - to explain some of the brevity.
>>>>
>>>>Could you help point us in the right direction with an example or 
>>>>two of the things we should do to detail/elaborate sect 8.1.
>>>
>>>[VR] I was surprised to see for instance 8 lines of text in section 
>>>8.2.2 or 8.2.4 to describe attacks
>>>that cannot take place because of the PERC design. That being said, I 
>>>see that version -09 has a
>>>more detailed section 8.1 which is fine.
>>>
>>>Cheers,
>>>
>>>    Vincent
>