IETF Logo Mail Archive

[secdir] SECDIR review of draft-ietf-t cpinc-tcpcrypt-07

Stephen Kent <stkent@verizon.net> Thu, 12 October 2017 16:55 UTC

Return-Path: <stkent@verizon.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35CFC124F57 for <secdir@ietfa.amsl.com>; Thu, 12 Oct 2017 09:55:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id afGaeciTqm1t for <secdir@ietfa.amsl.com>; Thu, 12 Oct 2017 09:55:43 -0700 (PDT)
Received: from omr-a008e.mx.aol.com (omr-a008e.mx.aol.com [204.29.186.51]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEDE513453E for <secdir@ietf.org>; Thu, 12 Oct 2017 09:55:42 -0700 (PDT)
Received: from mtaout-mcc01.mx.aol.com (mtaout-mcc01.mx.aol.com [172.26.253.77]) by omr-a008e.mx.aol.com (Outbound Mail Relay) with ESMTP id A9C253800046; Thu, 12 Oct 2017 12:55:41 -0400 (EDT)
Received: from iMac.fios-router.home (pool-173-48-69-73.bstnma.fios.verizon.net [173.48.69.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mtaout-mcc01.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id B64B03800009A; Thu, 12 Oct 2017 12:55:40 -0400 (EDT)
To: secdir@ietf.org, david.black@dell.com, krose@krose.org, ietf@kuehlewind.net
From: Stephen Kent <stkent@verizon.net>
Cc: bittau@google.com, M.Handley@cs.ucl.ac.uk, dbg@scs.stanford.edu, dm@uun.org, eric.smith@kestrel.edu, sqs@sourcegraph.com
Message-ID: <a81a01d1-f5b8-ea3b-ebc2-2536aa08fb5f@verizon.net>
Date: Thu, 12 Oct 2017 12:55:40 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------98C5D1EC086395F0BE510D0E"
Content-Language: en-US
x-aol-global-disposition: G
x-aol-sid: 3039ac1afd4d59df9e8c14ed
X-AOL-IP: 173.48.69.73
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/gEhPaNdIu9MyBhb_qTfLOTx_bbU>
Subject: [secdir] SECDIR review of draft-ietf-t cpinc-tcpcrypt-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Oct 2017 16:55:49 -0000

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.These comments were written with the intent of improving security 
requirements and considerations in IETF drafts.Comments not addressed in 
last call may be included in AD reviews during the IESG review.Document 
editors and WG chairs should treat these comments just like any other 
last call comments.

This document is the specification for tcpcrypt, which is targeted to be 
an Experimental RFC. It is generally very well written, but it could 
benefit from a few edits, as noted below.

The introduction (section 2) is brief and well written, stating the 
goals for the design.

Section 3 is much longer, providing a detailed description of the 
protocol. (Although the description is characterized as “abstract” it is 
very detailed, with only format details deferred to Section 4.) This 
section also is generally well-written.

In 3.2 I suggest including a forward pointer to the IANA Considerations 
section, since that section describes how future TEPs may be added to 
the list in Table 2.

In 3.5 the text says:

When two hosts have previously negotiated a tcpcrypt session,

either host may initiate session resumption regardless of which

host was the active opener or played the "A" role in the

previous session.

It’s not clear to me in what time frame this comment is meant to apply, 
e.g., if two hosts established a tcpcrypt session a week ago, is this 
comment still supposed to be applicable? Some clarification here would 
be useful. The end of this section establishes a requirement for an 
interface to enable an application to control session caching. Are 
interfaces of this sort commonly provided to applications by an OS? If 
so, an example would be useful; if not, the authors should acknowledge 
that this requirement may be problematic, i.e., applications may require 
modification to make use of the mandated interface.

In 3.6 the mention Table 3 also should refer to IANA Considerations, 
since that section describes how additions algorithms may be added.

The last sentence of 3.7 should be broken into several sentences; it is 
currently 7 lines long!

Section 3.8 describes a fairly complicated set of constraintsassociated 
with rekeying, some of which are inter-related. It might help to have a 
table here to describe how these constraints interact, e.g., when 
TCP-mandated retransmission takes place in the context of a rekey.

I suggest the following editorial changes in section 3:

… assigns different roles to -> … assigns the roles to the two hosts

… ephemeral public keys for hosts A and B -> … ephemeral public key 
agreement keys for hosts A and B

… whose length depends -> … the length of which depends

… whose integer value -> … the integer value of which

… security of the AEAD algorithm -> … security of every AEAD algorithm

Section 4 describes the byte-level encoding for the data structures 
described in Section 3, as part of the tcpcrypt specification. In 4.1 
found the description of the “ignored” data the INIT1_ and INIT2_ 
messages to be a bit confusing. I had to reread the descriptions to 
figure out that this was the authors’ way of saying that data beyond the 
end of the message (as indicated by the message_len field) is to be 
ignored upon reception. I don’t think the graphics used here are a great 
way to explain this.

Section 6 defines the initial set of AEAD algorithms supported by 
tcpcrypt, in Table 2. Each algorithm is assigned a value in the 1-255 
range, a much smaller range of values that used in protocols like TLS. 
The text in Section 7 might need to remind readers that this will argue 
against the registration of “vanity” AEAD algorithms for tcpcrypt.

Security Considerations are described in Section 8. I found the phrase 
“Most implementations will rely on system-wide pseudo-random 
generators…” to be a bit confusing, because the ambiguity of the word 
“system” here. I presume this really refers to a single device in mots 
cases, e.g., a laptop, desktop, smartphone, right? I suggest a reference 
to RFC 4086 might be a good substitute for much of the text at the 
beginning of this section.

I’d like the authors to provide a rationale for the advice: “…limit the 
lifetime of the private parameters, ideally to no more than two 
minutes.” This seems a bit arbitrary to me.

Suggested editorial changes to Section 8:

… is one on which -> is one for which

… without guessing the content of the resumption identifier, -> without 
successfully guessing the value of the resumption identifier,

Thus, tcpcrypt specifies a way … -> To counter this threat, tcpcrypt 
specifies a way …

v2.23.0 | Report a Bug | By Email