[secdir] SECDIR review of draft-ietf-t cpinc-tcpcrypt-07
Stephen Kent <stkent@verizon.net> Thu, 12 October 2017 16:55 UTC
Return-Path: <stkent@verizon.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35CFC124F57 for <secdir@ietfa.amsl.com>; Thu, 12 Oct 2017 09:55:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id afGaeciTqm1t for <secdir@ietfa.amsl.com>; Thu, 12 Oct 2017 09:55:43 -0700 (PDT)
Received: from omr-a008e.mx.aol.com (omr-a008e.mx.aol.com [204.29.186.51]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEDE513453E for <secdir@ietf.org>; Thu, 12 Oct 2017 09:55:42 -0700 (PDT)
Received: from mtaout-mcc01.mx.aol.com (mtaout-mcc01.mx.aol.com [172.26.253.77]) by omr-a008e.mx.aol.com (Outbound Mail Relay) with ESMTP id A9C253800046; Thu, 12 Oct 2017 12:55:41 -0400 (EDT)
Received: from iMac.fios-router.home (pool-173-48-69-73.bstnma.fios.verizon.net [173.48.69.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mtaout-mcc01.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id B64B03800009A; Thu, 12 Oct 2017 12:55:40 -0400 (EDT)
To: secdir@ietf.org, david.black@dell.com, krose@krose.org, ietf@kuehlewind.net
From: Stephen Kent <stkent@verizon.net>
Cc: bittau@google.com, M.Handley@cs.ucl.ac.uk, dbg@scs.stanford.edu, dm@uun.org, eric.smith@kestrel.edu, sqs@sourcegraph.com
Message-ID: <a81a01d1-f5b8-ea3b-ebc2-2536aa08fb5f@verizon.net>
Date: Thu, 12 Oct 2017 12:55:40 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------98C5D1EC086395F0BE510D0E"
Content-Language: en-US
x-aol-global-disposition: G
x-aol-sid: 3039ac1afd4d59df9e8c14ed
X-AOL-IP: 173.48.69.73
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/gEhPaNdIu9MyBhb_qTfLOTx_bbU>
Subject: [secdir] SECDIR review of draft-ietf-t cpinc-tcpcrypt-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Oct 2017 16:55:49 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.These comments were written with the intent of improving security requirements and considerations in IETF drafts.Comments not addressed in last call may be included in AD reviews during the IESG review.Document editors and WG chairs should treat these comments just like any other last call comments. This document is the specification for tcpcrypt, which is targeted to be an Experimental RFC. It is generally very well written, but it could benefit from a few edits, as noted below. The introduction (section 2) is brief and well written, stating the goals for the design. Section 3 is much longer, providing a detailed description of the protocol. (Although the description is characterized as “abstract” it is very detailed, with only format details deferred to Section 4.) This section also is generally well-written. In 3.2 I suggest including a forward pointer to the IANA Considerations section, since that section describes how future TEPs may be added to the list in Table 2. In 3.5 the text says: When two hosts have previously negotiated a tcpcrypt session, either host may initiate session resumption regardless of which host was the active opener or played the "A" role in the previous session. It’s not clear to me in what time frame this comment is meant to apply, e.g., if two hosts established a tcpcrypt session a week ago, is this comment still supposed to be applicable? Some clarification here would be useful. The end of this section establishes a requirement for an interface to enable an application to control session caching. Are interfaces of this sort commonly provided to applications by an OS? If so, an example would be useful; if not, the authors should acknowledge that this requirement may be problematic, i.e., applications may require modification to make use of the mandated interface. In 3.6 the mention Table 3 also should refer to IANA Considerations, since that section describes how additions algorithms may be added. The last sentence of 3.7 should be broken into several sentences; it is currently 7 lines long! Section 3.8 describes a fairly complicated set of constraintsassociated with rekeying, some of which are inter-related. It might help to have a table here to describe how these constraints interact, e.g., when TCP-mandated retransmission takes place in the context of a rekey. I suggest the following editorial changes in section 3: … assigns different roles to -> … assigns the roles to the two hosts … ephemeral public keys for hosts A and B -> … ephemeral public key agreement keys for hosts A and B … whose length depends -> … the length of which depends … whose integer value -> … the integer value of which … security of the AEAD algorithm -> … security of every AEAD algorithm Section 4 describes the byte-level encoding for the data structures described in Section 3, as part of the tcpcrypt specification. In 4.1 found the description of the “ignored” data the INIT1_ and INIT2_ messages to be a bit confusing. I had to reread the descriptions to figure out that this was the authors’ way of saying that data beyond the end of the message (as indicated by the message_len field) is to be ignored upon reception. I don’t think the graphics used here are a great way to explain this. Section 6 defines the initial set of AEAD algorithms supported by tcpcrypt, in Table 2. Each algorithm is assigned a value in the 1-255 range, a much smaller range of values that used in protocols like TLS. The text in Section 7 might need to remind readers that this will argue against the registration of “vanity” AEAD algorithms for tcpcrypt. Security Considerations are described in Section 8. I found the phrase “Most implementations will rely on system-wide pseudo-random generators…” to be a bit confusing, because the ambiguity of the word “system” here. I presume this really refers to a single device in mots cases, e.g., a laptop, desktop, smartphone, right? I suggest a reference to RFC 4086 might be a good substitute for much of the text at the beginning of this section. I’d like the authors to provide a rationale for the advice: “…limit the lifetime of the private parameters, ideally to no more than two minutes.” This seems a bit arbitrary to me. Suggested editorial changes to Section 8: … is one on which -> is one for which … without guessing the content of the resumption identifier, -> without successfully guessing the value of the resumption identifier, Thus, tcpcrypt specifies a way … -> To counter this threat, tcpcrypt specifies a way …
- [secdir] SECDIR review of draft-ietf-t cpinc-tcpc… Stephen Kent
- Re: [secdir] SECDIR review of draft-ietf-t cpinc-… Daniel B Giffin
- Re: [secdir] SECDIR review of draft-ietf-t cpinc-… Stephen Kent
- Re: [secdir] SECDIR review of draft-ietf-t cpinc-… Daniel B Giffin
- Re: [secdir] SECDIR review of draft-ietf-t cpinc-… Black, David
- Re: [secdir] SECDIR review of draft-ietf-t cpinc-… Stephen Kent