IETF Logo Mail Archive

[secdir] secdir review of draft-ietf-tsvwg-rfc4960-bis-15

David Mandelberg <david@mandelberg.org> Tue, 12 October 2021 02:12 UTC

Return-Path: <david@mandelberg.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE03F3A0B91 for <secdir@ietfa.amsl.com>; Mon, 11 Oct 2021 19:12:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=mandelberg.org header.b=GxVrtTYY; dkim=pass (2048-bit key) header.d=mandelberg.org header.b=Jmdn0NJY
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PXdBjQqyxaiO for <secdir@ietfa.amsl.com>; Mon, 11 Oct 2021 19:12:12 -0700 (PDT)
Received: from mail-ua1-x962.google.com (mail-ua1-x962.google.com [IPv6:2607:f8b0:4864:20::962]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 290283A0B83 for <secdir@ietf.org>; Mon, 11 Oct 2021 19:12:12 -0700 (PDT)
Received: by mail-ua1-x962.google.com with SMTP id h19so4377914uax.5 for <secdir@ietf.org>; Mon, 11 Oct 2021 19:12:11 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:dkim-signature:dkim-signature:to:from:subject :message-id:date:user-agent:mime-version:content-language :content-transfer-encoding; bh=4xOiGvxffyzZvc7j/Rr9A2jLcSL2ZDsRzSBKOPM3Vww=; b=UcG68RZQn5ZqpftOBgditXdiigDuaGrb5lcgdcVbSEPodbX7h6qU0Ky+v3XW/LaBio b7o/b5+PJkoBfz6ME7jMyHlTT2TS9H9c7Y2J3yBpCqxo895WJrLxZo1hbJXgLEdUNNO5 JXF1jCvYnWZYUI5zsScJmDm5cuvnTBtU5ENiLJWsSe6JYts78g1/yIRAyLT+lNV2NJpR ze0c0F/xl6mSe/M4DtbH4ehKHcP7RXvL6uYYV07GoG7t6prwdqGcZuXjJq+JARRGxa0d /vJWekzpXBz0Y+vRyqky9ggBA10RH5EBxGh55kGdIGg7kPqqv8EPKje1iq4Rut6Ow79e bnDA==
X-Gm-Message-State: AOAM532N2OvffaplzMwo5u4SRKzxzAjknEq7xUSoE5DbYdlDYCfx5lor PqYnjUCeRp+gs+hE//C+bjCcHQE3pK8T9dU/JjzfGr/VIev3GA==
X-Google-Smtp-Source: ABdhPJw+eHjmJzkwuab6apsrvj4KKf+XjzfYtS2wYkGbF1XQtSu9ZZSNAYe6SlMBCjiaNebZds6lHrkio/sU
X-Received: by 2002:a67:ac42:: with SMTP id n2mr28216024vsh.21.1634004730890; Mon, 11 Oct 2021 19:12:10 -0700 (PDT)
Received: from mail-outbound-e14cf917.virgo.mandelberg.org (pool-74-104-157-60.bstnma.fios.verizon.net. [74.104.157.60]) by smtp-relay.gmail.com with ESMTPS id e15sm2299114uaa.0.2021.10.11.19.12.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 11 Oct 2021 19:12:10 -0700 (PDT)
X-Relaying-Domain: mandelberg.org
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=mandelberg.org; i=@mandelberg.org; q=dns/txt; s=mail-outbound-e14cf917-07914516; t=1634004730; h=to : from : subject : message-id : date : mime-version : content-type : content-transfer-encoding : from; bh=xyAHBCBNoQ8R1QXVMw5tsyjE21N3mjN5VJdqzR3zZAc=; b=GxVrtTYYXoln80Bai1Ajk/20cWtAyAnJc8L433Sqk8uEOKbPtFTTgbP4DQaHGBrtLrUlc KmKMifZYEUQZLS0DA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mandelberg.org; i=@mandelberg.org; q=dns/txt; s=mail-outbound-e14cf917-b7c648a2; t=1634004730; h=to : from : subject : message-id : date : mime-version : content-type : content-transfer-encoding : from; bh=xyAHBCBNoQ8R1QXVMw5tsyjE21N3mjN5VJdqzR3zZAc=; b=Jmdn0NJYBHLIZcdKpBL4s6Sg+LJxYxTqyQb6Lre6OX99UDn4Mz5193x73G7QZCDXf3ROc MwucOcnoWRwRQ603BSkuUm9bshZQznybs/T5M2i7saKONpdFD169ExtR8Q3h3CEE8e6LgDL Rl0un/DgfYx049Qv59lLzINy6kydF3xxENp4wLdrpGtA/bjGpPZOWjTxfZAYTcM3keZAB7R R1PppKlLUYuOPBJlAqQ6f6aYUfg9yZb+Qkp7i3ehcLf69j2v6hNSJ2QdnhiJqtrGCoxPPgB U01j4osTiLVT7PnUljbjt9dpcwwh4ifk6s+SbzGkjGzBCx1Dc4fA/LgcsAFw==
Received: from [IPv6:fde5:2b79:35f0:2::14e] (solaria.virgo.mandelberg.org [IPv6:fde5:2b79:35f0:2::14e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail-outbound-e14cf917.virgo.mandelberg.org (Postfix) with ESMTPSA id 4HSzgt2Ck4z10Zt; Tue, 12 Oct 2021 02:12:10 +0000 (UTC)
To: secdir@ietf.org, iesg@ietf.org, draft-ietf-tsvwg-rfc4960-bis.all@ietf.org
From: David Mandelberg <david@mandelberg.org>
Message-ID: <6bad085d-aea3-c827-5788-2d377ec0fac3@mandelberg.org>
Date: Mon, 11 Oct 2021 22:12:10 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/jjMl1h7m27GGcT--1IaqbZAHdO8>
Subject: [secdir] secdir review of draft-ietf-tsvwg-rfc4960-bis-15
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Oct 2021 02:12:18 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is Ready with nits.

(nit) Section 2.3 describes MACs as "based on cryptographic hash 
functions using a secret key". If the intent is to limit this to MACs 
that use cryptographic hash functions, I'd suggest using the term HMAC 
instead of MAC. If not, I think there are other MAC algorithms that 
don't use hashes.

(nit) The description of Chunk Length in Section 3.2 seems a bit 
complicated. (Not a lot complicated, just a bit.) I'd expect at least 
occasional security issues from incorrect implementations in programming 
languages that don't enforce in-bounds memory access. I'm guessing it's 
either too late to simplify the field, or there are good reasons for it 
to be the way it is? Are there any lessons learned by existing 
implementations that would be worth mentioning to help future 
implementors avoid issues with out-of-bounds memory access here? ("No" 
is a fine answer if this turns out to not have been a problem.)

(nit) Section 5.1.5, bullet point 4 says 'If the elapsed time is longer 
than the lifespan carried in the State Cookie, then ... the endpoint 
MUST transmit an ERROR chunk with a "Stale Cookie" error cause to the 
peer endpoint.' That's different from the behavior if the MAC fails in 
bullet point 2. Does that mean that endpoints are REQUIRED to keep track 
of every secret they've ever used, so that they can distinguish between 
failed MACs and expired cookies for very old cookies? Should that be 
relaxed a bit to let implementations only store moderately recent secrets?

(nit) Section 12.2.3 says "Regardless of where confidentiality is 
provided, the Internet Key Exchange Protocol version 2 (IKEv2) [RFC7296] 
SHOULD be used for key management." That makes sense for ESP, but is it 
intended to apply to DTLS too? (DTLS is mentioned earlier in the same 
section.)

P.S. This was a very long document, so I ended up just skimming a bunch 
of the parts that I guessed were less likely to be relevant to security. 
Let me know if there are any particular sections I should take a closer 
look at.

v2.23.0 | Report a Bug | By Email