[secdir] secdir review of draft-ietf-tsvwg-rfc4960-bis-15
David Mandelberg <david@mandelberg.org> Tue, 12 October 2021 02:12 UTC
Return-Path: <david@mandelberg.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE03F3A0B91 for <secdir@ietfa.amsl.com>; Mon, 11 Oct 2021 19:12:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=mandelberg.org header.b=GxVrtTYY; dkim=pass (2048-bit key) header.d=mandelberg.org header.b=Jmdn0NJY
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PXdBjQqyxaiO for <secdir@ietfa.amsl.com>; Mon, 11 Oct 2021 19:12:12 -0700 (PDT)
Received: from mail-ua1-x962.google.com (mail-ua1-x962.google.com [IPv6:2607:f8b0:4864:20::962]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 290283A0B83 for <secdir@ietf.org>; Mon, 11 Oct 2021 19:12:12 -0700 (PDT)
Received: by mail-ua1-x962.google.com with SMTP id h19so4377914uax.5 for <secdir@ietf.org>; Mon, 11 Oct 2021 19:12:11 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:dkim-signature:dkim-signature:to:from:subject :message-id:date:user-agent:mime-version:content-language :content-transfer-encoding; bh=4xOiGvxffyzZvc7j/Rr9A2jLcSL2ZDsRzSBKOPM3Vww=; b=UcG68RZQn5ZqpftOBgditXdiigDuaGrb5lcgdcVbSEPodbX7h6qU0Ky+v3XW/LaBio b7o/b5+PJkoBfz6ME7jMyHlTT2TS9H9c7Y2J3yBpCqxo895WJrLxZo1hbJXgLEdUNNO5 JXF1jCvYnWZYUI5zsScJmDm5cuvnTBtU5ENiLJWsSe6JYts78g1/yIRAyLT+lNV2NJpR ze0c0F/xl6mSe/M4DtbH4ehKHcP7RXvL6uYYV07GoG7t6prwdqGcZuXjJq+JARRGxa0d /vJWekzpXBz0Y+vRyqky9ggBA10RH5EBxGh55kGdIGg7kPqqv8EPKje1iq4Rut6Ow79e bnDA==
X-Gm-Message-State: AOAM532N2OvffaplzMwo5u4SRKzxzAjknEq7xUSoE5DbYdlDYCfx5lor PqYnjUCeRp+gs+hE//C+bjCcHQE3pK8T9dU/JjzfGr/VIev3GA==
X-Google-Smtp-Source: ABdhPJw+eHjmJzkwuab6apsrvj4KKf+XjzfYtS2wYkGbF1XQtSu9ZZSNAYe6SlMBCjiaNebZds6lHrkio/sU
X-Received: by 2002:a67:ac42:: with SMTP id n2mr28216024vsh.21.1634004730890; Mon, 11 Oct 2021 19:12:10 -0700 (PDT)
Received: from mail-outbound-e14cf917.virgo.mandelberg.org (pool-74-104-157-60.bstnma.fios.verizon.net. [74.104.157.60]) by smtp-relay.gmail.com with ESMTPS id e15sm2299114uaa.0.2021.10.11.19.12.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 11 Oct 2021 19:12:10 -0700 (PDT)
X-Relaying-Domain: mandelberg.org
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=mandelberg.org; i=@mandelberg.org; q=dns/txt; s=mail-outbound-e14cf917-07914516; t=1634004730; h=to : from : subject : message-id : date : mime-version : content-type : content-transfer-encoding : from; bh=xyAHBCBNoQ8R1QXVMw5tsyjE21N3mjN5VJdqzR3zZAc=; b=GxVrtTYYXoln80Bai1Ajk/20cWtAyAnJc8L433Sqk8uEOKbPtFTTgbP4DQaHGBrtLrUlc KmKMifZYEUQZLS0DA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mandelberg.org; i=@mandelberg.org; q=dns/txt; s=mail-outbound-e14cf917-b7c648a2; t=1634004730; h=to : from : subject : message-id : date : mime-version : content-type : content-transfer-encoding : from; bh=xyAHBCBNoQ8R1QXVMw5tsyjE21N3mjN5VJdqzR3zZAc=; b=Jmdn0NJYBHLIZcdKpBL4s6Sg+LJxYxTqyQb6Lre6OX99UDn4Mz5193x73G7QZCDXf3ROc MwucOcnoWRwRQ603BSkuUm9bshZQznybs/T5M2i7saKONpdFD169ExtR8Q3h3CEE8e6LgDL Rl0un/DgfYx049Qv59lLzINy6kydF3xxENp4wLdrpGtA/bjGpPZOWjTxfZAYTcM3keZAB7R R1PppKlLUYuOPBJlAqQ6f6aYUfg9yZb+Qkp7i3ehcLf69j2v6hNSJ2QdnhiJqtrGCoxPPgB U01j4osTiLVT7PnUljbjt9dpcwwh4ifk6s+SbzGkjGzBCx1Dc4fA/LgcsAFw==
Received: from [IPv6:fde5:2b79:35f0:2::14e] (solaria.virgo.mandelberg.org [IPv6:fde5:2b79:35f0:2::14e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail-outbound-e14cf917.virgo.mandelberg.org (Postfix) with ESMTPSA id 4HSzgt2Ck4z10Zt; Tue, 12 Oct 2021 02:12:10 +0000 (UTC)
To: secdir@ietf.org, iesg@ietf.org, draft-ietf-tsvwg-rfc4960-bis.all@ietf.org
From: David Mandelberg <david@mandelberg.org>
Message-ID: <6bad085d-aea3-c827-5788-2d377ec0fac3@mandelberg.org>
Date: Mon, 11 Oct 2021 22:12:10 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/jjMl1h7m27GGcT--1IaqbZAHdO8>
Subject: [secdir] secdir review of draft-ietf-tsvwg-rfc4960-bis-15
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Oct 2021 02:12:18 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The summary of the review is Ready with nits. (nit) Section 2.3 describes MACs as "based on cryptographic hash functions using a secret key". If the intent is to limit this to MACs that use cryptographic hash functions, I'd suggest using the term HMAC instead of MAC. If not, I think there are other MAC algorithms that don't use hashes. (nit) The description of Chunk Length in Section 3.2 seems a bit complicated. (Not a lot complicated, just a bit.) I'd expect at least occasional security issues from incorrect implementations in programming languages that don't enforce in-bounds memory access. I'm guessing it's either too late to simplify the field, or there are good reasons for it to be the way it is? Are there any lessons learned by existing implementations that would be worth mentioning to help future implementors avoid issues with out-of-bounds memory access here? ("No" is a fine answer if this turns out to not have been a problem.) (nit) Section 5.1.5, bullet point 4 says 'If the elapsed time is longer than the lifespan carried in the State Cookie, then ... the endpoint MUST transmit an ERROR chunk with a "Stale Cookie" error cause to the peer endpoint.' That's different from the behavior if the MAC fails in bullet point 2. Does that mean that endpoints are REQUIRED to keep track of every secret they've ever used, so that they can distinguish between failed MACs and expired cookies for very old cookies? Should that be relaxed a bit to let implementations only store moderately recent secrets? (nit) Section 12.2.3 says "Regardless of where confidentiality is provided, the Internet Key Exchange Protocol version 2 (IKEv2) [RFC7296] SHOULD be used for key management." That makes sense for ESP, but is it intended to apply to DTLS too? (DTLS is mentioned earlier in the same section.) P.S. This was a very long document, so I ended up just skimming a bunch of the parts that I guessed were less likely to be relevant to security. Let me know if there are any particular sections I should take a closer look at.
- [secdir] secdir review of draft-ietf-tsvwg-rfc496… David Mandelberg
- Re: [secdir] secdir review of draft-ietf-tsvwg-rf… Benjamin Kaduk
- Re: [secdir] secdir review of draft-ietf-tsvwg-rf… David Mandelberg
- Re: [secdir] secdir review of draft-ietf-tsvwg-rf… tuexen
- Re: [secdir] secdir review of draft-ietf-tsvwg-rf… tuexen
- Re: [secdir] secdir review of draft-ietf-tsvwg-rf… David Mandelberg
- Re: [secdir] secdir review of draft-ietf-tsvwg-rf… tuexen
- Re: [secdir] secdir review of draft-ietf-tsvwg-rf… Martin Duke
- Re: [secdir] secdir review of draft-ietf-tsvwg-rf… Benjamin Kaduk
- Re: [secdir] secdir review of draft-ietf-tsvwg-rf… David Mandelberg
- Re: [secdir] secdir review of draft-ietf-tsvwg-rf… David Mandelberg
- Re: [secdir] secdir review of draft-ietf-tsvwg-rf… Tero Kivinen
- Re: [secdir] secdir review of draft-ietf-tsvwg-rf… Tero Kivinen
- Re: [secdir] secdir review of draft-ietf-tsvwg-rf… tuexen
- Re: [secdir] secdir review of draft-ietf-tsvwg-rf… tuexen
- Re: [secdir] secdir review of draft-ietf-tsvwg-rf… David Mandelberg
- Re: [secdir] secdir review of draft-ietf-tsvwg-rf… Tero Kivinen
- Re: [secdir] secdir review of draft-ietf-tsvwg-rf… tuexen
- Re: [secdir] secdir review of draft-ietf-tsvwg-rf… tuexen
- Re: [secdir] secdir review of draft-ietf-tsvwg-rf… Tero Kivinen
- Re: [secdir] secdir review of draft-ietf-tsvwg-rf… tuexen
- Re: [secdir] secdir review of draft-ietf-tsvwg-rf… David Mandelberg
- Re: [secdir] secdir review of draft-ietf-tsvwg-rf… Tero Kivinen
- Re: [secdir] secdir review of draft-ietf-tsvwg-rf… Michael Tuexen
- Re: [secdir] secdir review of draft-ietf-tsvwg-rf… Michael Tuexen