[secdir] secdir review of draft-ietf-ppsp-peer-protocol

David Harrington <ietfdbh@comcast.net> Mon, 30 June 2014 20:57 UTC

Return-Path: <ietfdbh@comcast.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 698BD1A0A9C for <secdir@ietfa.amsl.com>; Mon, 30 Jun 2014 13:57:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.751
X-Spam-Level:
X-Spam-Status: No, score=-0.751 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D3-xhQOzFzU3 for <secdir@ietfa.amsl.com>; Mon, 30 Jun 2014 13:57:15 -0700 (PDT)
Received: from qmta15.emeryville.ca.mail.comcast.net (qmta15.emeryville.ca.mail.comcast.net [IPv6:2001:558:fe2d:44:76:96:27:228]) by ietfa.amsl.com (Postfix) with ESMTP id 3205E1A0452 for <secdir@ietf.org>; Mon, 30 Jun 2014 13:57:15 -0700 (PDT)
Received: from omta12.emeryville.ca.mail.comcast.net ([76.96.30.44]) by qmta15.emeryville.ca.mail.comcast.net with comcast id LknY1o0080x6nqcAFkxFcc; Mon, 30 Jun 2014 20:57:15 +0000
Received: from [192.168.1.181] ([184.39.6.21]) by omta12.emeryville.ca.mail.comcast.net with comcast id Lkwx1o00Q0TCz8g8Ykx0mF; Mon, 30 Jun 2014 20:57:12 +0000
From: David Harrington <ietfdbh@comcast.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_59D99498-7C22-430A-AEFE-8ED10BF35B8E"
Date: Mon, 30 Jun 2014 16:56:56 -0400
To: "iesg@ietf.org IESG" <iesg@ietf.org>, secdir@ietf.org, draft-ietf-ppsp-peer-protocol.all@tools.ietf.org
Message-Id: <78982690-9233-4763-9FA2-0904BD683BBF@comcast.net>
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\))
X-Mailer: Apple Mail (2.1878.2)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1404161835; bh=Qz9hPodZywhgN8kgCSgX5Iaj8/igop8f2HNLBUP5QRo=; h=Received:Received:From:Content-Type:Date:Subject:To:Message-Id: Mime-Version; b=Ciz5noTCg3hnRAjDvObIJfiyDDkHiAzqPpbXH1Ccl+MPzFljuX7h0jSwxlmqRe51c N50c9GIzLMG6+4Ztjg09b9oHrW22gSU2Tn2k9SdeWPXY/ufH34BAd3CjS+ZJjynETp i23qQ4Bx/HpeftGCbWLNFQ/NXcP/IX1u6M5QYNwv/53QHmTUDOvDtS6lDY7DuOA0Fw BePcECRLSawGfXNcOi3neVNLMs0u9tp3SIgicX/kdVuBy9X/dPSqie+ocPBxIQN0jL QoHSXMlLIFCSDa5D8rLb0puHVcKHMBOQmOcjtNwNcPvJg4ZRMOjWuN7DBXtSShZjYJ PBJlQo5hw4cpA==
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/joYFFJlUnKBwyA3t9KOmo6A6gYs
Subject: [secdir] secdir review of draft-ietf-ppsp-peer-protocol
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jun 2014 20:57:17 -0000

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.
Summary: I think this document is far from ready for publication as a standard., or for last-call reviews. The WG has review work to do before this document is ready for expert review.
I gave up reviewing this document after 10 pages, because it was so not ready for review.

I will say that, being both an opsdir and secdir reviewer, I was greatly encouraged by the table of contents, which shows that a lot of consideration was given to security and ops and mgmt. But then I started reading the text in the main part of the document, and was severely disappointed by what I found.
I chose to sample sections of the document to see if maybe it was just the opening text that was problematic. I don’t think so.

1)  Editorial: in the terminology section, it says
   content integrity protection scheme
       Scheme for protecting the integrity of the content while it is
       being distributed via the peer-to-peer network.  I.e. methods for
       receiving peers to detect whether a requested chunk has been
       maliciously modified by the sending peer.
I do not believe this protocol can detect intent, so to claim that it can detect whether a chunk has been maliciously modified is inaccurate. It can tell if a chunk has been modified.

2) Technical: in the definition  of swarm ID, there is a conditional that applies to VOD. It is ambiguous whether it also applies to live streaming. I recommend this wording be modified to make it clearer.
If Merkle trees are not used for integrity protection, what is the swarm ID for VOD?

3) Ed: s/as it source/as its source/

4) Ed: " This message conveys protocol options, in particular, peer A includes
   the ID of the swarm as the destination peers can listen for multiple
   swarms on the same transport address.”
I couldn’t parse this sentence; is it missing punctuation?
I recommend rewording for clarity.

5) Ed: "denotes what chunks of the content peer B, resp. C have.”
I don’t know what word “resp.” is abbreviating.
Substituting words that start with resp, (e.g., response, respectively, etc.) I cannot make sense of this sentence.

6) tech: I feel uncomfortable with section 2 containing examples that describe the overall flow. Examples are non-normative text, usually contained in a non-normative appendix. These examples describe the order of messages, and it is 

7) in example 2.2, the integrity hash is provided by the peer that is providing the (potentially maliciously modified) content. Isn’t that like asking the fox to verify that the henhouse is safe?

8) in 3, paragraph 1, it says “In general,” which seems less specific than normally expected of standards language.

9) in 3, paragraph 1, it says “this behavior”, but I’m not sure which behavior it is referencing. It is unclear whether not sending error messages, or discarding messages, or stopping communication, or classifying peers is the behavior that allows a peer to deal with slow, crashed, or silent peers. I don’t understand HOW any of the behaviors mentioned would allow a peer to deal with slow, crashed, or silent peers. I do not understand on what basis peers are judged “good” or “bad”.

10) in 3, paragraph 2, it says, "Multiple messages are multiplexed into a single datagram for
   transmission.  Messages in a single datagram MUST be processed in the
   strict order in which they appear in the datagram.” While this might be true for UDP, is this also accurate for TCP or other non-datagram transports? 
This is not written using RFC2119 keywords; should “are” be “MUST be” or “SHOULD be” or “MAY be”?

11) in 3, paragraph 3, the second sentence seems to contradict the first sentence, and since neither is written using RFC2119 keywords, it seems to really leave the whole question open to implementer interpretation.

[jumping forward to sample other places in the document]

12) section 8 is ambiguous:
"8.  UDP Encapsulation

   PPSPP implementations MUST use UDP as transport protocol and MUST use
   LEDBAT for congestion control [RFC6817].  Using LEDBAT enables PPSPP
   to serve the content after playback (seeding) without disrupting the
   user who may have moved to different tasks that use its network
   connection.  Future PPSPP versions can also run over other transport
   protocols, or use different congestion control algorithms.
“
I find “MUST use UDP” inconsistent with “”can also run over other transport protocols”, and “MUST use LEDBAT” inconsistent with “or use different congestion control protocols”.

[jumping ahead …]
In 8.3, there is a discussion of multiple swarms sharing a UDP port. I’m unsure whether this would work, but since UDP is stateless, it might. Do channels work for protocols like TCP? 

[jumping ahead …] 

"A SIGNED_INTEGRITY message (type 0x07) consists of a chunk
   specification, a 64-bit NTP timestamp [RFC5905] and a digital
   signature encoded as a Signature field in a RRSIG record in DNSSEC
   without the BASE-64 encoding [RFC4034].”
Can this work in an implementation with no NTP support?

[juming ahead …]
8.14 describes a keep alive message format, but no processing instructions.
Are receiving implementations required to do anything with this message? are they supposed to respond somehow?
How does the sender of a keep alive determine that the connection is still live?
There is no message type for keep alive. If the first octet of the keep alive happens to be 0x0a, how does the receiver know whether this is a keep alive or a CHOKE message?

Table 7 defines the messages types in decimal. But the text uses hex values. 


—
At this point, I will observe that I think this document is far from ready for publication as a standard. 

The WG, and the chairs and shepherd, really need to look at this document closely to ensure the English is clear and unambiguous, that RFC2119 keywords are used to specify the behaviors expected from implementers.

I think this document would be well served by describing the message types and formats and their processing in a transport-neutral manner, and then describing the transport-specific mapping details, so it is clear and unambiguous how the mapping of message sequences to datagrams is handled for UDP and DCCP, and how the mapping of message sequences should be handled for stream-based protocols like TCP. There are some message types, notably keep alive, that I am not sure apply in the same way to different transports.

Multiple messages are multiplexed in a datagram. How are the messages delimited? If there is any corruption in one message, how does the receiver find the end of the message and the start of the next message? If I understand correctly, invalid messages are discarded and no error code is sent. If one of the messages are found to be invalid, are all messages in that datagram discarded? or are all subsequent messages in that datagram discarded? or is it valid to process the remaining messages in the datagram after an invalid message is detected? If so, would that conflict with the rule that all messages must be processed in order?

How will messages be limited in stream-based transports? if 1000 messages are sent in a streaming protocol, and number 3 is invalid, what happens to the remaining stream of 997 messages?

Dave Harrington
ietfdbh@comcast.net