Re: [secdir] Secdir last call review of draft-weis-gdoi-rekey-ack-05
Yaron Sheffer <yaronf.ietf@gmail.com> Tue, 29 August 2017 21:00 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E0E0132944; Tue, 29 Aug 2017 14:00:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v1kzSKQCoijz; Tue, 29 Aug 2017 14:00:04 -0700 (PDT)
Received: from mail-wm0-x22f.google.com (mail-wm0-x22f.google.com [IPv6:2a00:1450:400c:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A011E124E15; Tue, 29 Aug 2017 14:00:03 -0700 (PDT)
Received: by mail-wm0-x22f.google.com with SMTP id u26so5222729wma.0; Tue, 29 Aug 2017 14:00:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=6YGrK2gCM29k+y7ct+1x7Dwb+DppKUiUtJ7d7zmm6WI=; b=Ph+680gQ4ibGuDeDQYN0b5wtAp1ZR+r3BunYehMLTBldOEanAZfIqzJxeIJ1hGTyW2 0S8+NuIOFm097gmq+aJ7xtPDZYumiEZ3vGALLHcpxaAYKz0by92yoazVZ9Bfczg+ievz FBL+5LgSqUZF3EMuEFLU3//okvU4HmOG36cPs9uPcWPT0QCqziSs0qyo04jEAnp74KZK b4+Uu59ryEHIghhhW4Np3jxnT0BtI0vo4LG7C4dToc/bwBi7UQZedOG7LkYRyKO5Bu4l GSqUrg5AQeTKcXQlQPFAAp8hyFYR5JaIp/Mkoasy/xDg/tqByUNKbsWdXkPFECc+PcZ5 UeXw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=6YGrK2gCM29k+y7ct+1x7Dwb+DppKUiUtJ7d7zmm6WI=; b=N6QlW/dBDQlCDHJBjiOWCVERmeNMEdsP6MfrYV5jIV9D8BMu+HA6I3Y020UeAfEXZ4 hQaPC4UQ5Lb0AIXbuAZ4TLJDM50m1D+WWBW1BEUmLlBL54DTquOuk9CHTzY2lzaeLC/s x7E5RzAU7Y2y6peUePdtsQWvOjrj7r+GkvRS2E8fhfd9jRrevNpk42muXETP6xo3WCSe F6aMQy+I/6aUZW5R92qjZnfAj6MImYLuM+JpzXeBVGabu670MHoFFHn07HZqwHzWzCsP P3DgaETvEwleXI2emNOMygxwfCCOYnH8dncuZo25TTtmzaCWFDEpMjoruRWuwnutqi4/ IiGg==
X-Gm-Message-State: AHYfb5g+RO/mkbLXx8kBSr74+8KmcnSXs3SmKp26djrKrIlK/UniaHzx Bux1RM4j+Qv2UztNQ5k=
X-Received: by 10.28.238.197 with SMTP id j66mr354824wmi.170.1504040401535; Tue, 29 Aug 2017 14:00:01 -0700 (PDT)
Received: from [10.0.0.10] (bzq-109-67-55-26.red.bezeqint.net. [109.67.55.26]) by smtp.gmail.com with ESMTPSA id v60sm5177895wrc.71.2017.08.29.14.00.00 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 29 Aug 2017 14:00:00 -0700 (PDT)
To: "Brian Weis (bew)" <bew@cisco.com>
Cc: "secdir@ietf.org" <secdir@ietf.org>, "draft-weis-gdoi-rekey-ack.all@ietf.org" <draft-weis-gdoi-rekey-ack.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
References: <150194814585.18635.3104789196001873381@ietfa.amsl.com> <E61F05DB-EEB0-4140-A2D4-DB11163C4E13@cisco.com> <e2b32453-8c4f-9707-0e1f-dab29540fe54@gmail.com> <DE62366A-0377-4DE1-9ED0-A14E44A7EC05@cisco.com>
From: Yaron Sheffer <yaronf.ietf@gmail.com>
Message-ID: <d6a9c046-4404-341b-2282-934bb5ca5ec7@gmail.com>
Date: Tue, 29 Aug 2017 23:59:58 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <DE62366A-0377-4DE1-9ED0-A14E44A7EC05@cisco.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/keVga6sHGoHWF3eMh1X9Rt6lDyc>
Subject: Re: [secdir] Secdir last call review of draft-weis-gdoi-rekey-ack-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Aug 2017 21:00:07 -0000
Hi Brian, To me, incremental deployment is what crypto-agility is all about. But I guess others might disagree. In any case, this limitation needs to be discussed when we talk about agility. Thanks, Yaron On 29/08/17 23:48, Brian Weis (bew) wrote: > Hi Yaron, > >> On Aug 26, 2017, at 8:34 AM, Yaron Sheffer <yaronf.ietf@gmail.com >> <mailto:yaronf.ietf@gmail.com>> wrote: >> >> Hi Brian, >> >> Thank you for addressing most of my comments in the new version, and >> for clarifying points where I was off the mark. >> >> The only remaining comment that's only partly addressed is the one on >> crypto agility. Quoting myself: >> >> we need to define whether multiple such payloads can be sent >> simultaneously (if e.g. some GMs still support the old algorithm) and >> what's the expected behavior. >> >> In other words, supporting more algorithms in not sufficient. The >> question is whether we support incremental deployment of a new >> algorithm to a large group of GMs. > > Sorry, we missed this. Incremental deployment of any new policy > (algorithm or otherwise) within a group is not so straightforward. There > can really only be one set of policy used by the entire group because if > a sender has been updated to a new set of policy it can’t really use it > until all receivers are similarly upgraded. This is a place where a > capabilities exchange can be useful for a key server to declare a switch > to a new algorithm after all members claim to support it, but that might > never happen in a large group. Practically speaking incremental updates > in a large group might require two different groups with a bridge > between, or some other deployment structure. Since it’s a broader > problem, I’m not sure what else we can do in this document to address > incremental deployment. > > Thanks, > Brian > >> >> Thanks, >> Yaron >> >> On 24/08/17 19:48, Brian Weis (bew) wrote: >>> Hi Yaron, >>> Thanks for the review. We’ve added some clarification below, and made >>> some changes in -06 to address your comments. Please let us know if >>> we did not address them satisfactorily. >>>> On Aug 5, 2017, at 8:49 AM, Yaron Sheffer <yaronf.ietf@gmail.com >>>> <mailto:yaronf.ietf@gmail.com> <mailto:yaronf.ietf@gmail.com>> wrote: >>>> >>>> Reviewer: Yaron Sheffer >>>> Review result: Has Issues >>>> >>>> Summary: this reviewer is not clear about the value of the push-ack >>>> (compared >>>> to a pull) and about the strategy that was chosen. >>> In a group key management system either a “pull” (triggered by a >>> group member) or a “push” (by the key server)" could be used to >>> provide updates to the group. However, a “pull” by the group member >>> implies a polling method, which has the deficiency that the key >>> server cannot cause a policy replacement any sooner than the polling >>> method by the group members. Also “polling” can cause additional >>> unnecessary traffic. So is is better for any update on the group >>> policy or renewal of group keys to be distributed by the GCKS using a >>> PUSH message. The ACK-message is used to offer a feedback mechanism >>> to a policy update for the PUSH exchange. >>>> >>>> *//* >>>> >>>> * "For example, a GCKS policy can use the acknowledgements to >>>> determine [...] >>>> which members may no longer be members of the group." This sentence >>>> is very >>>> confusing: when are members not members? >>> We’ve reworded this text. It’s trying to convey that a missing ACK >>> message (or a certain number of it) can be used to identify that a >>> group member is no longer receiving group traffic, and is now may be >>> considered an ex-group member. For example, it could be a multicast >>> receiver that is no longer interested in being a receiver for the >>> group. But it could also be that a network event has caused it to be >>> unavailable for a sufficient length of time such that it doesn’t have >>> current keying material and therefore can’t be considered a current >>> group member. There is no reliable “I’m leaving the group” message >>> flow, and of course in my second example no such messages would have >>> been intended by the group member. >>>> * The new protocol capability is defined as optional, but really >>>> isn't. "A GM >>>> receiving the KEK_ACK_REQUESTED attribute can choose to ignore it, thus >>>> appearing as if it does not support the KEK_ACK_REQUESTED attribute. >>>> However, >>>> GCKS policy may consider a non-responsive GM to no longer desire to >>>> be a member >>>> of the group." So if you want to play the game, you MUST support the new >>>> attribute. >>> Point taken. We’ve changed the text to reflect this. >>>> * I'm puzzled at the overall protocol. Being able to send ACKs is a >>>> GM software >>>> capability. Why not have the GM announce this capability when it >>>> initially >>>> registers to the GCKS? Then the GCKS would know what to expect, >>>> whereas with >>>> the current protocol it is left waiting for an ACK that may never >>>> come, either >>>> because the GM is dead or because it just doesn't feel like >>>> responding. Add the >>>> long waits (jitter of "a few seconds" and potential retries), and >>>> this looks >>>> like a far from optimal management experience. >>> Indeed a GM could announce its capability, but whether or not ACKs >>> are desired is a component of the group policy. In the context of >>> GDOI the GCKS is the entity that defines the group policy. There can >>> be groups where the ACK is used, whereas others do not. The >>> capabilities announcement you suggest could certainly help the KS to >>> know whether or not to expect the ACK from a particular GM, but the >>> focus of this I-D is on the the declaration of the request for ACKs >>> by the GCKS and the format of the ACK. >>>> * 2.2: "This is a private key" - to avoid confusion, I suggest: >>>> "This is a >>>> secret symmetric key" (if this is indeed the case). Obviously using >>>> the same >>>> key for encryption and for HMAC is not a best practice. >>> We’ve made this change. >>>> * Sec. 5: ACK messages can also be duplicated in the network. I >>>> suggest to add >>>> a sentence describing what the GCKS should do in this case. >>> The Security Considerations (section 7.3) describes a method for the >>> GCKS to detect replays. This is arguably better placed in this >>> section, so we’ve moved it here.. >>>> * Sec. 6: I am confused about the notion of "jitter" here. If the >>>> PUSH messages >>>> are sent as multicast (the recommended alternative AFAICT), I'm not >>>> sure about >>>> the benefit of using multicast, given that each recipient responds >>>> with a >>>> unicast ACK. And if the PUSH is unicast, there should be no reason >>>> for a jitter >>>> as the sender can throttle the PUSH messages as necessary. >>> The concept of “jitter” is most valuable for responses to a multicast >>> PUSH message. The use of a multicast PUSH message lower processing on >>> the GCKS. Since each GM can e given the exact same policy, there’s no >>> call to send it out as a unicast message. The jitter helps spread out >>> the replies a bit to avoid inundating the GCKS. >>>> * Moreover, everything would be much more predictable if the GCKS could >>>> indicate if a jitter is expected and how much of a jitter (based on >>>> size of the >>>> group, network throughput, and queue length). Specifically, this >>>> would allow >>>> the GCKS to tell how long it should wait for an ACK. >>> This would be somewhat useful, but in practice might not help the >>> GCKS as much as it seems. The jitter value provided would also be >>> dependent on several network parameters that aren’t under the control >>> of the GCKS or the GM. Even when the GM does not add any jitter to >>> the ACK, the underlying network may delay the PUSH and/or for the >>> ACK. And as stated in Section 6, the GCKS may be configured with >>> additional policy actions like retransmissions to overcome lost ACKs. >>> Altogether to add jitter to the ACK is not a must, it is a way to >>> help the GCKS deal with a huge number of GMs. In practice, we’ve >>> found that having the GMs choose the jitter has worked well, even >>> when the GMs are different implementations. >>>> * Cryptographic agility: this document specifies only one algorithm >>>> for the >>>> HASH value, and says that if a new algorithm is needed, there will >>>> be a new >>>> KEK_ACK_REQUESTED payload defined. However to make sure that this really >>>> "works", we need to define whether multiple such payloads can be sent >>>> simultaneously (if e.g. some GMs still support the old algorithm) >>>> and what's >>>> the expected behavior. I would suggest to define an additional >>>> SHA-512 payload >>>> just to make for a concrete example. >>> This is a good suggestion. We’ve added SHA-512 versions of the >>> existing KEK_ACK_REQUESTED values. >>> See <https://tools.ietf.org/html/draft-weis-gdoi-rekey-ack-06> >>> Thanks, >>> Brian >>> -- >>> Brian Weis >>> Security, CSG, Cisco Systems >>> Telephone: +1 408 526 4796 >>> Email: bew@cisco.com <mailto:bew@cisco.com> <mailto:bew@cisco.com> >> >> >> Thanks, >> Yaron >> >> On 24/08/17 19:48, Brian Weis (bew) wrote: >>> Hi Yaron, >>> Thanks for the review. We’ve added some clarification below, and made >>> some changes in -06 to address your comments. Please let us know if >>> we did not address them satisfactorily. >>>> On Aug 5, 2017, at 8:49 AM, Yaron Sheffer <yaronf.ietf@gmail.com >>>> <mailto:yaronf.ietf@gmail.com> <mailto:yaronf.ietf@gmail.com>> wrote: >>>> >>>> Reviewer: Yaron Sheffer >>>> Review result: Has Issues >>>> >>>> Summary: this reviewer is not clear about the value of the push-ack >>>> (compared >>>> to a pull) and about the strategy that was chosen. >>> In a group key management system either a “pull” (triggered by a >>> group member) or a “push” (by the key server)" could be used to >>> provide updates to the group. However, a “pull” by the group member >>> implies a polling method, which has the deficiency that the key >>> server cannot cause a policy replacement any sooner than the polling >>> method by the group members. Also “polling” can cause additional >>> unnecessary traffic. So is is better for any update on the group >>> policy or renewal of group keys to be distributed by the GCKS using a >>> PUSH message. The ACK-message is used to offer a feedback mechanism >>> to a policy update for the PUSH exchange. >>>> >>>> *//* >>>> >>>> * "For example, a GCKS policy can use the acknowledgements to >>>> determine [...] >>>> which members may no longer be members of the group." This sentence >>>> is very >>>> confusing: when are members not members? >>> We’ve reworded this text. It’s trying to convey that a missing ACK >>> message (or a certain number of it) can be used to identify that a >>> group member is no longer receiving group traffic, and is now may be >>> considered an ex-group member. For example, it could be a multicast >>> receiver that is no longer interested in being a receiver for the >>> group. But it could also be that a network event has caused it to be >>> unavailable for a sufficient length of time such that it doesn’t have >>> current keying material and therefore can’t be considered a current >>> group member. There is no reliable “I’m leaving the group” message >>> flow, and of course in my second example no such messages would have >>> been intended by the group member. >>>> * The new protocol capability is defined as optional, but really >>>> isn't. "A GM >>>> receiving the KEK_ACK_REQUESTED attribute can choose to ignore it, thus >>>> appearing as if it does not support the KEK_ACK_REQUESTED attribute. >>>> However, >>>> GCKS policy may consider a non-responsive GM to no longer desire to >>>> be a member >>>> of the group." So if you want to play the game, you MUST support the new >>>> attribute. >>> Point taken. We’ve changed the text to reflect this. >>>> * I'm puzzled at the overall protocol. Being able to send ACKs is a >>>> GM software >>>> capability. Why not have the GM announce this capability when it >>>> initially >>>> registers to the GCKS? Then the GCKS would know what to expect, >>>> whereas with >>>> the current protocol it is left waiting for an ACK that may never >>>> come, either >>>> because the GM is dead or because it just doesn't feel like >>>> responding. Add the >>>> long waits (jitter of "a few seconds" and potential retries), and >>>> this looks >>>> like a far from optimal management experience. >>> Indeed a GM could announce its capability, but whether or not ACKs >>> are desired is a component of the group policy. In the context of >>> GDOI the GCKS is the entity that defines the group policy. There can >>> be groups where the ACK is used, whereas others do not. The >>> capabilities announcement you suggest could certainly help the KS to >>> know whether or not to expect the ACK from a particular GM, but the >>> focus of this I-D is on the the declaration of the request for ACKs >>> by the GCKS and the format of the ACK. >>>> * 2.2: "This is a private key" - to avoid confusion, I suggest: >>>> "This is a >>>> secret symmetric key" (if this is indeed the case). Obviously using >>>> the same >>>> key for encryption and for HMAC is not a best practice. >>> We’ve made this change. >>>> * Sec. 5: ACK messages can also be duplicated in the network. I >>>> suggest to add >>>> a sentence describing what the GCKS should do in this case. >>> The Security Considerations (section 7.3) describes a method for the >>> GCKS to detect replays. This is arguably better placed in this >>> section, so we’ve moved it here.. >>>> * Sec. 6: I am confused about the notion of "jitter" here. If the >>>> PUSH messages >>>> are sent as multicast (the recommended alternative AFAICT), I'm not >>>> sure about >>>> the benefit of using multicast, given that each recipient responds >>>> with a >>>> unicast ACK. And if the PUSH is unicast, there should be no reason >>>> for a jitter >>>> as the sender can throttle the PUSH messages as necessary. >>> The concept of “jitter” is most valuable for responses to a multicast >>> PUSH message. The use of a multicast PUSH message lower processing on >>> the GCKS. Since each GM can e given the exact same policy, there’s no >>> call to send it out as a unicast message. The jitter helps spread out >>> the replies a bit to avoid inundating the GCKS. >>>> * Moreover, everything would be much more predictable if the GCKS could >>>> indicate if a jitter is expected and how much of a jitter (based on >>>> size of the >>>> group, network throughput, and queue length). Specifically, this >>>> would allow >>>> the GCKS to tell how long it should wait for an ACK. >>> This would be somewhat useful, but in practice might not help the >>> GCKS as much as it seems. The jitter value provided would also be >>> dependent on several network parameters that aren’t under the control >>> of the GCKS or the GM. Even when the GM does not add any jitter to >>> the ACK, the underlying network may delay the PUSH and/or for the >>> ACK. And as stated in Section 6, the GCKS may be configured with >>> additional policy actions like retransmissions to overcome lost ACKs. >>> Altogether to add jitter to the ACK is not a must, it is a way to >>> help the GCKS deal with a huge number of GMs. In practice, we’ve >>> found that having the GMs choose the jitter has worked well, even >>> when the GMs are different implementations. >>>> * Cryptographic agility: this document specifies only one algorithm >>>> for the >>>> HASH value, and says that if a new algorithm is needed, there will >>>> be a new >>>> KEK_ACK_REQUESTED payload defined. However to make sure that this really >>>> "works", we need to define whether multiple such payloads can be sent >>>> simultaneously (if e.g. some GMs still support the old algorithm) >>>> and what's >>>> the expected behavior. I would suggest to define an additional >>>> SHA-512 payload >>>> just to make for a concrete example. >>> This is a good suggestion. We’ve added SHA-512 versions of the >>> existing KEK_ACK_REQUESTED values. >>> See <https://tools.ietf.org/html/draft-weis-gdoi-rekey-ack-06> >>> Thanks, >>> Brian >>> -- >>> Brian Weis >>> Security, CSG, Cisco Systems >>> Telephone: +1 408 526 4796 >>> Email: bew@cisco.com <mailto:bew@cisco.com> <mailto:bew@cisco.com> > > -- > Brian Weis > Security, CSG, Cisco Systems > Telephone: +1 408 526 4796 > Email: bew@cisco.com <mailto:bew@cisco.com> >
- [secdir] Secdir last call review of draft-weis-gd… Yaron Sheffer
- Re: [secdir] Secdir last call review of draft-wei… Brian Weis (bew)
- Re: [secdir] Secdir last call review of draft-wei… Yaron Sheffer
- Re: [secdir] Secdir last call review of draft-wei… Brian Weis (bew)
- Re: [secdir] Secdir last call review of draft-wei… Yaron Sheffer