[Secdispatch] Need advice on which Security WG is appropriate to discuss Lightweight Authentication methods

Linda Dunbar <linda.dunbar@futurewei.com> Tue, 09 July 2024 23:03 UTC

From: Linda Dunbar <linda.dunbar@futurewei.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Tue, 09 Jul 2024 23:02:55 +0000
Message-ID: <CO1PR13MB492015BED747DC805DAB6DD185DB2@CO1PR13MB4920.namprd13.prod.outlook.com>
References: <PH0PR13MB4922391FE48C3D3DFB033D6485DB2@PH0PR13MB4922.namprd13.prod.outlook.com>
In-Reply-To: <PH0PR13MB4922391FE48C3D3DFB033D6485DB2@PH0PR13MB4922.namprd13.prod.outlook.com>
CC: secdispatch <secdispatch@ietf.org>
Subject: [Secdispatch] Need advice on which Security WG is appropriate to discuss Lightweight Authentication methods
List-Id: Security Dispatch <secdispatch.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/nQWg5RqWLgyqQiJJasZ-lE_C3nE>

Security Dispatch group and Chairs:

Our draft (https://datatracker.ietf.org/doc/draft-dunbar-secdispatch-ligthtweight-authenticate/) describes lightweight authentication methods to prevent malicious actors from tampering with IP encapsulation headers or the metadata carried by the UDP Option Header. The IP encapsulation header is for steering encrypted payloads through the Cloud backbone without requiring the Cloud Gateway to decrypt or re-encrypt the payload, as outlined in https://datatracker.ietf.org/doc/draft-ietf-rtgwg-multisegment-sdwan/.
The proposed method is for environments where there are IPsec tunnels between SD-WAN Customer Premises Equipment (CPEs) and the Cloud Gateway (GW). For traffic originating from SD-WAN CPEs and terminating within the Cloud Data Center (DC), the Cloud GW decrypts the IPsec traffic. For traffic that needs to be routed via the Cloud Backbone to remote CPEs, the proposed lightweight authentication method is used. This method enables the Cloud GW to selectively authenticate the GENEVE header added to the encrypted traffic between CPEs, ensuring integrity and security during transit.

We need your advice on which Security Area WG is appropriate for discussing this content. Since there is no SecDispatch meeting in IETF120, we submitted a request to AllDispatch. Since there will be many topics discussed in AllDispatch, we are not sure whether we will get a time slot.

We need feedback from security experts on the proposed authentication methods. We also need feedback on which of the following ways is better for distributing Authentication Keys:

1. The IPsec tunnel itself provides a secure channel for transmitting the authentication keys. This ensures that the keys are protected from eavesdropping or tampering during distribution.
2. Reuse the existing IPsec keys as input to a key derivation function (KDF). The KDF generates unique authentication keys that are cryptographically linked to the IPsec keys but not directly exposed. This adds a layer of protection, even if the IPsec keys are compromised.

The proposed authentication method requires less processing compared to adding another layer of IPsec Authentication Header (AH) on top of IPsec Encapsulating Security Payload (ESP) traffic. This efficiency is achieved by focusing on authenticating only the GENEVE headers, rather than the entire packet, thereby reducing computational overhead and latency.

Any thoughts and advice are greatly appreciated.

Linda Dunbar
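As an added illustration, not code from the draft or from the poster, here is one way the second key-distribution option and the header-only check described above could fit together: an HKDF (RFC 5869) derives a per-SA header authentication key from IPsec key material, and a truncated HMAC-SHA256 tag covers only the GENEVE header. Using the SPI as salt, the label `geneve-header-auth`, a 64-bit tag and the RFC 8926 fixed-header layout are all assumptions made for this example; the draft's actual construction is not on this page.

```python
import hashlib
import hmac
import struct


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF extract-then-expand (RFC 5869) over HMAC-SHA256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_header_auth_key(ipsec_key: bytes, spi: int) -> bytes:
    """Option 2 from the mail: a KDF over the IPsec key, bound to the SA's SPI.

    The IPsec key is never exposed; each SA yields a distinct header key.
    (Salt/label choice is an assumption for this example, not the draft's.)
    """
    return hkdf_sha256(ipsec_key, struct.pack("!I", spi), b"geneve-header-auth", 16)


def geneve_header(vni: int, opts: bytes = b"") -> bytes:
    """Minimal GENEVE fixed header (RFC 8926): Ver=0, OptLen in 4-byte words,
    flags O=0/C=0, protocol type 0x0800 (IPv4), 24-bit VNI plus reserved byte."""
    if len(opts) % 4 or vni >= 1 << 24:
        raise ValueError("options must be 4-byte aligned and VNI must fit 24 bits")
    return struct.pack("!BBH", len(opts) // 4, 0, 0x0800) + struct.pack("!I", vni << 8) + opts


def tag_header(key: bytes, header: bytes) -> bytes:
    """64-bit HMAC-SHA256 tag over the GENEVE header only (not the ESP payload)."""
    return hmac.new(key, header, hashlib.sha256).digest()[:8]


def verify_header(key: bytes, header: bytes, tag: bytes) -> bool:
    """Constant-time check; any bit flipped in the header or a key from
    another SA yields False, which is the tampering case the mail targets."""
    return hmac.compare_digest(tag_header(key, header), tag)


if __name__ == "__main__":
    key = derive_header_auth_key(b"\x0b" * 32, spi=0x1001)  # constructed sample key material
    hdr = geneve_header(0x1234)
    tag = tag_header(key, hdr)
    print("valid:", verify_header(key, hdr, tag))
    print("tampered VNI:", verify_header(key, geneve_header(0x1235), tag))
```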