Re: [sfc] [Last-Call] Secdir last call review of draft-ietf-sfc-proof-of-transit-08
Martin Vigoureux <martin.vigoureux@nokia.com> Tue, 19 October 2021 10:16 UTC
Return-Path: <martin.vigoureux@nokia.com>
X-Original-To: sfc@ietfa.amsl.com
Delivered-To: sfc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AA4F3A0A4D for <sfc@ietfa.amsl.com>; Tue, 19 Oct 2021 03:16:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.646
X-Spam-Level: **
X-Spam-Status: No, score=2.646 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, GB_SUMOF=5, MSGID_FROM_MTA_HEADER=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nokia.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N9mT2QwYObr5 for <sfc@ietfa.amsl.com>; Tue, 19 Oct 2021 03:16:36 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130093.outbound.protection.outlook.com [40.107.13.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06EC73A0A5F for <sfc@ietf.org>; Tue, 19 Oct 2021 03:16:35 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=A3gzwjkp27IGgEVck+ZQI+jkr7xB6MlyavpiyV/5MiSrv10ixbijr6QyKy6nVESHrIY9Fqi1VKnCCL820LQ2EgYWQN+cXeAe8wALr+8ccfuOg/Rjsolc7AkxYKkSz4QvxJM+uJNf5BfbkSWP2xCUG/QySToMMjRa8dMv9Na0RkxJ8kCHpD6wQPQlW1IJA9KZKPbDefgy4WtJh4hP1LPJl83bU++UIrytJyfUDhsTw9Q1DWQQTObFjZNWv39NToCiLoIHG9As8Jz5oIUI0Fme8OVJDW5z5CMexlQ3pz+wv4RNNh1UUtE+l7kw6Gs+fC3PiAPq8Gl78JwaSIPSny1uLg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=bR75odQNfeMDTw1jtLwtKc9PcetaeugAquWDiBW/xLU=; b=B+BjPLUD1rsRrnIkzeZAx9AtWPanqp9X4tvcNtUFyB2yxaq9UQKFSHuvdVm1D/9m0TrGhDqycUo3aFXNAjbmR6A2OQpj0ttpSi6T2ZVVN63zJB+X5wXPv+gP6c9PDT8g9BibvGcyJa5dpPkwq34d6x5d3uwHYDE8KocrLVx+W2nR+eNz4dtawDpX8Mp8GYfTnuaE7ulDihAHi+a4ReK7r4bGEzmSP+mrE9kwLABKyFCo225A0TwLz3jWu8Uu3Y0nGMi5igDLzVx5Xc0M7NlJ1i3CxOK/0+WfBfQW6aBpgEyCGmAI+MeP6YGaDRJJ/Pq3VOpP8oqcODckQuCleQLemA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nokia.com; dmarc=pass action=none header.from=nokia.com; dkim=pass header.d=nokia.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nokia.onmicrosoft.com; s=selector1-nokia-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=bR75odQNfeMDTw1jtLwtKc9PcetaeugAquWDiBW/xLU=; b=C4+rxw67+gh+mSYg27aaCQ2+1iOv55btzqGCfcXLA4zo+xhjHuM5teHk80g3oVxCQXDgxgegnHDppS9t8xgtpBkFJ2Y22a0CDo00sTQdTIELl+jvWWM2Q7ltun7f1PBhDUv8EBYZGUThTQoLSagyQifDhcj6l6hxiz3axWzUV/c=
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=nokia.com;
Received: from AM6PR07MB5560.eurprd07.prod.outlook.com (2603:10a6:20b:6f::22) by AM5PR0701MB2772.eurprd07.prod.outlook.com (2603:10a6:203:74::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4628.13; Tue, 19 Oct 2021 10:16:31 +0000
Received: from AM6PR07MB5560.eurprd07.prod.outlook.com ([fe80::602d:c982:a27b:a643]) by AM6PR07MB5560.eurprd07.prod.outlook.com ([fe80::602d:c982:a27b:a643%7]) with mapi id 15.20.4628.015; Tue, 19 Oct 2021 10:16:31 +0000
To: "Joel M. Halpern" <jmh@joelhalpern.com>, "Frank Brockners (fbrockne)" <fbrockne@cisco.com>
Cc: "shwetha.bhandari@gmail.com" <shwetha.bhandari@gmail.com>, "Youell, Stephen" <stephen.youell@jpmorgan.com>, "sfc@ietf.org" <sfc@ietf.org>, "krishna.sashank@gmail.com" <krishna.sashank@gmail.com>, James Guichard <james.n.guichard@futurewei.com>
References: <163210969860.31323.5718880916818308072@ietfa.amsl.com> <DM8PR11MB5606222AA0739CE8093A6777DAA39@DM8PR11MB5606.namprd11.prod.outlook.com> <7329d9eb-3597-0006-dbc5-892a4ada74ab@huitema.net> <DM8PR11MB56061C0D02BC169F39D41407DAA49@DM8PR11MB5606.namprd11.prod.outlook.com> <31b9ad77-1848-011c-9b3f-3787aee21e41@huitema.net> <DM8PR11MB5606D099B760809CB3DD8326DAA59@DM8PR11MB5606.namprd11.prod.outlook.com> <db45f7e3-3961-68fa-5e90-981756139b51@huitema.net> <DM8PR11MB5606B4D10F2CE68734684248DAA89@DM8PR11MB5606.namprd11.prod.outlook.com> <3c35465f-d7bd-b4dd-ee35-ae5da3c5c0cf@joelhalpern.com>
From: Martin Vigoureux <martin.vigoureux@nokia.com>
Message-ID: <8cc756da-e664-55b8-f22c-2ecd289e80dd@nokia.com>
Date: Tue, 19 Oct 2021 12:16:18 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0
In-Reply-To: <3c35465f-d7bd-b4dd-ee35-ae5da3c5c0cf@joelhalpern.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-GB
Content-Transfer-Encoding: 8bit
X-ClientProxiedBy: CH0PR04CA0071.namprd04.prod.outlook.com (2603:10b6:610:74::16) To AM6PR07MB5560.eurprd07.prod.outlook.com (2603:10a6:20b:6f::22)
MIME-Version: 1.0
Received: from [172.30.2.230] (131.228.2.20) by CH0PR04CA0071.namprd04.prod.outlook.com (2603:10b6:610:74::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4608.15 via Frontend Transport; Tue, 19 Oct 2021 10:16:26 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 794d16e0-0eec-41b6-dbda-08d992e9855a
X-MS-TrafficTypeDiagnostic: AM5PR0701MB2772:
X-Microsoft-Antispam-PRVS: <AM5PR0701MB2772F3782A02F4CF5DA254A38CBD9@AM5PR0701MB2772.eurprd07.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:9508;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: ykT7Z9JCFbCvZZueiPBKFP1WY9KQ38YdTpL+ldyT72G+G/m/0+m4rFJhne8RhpctAG6e5oqTrirTddThIEOFHiTU9Enz10XS1qsylXeG/vVqWwoof80B1TdU3Sd+/oGdRIluQu1kV4oIiCq7EqGcDozp0959yTbsSY6USdi8aTFxVUNsxonr6bHB4GaixSl3AGlCuhaNtCCZ9WnXT10ZUkhE9FD/AI5K8QTHMDHhBpBM8Cbv2tdpE5oL64CSBM8GmogT3wbBYgQdJLjhVKnUWj1Ym5n5UToSAiJLPwUXp8dvIBaKntYbWZACUd6Sdu6qubUlVa0MogMNvfOD0D0upV8He0YjRZdmagT45bFT+P7O5d6OmgG4cGPWt3ogUOh8CpnmWl9GS1PrXjhkogwo8YaZTwBnyWKfgJLJ2Q4A+/4CXsI2LAVooQfmRpCT7kqXZnvYE2HrryrCZ7zyKvRzRoJUz4uchAI/1VI8l7a+75dD4rWcMBDFKDzXMDCWDcnOitNVws6UBDO4MHvPB31eETv+zQrJuS6NZjBQCvgL7WnsaIGMRhDvYluQCm9OhRbWnOPqmHxSDYFVvc19a/YCwr3KKek6SoYP39tZGMYE8bPqo7uAsD4E3DQIJE/HVcm6A7EZxJ9BdEKWHHHQsHB5tCmDZwWEbBiUHrTQnq+AY6I4GDDivLTYBBonCZPzCKTTk8Du4q+dRSF9Jcnj08LZvTeue/AOsmjso52zWxDNYNOU1ZaYAqJ+iqrctSa1LtTNS/L8Zv+XFSWCJUFI27hjsA22bZkp+3+1031XFOeAq90fkFbTU5JL2Okwl41qXoCTYXhyFYED9KVFP6YgHSC0Y78f5FcjdnatbsKiGMFfncY=
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR07MB5560.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(6666004)(83380400001)(82960400001)(8936002)(26005)(66574015)(4326008)(508600001)(66556008)(53546011)(2616005)(956004)(66476007)(66946007)(52116002)(2906002)(30864003)(54906003)(16576012)(38100700002)(38350700002)(36756003)(110136005)(44832011)(8676002)(31696002)(31686004)(86362001)(5660300002)(186003)(316002)(6486002)(43740500002)(45980500001); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: S/aycOk0ngTnaYing68zPr7ukeu582rgmZV1zN2Xas1cUqVivsSTYTpIy+huuFK54wZofcYyYOJLA6rISrSXaHLwdYVK2DtDdu2nJ7D5rpwOFHjCOELZwqLbCT5xQB2Wj86udsocnfWIorsVQjqhDYqns6a6SXSxelmCUOJCR3SpImGxGhs9pJW+xTL+3/umiIz2rx7i3HQpK8Yz6PnBgcFYObcTMCn+Y85qONWlUip08DBADCDJ97sWQ9n1Zkfb7NexXlSIRJoGjVNjFuun3LYfvYztDnNaz593OADSU0KO7EYXCPywFEWFwCvABpUqfcY0LFmdyE0glUQ8PGa3rpxv0EBngveT4KREWb9LLmQ7b5VJWBlhvrVQ91thDP8oCbNHqBKwd9aa2fzaobMvBsOxV1R9tjEPjCcdiXAGDUJO+nw2ZpKYPxnqT3njUZdmJJrzfgwLt1TlvJSoSFWQaeHU6V9X15/z5M+QnbTHiSLW+BnVfWA7YtnW8afE6+zwcCTIqtbVRz+APJRMsmENtLxG5Gouno9+jMJqMJqymTCSQYM8fzphuwzUPKXN9wWBedxGi5t6WReePmbB+27XOa3TQUWwW+jTJkEXiEB2+0zVM19t2Crm9E6Cm9e+31WNcb7MyMPO+6+tUStT+1HP2vnGr/aswB4KZdOnLBfVAzPjoNiJwRoGZPQLorrjCfcTWxkUuavrujYG779bcTeciS/Hmp7eQndLk+ldZjOBvXhZsYXTh3LDTKGM/bv6L5GY7VsP7n2l4ZRbvdKy+iwmXH++DIgZBJYKBoPAZOJ8Ui10tIw4wZBQupI6ovD5iSg6Z2r8TQ29ltDMixcE1roHsq8KhQt2r6zzBdzGmpsfArHhp8AaUSOQnb+u7N87BuBQeQDHmD2t62H64v+Rfm6f/+/HU27RArMecGT4OrwkQLxM4waM4E2up/C2sTQwNLvW0DoTTkn9qvqG82zsqhvZKDsOyyxV+LFAidAuV92ixINP0cd6uQEX0obKcSvOL9lT5uqQCD2SIsQ5k0VHkdKUKW12Nh00kp8GFMSIn0UZK8dBwbRrC6QSBXaiVn50yG8QqiOyiM6kgSkOegO077WFW0xEfFbjhBgedY90t64okFx3U/6fmEoZ3CmnDbnqSjozzoIq4WkKhjNuYFushBVJmS6FRBqkZiZ1lbA0QOJ6r3pV8tJD6VPMnkRCZ0hHfm3uZucn08i7v54+hHR9Wb0/Z4XLtbsPos/0bIN9XV2zzq4OHUD1Sv7OfgUKXPY/HZC1IxLK5ko5ZTypL+X2LjvVY0p/GnXVQn/IjNesuL7uIyDmXlL5D0bHYY3wfBri8hve/dUrF5zUwV05ktv/k0uImbRsM9pc+xnltxK1z1ayalBIDTmCQNHaFhTGPPgk17KMRavDtf3kzGdVt0TTS9heoyHk5mUsvnPti+MHYGSDqMwLluTdr4UW/IJXWsDrp8yj
X-OriginatorOrg: nokia.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 794d16e0-0eec-41b6-dbda-08d992e9855a
X-MS-Exchange-CrossTenant-AuthSource: AM6PR07MB5560.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Oct 2021 10:16:31.7092 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 5d471751-9675-428d-917b-70f44f9630b0
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: martin.vigoureux@nokia.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5PR0701MB2772
Archived-At: <https://mailarchive.ietf.org/arch/msg/sfc/reeHpWcCUy9fNIp1TP2gETkSL60>
Subject: Re: [sfc] [Last-Call] Secdir last call review of draft-ietf-sfc-proof-of-transit-08
X-BeenThere: sfc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Service Chaining <sfc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sfc>, <mailto:sfc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sfc/>
List-Post: <mailto:sfc@ietf.org>
List-Help: <mailto:sfc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sfc>, <mailto:sfc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Oct 2021 10:16:42 -0000
Joel, I agree with your analysis. Franck, I don't think it is reasonable to expect the wg to produce actionable requirements on the security and/or operational aspects of such type of solution. I sadly don't have more useful suggestions than to either work with cfrg to come up with a solution which would work in domains where sfc is typically used or design a solution based on Christian's suggestion, but with possibly a limited scope of applicability. I suspect that any of these changes will require another round of review by the WG. -m Le 2021-09-28 à 19:15, Joel M. Halpern a écrit : > (Keeping the SFC group on copy in hopes they will prove me wrong.) > > I am not sure what to recommend here. Neither Jim nor I are in a > posiition to mediate a dispute about cryptography. > The document got through WG last call with barely sufficient support. > The odds of getting meaningful feadback if we ask the WG about the > problem scope are very low. We have had to push people to get enough > response to things on the charter that we commited to. > > If the proposed document does not work as written, then we shouldn't > progress it in its current form. As ntoed, getting meaningful WG > discussion of changes seems unlikely. > > Martin, if you have a suggestion, Jim and I (and presumably the WG) are > listening. > > Yours, > Joel > > On 9/28/2021 11:12 AM, Frank Brockners (fbrockne) wrote: >> Hi Christian, >> >> Thanks for the follow up – and the suggestion of an alternate >> approach. IMHO – and I checked with other authors, who voiced similar >> views – it would be best to follow your guidance and have the working >> group crispen up the requirements as well as assumptions for the >> operational environment and only then discuss and evaluate solution >> approaches. >> >> Depending on the target set of requirements and the operational >> environment, the WGcanchoose an appropriate approach with guidance >> fromCFRG. That could be, per what you suggest below, something much >> simpler from a control plane perspective - avoiding the complexities >> of SSS – with a data-plane as simple as what the draft currently >> suggests. That could also be another, yet to be determined approach, >> such as the approach based on nested encryption that the WG discussed >> before, or an SSS based approach with a polynomial per packet, etc. >> Hopefully we’ll get it right the next time. >> >> Martin, Jim, Joel – any thoughts and guidance from your end, on >> whether the document should be handed back to the working group? >> >> Thanks again, Frank >> >> *From:*Christian Huitema <huitema@huitema.net> >> *Sent:* Saturday, 25 September 2021 16:42 >> *To:* Frank Brockners (fbrockne) <fbrockne@cisco.com>; secdir@ietf.org >> *Cc:* shwetha.bhandari@gmail.com; last-call@ietf.org; Youell, Stephen >> <stephen.youell@jpmorgan.com>; sfc@ietf.org; >> draft-ietf-sfc-proof-of-transit.all@ietf.org; krishna.sashank@gmail.com >> *Subject:* Re: [Last-Call] Secdir last call review of >> draft-ietf-sfc-proof-of-transit-08 >> >> On 9/25/2021 4:20 AM, Frank Brockners (fbrockne) wrote: >> >> Hi Christian, >> >> Thanks for the follow-up. Please see below. >> >> -----Original Message----- >> >> From: Christian Huitema<huitema@huitema.net> >> <mailto:huitema@huitema.net> >> >> Sent: Friday, 24 September 2021 17:16 >> >> To: Frank Brockners (fbrockne)<fbrockne@cisco.com> >> <mailto:fbrockne@cisco.com>;secdir@ietf.org <mailto:secdir@ietf.org> >> >> Cc:shwetha.bhandari@gmail.com >> <mailto:shwetha.bhandari@gmail.com>;last-call@ietf.org >> <mailto:last-call@ietf.org>; Youell, Stephen >> >> <stephen.youell@jpmorgan.com> >> <mailto:stephen.youell@jpmorgan.com>;sfc@ietf.org >> <mailto:sfc@ietf.org>; draft-ietf-sfc-proof-of- >> >> transit.all@ietf.org >> <mailto:transit.all@ietf.org>;krishna.sashank@gmail.com >> <mailto:krishna.sashank@gmail.com> >> >> Subject: Re: [Last-Call] Secdir last call review of >> draft-ietf-sfc-proof-of-transit- >> >> 08 >> >> On 9/24/2021 1:39 AM, Frank Brockners (fbrockne) wrote: >> >> Hi Christian, >> >> Thanks a lot for the detailed follow-up. Please see inline. >> >> -----Original Message----- >> >> From: Christian Huitema<huitema@huitema.net> >> <mailto:huitema@huitema.net> >> >> Sent: Thursday, 23 September 2021 22:13 >> >> To: Frank Brockners (fbrockne)<fbrockne@cisco.com> >> <mailto:fbrockne@cisco.com>;secdir@ietf.org <mailto:secdir@ietf.org> >> >> Cc:shwetha.bhandari@gmail.com >> <mailto:shwetha.bhandari@gmail.com>;last-call@ietf.org >> <mailto:last-call@ietf.org>; Youell, Stephen >> >> <stephen.youell@jpmorgan.com> >> <mailto:stephen.youell@jpmorgan.com>;sfc@ietf.org >> <mailto:sfc@ietf.org>; draft-ietf-sfc-proof-of- >> >> transit.all@ietf.org <mailto:transit.all@ietf.org> >> >> Subject: Re: [Last-Call] Secdir last call review of >> >> draft-ietf-sfc-proof-of-transit- >> >> 08 >> >> On 9/23/2021 12:31 PM, Frank Brockners (fbrockne) wrote: >> >> Hi Christian, >> >> Thanks a lot for your detailed review. Please see >> inline. >> >> -----Original Message----- >> >> From: Christian Huitema via >> Datatracker<noreply@ietf.org> <mailto:noreply@ietf.org> >> >> Sent: Monday, 20 September 2021 05:48 >> >> To:secdir@ietf.org <mailto:secdir@ietf.org> >> >> >> Cc:draft-ietf-sfc-proof-of-transit.all@ietf.org >> <mailto:draft-ietf-sfc-proof-of-transit.all@ietf.org>; >> >> last-call@ietf.org >> <mailto:last-call@ietf.org>;sfc@ietf.org <mailto:sfc@ietf.org> >> >> Subject: Secdir last call review of >> >> draft-ietf-sfc-proof-of-transit-08 >> >> Reviewer: Christian Huitema >> >> Review result: Serious Issues >> >> I have reviewed this document as part of the >> security directorate's >> >> ongoing effort to review all IETF documents >> being processed by the >> >> IESG. These comments were written primarily >> for the benefit of the >> >> security >> >> area directors. >> >> Document editors and WG chairs should treat >> these comments just >> >> like any other last call comments. >> >> This document proposes a security mechanism to >> prove that traffic >> >> transited through all specified nodes in a >> path. The mechanism >> >> works by adding a short option to each packet >> for which transit >> >> shall be verified. The option consists of a >> random number set by >> >> the originator of the packet, and a sum field >> to which each transit >> >> node adds a value depending on public >> parameters, on the random >> >> number and on secrets held by the node. The >> destination has access >> >> to all the secrets held by the nodes on the >> path, and can verify >> >> whether or not the final sum corresponds to >> the sum of expected >> >> values. The proposed size >> >> of the random number and the sum field is 64 bits. >> >> In the paragraph above, I described the >> mechanism without >> >> mentioning the algorithm used to compute these >> 64 bit numbers. The >> >> 64 bit size is obviously a >> >> concern: for cryptographic applications, 64 >> bits is not a large >> >> number, and that might be a weakness whatever >> the proposed algorithm. >> >> The actual algorithm appears to be a bespoke >> derivation of Shamir's >> >> Secret Sharing algorithm (SSS). In other word, >> it is a case of >> >> "inventing your >> >> own crypto". >> >> ...FB: SSS is a well know algorithm and >> >> draft-ietf-sfc-proof-of-transit does not >> >> modify it. >> >> All draft-ietf-sfc-proof-of-transit does is to >> operationalize the >> >> SSS algorithm >> >> for the proof of transit use case. >> >> Also note that the draft does not require the use >> of 64 bit numbers. >> >> Nor does draft require a minimum time between >> changing the secrets. >> >> What particular attack are you concerned about >> where 64 bit numbers >> >> are a >> >> concern? >> >> SSS relies on the representation of >> polynomials as a sum of >> >> Lagrange Basis Polynomials. Each of the >> participating nodes holds a >> >> share of the secret represented by a point on >> the polynomial curve. >> >> A polynomial of degree K on the field of >> integers modulo a prime >> >> number N can only be revealed if at list K+1 >> participants reveal >> >> the value of their point. The safety of the >> algorithm relies on the >> >> size of the number N and on the fact that the >> secret shall be revealed only >> >> once. >> >> But the algorithm does not use SSS directly, >> so it deserves its own >> >> security >> >> analysis instead of relying simply on Shamir's work. >> >> The proposed algorithm uses two polynomials of >> degree K for a path >> >> containing >> >> K+1 nodes, on a field defined by a prime >> number N of 64 bits. One >> >> K+of the >> >> polynomial, POLY-1, is secret, and only fully >> known by the verifying node. >> >> The other, POLY-2 is public, with the constant >> coefficient set at a >> >> random value RND for each packet. >> >> For each packet, the goal is compute the value >> of POLY-1 plus >> >> POLY-2 at the point 0 -- that is, the constant >> coefficient of >> >> POLY-3 = POLY-1 + POLY- >> >> 2. >> >> Without going in too much details, one can >> observe that the >> >> constant coefficient of POLY-3 is equal to the >> sum of the constant >> >> coefficients of POLY-1 and POLY-2, and that >> the constant >> >> coefficient of POLY-2 is the value RND present >> in each packet. In >> >> the example given in section 3.3.2, the >> numbers are computed modulo >> >> 53, the constant coefficient of POLY-1 is 10, >> and the value RND is >> >> 45. The final sum CML is indeed >> >> 10 + 45 = 2 mod 53. >> >> To me, this appears as a serious weakness in >> the algorithm. If an >> >> adversary can observe the value RND and CML >> for a first packet, it >> >> can retrieve the constant coefficient of >> POLY-1, and thus can >> >> predict the value of CML for any other packet. >> That does not seem very >> >> secure. >> >> ...FB: There seems to be a bit of confusion or >> misreading of how the >> >> method >> >> works. In the above statement you seem to assume that >> the verifier >> >> would not be part of the proof-chain, so that the >> final CML value >> >> would be somehow exposed to an external entity along >> with RND. This >> >> is not the case. The verifier is the last node (k+1) >> in the proof-chain. >> >> At concept level, the method reconstructs the >> polynomial hop by hop, >> >> picking >> >> up a point on the curve at every hop. Only final node >> in the >> >> proof-chain, which is also the verifier, acts on the >> information of >> >> all the k+1 points and as such is able to reconstruct >> the polynomial. >> >> In section 3.2.1, the draft explicitly states that >> the verifier *is* >> >> part of the >> >> proof-chain: "Each of the k+1 nodes (including >> verifier) are assigned >> >> a point on the polynomial i.e., shares of the SECRET." >> The fact that >> >> the verifier, i.e., the last node in the proof-chain >> ("k+1"), can >> >> retrieve the secret, is desired and intentional, >> because the verifier >> >> needs to compare the result of the iterative >> construction of the secret with >> >> the secret value it received from the controller. >> >> This is how the system is designed, and the >> calculation of (10+45) >> >> mod 53 = 2 is part of the verification. >> >> OK. That's slightly less bad. But it is still very bad >> crypto, >> >> because you are effectively doing a linear combination. >> >> You are evaluating POLY-3 = POLY-1 + POLY-2 >> >> POLY-2 can be written as POLY-2 = RND + POLY-2-NC, in >> which POLY2-NC >> >> only contains the non constant terms -- that is, >> POLY-2-NC(0) = 0 >> >> Then for any point X, we get POLY-3(X) = POLY-1(X) + >> POLY2-NC(X) + >> >> RND For a given value Xj of X, this means we can >> express : POLY-3(Xj) >> >> = Vj + RND In which Vj is a constant term = POLY-1(Xj) >> + POLY2-NC(Xj) >> >> Each node will increment the cumul by the value LPCj * >> POLY-3(Xj) = >> >> LPCj >> >> * (Vj + RND) >> >> Suppose that an adversary can observe the value of CML >> before and >> >> after being incremented by node Xj. Suppose that it >> could do that >> >> twice. Then it has the >> >> values: >> >> CML1-before-j = C1b >> >> CML1-after-j = C1a >> >> D1 = C1a - C1b = LPCj * (Vj + RND1) >> >> CML1-before-j = C2b >> >> CML1-after-j = C2a >> >> D2 = C2a - C2b = LPCj * (Vj + RND2) >> >> D2-D1 = LPCj*(RND2-RND1) >> >> LPCj = (RND2-RND1)/(D2-D1) >> >> Vj = D2/LPCj - RND2 >> >> The inverse of numbers modulo a prime P is easily >> computed -- see >> >> Fermat's little theorem. >> >> Once the input and output of a node have been observed >> twice, it >> >> becomes easy to update the cumulative sum CML while >> bypassing these >> >> nodes. >> >> ...FB: This is great. Thanks for spelling out the >> details. You raise a good point: >> >> For the solution to make sense, we need to ensure that an >> attacker cannot >> >> observe the input and output of a node. >> >> To ensure this does not happen, we must require the >> communication to/from >> >> the node to be encrypted, e.g., through link layer encryption >> of at least the >> >> proof-of-transit data fields. >> >> We'll add this requirement to the draft - and also detail >> the threat you describe >> >> above in detail in the security considerations section. >> >> That still will not be sufficient, because you also have to >> deal with the nodes >> >> themselves. By definition, they see the intermediate results >> of other nodes. For >> >> example, if the function chain is A->B->C->D->E, the node B >> sees the output of B >> >> and the node D sees the input of D. If B and D collude, they >> have access to the >> >> input and output of C. They can easily find the secrets of C, >> and then execute a >> >> chain A->B---->D->E in which the input of D is "corrected" to >> hide the absence of >> >> C from the evaluator E. >> >> Thanks much. You raise another valid point and we will add it to >> the security considerations section. >> >> That said, IMHO we'd need to put the scenario you raise into >> perspective: >> >> If the nodes B and D would be compromised by an attacker, the >> deployment would face a much more serious security issue than what any >> proof-of-transit method could protect against. >> >> The linear combination scheme in the draft is not sound >> crypto. My >> >> recommendation is to present the problem and the threat model >> clearly to the >> >> crypto community, for example by presenting to the CFRG, and >> solicit advice on >> >> better algorithms. >> >> There has been quite a bit of discussion on proof of transit in >> several WGs, even before the SFC WG picked it up. And the SFC working >> group has considered different approaches early on in the solution >> specification, including e.g., using nested encryption, which is >> probably more in line with your preferences. >> Seehttps://datatracker.ietf.org/doc/html/draft-ietf-sfc-proof-of-transit-01#section-3.5.1 >> <https://datatracker.ietf.org/doc/html/draft-ietf-sfc-proof-of-transit-01#section-3.5.1>. >> From my recollection of the discussion - others please chime in - one >> main reason of why the current approach was chosen was its >> computational simplicity, i.e., hardware platforms which do not >> support native encryption capabilities like AES-NI can implement it >> without considerable impact on the computational latency. So in other >> words, the current method is the result of a trade-off decision. >> >> We are discussing mathematics, not opinions. It is not a matter of >> preferences, it is a matter of threat model. The draft that I reviewed >> does not mention that the scheme should only be used in a benign >> environment in which no attacker can see the traffic and all nodes are >> fully trusted to not try gaming the system. The proposed scheme uses >> crypto vocabulary, with references to SSS and use of terms like >> "proof" or "cryptanalysis". Indeed, the header paragraph of the >> security considerations says: >> >> POT is a mechanism that is used for verifying the path through which >> >> a packet was forwarded. The security considerations of IOAM in >> >> general are discussed in [I-D.ietf-ippm-ioam-data]. Specifically, it >> >> is assumed that POT is used in a confined network domain, and >> >> therefore the potential threats that POT is intended to mitigate >> >> should be viewed accordingly. POT prevents spoofing and tampering; >> >> an attacker cannot maliciously create a bogus POT or modify a >> >> legitimate one. Furthermore, a legitimate node that takes part in >> >> the POT protocol cannot masquerade as another node along the path. >> >> These considerations are discussed in detail in the rest of this >> >> section. >> >> The previous discussions have shown that an attacker CAN "maliciously >> create a bogus POT or modify a legitimate one", provided it is able to >> see the traffic, or some of the traffic. The discussions also show >> that "a legitimate node that takes part in the POT protocol" CAN >> "masquerade as another node along the path". Contrary to statements in >> the "cryptanalysis" section, "A passive attacker observing CML values >> across nodes (i.e., as the packets entering and leaving)" CAN >> "perform differential analysis". The attack cannot "be mitigated using >> a good PRNG for generating RND". >> >> If the system was only designed for operation in a "benign >> environment" and you were only concerned with detecting operation >> failures, I am pretty sure that you could come out with something less >> complicated. For example you could exploit the analysis that I made to >> radically simplify the implementation and describe the scheme as "CML >> = Sum (Xj*RNDp)", where Xj is a secret coefficient provisioned to node >> j, and RNPp is per packet random number. The verification by the >> evaluator will check that "RND == CML + Xe*RND", where "Xe = 1 - Sum >> Xj". That would get you an easy-to-implement checksum. But you would >> need to be very clear about the domain of application, and the failure >> mode if the traffic can be observed or nodes can be compromised, and >> the draft should probably drop the references to Shamir's SSS, because >> they just obfuscate the analysis. >> >> -- Christian Huitema >> >
- [sfc] Secdir last call review of draft-ietf-sfc-p… Christian Huitema via Datatracker
- Re: [sfc] Secdir last call review of draft-ietf-s… Frank Brockners (fbrockne)
- Re: [sfc] [Last-Call] Secdir last call review of … Christian Huitema
- Re: [sfc] [Last-Call] Secdir last call review of … Frank Brockners (fbrockne)
- Re: [sfc] [Last-Call] Secdir last call review of … Christian Huitema
- Re: [sfc] [Last-Call] Secdir last call review of … Frank Brockners (fbrockne)
- Re: [sfc] [Last-Call] Secdir last call review of … Christian Huitema
- Re: [sfc] [Last-Call] Secdir last call review of … Frank Brockners (fbrockne)
- Re: [sfc] [Last-Call] Secdir last call review of … Joel M. Halpern
- Re: [sfc] [Last-Call] Secdir last call review of … Martin Vigoureux