Re: [tcpm] Roman Danyliw's No Objection on draft-ietf-tcpm-ao-test-vectors-08: (with COMMENT)

"touch@strayalpha.com" <touch@strayalpha.com> Fri, 04 March 2022 03:16 UTC

From: "touch@strayalpha.com" <touch@strayalpha.com>
In-Reply-To: <B2284857-0A00-454F-A3F5-A2E234FAED11@strayalpha.com>
Date: Thu, 03 Mar 2022 19:16:11 -0800
Cc: The IESG <iesg@ietf.org>, draft-ietf-tcpm-ao-test-vectors@ietf.org, tcpm-chairs@ietf.org, tcpm@ietf.org, michael.scharf@hs-esslingen.de
Message-Id: <FCCDC6FA-E2CD-419A-92DC-68CC9980BF0D@strayalpha.com>
References: <164624617425.17940.4257598685672395625@ietfa.amsl.com> <B2284857-0A00-454F-A3F5-A2E234FAED11@strayalpha.com>
To: Roman Danyliw <rdd@cert.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/dxPH7Kn6i6ntKi4OtbmYI6jBLKg>

Hi, Roman,

On the two points below, I discussed it with Juhamatti and we have an updated response:

- the ISNs will be listed at the front of each section, for convenience

- HOWEVER, the test vectors are the definitive information; it is important only that they be verified. It is not typical for most TCP implementations to easily control the ISN, so these are NOT intended as configurations. However, if they were used as such, we provide the ISNs that would be used for configuration.

- as to the specific information on how to compose the information to create the MKT PRF inputs, it seems prudent to not provide that as an example. Such duplication of information from RFC 5926 provides implementation details that should never be necessary in practice. These vectors are for testing code only.

As a result, the update just issued includes the ISNs in each section but omits the detail on how the connection info is composed to create the MKT input.

Please let us know if these positions are problematic or if you would like to discuss them further.

Joe

—
Dr. Joe Touch, temporal epistemologist
www.strayalpha.com

> On Mar 2, 2022, at 3:06 PM, touch@strayalpha.com wrote:
> 
> Hi, Roman,
> 
> Thanks for your review. Comments below.
> 
> Joe
> 
> —
> Dr. Joe Touch, temporal epistemologist
> www.strayalpha.com
> 
>> On Mar 2, 2022, at 10:36 AM, Roman Danyliw via Datatracker <noreply@ietf.org> wrote:
>> 
>> Roman Danyliw has entered the following ballot position for
>> draft-ietf-tcpm-ao-test-vectors-08: No Objection
>> 
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>> 
>> 
>> Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
>> for more information about how to handle DISCUSS and COMMENT positions.
>> 
>> 
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-tcpm-ao-test-vectors/
>> 
>> 
>> 
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>> 
>> Thank you for making this document to help validate implementations.
>> 
>> Thank you to Christian Huitema for the SECDIR review.
>> 
>> I didn’t not validate all of the examples.
>> 
>> ** Section 3.1.5.  Since ISNs are part of the context needed to make the
>> traffic key (per Section 5.2 of RFC5925), should some statement be made about
>> their values in these example packets?
> 
> Yes - thanks for catching that; v09 will address this issue and correct the text in the known issues area (which is confusing on this point). 
> 
>> ** Given the observed implementation errors noted in Section 8, consider
>> including a single detailed example per algorithm of how the appropriate
>> traffic key and MAC would be computed in an appendix.  For example, considering
>> Section 4.1.1, such a detailed example showing how to compute the traffic key
>> could be:
> 
> Thanks - that’s a great suggestion. I’ll add that too.
> 
>> 
>> (fixed format font required to read it)
>> 
>> ==[ snip ]==
>> Master_key: "testvector" (74 65 73 74 76 65 63 74 6F 72)
>> KDF_Alg: KDF_HMAC_SHA1
>> IPv4/TCP Packet:
>> 
>>     45 e0 00 4c dd 0f 40 00 ff 06 bf 6b 0a 0b 0c 0d
>>     ac 1b 1c 1d e9 d7 00 b3 fb fb ab 5a 00 00 00 00
>>     e0 02 ff ff ca c4 00 00 02 04 05 b4 01 03 03 08
>>     04 02 08 0a 00 15 5a b7 00 00 00 00 1d 10 3d 54
>>     2e e4 37 c6 f8 ed e6 d7 c4 d6 02 e7
>> 
>> Source IP (sip): 10.11.12.13 (0A 0B 0C 0D)
>> Destination IP (dip): 172.27.28.29 (AC 1B 1C 1D)
>> Source Port (sport): 59863 (E9 D7)
>> Destination Port (dport): 179 (00 B3)
>> Source ISN (sisn): FB FB AB 5A
>> Destination ISN (disn): 00 00 00 00
>> 
>> Send_SYN_traffic_key
>> = KDF_alg(master_key, input)
>> = HMAC-SHA1(master_key, i || Label || Context || Output_Length)
>> 
>> i = 1 (01)
>> Label= TCP-AO (54 43 50 2D 41 4F)
>> Context = sip || dip || sport || dport || sisn || disn
>>        = 0A 0B 0C 0D AC 1B 1C 1D E9 D7 00 B3 FB FB AB 5A 00 00 00 00
>> Output_Length = 160 bits (00 A0)
>> 
>> Send_SYN_traffic_key
>> = HMAC-SHA1 ( 74 65 73 74 76 65 63 74 6F 72,
>>              01 54 43 50 2D 41 4F 0A 0B 0C 0D AC 1B 1C 1D E9 D7
>>              00 B3 FB FB AB 5A 00 00 00 00 00 A0 )
>> = 6d 63 ef 1b 02 fe 15 09 d4 b1 40 27 07 fd 7b 04 16 ab b7 4f
>> ==[ snip ]==
>> 
>> 
>> 
>
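
The traffic-key derivation walked through in the quoted ballot comment, as an added Python example that is not part of the original thread or of the draft: it parses the quoted SYN packet, composes the Context, and checks the result against the key value given in the comment. The function names are hypothetical, and only the initial SYN case (disn of zero) is handled.

```python
import hashlib
import hmac
import struct

# SYN packet bytes exactly as quoted in the ballot comment (IPv4 header + TCP segment).
SYN_PACKET = bytes.fromhex(
    "45e0004cdd0f4000ff06bf6b0a0b0c0d"
    "ac1b1c1de9d700b3fbfbab5a00000000"
    "e002ffffcac40000020405b401030308"
    "0402080a00155ab7000000001d103d54"
    "2ee437c6f8ede6d7c4d602e7"
)
MASTER_KEY = b"testvector"


def syn_context(packet: bytes) -> bytes:
    """Compose Context = sip || dip || sport || dport || sisn || disn from an IPv4 SYN."""
    if len(packet) < 40 or packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (packet[0] & 0x0F) * 4  # IPv4 header length in bytes
    sip, dip = packet[12:16], packet[16:20]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    is_syn, is_ack = off_flags & 0x002, off_flags & 0x010
    if not is_syn or is_ack:
        raise ValueError("only an initial SYN is handled in this example")
    # On the initial SYN the peer's ISN is not yet known, so disn is all zeros.
    return sip + dip + struct.pack("!HHII", sport, dport, seq, 0)


def kdf_input(context: bytes, out_bits: int = 160) -> bytes:
    """Input layout from the quoted comment: i || Label || Context || Output_Length."""
    return b"\x01" + b"TCP-AO" + context + struct.pack("!H", out_bits)


def send_syn_traffic_key(master_key: bytes, packet: bytes) -> bytes:
    """KDF_HMAC_SHA1 with a single iteration (i = 1), giving a 160-bit traffic key."""
    data = kdf_input(syn_context(packet))
    return hmac.new(master_key, data, hashlib.sha1).digest()


if __name__ == "__main__":
    print("Context:    ", syn_context(SYN_PACKET).hex(" "))
    print("Traffic key:", send_syn_traffic_key(MASTER_KEY, SYN_PACKET).hex(" "))
```
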