Re: [TLS] Are we holding TLS wrong?

"Hannes Tschofenig" <Hannes.Tschofenig@gmx.net> Thu, 08 November 2018 04:53 UTC

Return-Path: <Hannes.Tschofenig@gmx.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10285130E2D; Wed, 7 Nov 2018 20:53:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.875
X-Spam-Level:
X-Spam-Status: No, score=-1.875 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K9tSpw6aqmlk; Wed, 7 Nov 2018 20:53:34 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 938E7130DFF; Wed, 7 Nov 2018 20:53:26 -0800 (PST)
Received: from [31.133.154.159] ([31.133.154.159]) by web-mail.gmx.net (3c-app-gmx-bs74.server.lan [172.19.170.217]) (via HTTP); Thu, 8 Nov 2018 05:53:20 +0100
MIME-Version: 1.0
Message-ID: <trinity-2d31619c-321d-45a0-8871-385bd95fb8aa-1541652800774@3c-app-gmx-bs74>
From: "Hannes Tschofenig" <Hannes.Tschofenig@gmx.net>
To: "Fossati, Thomas (Nokia - GB/Cambridge)" <thomas.fossati@nokia.com>
Cc: "David Schinazi" <dschinazi.ietf@gmail.com>, "draft-ietf-babel-dtls@ietf.org" <draft-ietf-babel-dtls@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Content-Type: text/html; charset=UTF-8
Date: Thu, 8 Nov 2018 05:53:20 +0100
Importance: normal
Sensitivity: Normal
In-Reply-To: <20181108043010.GA11967@nokia.com>
References: <CAPDSy+7-ceNNLJpFK0Z4SitBaUgxTpxiea8Z0QtpeSr+MNLKFg@mail.gmail.com> <20181108043010.GA11967@nokia.com>
X-UI-Message-Type: mail
X-Priority: 3
X-Provags-ID: V03:K1:lsky+gAv+FGPV/Sz2py1WvX3ZsPnYZAvQKgDJoZ+xsivnMMdnAofvPWAYgUmfo8cTpgdf O/6RjE6qPjVazIDrPKldZxFoLGq1m206mZ/PHH9nf72Eti3VP0yncV/2aBL1He3HiPS4oRNcc1w6 hJbde0LnlRvntfu9tyKWOVVF12elqf0Sy/LM7nwRYm80t565Tht5LMJzYOrxRsT98noj94OGy4d+ pzKzQ0+vdolbl0XjGAyhHIRaMD84nrSyl36Vw/hOgC0g9wRcMxCaUpSjNAms5xtoTx+r6s6UUBZm XM=
X-UI-Out-Filterresults: notjunk:1;V01:K0:78Dx8oNuuyg=:Djh3ujhl+x6kqz5Qo9eFTQ tSD0brcfOO9+gepEoW8EQBw1UjKZam4BO6inJIFqwAskvSGQPTXinwaWufkBMQxRcsF/Z0nSK 6RrBjLs6itb2KbNx9q7xwF2ABd+itNferNnlvy4Tp30XuW7FHU5FTlz9hJd47B5+XsCBxQtxq l72x9Zo16rvtecN7C2ezMu8W7qp1TziYTQ82fiJ13nD12TDXC31OkH3uEvVBeqUJZl4p3+rus 7ONejUI8aSmUi8agI0vWAVaujEV36eroW6GUtWqGLD6fd9qbC/ey7FMJkeld71WRRAqtjj1fT y8XuGglvPFgvlW2ySQud7qvFlbU5+sn7+qREfZ4C2W9WQKv986vnyj/EuTT2wj9YNX9suLB0x hyqBAaSQSyhJ7/G2HehcAwLfaty0tAEPpTcO11eAkxrVbs3zM6A73zQPPhQ3pMosdwddGhcLo 8/psaSfGtFOeb8FlhXo/iXmzUJrlYu8XFpdu4Uxm842duBfPg9NaGfzX1ZeRmRH7EJhRJ4b87 YAEMdNU+bPJNDQI/gPevZjpiagPnNi6mUXTYw+eYaXhANKkQX0a5gYaJnG2/QJiE2aO1k8aut hVXm2eo2BNF8c=
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/5ODW67mNcy0LhjxEQuKLYYe072w>
Subject: Re: [TLS] Are we holding TLS wrong?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Nov 2018 04:53:37 -0000

I took a quick look at the document and I don't know Babel. 
 
I see that you have two different proposals for securing Babel messages, namely 
* DTLS, and 
* a custom format offering integrity protection only. 
 
You correctly note in the document that DTLS offers more features. It is an authentication and key exchange protocol.  
 
One option to explore is to use DTLS to perform authentication and key exchange then use your custom format for integrity protection of packets with the keys exported from DTLS. Design-wise this approach is similiar to what we have done with DTLS-SRTP. This would also allow you to cover the multicast security case. 
 
Ciao
Hannes
 
Gesendet: Donnerstag, 08. November 2018 um 11:30 Uhr
Von: "Fossati, Thomas (Nokia - GB/Cambridge)" <thomas.fossati@nokia.com>
An: "David Schinazi" <dschinazi.ietf@gmail.com>
Cc: "draft-ietf-babel-dtls@ietf.org" <draft-ietf-babel-dtls@ietf.org>rg>, "tls@ietf.org" <tls@ietf.org>
Betreff: Re: [TLS] Are we holding TLS wrong?
Hi David,

A few quick notes below.

Cheers

The 11/08/2018 09:14, David Schinazi wrote:
> Hi everyone,
>
> Over in the Babel working group we have a draft about securing Babel with
> DTLS:
> https://tools.ietf.org/html/draft-ietf-babel-dtls-01" target="_blank" rel="nofollow">https://tools.ietf.org/html/draft-ietf-babel-dtls-01
>
> It's 5 pages long, could any TLS experts please give it a quick read and
> let us know if we're using DTLS correctly?
>
> Also, should the document contain guidance such as which DTLS version to
> use?
>
> Thanks,
> David

Premise: I don't know Babel -- apologies for any nonsense!

One high level thing which I can't extrapolate from the draft (which is
probably due to my ignorance with Babel) is whether you envisage that
*every* node does DTLS on the unicast channel, IOW that non-DTLS nodes
are excluded from the mesh? Or would it be acceptable to mesh HMAC and
DTLS neighbours? What about clear-text speakers? (It'd seem unwise to
let them in an otherwise secured enclave.)

You should probably provide some guidance about the kind of
credentials do you plan to use (certs, raw pkeys)?

It seems to me that the P2P nature of the protocol requires mutual
authentication, could you confirm it? This seems to be a critical thing
to prevent a rogue node to spoof the lowest (highest, I have already
forgot, sorry) L-L address in a clear-text multicast Hello and bypass
authentication.

- s2.1
"Nodes SHOULD ensure that new client DTLS connections use different
ephemeral ports from recently used connections to allow servers to
differentiate between the new and old DTLS connections."

Maybe you could suggest using a sufficiently entropic connection id here
as a more robust alternative.

- s2.5
Not sure what the ceremonies around flushing a neighbor are, but I'd
make explicit signalling EOD at least a SHOULD? It seems more polite
:-)

- s.3
Not sure which TLS stack Babel nodes will use (are you targeting
extremely constrained devices with custom TLS implementations?), but all
the stacks I know of let the application set the MTU and take care of
splitting the messages in MTU sized chunks transparently.

--
Thomas
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls" target="_blank" rel="nofollow">https://www.ietf.org/mailman/listinfo/tls