Re: [Tsv-art] Tsvart early review of draft-ietf-mls-protocol-16
Gorry Fairhurst <gorry@erg.abdn.ac.uk> Sat, 24 September 2022 07:35 UTC
Return-Path: <gorry@erg.abdn.ac.uk>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E805C1522CC; Sat, 24 Sep 2022 00:35:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yb5U4afVOkuu; Sat, 24 Sep 2022 00:35:14 -0700 (PDT)
Received: from pegasus.erg.abdn.ac.uk (pegasus.erg.abdn.ac.uk [137.50.19.135]) by ietfa.amsl.com (Postfix) with ESMTP id 79A24C14F725; Sat, 24 Sep 2022 00:35:11 -0700 (PDT)
Received: from [192.168.1.64] (fgrpf.plus.com [212.159.18.54]) by pegasus.erg.abdn.ac.uk (Postfix) with ESMTPSA id DA15A1B001B6; Sat, 24 Sep 2022 08:35:02 +0100 (BST)
Content-Type: multipart/alternative; boundary="------------VKWhS8RWF3YaV0EoAsSfQiA4"
Message-ID: <884b31e9-c706-bfdf-966c-9915fc8ab4f2@erg.abdn.ac.uk>
Date: Sat, 24 Sep 2022 08:35:01 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:102.0) Gecko/20100101 Thunderbird/102.2.2
To: Richard Barnes <rlb@ipv.sx>
Cc: tsv-art@ietf.org, draft-ietf-mls-protocol.all@ietf.org, mls@ietf.org
References: <166394376022.63378.259884919318909492@ietfa.amsl.com> <CAL02cgRey098weHGtQDoPfSMOc6unW3Xg7kqanKDVrDq_jms_g@mail.gmail.com>
From: Gorry Fairhurst <gorry@erg.abdn.ac.uk>
In-Reply-To: <CAL02cgRey098weHGtQDoPfSMOc6unW3Xg7kqanKDVrDq_jms_g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/Naab4lutyNFypMjGrSt6157ikh4>
Subject: Re: [Tsv-art] Tsvart early review of draft-ietf-mls-protocol-16
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Sep 2022 07:35:18 -0000
On 23/09/2022 21:12, Richard Barnes wrote: > Hi Gorry, > > Thanks for taking a look at the document. I've posted a PR with some > edits: > > https://github.com/mlswg/mls-protocol/pull/747 > > A couple of replies inline... > > On Fri, Sep 23, 2022 at 10:36 AM Gorry Fairhurst via Datatracker > <noreply@ietf.org> wrote: > > Reviewer: Gorry Fairhurst > Review result: On the Right Track > > This is an early review of draft-ietf-mls-protocol-16, which seeks > to specify a > key establishment protocol to provide scalable efficient > asynchronous group key > establishment. This document seems to define a component that > could be used to > build or operate over an Internet transport. The focus is on security > algorithms and procedures. There are some issues that > > Major Issue: This would have been easier to understand if there > was a section > that described the transport requirements of the messages. This > makes me wonder > what transport service is actually needed? - Can the underlying > transport > reorder messages? Is loss tolerated or reliability required? Are > there any > requirements on message size? etc. A brief paragraph explicitly > explaining the > requirements would help. > A later statement says, which appears to suggest any service can > be used: "MLS > is an encrypted messaging layer designed to be transmitted over > arbitrary lower > layer protocols....." > > I note draft-ietf-mls-architecture states: "MLS is not intended as > a full > instant messaging protocol but rather is intended to be embedded > in concrete > protocols, such as XMPP [RFC6120]." This could form a part of such an > explanation, if it applies to this ID also? > > > Yes, all of the transport considerations in > draft-ietf-mls-architecture apply here. The documents are a pair, as > noted here > <https://www.ietf.org/archive/id/draft-ietf-mls-protocol-16.html#section-3>. > If you have thoughts on how to express that more clearly, suggestions > would be welcome. I am unsure what "broadcast" means in that list, i.e.: * Broadcast delivery of Proposal and Commit messages to members of a group As a transport/network person, "Broadcast to a group" seems to be "multicast to a group" . > > Basically, the main constraint that MLS imposes is that all group > messages process the same sequence of Commit messages in the same > order. (Proposal and Application messages can arrive out of order.) > > https://www.ietf.org/archive/id/draft-ietf-mls-protocol-16.html#name-sequencing-of-state-changes > > I think for the most part, folks are envisioning MLS being run at the > application layer, carried over something like HTTP / WebSockets (this > is how Webex does things, for example), with the ordering above > provided by an application-layer broker and normal "transport-layer" > requirements addressed lower much in the stack. In principle, you > could design a system that ran MLS directly over say TCP, but you > would need a way to meet the Commit criterion. As a transport person, knowing whether there are message ordering requirements and whether the are message reliability requirements, maybe this could be said somewhere. I thought that could be a case, you will know if it is appropriate to add these to the list. > > Major Issue: The document targets PS, but the version I reviewed > added a > "DISCLAIMER: This is a work-in-progress draft of MLS and has not > yet seen > significant security analysis. It should not be used as a basis > for building > production systems." - Why is the final document proposed as a PS > rather than > EXP, if this is not for general deployment? Or is this clause to > be removed by > RFC-Ed? > > > That disclaimer is standard on security protocols that are in-progress > (following the pattern of TLS 1.3). MLS has received significant > security analysis by this point, so I'll remove it. > OK > > Major Issue: From a transport perspective, there are issues in the > statement > providing insufficient guidance on selecting a rate: "Update > messages SHOULD be > sent at regular intervals of time as long > as the group is active, and members that don't update SHOULD > eventually be removed from the group. It's left to the application > to determine an appropriate amount of time between Updates." > - One possible way to address this is to state that the messages > are either > sent over a congestion-controlled transport or the maximum > aggregate rate of > messages falls within a specific guideline as defined in RFC8085, > or some other > BCP with similar advice on rate selection. > > > As noted above, I expect that in most cases, MLS will be operated a > few layers above a transport that has congestion control. And I think > the intervals people have in mind here are on the order of days, not > milliseconds. But I'll try to clarify this. > That would likely address the issue. > > Minor: " Application messages MAY be padded to provide some > resistance against > traffic analysis techniques over encrypted traffic [CLINIC] > [HCJ16]." - Padding > is a well known technique - it can have benefits and also have > drawbacks, e.g. > in efficiency of transmission and for message-based transfers in > reducing > robustness to paths that have limited PMTU, where larger messages > can be > dropped. > > > Added a note about this. > > Minor: " A receiver MUST verify that there are no non-zero > bytes in the padding field, and if this check fails, the enclosing > MLSCiphertext MUST be rejected as malformed." - I don't doubt > that this is > useful, but it would be helpful to add a sentence to explain > why these are > required to be encoded as zero. > > > Added a note about this. > > On Fri, Sep 23, 2022 at 10:36 AM Gorry Fairhurst via Datatracker > <noreply@ietf.org> wrote: > > Reviewer: Gorry Fairhurst > Review result: On the Right Track > > This is an early review of draft-ietf-mls-protocol-16, which seeks > to specify a > key establishment protocol to provide scalable efficient > asynchronous group key > establishment. This document seems to define a component that > could be used to > build or operate over an Internet transport. The focus is on security > algorithms and procedures. There are some issues that > > Major Issue: This would have been easier to understand if there > was a section > that described the transport requirements of the messages. This > makes me wonder > what transport service is actually needed? - Can the underlying > transport > reorder messages? Is loss tolerated or reliability required? Are > there any > requirements on message size? etc. A brief paragraph explicitly > explaining the > requirements would help. > > A later statement says, which appears to suggest any service can > be used: "MLS > is an encrypted messaging layer designed to be transmitted over > arbitrary lower > layer protocols....." > > I note draft-ietf-mls-architecture states: "MLS is not intended as > a full > instant messaging protocol but rather is intended to be embedded > in concrete > protocols, such as XMPP [RFC6120]." This could form a part of such an > explanation, if it applies to this ID also? > > Major Issue: The document targets PS, but the version I reviewed > added a > "DISCLAIMER: This is a work-in-progress draft of MLS and has not > yet seen > significant security analysis. It should not be used as a basis > for building > production systems." - Why is the final document proposed as a PS > rather than > EXP, if this is not for general deployment? Or is this clause to > be removed by > RFC-Ed? > > Major Issue: From a transport perspective, there are issues in the > statement > providing insufficient guidance on selecting a rate: "Update > messages SHOULD be > sent at regular intervals of time as long > as the group is active, and members that don't update SHOULD > eventually be removed from the group. It's left to the application > to determine an appropriate amount of time between Updates." > - One possible way to address this is to state that the messages > are either > sent over a congestion-controlled transport or the maximum > aggregate rate of > messages falls within a specific guideline as defined in RFC8085, > or some other > BCP with similar advice on rate selection. > > Minor: " Application messages MAY be padded to provide some > resistance against > traffic analysis techniques over encrypted traffic [CLINIC] > [HCJ16]." - Padding > is a well known technique - it can have benefits and also have > drawbacks, e.g. > in efficiency of transmission and for message-based transfers in > reducing > robustness to paths that have limited PMTU, where larger messages > can be > dropped. > > Minor: " A receiver MUST verify that there are no non-zero > bytes in the padding field, and if this check fails, the enclosing > MLSCiphertext MUST be rejected as malformed." - I don't doubt > that this is > useful, but it would be helpful to add a sentence to explain > why these are > required to be encoded as zero. > > It appears this would be resolved in the PR that I reviewed. > > _______________________________________________ > Tsv-art mailing list > Tsv-art@ietf.org > https://www.ietf.org/mailman/listinfo/tsv-art I hope this was helpful, and look forward to seeing a new version of this in the future, Best wishes, Gorry
- [Tsv-art] Tsvart early review of draft-ietf-mls-p… Gorry Fairhurst via Datatracker
- Re: [Tsv-art] Tsvart early review of draft-ietf-m… Richard Barnes
- Re: [Tsv-art] Tsvart early review of draft-ietf-m… Gorry Fairhurst