Re: [Tsv-art] Tsvart telechat review of draft-ietf-uta-rfc7525bis-09
Peter Saint-Andre <stpeter@stpeter.im> Thu, 14 July 2022 15:16 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2F1AC1388CD; Thu, 14 Jul 2022 08:16:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.127
X-Spam-Level:
X-Spam-Status: No, score=-2.127 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=stpeter.im header.b=KI+NKgew; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=mcBz7/du
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EIZhriG4d6dK; Thu, 14 Jul 2022 08:16:06 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3570FC138FA3; Thu, 14 Jul 2022 08:16:06 -0700 (PDT)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 9FC795C00A4; Thu, 14 Jul 2022 11:16:05 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute5.internal (MEProxy); Thu, 14 Jul 2022 11:16:05 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=stpeter.im; h=cc :cc:content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm1; t=1657811765; x= 1657898165; bh=lgxBdZopdlGVVvoF0JUX6rbZSEVgzS8QBUJka9m4U20=; b=K I+NKgewNu6kxIBLLDJDla1kOGPGQ8rwzfEQnqFCKsmWsGOURrc6MRIoMh/7VLb6S cOQDjSkjVF5CcJA+k/+wuOnERP5hedFeVBiSyAaX8iMtL/h1s3pwtW5wyuFEXJX2 mJdtHEMYoCPy5ZHoV0oI0K/bUc9BXsZ/fmZLP1dzopmxMfBLi0nMb2KuFFtibKGV LAdhbycMNDptLVKOKfsvrNadFtS99wlaU6DgeKJLA/Bb944OOx3dGeKcKduHLbFX RNer1u7hEwq7FmnTONZiIT01f4HE6bNMxK4Ur2kIUjyD2Dyv7nhWDVHguuVjnsTn uHG6VT+MKonfC+QxT6ltg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1657811765; x= 1657898165; bh=lgxBdZopdlGVVvoF0JUX6rbZSEVgzS8QBUJka9m4U20=; b=m cBz7/du2vE+iKuR4uDvGX1c6lo3zo5kqEcPDh4GWkPE4tZYUVMkdV2qP4j6+c635 sfdNBCH6BW5GrGtXxf4j0UH6tEeq4RsiTRvgzhE6xI0f0lFnJ2b1Mjd4jos1oht+ YG99+sdP4nkZ/iYAf5SPCN1X/CPi7Q4sIWiTewc41ScHPIfBcjdq1cpVBC9b6jkH BdKzppKVuOxKbI9K+VP49Kimd+5xDLnSmzFR48qWkyXn4u0+BTozBCnm56OAi5Yb I+NIJ5hIDbeFQXtrTyjtzsPKIWKfiRNoHR898MNhZ2eh+2/bFpzvm604fC6hVaBv yw9JvE0mWspNEztS+4PsQ==
X-ME-Sender: <xms:NTPQYi3N4MChJL5cNOSpMh30fKBBogz1YBSvUM0C8Oek-tG5d1rM9Q> <xme:NTPQYlHmf4scDi_utzPu0aafLWeEILRAZhX6-Lc8m8WEaWdZ667x_uWrktAB2tO71 FtceUedI220PABYDw>
X-ME-Received: <xmr:NTPQYq4ubtYm5tw7b4Te3Yys6JTh_0venZfsOs9ZcpdBaoDaYjtP8neiXBwD>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrudejledgkeejucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepkfffgggfuffvvehfhfgjtgfgsehtkeertddtfeejnecuhfhrohhmpefrvght vghrucfurghinhhtqdetnhgurhgvuceoshhtphgvthgvrhesshhtphgvthgvrhdrihhmqe enucggtffrrghtthgvrhhnpeegheegjeegieegudfgieegueefledtgeehgfevgfdtudeg hfefvefgudejledtfeenucffohhmrghinhepfhhirhgvvgihvgdrtghomhdpghhithhhuh gsrdgtohhmpdhivghtfhdrohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgr mhepmhgrihhlfhhrohhmpehsthhpvghtvghrsehsthhpvghtvghrrdhimh
X-ME-Proxy: <xmx:NTPQYj2gJXzHhAPY8-xxmYDaJap8IJ9gU7RvTNgchXb-uR7bzWcXig> <xmx:NTPQYlHMe4TZJwG44rtYXpqzLNG7MdtEB-rP_79Fx_vH1uw7In12yg> <xmx:NTPQYs9g2bvfH11r9Q6EkB-HrLNgaGBK7ekEkLES7vHDxrHhiynjGg> <xmx:NTPQYpi-Fq_EYPnw0lKzVpMkBO-hqV2dbsSpLAGNoisD_vjSEJ2a5g>
Feedback-ID: i24394279:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 14 Jul 2022 11:16:04 -0400 (EDT)
Message-ID: <6743c156-afb6-7b07-abe8-065cf731bb9f@stpeter.im>
Date: Thu, 14 Jul 2022 09:16:03 -0600
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
Content-Language: en-US
To: Magnus Westerlund <magnus.westerlund@ericsson.com>, "tsv-art@ietf.org" <tsv-art@ietf.org>
Cc: "draft-ietf-uta-rfc7525bis.all@ietf.org" <draft-ietf-uta-rfc7525bis.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "uta@ietf.org" <uta@ietf.org>
References: <165771265249.6415.15334363478505429325@ietfa.amsl.com> <3f0c3919-385a-558c-581a-72fc01820ec1@stpeter.im> <PA4PR07MB84148B8B171D159D1A5DB87F95889@PA4PR07MB8414.eurprd07.prod.outlook.com>
From: Peter Saint-Andre <stpeter@stpeter.im>
In-Reply-To: <PA4PR07MB84148B8B171D159D1A5DB87F95889@PA4PR07MB8414.eurprd07.prod.outlook.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/vdVSmHq3wa4i3BCTx7aWDN82lsc>
Subject: Re: [Tsv-art] Tsvart telechat review of draft-ietf-uta-rfc7525bis-09
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jul 2022 15:16:11 -0000
On 7/14/22 3:55 AM, Magnus Westerlund wrote: > Hi, > > Solution for 1) looks good. > >> 2) Section 3.1.1: >> "Rationale: Several stronger cipher suites are available only with TLS 1.2 >> (published in 2008). In fact, the cipher suites recommended by this document >> for TLS 1.2 (Section 4.2 below) are not available in older versions of the >> protocol." >> >> Are they not available in newer versions either? If they are not then please be >> explicit, if not, then the rationale would be to consider to go to never >> versions. I think the main reason for staying on 1.2 is if you need other >> features not available in TLS 1.3 like mutual re-authentication. > > From a security perspective, TLS 1.3 is preferable of course. The > authors and UTA WG are not ready to deprecate TLS 1.2 yet (IMHO that > should be done in an RFC along the lines of RFC 8996) and we believe > that the best *current* practice at this time is to continue supporting > TLS 1.2. That will likely change in 7525ter whenever it is published. > > [MW] Yes I do see the preference for newer versions. My goal was to > point out that in the update of (D)TLS to 1.3 there is no longer feature > parity and that can cause issue for some applications using (D)TLS. > > >> So maybe this >> rational should be updated to indicate more like why 1.2 may be preferred over >> 1.3 than why it is preferred over the earlier version which shall not be used. > > We do say: > > * Implementations SHOULD support TLS 1.3 [RFC8446] and, if > implemented, MUST prefer to negotiate TLS 1.3 over earlier > versions of TLS. > > (There is also discussion > <https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-eb83fa0c83a1354e&q=1&e=e369f3c9-8e8b-4673-8fdb-6a4812d69b6e&u=https%3A%2F%2Fgithub.com%2Fyaronf%2FI-D%2Fissues%2F446 > <https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-eb83fa0c83a1354e&q=1&e=e369f3c9-8e8b-4673-8fdb-6a4812d69b6e&u=https%3A%2F%2Fgithub.com%2Fyaronf%2FI-D%2Fissues%2F446>> > > about changing that SHOULD to MUST.) > > [MW] And I would think the below feature discrepancy are relevant > reasons why changing this from SHOULD to MUST may be problematic. > However, these applications will have to start thinking about how to > deal with this issue anyway as 1.2 clearly have weakness. > > >> Based on our work on DTLS/SCTP >> https://datatracker.ietf.org/doc/draft-ietf-tsvwg-dtls-over-sctp-bis/ > <https://datatracker.ietf.org/doc/draft-ietf-tsvwg-dtls-over-sctp-bis/> > really >> the issue we found with using (D)TLS 1.3 have been related to long lived >> sessions and how TLS 1.3 keyUpdate works. I think three aspects we found in the >> DTLS/SCTP work is relevant here for consideration and do affect applications in >> their choice. >> >> • Periodic re-authentication and transfer of revocation information of both >> endpoints (not only the DTLS client). >> >> • Periodic rerunning of Diffie-Hellman key-exchange to provide forward secrecy >> and mitigate static key exfiltration attacks. >> >> • When using keyUpdate the master secret isn't impacted, which results in >> applications using TLS exporter to derive key material are not getting new keys >> if re-envoking the exporter after a keyUpdate. Thus, application protocols >> using the TLS exporter needs to take this into account to include epoch >> counters or similar in the key-derivation process and it will not result in >> forward secrecy. I would note that QUIC v1 uses its own key update mechanism as >> defined in Section 6 of RFC 9001 that I think illustrates this. >> >> For DTLS/SCTP we did go with a more complex method based on creating new DTLS >> connections and dealing with handling of two connections in parallel due to >> SCTPs capability for parallel transmission of data. That also avoided use to >> have to rely solely on DTLS 1.2 to handle these issues and we can use DTLS 1.3 >> and likely any future DTLS version too. > > This is interesting and helpful. Can you suggest any text for rfc7525bis > along these lines? Or should we simply point to > draft-ietf-tsvwg-dtls-over-sctp-bis for the relevant considerations? > > [MW] First of all I should have noted that there IPR claimed by Ericsson > on the Parallel DTLS solution https://datatracker.ietf.org/ipr/5218/ > <https://datatracker.ietf.org/ipr/5218/> sorry for missing calling that > out originally. > > So I could contribute a proposed text for the issues and I would think > that would be the most relevant part anyway to bring up. The solution > space is so dependent on application protocol itself and due to the IPR > I think it would be inappropriate for me to actually suggest text. Agreed. I will discuss with my co-authors (one of whom is offline this week) and we'll be back in touch. Peter
- [Tsv-art] Tsvart telechat review of draft-ietf-ut… Magnus Westerlund via Datatracker
- Re: [Tsv-art] Tsvart telechat review of draft-iet… Peter Saint-Andre
- Re: [Tsv-art] Tsvart telechat review of draft-iet… Magnus Westerlund
- Re: [Tsv-art] Tsvart telechat review of draft-iet… Peter Saint-Andre