Re: [Tsv-art] Tsvart early review of draft-ietf-mls-protocol-16
Richard Barnes <rlb@ipv.sx> Fri, 23 September 2022 20:13 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70810C1526F2 for <tsv-art@ietfa.amsl.com>; Fri, 23 Sep 2022 13:13:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level:
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ut8ciRYtQAyI for <tsv-art@ietfa.amsl.com>; Fri, 23 Sep 2022 13:12:55 -0700 (PDT)
Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE4D0C15256A for <tsv-art@ietf.org>; Fri, 23 Sep 2022 13:12:55 -0700 (PDT)
Received: by mail-lf1-x132.google.com with SMTP id z25so1967035lfr.2 for <tsv-art@ietf.org>; Fri, 23 Sep 2022 13:12:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=yP/UhkqaH3X8pIDzd5ERZUPxZOr4KUbEqDIAhZOTlXw=; b=1X2aeDrTHGdE9knSV3f4hFYQfIvSqGBbkWCbki65OcwiT/INJjOAoXBJl8DakCgPnU x25+lmSWTtNBRHFkpbdkaloqLCf0kpxLTgoHF33tAdDmPNTGJpVX379/urbpv0OHXacb C1DzC86A9ISwgzT5IeNcxXgBBBND3/5dLNkYTmwKdl4TV/V32AEOGWjQ3do05o0rjpay mEZ49a/iByGgmaS0XxQ+imf1w9yOVGzWa3dZDy1iQCcOfsnvCAve/8I+YcIhnXpC9IrW gOT2yZgvviUqC2N30t8/O/xP+oYRwujoOojb0EqEHPzTg+bb9suarHjR/mT2tU6YSBJs NjIQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=yP/UhkqaH3X8pIDzd5ERZUPxZOr4KUbEqDIAhZOTlXw=; b=1JMPS4e1kDpZ/qpz7DAxzmhA4p3EWkxP2GD9gU65qn50oznWf7Yuyn6Z7g1HhijusE ix1it57VjRq9k3TEFoeXM33RRZpemy4Qzu9k0xlGykyyuTISSkAPJR1t/ncbsxci1ktd GIq5vyds3nlk+mwX30ibRalcvA/FcUQWlY7B8WTXgAxsP59dHiID2v3oeW7B/y0a7BDG 2Swwyna9/tUFgHhvty7RW2VZpM65zBfJENtpdRSjNBbeVbJRv9leZs67TaDz+aOM9PU6 xPBV6ksi9eFXtDyKm6W572VvLD6k6QdwcW6EqYZJF7QST3EHuSAzgMiXoiR1LkSm80Cu xvKQ==
X-Gm-Message-State: ACrzQf1vCIgCiWoQWfrpn3/LdNwVejyjHKJCe6ND6tK5MJDQ/Qnu4kk+ d7vvZWYSURnjnWDIZVJH3l4ki5/pL5fuePvk9cg4+ppps8pv3g==
X-Google-Smtp-Source: AMsMyM7wDwzh95V2S+y4dtZaW/2gGWMqGrIQOmf4cUdD2p5jAgCZS/CW0PQeY1/wv6hZpjjjXIBTwBLbzvJiYtYqVCA=
X-Received: by 2002:a05:6512:3a95:b0:498:f272:6587 with SMTP id q21-20020a0565123a9500b00498f2726587mr3800041lfu.148.1663963973369; Fri, 23 Sep 2022 13:12:53 -0700 (PDT)
MIME-Version: 1.0
References: <166394376022.63378.259884919318909492@ietfa.amsl.com>
In-Reply-To: <166394376022.63378.259884919318909492@ietfa.amsl.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Fri, 23 Sep 2022 16:12:41 -0400
Message-ID: <CAL02cgRey098weHGtQDoPfSMOc6unW3Xg7kqanKDVrDq_jms_g@mail.gmail.com>
To: Gorry Fairhurst <gorry@erg.abdn.ac.uk>
Cc: tsv-art@ietf.org, draft-ietf-mls-protocol.all@ietf.org, mls@ietf.org
Content-Type: multipart/alternative; boundary="0000000000008d5d6705e95dcd53"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/xoJ70P-DkRsQIclBTP4VjhiH0ck>
Subject: Re: [Tsv-art] Tsvart early review of draft-ietf-mls-protocol-16
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Sep 2022 20:13:00 -0000
Hi Gorry, Thanks for taking a look at the document. I've posted a PR with some edits: https://github.com/mlswg/mls-protocol/pull/747 A couple of replies inline... On Fri, Sep 23, 2022 at 10:36 AM Gorry Fairhurst via Datatracker < noreply@ietf.org> wrote: > Reviewer: Gorry Fairhurst > Review result: On the Right Track > > This is an early review of draft-ietf-mls-protocol-16, which seeks to > specify a > key establishment protocol to provide scalable efficient asynchronous > group key > establishment. This document seems to define a component that could be > used to > build or operate over an Internet transport. The focus is on security > algorithms and procedures. There are some issues that > > Major Issue: This would have been easier to understand if there was a > section > that described the transport requirements of the messages. This makes me > wonder > what transport service is actually needed? - Can the underlying transport > reorder messages? Is loss tolerated or reliability required? Are there any > requirements on message size? etc. A brief paragraph explicitly explaining > the > requirements would help. > A later statement says, which appears to suggest any service can be used: > "MLS > is an encrypted messaging layer designed to be transmitted over arbitrary > lower > layer protocols....." > > I note draft-ietf-mls-architecture states: "MLS is not intended as a full > instant messaging protocol but rather is intended to be embedded in > concrete > protocols, such as XMPP [RFC6120]." This could form a part of such an > explanation, if it applies to this ID also? > Yes, all of the transport considerations in draft-ietf-mls-architecture apply here. The documents are a pair, as noted here < https://www.ietf.org/archive/id/draft-ietf-mls-protocol-16.html#section-3>. If you have thoughts on how to express that more clearly, suggestions would be welcome. Basically, the main constraint that MLS imposes is that all group messages process the same sequence of Commit messages in the same order. (Proposal and Application messages can arrive out of order.) https://www.ietf.org/archive/id/draft-ietf-mls-protocol-16.html#name-sequencing-of-state-changes I think for the most part, folks are envisioning MLS being run at the application layer, carried over something like HTTP / WebSockets (this is how Webex does things, for example), with the ordering above provided by an application-layer broker and normal "transport-layer" requirements addressed lower much in the stack. In principle, you could design a system that ran MLS directly over say TCP, but you would need a way to meet the Commit criterion. > Major Issue: The document targets PS, but the version I reviewed added a > "DISCLAIMER: This is a work-in-progress draft of MLS and has not yet seen > significant security analysis. It should not be used as a basis for > building > production systems." - Why is the final document proposed as a PS rather > than > EXP, if this is not for general deployment? Or is this clause to be > removed by > RFC-Ed? > That disclaimer is standard on security protocols that are in-progress (following the pattern of TLS 1.3). MLS has received significant security analysis by this point, so I'll remove it. > Major Issue: From a transport perspective, there are issues in the > statement > providing insufficient guidance on selecting a rate: "Update messages > SHOULD be > sent at regular intervals of time as long > as the group is active, and members that don't update SHOULD > eventually be removed from the group. It's left to the application > to determine an appropriate amount of time between Updates." > - One possible way to address this is to state that the messages are either > sent over a congestion-controlled transport or the maximum aggregate rate > of > messages falls within a specific guideline as defined in RFC8085, or some > other > BCP with similar advice on rate selection. > As noted above, I expect that in most cases, MLS will be operated a few layers above a transport that has congestion control. And I think the intervals people have in mind here are on the order of days, not milliseconds. But I'll try to clarify this. > Minor: " Application messages MAY be padded to provide some resistance > against > traffic analysis techniques over encrypted traffic [CLINIC] [HCJ16]." - > Padding > is a well known technique - it can have benefits and also have drawbacks, > e.g. > in efficiency of transmission and for message-based transfers in reducing > robustness to paths that have limited PMTU, where larger messages can be > dropped. > Added a note about this. > Minor: " A receiver MUST verify that there are no non-zero > bytes in the padding field, and if this check fails, the enclosing > MLSCiphertext MUST be rejected as malformed." - I don't doubt that this > is > useful, but it would be helpful to add a sentence to explain why these > are > required to be encoded as zero. > Added a note about this. On Fri, Sep 23, 2022 at 10:36 AM Gorry Fairhurst via Datatracker < noreply@ietf.org> wrote: > Reviewer: Gorry Fairhurst > Review result: On the Right Track > > This is an early review of draft-ietf-mls-protocol-16, which seeks to > specify a > key establishment protocol to provide scalable efficient asynchronous > group key > establishment. This document seems to define a component that could be > used to > build or operate over an Internet transport. The focus is on security > algorithms and procedures. There are some issues that > > Major Issue: This would have been easier to understand if there was a > section > that described the transport requirements of the messages. This makes me > wonder > what transport service is actually needed? - Can the underlying transport > reorder messages? Is loss tolerated or reliability required? Are there any > requirements on message size? etc. A brief paragraph explicitly explaining > the > requirements would help. > > A later statement says, which appears to suggest any service can be used: > "MLS > is an encrypted messaging layer designed to be transmitted over arbitrary > lower > layer protocols....." > > I note draft-ietf-mls-architecture states: "MLS is not intended as a full > instant messaging protocol but rather is intended to be embedded in > concrete > protocols, such as XMPP [RFC6120]." This could form a part of such an > explanation, if it applies to this ID also? > > Major Issue: The document targets PS, but the version I reviewed added a > "DISCLAIMER: This is a work-in-progress draft of MLS and has not yet seen > significant security analysis. It should not be used as a basis for > building > production systems." - Why is the final document proposed as a PS rather > than > EXP, if this is not for general deployment? Or is this clause to be > removed by > RFC-Ed? > > Major Issue: From a transport perspective, there are issues in the > statement > providing insufficient guidance on selecting a rate: "Update messages > SHOULD be > sent at regular intervals of time as long > as the group is active, and members that don't update SHOULD > eventually be removed from the group. It's left to the application > to determine an appropriate amount of time between Updates." > - One possible way to address this is to state that the messages are either > sent over a congestion-controlled transport or the maximum aggregate rate > of > messages falls within a specific guideline as defined in RFC8085, or some > other > BCP with similar advice on rate selection. > > Minor: " Application messages MAY be padded to provide some resistance > against > traffic analysis techniques over encrypted traffic [CLINIC] [HCJ16]." - > Padding > is a well known technique - it can have benefits and also have drawbacks, > e.g. > in efficiency of transmission and for message-based transfers in reducing > robustness to paths that have limited PMTU, where larger messages can be > dropped. > > Minor: " A receiver MUST verify that there are no non-zero > bytes in the padding field, and if this check fails, the enclosing > MLSCiphertext MUST be rejected as malformed." - I don't doubt that this > is > useful, but it would be helpful to add a sentence to explain why these > are > required to be encoded as zero. > > > >
- [Tsv-art] Tsvart early review of draft-ietf-mls-p… Gorry Fairhurst via Datatracker
- Re: [Tsv-art] Tsvart early review of draft-ietf-m… Richard Barnes
- Re: [Tsv-art] Tsvart early review of draft-ietf-m… Gorry Fairhurst