[tsvwg] Re: Deb Cooley's Discuss on draft-ietf-tsvwg-sctp-zero-checksum-10: (with DISCUSS and COMMENT)

Deb Cooley <debcooley1@gmail.com> Wed, 19 June 2024 19:42 UTC

Return-Path: <debcooley1@gmail.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A3F0C1D4CC3; Wed, 19 Jun 2024 12:42:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.853
X-Spam-Level:
X-Spam-Status: No, score=-1.853 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rfZ7X8ZOfANI; Wed, 19 Jun 2024 12:42:54 -0700 (PDT)
Received: from mail-il1-x132.google.com (mail-il1-x132.google.com [IPv6:2607:f8b0:4864:20::132]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F88FC180B75; Wed, 19 Jun 2024 12:42:54 -0700 (PDT)
Received: by mail-il1-x132.google.com with SMTP id e9e14a558f8ab-3760121ad45so408985ab.0; Wed, 19 Jun 2024 12:42:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1718826173; x=1719430973; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=KFPEnR6rXuqX3sLnZxhiRCvSgfxGz1CErf7DkMK5dqk=; b=cotnbLIIDShzlbWT5ReIm9DlTIFEIxzBs5S5lq6tGRmyfRQSc++oAZzvW6LjhzbW4Y Y3zyqfrczydVGP5CEJ0P+l6OSXsCvPWnHCoN/2KM0Zw56S+KVRULZLEW7JJnhoZ5wnP6 8biTUY2zpsVidjujIn/SAVTxvI3+lVyiMvONoCW1XiNIyXBUuOtQHgUsJIc298IDSF6V MympxG5X16HeqI3MCmoSAUyZMg9zpL6kgmkmU0H3k64RC8E2qEVXDbQE3e77HNP1+jA5 216prn3tDon42mLl8oifhe1+cz8HM7zeeY0OUpY4jww2J1Z/HnGvW7c/AjSvJl8fGzzo TgeA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718826173; x=1719430973; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=KFPEnR6rXuqX3sLnZxhiRCvSgfxGz1CErf7DkMK5dqk=; b=U9UjXhJoREovhX/0+KZF3FrGeg0q+VSgjjqKkbITYrp8B7vyePfr8HS5TM4dkLIs3x OxssL0hy5Ulc7NZATWV7JVlxu31BLNksbqUuxSIyc+fCstOExc3JS7Yd+GIyw2kOD7Ni YtwnqoW39ps0IDMhUjpQCIWHmD3ihieeA+of25LKoYfnROQrLdKLhvnRj3EevFZn2bVx dKkYdBD+xBejQZZ9NLzm6nYNO4m/5/CehW7544eTuGan1lCjWLv3+vAEeWXxYPWw4DZk WZMnyE8JhIV6ACu7pn9HQ8NIB5/YEkaPW0tDCqZ9JMGMafvG7OqkJ+22x1sewZQRYV50 y70w==
X-Forwarded-Encrypted: i=1; AJvYcCX74pdCp5Qz4DHHOzMfNdURngS/HnJkzHybfZpQnZ0Bi+qkPV9yznWzz36pzQKldP7gmrGCT5pNNcel6pHfMhIIgUJCxdP7AIBkVhZgnjtG4kcVdqnWghV00tQlIyvGaLOVkzIHSv2tszn0KUg5Xyl8Jz0LXw7Y3vSbEZe5BJZo4chBvQ==
X-Gm-Message-State: AOJu0Yw3Kq/l1KK8SczQC7DXzrHPdpC1Al0YhopXAeLm2s7IzmqtFLIM 5SwuO/026wJjrjzTO0RX6lDnQagW2opSQ9EEjeBfWd6zfY8RAoizXDJrvigeypCmQavgebDfN1r 1Uz11NYi/Ea0MYGqGNjXomPCRzgSYt6Q=
X-Google-Smtp-Source: AGHT+IEsz24C1+sAe8k2Ry4GbOEbbezyXZ96TCtugF6vuzHQ9lO8BPbAmTos4yOwcrI4ZQKS5dxDL5Tw1j6bxxhPT8U=
X-Received: by 2002:a92:c269:0:b0:374:abf8:4f65 with SMTP id e9e14a558f8ab-3761d74e1d1mr34905085ab.32.1718826173579; Wed, 19 Jun 2024 12:42:53 -0700 (PDT)
MIME-Version: 1.0
References: <171777230482.20251.8346371564760157384@ietfa.amsl.com> <A20D6FE1-2120-48C0-BDF3-6413FE9E50A4@lurchi.franken.de> <CAGgd1Oc_5wot62=i_-5TMXb2DB0JjZcoj1ufjZCy7zYtv8dHjw@mail.gmail.com> <08D9D3F9-DF0E-493A-833D-0ACC1414F230@lurchi.franken.de> <CAGgd1OfdomkJig01ehqPhZXXGtiizXQMK2Op3s4g1Z7CRhM3+g@mail.gmail.com> <3309F3EA-2871-4D5E-9C08-8F5C001983AA@fh-muenster.de> <CAGgd1OcFfK42S3o4bCoGfbKDiQ5RKb9A_hwK28TjC6LZAui=0w@mail.gmail.com> <9BF506E8-F6FC-4C0A-9606-87DA4E7AF9B6@fh-muenster.de>
In-Reply-To: <9BF506E8-F6FC-4C0A-9606-87DA4E7AF9B6@fh-muenster.de>
From: Deb Cooley <debcooley1@gmail.com>
Date: Wed, 19 Jun 2024 15:42:41 -0400
Message-ID: <CAGgd1OfY8Or_8nLVzA22RNSPy32D0OujQODB0WQ5+e7uAJ0mSA@mail.gmail.com>
To: tuexen@fh-muenster.de
Content-Type: multipart/alternative; boundary="00000000000081cd54061b436744"
Message-ID-Hash: 4J7FD53JYJVJHCP6V2QY53SMQDSY6NIA
X-Message-ID-Hash: 4J7FD53JYJVJHCP6V2QY53SMQDSY6NIA
X-MailFrom: debcooley1@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tsvwg.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: The IESG <iesg@ietf.org>, draft-ietf-tsvwg-sctp-zero-checksum@ietf.org, tsvwg-chairs <tsvwg-chairs@ietf.org>, tsvwg IETF list <tsvwg@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [tsvwg] Re: Deb Cooley's Discuss on draft-ietf-tsvwg-sctp-zero-checksum-10: (with DISCUSS and COMMENT)
List-Id: Transport Area Working Group <tsvwg.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/9m-PgHKRWGovNPaiyKAgXTzSYj4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Owner: <mailto:tsvwg-owner@ietf.org>
List-Post: <mailto:tsvwg@ietf.org>
List-Subscribe: <mailto:tsvwg-join@ietf.org>
List-Unsubscribe: <mailto:tsvwg-leave@ietf.org>

This is perfect.  I have cleared my discuss.

Thank you for your consideration,

Deb Cooley

On Tue, Jun 18, 2024 at 2:48 PM <tuexen@fh-muenster.de> wrote:

> > On 12. Jun 2024, at 00:27, Deb Cooley <debcooley1@gmail.com> wrote:
> >
> > That addition to the Security Considerations works for me.
> >
> > If this work continues, we can have the debate on the aside then.
> >
> > Thank you.  When I see the update, I will clear my discuss.
> Hi Deb,
>
> since I have not seen any further correspondence, I updated the
> document. It should address your concern, but does not address
> Paul's issue (waiting for an answer from him).
>
> Best regards
> Michael
> >
> > Deb
> >
> > On Tue, Jun 11, 2024 at 3:55 PM <tuexen@fh-muenster.de> wrote:
> > > On 11. Jun 2024, at 20:18, Deb Cooley <debcooley1@gmail.com> wrote:
> > >
> > > I'm certainly not arguing that CRC32c is the best integrity mechanism
> ever, because it isn't.  This draft has basically allowed its removal
> because there is something better protecting the integrity of the data.
> There needs to be something written in the Security Considerations about
> that.  Even if it is to reference the requirements in Section 3 with a
> short rationale.  Or it can reference the part of the IANA section where
> the requirements are listed, again with a short rationale.  It doesn't have
> to be long, and it can reference the requirements you already specified.
> > OK. What about using:
> >
> > <section>
> > <name>Security Considerations</name>
> > <t>This document does not change the considerations given in
> > <xref target="RFC9260"/>.</t>
> > <t>Using an alternate error detection method provides an equal or better
> level
> > of data integrity than the one provided by using the CRC32c checksum
> algorithm
> > due to the first requirement of alternate error detection methods.
> > The second requirement of alternate error detection methods ensures that
> the
> > existence of middleboxes expecting correct CRC32c checksums does not
> result in
> > permanent path failures.</t>
> > </section>
> >
> > This also deals with the second requirement. Does this address your
> concern?
> > >
> > > An aside:  As for tunnels vs auth modes, is it even possible to meet
> the two requirements with an authentication mode, where the packet is not
> obscured from any device between sender and recipient?  I suspect that the
> answer is 'no'.
> > The answer is 'yes'.
> > But the focus on this document is the define the framework and provide
> one
> > (the most important one in my personal opinion) alternate error
> detection method.
> > If another one (based on the AUTH, CRYPTO, or DTLS chunk) will be
> defined, the
> > method to avoid permanent path failures needs to be defined. But this is
> not
> > needed for SCTP over DTLS.
> > Which one of these methods will be defined, or even if one additional
> method
> > at all will be defined, depends on how the work on securing SCTP traffic
> in
> > TSVWG will continue. This is not clear to me yet, since IPRs are involved
> > on the CRYTO and DTLS chunks...
> >
> > Best regards
> > Michael
> > >
> > > Deb
> > >
> > >
> > >
> > > On Fri, Jun 7, 2024 at 5:02 PM Michael Tuexen <
> michael.tuexen@lurchi.franken.de> wrote:
> > >> On 7. Jun 2024, at 20:47, Deb Cooley <debcooley1@gmail.com> wrote:
> > >>
> > >> Are the only two options DTLS or SCTP AUTH?  If so, the draft doesn't
> make
> > >> that clear.
> > > The only option currently being defined is SCTP over DTLS. One
> additional
> > > could be based on SCTP AUTH, but that will require additional details
> for
> > > dealing with middleboxes expecting correct CRC32c checksums. This is
> > > described in the document. Other additional method could be based on
> the
> > > DTLS or CRYPTO chunk, currently being proposed by Ericsson. However,
> these
> > > would also need some mechanisms to deal with middleboxes.
> > > Since these mechanisms are not required for SCTP over DTLS (the
> middleboxes
> > > don't see the CRC32c at all), and this might be the largest deployment
> > > scenario (WebRTC), this is left to the document describing such an
> > > alternate error detection method.
> > >
> > > Best regards
> > > Michael
> > >>
> > >> Deb
> > >>
> > >> On Fri, Jun 7, 2024 at 1:28 PM Michael Tuexen <
> > >> michael.tuexen@lurchi.franken.de> wrote:
> > >>
> > >>>> On 7. Jun 2024, at 16:58, Deb Cooley via Datatracker <
> noreply@ietf.org>
> > >>> wrote:
> > >>>>
> > >>>> Deb Cooley has entered the following ballot position for
> > >>>> draft-ietf-tsvwg-sctp-zero-checksum-10: Discuss
> > >>> Hi Deb,
> > >>>
> > >>> thanks for the review. Please see my responses in-line.
> > >>>
> > >>> Best regards
> > >>> Michael
> > >>>>
> > >>>> When responding, please keep the subject line intact and reply to
> all
> > >>>> email addresses included in the To and CC lines. (Feel free to cut
> this
> > >>>> introductory paragraph, however.)
> > >>>>
> > >>>>
> > >>>> Please refer to
> > >>>
> https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
> > >>>> for more information about how to handle DISCUSS and COMMENT
> positions.
> > >>>>
> > >>>>
> > >>>> The document, along with other ballot positions, can be found here:
> > >>>>
> https://datatracker.ietf.org/doc/draft-ietf-tsvwg-sctp-zero-checksum/
> > >>>>
> > >>>>
> > >>>>
> > >>>>
> ----------------------------------------------------------------------
> > >>>> DISCUSS:
> > >>>>
> ----------------------------------------------------------------------
> > >>>>
> > >>>> Currently Section 9 says roughly that there are no changes to the
> > >>> Security
> > >>>> Considerations to RFC 9260.  I have two comments:
> > >>>>
> > >>>> 1.  Since this draft is proposing to remove an integrity mechanism
> in
> > >>> SCTP,
> > >>>> there should be an update to the paragraph in RFC9260 Security
> > >>> Considerations,
> > >>>> specifically 12.2.2.  Protecting against Data Corruption in the
> Network
> > >
> > >
> >
>
>