IETF Logo Mail Archive

Re: [tsvwg] DTLS in SCTP solution

Michael Tuexen <michael.tuexen@lurchi.franken.de> Thu, 30 March 2023 07:24 UTC

Return-Path: <michael.tuexen@lurchi.franken.de>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1EE2C151B2D for <tsvwg@ietfa.amsl.com>; Thu, 30 Mar 2023 00:24:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.895
X-Spam-Level:
X-Spam-Status: No, score=-6.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b_PEMZ9ihUCb for <tsvwg@ietfa.amsl.com>; Thu, 30 Mar 2023 00:24:30 -0700 (PDT)
Received: from drew.franken.de (drew.ipv6.franken.de [IPv6:2001:638:a02:a001:20e:cff:fe4a:feaa]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C5DDC15C288 for <tsvwg@ietf.org>; Thu, 30 Mar 2023 00:24:29 -0700 (PDT)
Received: from smtpclient.apple (unknown [IPv6:2a02:8109:1140:c3d:dd9b:834e:7be7:a4d5]) (Authenticated sender: lurchi) by drew.franken.de (Postfix) with ESMTPSA id B87B17213B551; Thu, 30 Mar 2023 09:24:21 +0200 (CEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.500.231\))
From: Michael Tuexen <michael.tuexen@lurchi.franken.de>
In-Reply-To: <DU0PR07MB8970AB8BF53DDA87701193D2958E9@DU0PR07MB8970.eurprd07.prod.outlook.com>
Date: Thu, 30 Mar 2023 09:24:19 +0200
Cc: tsvwg IETF list <tsvwg@ietf.org>, John Mattsson <john.mattsson@ericsson.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <3ADD18B2-137A-42C8-AC89-73D909F0CD7A@lurchi.franken.de>
References: <PA4PR07MB8414B23B0D6BF4F71CA52C5F95A09@PA4PR07MB8414.eurprd07.prod.outlook.com> <42858D2B-F323-49E2-9722-B97C084994FA@lurchi.franken.de> <DU0PR07MB8970FD29E4EE3881A033DF6395819@DU0PR07MB8970.eurprd07.prod.outlook.com> <D3C8AFC6-C702-4E2A-8577-5BCF2A03844C@lurchi.franken.de> <DU0PR07MB8970BA955D44911D97BDF7F0958B9@DU0PR07MB8970.eurprd07.prod.outlook.com> <722045F2-692E-49B3-821C-AC93AB241334@lurchi.franken.de> <DU0PR07MB8970AB8BF53DDA87701193D2958E9@DU0PR07MB8970.eurprd07.prod.outlook.com>
To: Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3731.500.231)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/BBt0UxsoBKRW32EqeDyTDtB3MBs>
Subject: Re: [tsvwg] DTLS in SCTP solution
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2023 07:24:34 -0000

> On 30. Mar 2023, at 03:37, Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org> wrote:
> 
> Hi Michael and WG,
>  Pruning the message to where there are questions. The summary are:
>  
>     • Bundling of crypto chunk will be reconsidered and may be impacted by 3)
>     • The text on sending errors and aborts will be fixed
>     • Currently handshakes messages etc are not path handled by SCTP. By using short HB intervals (<=2 seconds) one can ensure that the currently used path works, but an alternative was proposed by Michael that will be further considered and discussed.
Hi Magnus,

while thinking about your proposed usage of DTLS, two additional points came
up, which I'm not sure about:
1. Handling of restart
   Since you only accept CRYPTO chunks in ESTABLISHED state, I guess you don't support
   the restart procedure. Is that correct?
2. Support of Dynamic Address Reconfiguration (RFC 5061)
   The ASCONF chunk contains an address parameter the receiver uses to lookup the
   association. Since this is needed before doing the decryption, I guess you don't
   support this either.
If the above statements are not wrong, than the limitations should be documented.
>  
> > > 4. I can see how you can implement this using a userland SCTP stack and a DTLS stack.
> > >    However, I have a hard time to see how to implement this in a kernel SCTP stack.
> > >    I guess one would do the encrypt/decrypt part in the kernel and the DTLS negotiation
> > >    in userland, but the required socket API is not clear to me.
> > >    In my opinion, whatever solution is been worked on, it should work for userland and
> > >    kernel stacks.
> > > 
> 
> <Snipped>
> > MW: So lets start with an important thought from our perspective. We want to use a security mechanism that is well used and implemented with an active community to avoid the fate of having to few eyes looking at it and finding security flaws. Thus, we would like to use DTLS as it is.
> > From a specification perspective what the current proposal results in are an API between the crypto chunk and the protection engine that will have to be invoked for each sent or received packet after the association has been established. How one implements this can be debated and depends also if one has a kernel or userland SCTP implementation. One thought we have here when it comes to DTLS is that one can do the same optimization as for example Netflix did for TLS over TCP, where one keeps the handshake in user space and moves the per record processing into kernel or even HW acceleration. I don’t see that HW acceleration of SCTP is needed for the use case we have, but a kernel implementation likely want to have the DTLS record processing in the kernel. This would look similar to what this page has in its image under the “OpenSSL Module” heading: https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-d0b951f46effb220&q=1&e=da5f6591-ef92-44df-b52a-35db44877ead&u=https%3A%2F%2Fwhisperlab.org%2Fintroduction-to-hacking%2Fnotes%2Fopenssl
> > From my perspective splitting DTLS into two parts implementation wise does not change the relationship for outer input, it only creates the need for an internal API in the implementation. But I think this shows how one can reduce the impact of this structuring.
> 
> This is what I'm trying to understand. I do see no problem in doing the encryt/decrypt part inside the SCTP stack, I'm just
> wondering what function split is needed and how an API would need to look like.
> 
> Let me ask this explicitly: Do you envision that your proposal can be implemented in a kernel stack using some extensions
> of the socket API? Or are you focussing on userland stacks.
> 
> MW: I do envision that it can be implemented by kernels. However, I am not certain that the Socket API is sufficient. I think another API is likely needed to support either a per packet call out to user land for the crypto transformation, or for a split implementation with the DTLS record processing in the kernel on would need one API part that for SCTP stack to Crypto engine part in kernel, and another part of the API that is for configuring keys. 
I think we are tied to the socket API, although we can extend it. Doing an upcall per packet does not sound
like a good idea. Doing the encrypt/decrypt part in the kernel is not a problem. We just need an API for
controlling that and the necessary information like keys and sequence numbers. Putting down the control
at one point is simple, not sure about handling changes of the keys. At least for DTLS/SCTP this was the
part which required some steps like the draining of messages.
> Your statement above "we would like to use DTLS as it is" kills running DTLS conceptually on top of SCTP, since the services
> just don't match. The only way is to run it below SCTP, since the services of DTLS match the ones of IP. But you need to
> touch DTLS implementations to generate the packets you want. If you want to use existing DTLS implementations, you need to
> use SCTP over DTLS. The only problem is supporting multihoming there, which comes down to running a single SCTP association
> over multiple DTLS connections.
> MW: I think here is where we might differ from perspective. When I say DTLS as is I do mean that DTLS operates on either plain text payloads (datagrams) and produces protected payloads (datagrams). In our proposal the plain text is the set of chunks intended for one SCTP packet. The protection operation will produce a DTLS record that is the payload of the CRYPTO chunk. So yes there are a bit of wrapper code around DTLS stack, a stack built for FOO/DTLS/UDP would just not just work. But the most relevant in that the crypto operations are fully defined by DTLS not by CRYPTO chunk. This to avoid a specification that rots. Instead by keeping up with DTLS security issues and patching these and almost all the attack surface stays with that implementation.  
I understand that argument. This basically sounds like "Running SCTP over DTLS". The only difference is that
the payload of DTLS is the list of chunks, not the SCTP packet.

Best regards
Michael
> 
> Cheers
> Magnus Westerlund

v2.30.2 | Report a Bug | By Email | System Status