[tsvwg] DTLS over SCTP (RFC6083bis): Key-update limitation issue
Magnus Westerlund <magnus.westerlund@ericsson.com> Wed, 21 July 2021 07:47 UTC
Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F384A3A0875; Wed, 21 Jul 2021 00:47:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.552
X-Spam-Level:
X-Spam-Status: No, score=-2.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JQ28b5cEyJNN; Wed, 21 Jul 2021 00:47:33 -0700 (PDT)
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (mail-eopbgr00041.outbound.protection.outlook.com [40.107.0.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03D133A0873; Wed, 21 Jul 2021 00:47:32 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=NeS0wkXAaD+RalOphX1R9hTTQvUGogiLxLzsOgp6LJ//ZFxYy0ne8knuYkzJ/3p2zkvj7eVaQMWilMVL/k4lPLTsFOktosTUQsFH8kDSSMAnUDF7bjrI0WrcPzxJTWBel3ndaP2ulr0buhpJ9qm5BiCaDtBEgTUE7PQSRN8RREA8YLUIHx7IREupwTh11A8YknMXioolFSNUJQJXqpr4+10zb5BWYpjG2fs7xSO4iNceBQd+nYR2ZnzxW/zh3FiPCznLUDXUfUduNxzt4Yl8TqdW8PaF9C7cXxDS7X9FpoocJniu3SmhPR0v7k/bq8HCqhtLXNQomgwHzsaEh/IBvw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=OBBbJiP78ax6vk6LF1X2rCuWUbjb3+cpplW4M14zL80=; b=Q7ZR2Mhdw6YVEwguD4fAj+xQ70gBcz9n7HSSdlEuR7khWb3CdBxb2sJu69D17a5VYMkUzWC6kqfMmO3un3gDBR2Udr3WOqM9rdInDoP8cheTV7hhrT/t1F4pfODl6ihDf6xIlTGBuaz9ixRE7LNzkD7/TgFhntf5BIqaKG6paAGrYsAI+pLKgOTAEvn8dk2cfKUmvbzBBZ1hre7LZDj+kF/Pw5p5ulnlYOF+XpoCSJmbRL6Gik99nB6dywW6ZyjIpXbkOX6MvBLnJvaHkfYyG+KuzotCMdwHkpyIJD3JxshCaGilj+yWLj7M14r7F+C41njvn9CLaALybquD8WPKsQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=OBBbJiP78ax6vk6LF1X2rCuWUbjb3+cpplW4M14zL80=; b=SN6AlB8VM0yRDm2rWKZwaWX6XvQsI1ksyeUlCGvbmZukzQCyrdlYLVOjrkxDKyx8K8TlkjcAVwB8M5bM8eMfkJGV7F2pW/Mnqfbc3qnrn3Aee4JUxcJqby3h170bWNt8e55Qdz88qoOirrzj8LwRwLi85jP80qg1t1k3S/0KkXg=
Received: from HE1PR0702MB3772.eurprd07.prod.outlook.com (2603:10a6:7:8e::14) by HE1PR0701MB2889.eurprd07.prod.outlook.com (2603:10a6:3:57::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4352.17; Wed, 21 Jul 2021 07:47:29 +0000
Received: from HE1PR0702MB3772.eurprd07.prod.outlook.com ([fe80::5c2c:3dc8:8947:e043]) by HE1PR0702MB3772.eurprd07.prod.outlook.com ([fe80::5c2c:3dc8:8947:e043%3]) with mapi id 15.20.4352.025; Wed, 21 Jul 2021 07:47:29 +0000
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "tsvwg@ietf.org" <tsvwg@ietf.org>
CC: "draft-ietf-tsvwg-dtls-over-sctp-bis@ietf.org" <draft-ietf-tsvwg-dtls-over-sctp-bis@ietf.org>
Thread-Topic: DTLS over SCTP (RFC6083bis): Key-update limitation issue
Thread-Index: Add+AISJm71932nGS+yiVREHgWL4zg==
Date: Wed, 21 Jul 2021 07:47:29 +0000
Message-ID: <HE1PR0702MB37727159581C534F2216653295E39@HE1PR0702MB3772.eurprd07.prod.outlook.com>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ed108ee4-5e43-4b93-8bae-08d94c1bca7d
x-ms-traffictypediagnostic: HE1PR0701MB2889:
x-microsoft-antispam-prvs: <HE1PR0701MB28891FFF828993A4667C397095E39@HE1PR0701MB2889.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: pmAokkKDU5HG0km6syuLulnE2mNuRpJlZ1cBUrdLCBSES1vMCGMsbrD7LGd/yyXG3SuANs1alMJstrSR0ykb7rZyCMQOtdGNw1tNKUfWvPpiC9hkUN/Ly2YM91H74AmLOTUfouJ+0K2/h+svtGAI8GCrHvnJUCHei4hBgcAtg3hIdu1C6EkBHbU5kFC8cqZ+PWWBWmXnAVuegX2Hhu1NeBPtuu8/nQAcvNGLO2Uztk+YDuIjDJGBwJYC55qFgbVQmC1Gs3C9G9RecrJ2OM8LdWqQlBlP0KZTyL9TlJC6Q5cjitgKeylgTQZ38zMMWififAAJSxXdXPLnOlAYfYXlMvaOtXYBOrVDnw9ndJGs2es7HgRmZ7rYv7o8cx3V2UbaPb021SLrDbQ1kE80LQmD1RZVh2k/2WIUpmFfzEnp3bSw021KPvlWMFmQ6EujuuweJ5vnVijdY05pz1/iJ3HRfDpWquRS3qnC/wB64pbCWxZs4PRJgGhhmzS7isLn3CrP0kote/15ikQns1xNjrLkB9IHx5fvX98EiMBAQitp8WY55aHJ4QAEL3HCSK0yV5e+w7oGxBH7P7CCSENiCYnKF7T+LoPobMF1zjX7KOb6co6mNQlphxcJU6C8DDP5NBmtXKLtaN7QEo+C/Z+JGHOYLhPlfMBWvxElnQwqCm8BeIPXDO1+juWTZmKcCA6n7fdUT71y16mMZodPDDqD6QuTdwUcpm0MSNrlnPiXcfTLEiuzZCMma84ycxIRod/MRPv7iqzpQjLUUJ1zGvfsFLuyxdEaD4/D7RPn4xTH0PvjNPphxA2HB7Z2bt1lVZz654LDxETzCO22HJjS0ajiRDDWjw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0702MB3772.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(366004)(39860400002)(376002)(136003)(396003)(38100700002)(44832011)(4326008)(6916009)(15650500001)(450100002)(122000001)(76116006)(86362001)(66476007)(64756008)(66616009)(8936002)(55016002)(52536014)(5660300002)(186003)(71200400001)(26005)(478600001)(9686003)(8676002)(33656002)(7696005)(966005)(6506007)(66556008)(66446008)(83380400001)(166002)(316002)(66946007)(99936003)(2906002)(38070700004); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: GIDwvQHi5iQA0KVfBvUmG+k6ki5/8LJXqiEm1tWyLqJxf1O5LNGOhQMjzG+dv/cD7phR5D5tnKjg60tD15gaxt8U9vv1FGKJG3fN5HSu8fDSM/wIs1oc94+ZJybpMmwSDlpFnS3F9FK9M/8xS95NLP85Za0JDHewhMi2MLrAF4XArrLQJG1TsdVJ8rtK9VxmP1nZRmZl74EOL/weTcayZ+eZSF9iH8D6DyR+ngIaDENu15r7DanWYlcl+QtRLzy+hpPhg0W3j5G2RrSsqkkBYmdJG+XpW72jZpI6MD98OZvPkV6LyEZ2Z/4ZO3OOfvS6qhY1iQ/p6men4eon1tgXfNELNuIEEikbeuNKcXWVUHYRHiWypMjE9Gc9qb/obQLalXxmGdB3kMtXLOG4Wm5RSuDGQ02DReOH6NrTjHDiAf52NO0/pTbtqXbRhfFTuX6u7vviFuq4+ZTuGVmMK1mFxwS6J4h/mABACLklRvdUWMwyjLemhibd8+ICB5FSeanatyksT5befA67npjblqESgJDZBZcsvw/wEsil8GfRAfv9ttHMB4lAtD0FhQcriRnCFNnFTUaQmbEVx8iC/jxy/gPBYbS8/uutdaZM3ONjsMOdfClPH4FgLsycCZukfPKzfX1IEk+7fRdpoJXDmJe35uhVx5HSESW3QTeYYhz66DPpcFZH2cSzAI0TDfQbeemMyCaCR8glJkffUnpqHPr3Ikg7cEgvJGms8gSTfU+f6VNctD42edUivjkdHPLYIyr7q7BW9UF9klwgkbbipoJd5sXFQTlTa+h4VdNuAUQxTW7tjOo2F7CKvbrqPvU72pwB7tu45np1QyPhQLBndCJpoS6jqUPEoZPn3q4JEiKhGaTqVvYs8A3TZFJQ8/KSYpj5ipMvjYEmU1VEAKGoPgP5+n7G4vi+YMR0BobxDFKq1Xl73vE4kmt1AAXknORz32xazdqbX9f5uZPmtKlOlaKvFvm8OOG8m4Kafp0H4ARpxtEopHENOFfkb1I4Cr3XStb/5wA9ltCHx3aqBK+H2Oy3iE1yUc7239gGDXy34efnmdRRs6AXd6PfH3NCxOXLI2B9jUsBuDwDj5dArQBkgK3a4REd2oNRvVB9+h8eY+S8TuRM/6mX+qbS57B1P98ogk4H4+6ZaIV7kKsdTn0gqQiBItqec+K6fZYBmDDHX13RZexCCdEluPkpe5LTxDnIQIsA9qrdLV9R4of7YLEnp0uBlKDNkQia04AbgFgt61RgmOysPYhNuxoLmbaqeSCT9rn/PbYir5zDMaukQJKf8dneSrC7JH4sdc52GY6XnrLZBcwQB6devEeGqTb71TrL8H8H
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0168_01D77E15.6A7B7DD0"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0702MB3772.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: ed108ee4-5e43-4b93-8bae-08d94c1bca7d
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Jul 2021 07:47:29.3559 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: UPbN1U8WX7litVHip/4FIWW1Df+8bMTg/Q8nFnqWoDiKDiUN9VNlRkGCs27wjp6XrdqzgMuaGuh8ia21dBvdRJDt1BV0odVUJQpJ1lal1HA=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2889
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/D_NgNTo9VvdCeGahfdpQAUaefNg>
Subject: [tsvwg] DTLS over SCTP (RFC6083bis): Key-update limitation issue
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Jul 2021 07:47:39 -0000
Hi TSVWG, We authors of DTLS over SCTP update (https://datatracker.ietf.org/doc/draft-ietf-tsvwg-dtls-over-sctp-bis/) have run into an issue which we think do requires a design direction choice. That is the reason for the lengthy message below. So we know that we are going to rekey DTLS fairly frequently for two reasons. First with DTLS 1.2 and if you want to maintain PFS and not allow a key-reveal to back track much, then rekeying every hour to a couple of hours is recommended. Secondly AES-GCM cipher to protect the DTLS records have a fairly low AEAD limit of 2^24.5 DTLS records before rekeying needs to occur. Initiating rekeying is not an issue. The main issue we have is to determine when after a rekeying has occurred the receiver can drop the old keys. With SCTP's support for multiple streams, with independent transmission of user messages and its reliability mechanism this becomes a difficult puzzle. If one looks into the SCTP Sender side one can track which SCTP user messages or even individual SCTP packets that carry DTLS records that are protected with a certain key, and thus determine when all of these DTLS records using the old key have been delivered to the receiver and acknowledged in a non-renegable way. Then the sender can thus determine that the receiver will not need the old key anymore. The receiver side of knowing when a key is no longer in use is even harder, as the receiver may not have seen the user message that is outstanding due to packet loss and therefore would need an explicit signal from the sender that it is no longer using a key. The design in the current version of the draft relies on tracking which key was used based on the SCTP-AUTH key, which for DTLS 1.2 has a one to one relationship with the DTLS key and that has a key-ID. However, the current SCTP API for SCTP-AUTH has made an assumption that you would not rekey in the middle of an individual user message. The SCTP-AUTH spec can support rekeying of SCTP-AUTH in the middle of user messages, it is only a factor of the API and its current function that allow us to use that API from DTLS level to track when all user messages have been delivered. In summary, each side in its sender role need to verify that all previous key packets have been delivered prior to a rekeying. Then the rekey is used as explicit signal to the receiver that it can drop the previous key. Thus, the receiver will have the current key (n) and previous (n-1) key. And n-1 will only be removed when key n+1 is in place. So if we keep the current design and want to make it possible to implement the DTLS over SCTP with the current API as basis, then we will have limitations on how large user messages and how long their delivery may take. Basically a large user message may not require more bytes then what is available from the current key's AEAD limit, it needs to be possible to complete transmission before the next rekeying can occur. You will not be able to rekey to the next key (n+1), until the user message using key n-1 has completed transmission. And this could cause a block against sending new user messages if the key-limit is reached for key n. The strict upper limit to a user message size will be 2^38.5 bytes, i.e. the user message consume the whole AES-GCM key limit in bytes. Thus in practice likely a magnitude or more smaller messages can be used. As said you need to complete the transmission of this whole message before the need to do the next, next rekeying. Our thoughts is that this is not suitable for any application that attempts to use one or more stream as a byte stream within a single user message and like to apply DTLS to it. We don't know about any such application currently. Currently we don't think these limitations will be a problem, however they are introducing limitations to SCTP that does not exist if you don't attempt to use DTLS over SCTP. If you have such an application that would run into this problem we need to hear it. We have also so far considered two alternative designs (B and C) that could resolve this issue but which we think have other draw backs that are significant also. B) As the core of the issue is the SCTP API and how it tracks SCTP-AUTH keys, we could abandon/update the SCTP API and demand that applications are capable of tracking the user message packet ranges that are protected with different keys. Then DTLS and SCTP-AUTH could rekey freely when needed given that they ensure that all SCTP packets with reliable user messages protected by the previous key has been delivered. However, this disregard the SCTP API that are fairly well used would mean that deployment of this version would be substantially harder and require updated SCTP stack implementations and APIs. Also an updated SCTP API would be substantial amount of work. C) We could break the ULP user message to SCTP user message mapping. This would allow the DTLS layer to freely fragment user messages and the individual DTLS records and their related keys on to different SCTP user messages. This would enable rekeying, but would require expanded functionality in the DTLS layer to track fragments and user message end markers for the different upper layer protocol user messages. We will think if we can come up with other solutions and if you have ideas don't hesitate to contact us. Thus, we are asking two things of you. First, do you know of an SCTP application that use very large user messages or maps byte streams onto single SCTP user messages? Secondly, is the currently outlined solution with limitations sufficient, or do we need alternative designs like B or C? Your feedback is highly appreciated For the co-authors Magnus Westerlund We are tracking this issue at: https://github.com/gloinul/draft-westerlund-tsvwg-dtls-over-sctp-bis/issues/ 62
- [tsvwg] DTLS over SCTP (RFC6083bis): Key-update l… Magnus Westerlund