Re: [tsvwg] 3GPP SA3 reply LS on SCTP-AUTH and DTLS

John Mattsson <john.mattsson@ericsson.com> Wed, 31 May 2023 18:19 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Michael Tuexen <michael.tuexen@lurchi.franken.de>
CC: "tsvwg@ietf.org" <tsvwg@ietf.org>
Thread-Topic: [tsvwg] 3GPP SA3 reply LS on SCTP-AUTH and DTLS
Thread-Index: AQHZkw5jR0QbklvOlk+K88oKMsRina90awGAgAAEwec=
Date: Wed, 31 May 2023 18:19:22 +0000
Message-ID: <GVXPR07MB96781A729067510A893956F789489@GVXPR07MB9678.eurprd07.prod.outlook.com>
References: <GVXPR07MB9678ED9FBCCF537C2BF27E71894B9@GVXPR07MB9678.eurprd07.prod.outlook.com> <DF338A30-1547-43F7-987A-B62009AFCC72@lurchi.franken.de>
In-Reply-To: <DF338A30-1547-43F7-987A-B62009AFCC72@lurchi.franken.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/Dcfyy50MaKYIACDeDl2QVRG2aKU>
Subject: Re: [tsvwg] 3GPP SA3 reply LS on SCTP-AUTH and DTLS

Hi Michael,

>Were you able to also get some feedback related to the questions I raised in my e-mail sent on May 14th?
I was not there myself. But I would assume that 3GPP did not discuss more than the information in the LS and in the drafts. Your questions are certainly relevant, but the security group might not be the right working group to ask some of your questions.

Magnus and Michael wrote:
>> Much lower requirements on DTLS implementations when it comes to support of functionality
>Which is the other way around at the SCTP level.
Not having to make any changes to the DTLS library is very important from a security standpoint. Changes to the DTLS library can easily introduce security vulnerabilities, and having changes makes it much harder to quickly apply security patches.

Cheers,
John

From: Michael Tuexen <michael.tuexen@lurchi.franken.de>
Date: Wednesday, 31 May 2023 at 16:04
To: John Mattsson <john.mattsson@ericsson.com>
Cc: tsvwg@ietf.org <tsvwg@ietf.org>
Subject: Re: [tsvwg] 3GPP SA3 reply LS on SCTP-AUTH and DTLS
> On 30. May 2023, at 17:54, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:
>
> Hi,
> 3GPP SA3 (Security) had a meeting last week and sent a Reply LS to TSVWG regarding SCTP-AUTH and DTLS. The LS will appear in the IETF LS tracker at a later date when the 3GPP and IETF secretariats have processed the LS.
> https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-e80a50d8b7f2c96c&q=1&e=910c8519-cb03-46e1-a414-afc589ed9d3f&u=https%3A%2F%2Fwww.3gpp.org%2Fftp%2Ftsg_sa%2FWG3_Security%2FTSGS3_111_Berlin%2FDocs%2FS3-233355.zip
> SA3 discussed the discovered vulnerabilities, DTLS over SCTP, DTLS in SCTP, the importance of this work, and agreed on the following text:
> "SA3 would like to thank IETF Transport Area Working Group (TSVWG) for notifying SA3 of the vulnerabilities related to SCTP-AUTH and DTLS over SCTP.
> SA3 agrees that the vulnerabilities are serious – they are affecting confidentiality, integrity, replay, and availability. Supporting DTLS over SCTP in N2, Xn, F1, and E1 interfaces has been made mandatory from Release 15 onwards. Therefore, SA3’s understanding is that it is important to solve all the security vulnerabilities, including the availability vulnerabilities. Since the problem is related to the use of DTLS with SCTP, SA3’s understanding is that the solution should be based on DTLS, and the solution should not rely on unsupported DTLS features.
> SA3 kindly asks TSVWG to work on and publish a solution as soon as possible."
Hi John,

thanks for the information. Were you able to also get some feedback related to the questions
I raised in my e-mail sent on May 14th?
> We need to progress the work in TSVWG fulfilling 3GPP requirements of fixing the availability vulnerabilities, not relying on unsupported DTLS features, and publishing a solution as soon as possible. DTLS in SCTP seems like the only solution as it solves the availability vulnerabilities and does not rely on unsupported DTLS features.
This conclusion is not clear to me. It highly depends on the architecture of the SCTP you are using.
Therefore, my questions above. However, up to now we have not made any particular requirements on
whether you use a userland or kernel SCTP stack. We just specified a socket API and ensured that
you can implement it in kernel land. Implementing it in userland is then not a problem.

Best regards
Michael
> Cheers,
> John