[tsvwg] Draft Liaison statement to 3GPP RAN3 and SA3

Magnus Westerlund <magnus.westerlund@ericsson.com> Fri, 28 July 2023 15:57 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/UgGsR3cjH2nrCZs2ckt8fPuZfzg>

TSVWG,

Below is my proposed draft Liaison statement; please provide comments and suggestions for improvements.

Cheers

Magnus

Title: DTLS for SCTP next steps and request for input
Response to: Reply LS on SCTP-AUTH and DTLS (S3-233355)

Source: IETF Transport Area Working Group (TSVWG)
To: 3GPP SA WG3, and 3GPP RAN WG3
To Contacts: Lionel Morand <lionel.morand@orange.com>
             3GPPLiaison@etsi.org
CC: Charles Eckel <eckelcu@cisco.com>
    TSVWG <tsvwg@ietf.org>

Send any reply LS to: statements@ietf.org
Purpose: For action
Deadline: 2023-09-11 Action Needed

1. Description

IETF’s Transport Working Group (TSVWG) thanks 3GPP SA3 for “Reply LS on SCTP-AUTH and DTLS” [1]. This LS is a follow-up to inform 3GPP SA3 and RAN3 that TSVWG continues its work on a DTLS-based security solution for SCTP that should be suitable to the needs of 3GPP for the N2, Xn, F1, and E1 interfaces. TSVWG would also like to inform 3GPP how input from 3GPP and its participants can help ensure that the time plan is met.

In the development work on a replacement, as reported in the previous liaison statement (titled “Updated LS to 3GPP regarding SCTP-AUTH and DTLS”) [2], the work had run into some security issues. In the continued work to address these security issues there are now two different proposals that TSVWG is attempting to choose between. The first is to continue with the previous solution with DTLS on top of SCTP [3], relying on an updated version of SCTP-AUTH [4] to ensure that the DTLS records are in order per message and that no records can be injected into a protected message. The second solution is to create an encryption chunk [5] that encapsulates all the payload of SCTP packets, where each SCTP packet’s content can be protected by DTLS [6], ensuring confidentiality, source authenticity, and integrity.

These two solutions both appear to fulfill the security and functional requirements to address 3GPP’s needs as understood by TSVWG. The interpretation of the requirements is the following:

  *   Support message sizes larger than 500 kb, which appears to be the approximate theoretical maximum size of Xn (3GPP TS 48.423) messages, although we note that the original liaison statement from RAN3 [7] refers to SCTP’s unlimited message size.
  *   Enable long-lived SCTP associations with lifetimes of many weeks.
  *   Periodic mutual re-authentication of the peers.
  *   Periodic rekeying with forward secrecy, enabling Diffie-Hellman exchanges that force an attacker to perform dynamic key exfiltration after each rekeying.
  *   The security solution should not be vulnerable to SCTP association availability attacks based on injection or prevention of delivery of a small number of packets by an on- or off-path attacker.
  *   Rekeying or re-authentication may not interrupt the SCTP-using applications’ message delivery for any extended time, such as multiple RTTs to drain all transport messages in order to perform the rekeying.

We also have noted the wording in the reply liaison statement [1], “Since the problem is related to the use of DTLS with SCTP, SA3’s understanding is that the solution should be based on DTLS, and the solution should not rely on unsupported DTLS features”.

The two proposed solutions have different properties when it comes to robustness (i), requirements on the DTLS implementation (ii), and implementation effort in the SCTP stack (iii). These differences are summarized in this presentation (Slides [8], Recording [9]) to the TSVWG meeting at IETF’s 117th Meeting. As many of the differences are related to implementation and to requirements on the DTLS implementation, it would really help if either of the 3GPP WGs, or at least their participants, would provide input to the TSVWG work on which of the solutions it would be preferable for TSVWG to pursue.

TSVWG’s meeting at IETF 117 was unable to make a choice at this time on which solution to pursue, due to a lack of sufficient breadth of input and time for participants to prepare and discuss the differences. To address this and make progress as quickly as possible, an online interim meeting of TSVWG has been scheduled on the 19th of September 2023 at 16:00-18:00 CEST where this can be discussed in more depth. TSVWG would like to invite interested parties to participate in this interim meeting, which is open to anyone. No registration will be required; however, an IETF datatracker account (https://datatracker.ietf.org/accounts/create/) will be needed to join the session. The session details and a join link will be available from this page: https://datatracker.ietf.org/meeting/upcoming

In the discussion at the IETF 117 TSVWG meeting, it was requested that 3GPP clarify which SCTP message sizes a solution is required to support. In other words, is the theoretical maximum message size mentioned above relevant to be supported, or would it be sufficient that a smaller message size is supported? In general, it would be good to have SA3 and RAN3 confirm that the interpretation of the requirements is relevant.

TSVWG plans to make a consensus decision on its mailing list after the interim meeting. If a rough consensus is achieved on which solution to pursue, TSVWG should be able to finish its work within a year. This means that specifications approved for publication by the IESG could be available by the end of 2024, with published RFCs within one to two months. However, for this time plan to hold it is necessary that a sufficient level of review is achieved. Thus, interested parties need to be involved in the remaining process in TSVWG.

2. Actions

For both SA3 and RAN3:

  *   TSVWG would like to invite interested parties to participate in the TSVWG Interim meeting on the 19th of September 2023 at 16:00-18:00 CEST.
  *   TSVWG would like to request that any input on the choice of solution be provided in an LS by 2023-09-11.
  *   TSVWG would like to request confirmation of whether the interpretation TSVWG has made of the requirements is relevant to 3GPP.

3. Upcoming Meetings

2023-09-17: Online interim meeting of TSVWG 16:00-18:00 CEST. Details for this meeting will be linked from this page when available: https://datatracker.ietf.org/meeting/upcoming

2023-11-03 to 2023-11-10: IETF’s 118th Meeting in Prague.

4. References

[1] 3GPP Liaison, “Reply LS on SCTP-AUTH and DTLS”, 3GPP doc nr: S3-233355
[2] https://datatracker.ietf.org/liaison/1806/
[3] https://datatracker.ietf.org/doc/draft-ietf-tsvwg-dtls-over-sctp-bis/
[4] https://datatracker.ietf.org/doc/draft-tuexen-tsvwg-rfc4895-bis/
[5] https://datatracker.ietf.org/doc/draft-westerlund-tsvwg-sctp-crypto-chunk/
[6] https://datatracker.ietf.org/doc/draft-westerlund-tsvwg-sctp-crypto-dtls/
[7] https://datatracker.ietf.org/liaison/1723/
[8] https://datatracker.ietf.org/meeting/117/materials/slides-117-tsvwg-71-dtls-in-sctp-00
[9] https://youtu.be/HcjKkhYn08Q?t=2484