[tsvwg] Re: Paul Wouters' Discuss on draft-ietf-tsvwg-sctp-zero-checksum-10: (with DISCUSS and COMMENT)

Magnus Westerlund <magnus.westerlund@ericsson.com> Thu, 13 June 2024 06:52 UTC

To: Paul Wouters <paul.wouters@aiven.io>, The IESG <iesg@ietf.org>
Cc: draft-ietf-tsvwg-sctp-zero-checksum@ietf.org, tsvwg-chairs@ietf.org, tsvwg@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/jsXTuJ3zQKxkxcnZwShdKXwArnk>

Hi Paul,

I think you are correct that the security considerations likely need to explicitly state that the security mechanisms and the CRC32c integrity protection have a one-way dependency between them, and that the process to turn off the CRC32c should never impact the security solution negotiation and is never an alternative. The dependency that exists is that zero checksum has a prerequisite that something stronger protects the packets. There should never be a dependency in the other direction.

Secondly, in WebRTC there is no alternative option to DTLS. So, if an attacker fails the DTLS handshake, the whole PeerConnection establishment will fail. Also, because the whole SCTP packet is encrypted, there is no way an external attacker could even know whether zero checksum was applied or not.

Cheers

Magnus


From: Paul Wouters via Datatracker <noreply@ietf.org>
Date: Wednesday, 12 June 2024 at 18:07
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-tsvwg-sctp-zero-checksum@ietf.org <draft-ietf-tsvwg-sctp-zero-checksum@ietf.org>, tsvwg-chairs@ietf.org <tsvwg-chairs@ietf.org>, tsvwg@ietf.org <tsvwg@ietf.org>
Subject: [tsvwg] Paul Wouters' Discuss on draft-ietf-tsvwg-sctp-zero-checksum-10: (with DISCUSS and COMMENT)
Paul Wouters has entered the following ballot position for
draft-ietf-tsvwg-sctp-zero-checksum-10: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-tsvwg-sctp-zero-checksum/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Should there be a short discussion in the Security Considerations on what to do
when DTLS fails? This could be a bid-down attack from DTLS to crc32. Perhaps
some text that states if DTLS is configured, that if DTLS fails to establish,
this should be a hard fail and not a soft fail to crc32 'protected' clear text?


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

NITS:

        A Virtual Network (VN) is a network provided by a service provider
        to a customer for the customer to use in any way it wants.

I think "any way" is a bit too strong? Service providers have a lot of AUP and
fine print.

being being received -> being received
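The receiver-side policy this thread argues for (a zero checksum is accepted only as a consequence of the stronger protection already being in place, and a configured-but-failed DTLS session is a hard fail rather than a fallback to CRC32c-checked cleartext), as an added example in Python. This is not the draft's reference code or any SCTP stack's implementation; the common-header layout and the CRC32c algorithm and byte order follow RFC 9260, while the `AssociationState` fields, the function names and the sample packet are constructed here for illustration.

```python
"""
Receiver-side acceptance check for SCTP packets that may carry a zero
checksum. Added example, not the draft's or any stack's reference code.

The policy it encodes is the one-way dependency from the thread:
  * a zero checksum is acceptable only if the peer negotiated it AND the
    packet arrived under the stronger protection (DTLS);
  * if DTLS is configured for the association but not established, the
    packet is rejected outright (hard fail), never accepted as CRC32c-only
    cleartext, so there is no bid-down from DTLS to CRC32c.
"""
import struct
from dataclasses import dataclass
from typing import Tuple

# CRC32c: Castagnoli polynomial in reflected form, init and xorout 0xFFFFFFFF
# (the table-driven algorithm given in RFC 9260 Appendix B).
_CRC32C_POLY = 0x82F63B78


def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ _CRC32C_POLY if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _make_table()


def crc32c(data: bytes) -> int:
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


# SCTP common header: src port, dst port, verification tag (big-endian),
# then the 4-byte checksum field. RFC 9260 stores the CRC32c value least
# significant byte first, hence "<I" for the checksum field below.
_HDR = struct.Struct(">HHI")
_CSUM_OFF = 8


@dataclass
class AssociationState:
    dtls_configured: bool           # application requires DTLS (the WebRTC case)
    dtls_established: bool          # DTLS handshake completed for this association
    zero_checksum_negotiated: bool  # both ends signalled zero checksum support


def build_packet(src: int, dst: int, vtag: int, chunks: bytes, zero_checksum: bool) -> bytes:
    """Sender side: emit a packet with a real CRC32c or with the field left zero."""
    pkt = _HDR.pack(src, dst, vtag) + b"\x00" * 4 + chunks
    if zero_checksum:
        return pkt
    return pkt[:_CSUM_OFF] + struct.pack("<I", crc32c(pkt)) + pkt[_CSUM_OFF + 4:]


def crc32c_matches(pkt: bytes) -> bool:
    """Ordinary CRC32c verification: recompute over the packet with the field zeroed."""
    stored = struct.unpack_from("<I", pkt, _CSUM_OFF)[0]
    zeroed = pkt[:_CSUM_OFF] + b"\x00" * 4 + pkt[_CSUM_OFF + 4:]
    return crc32c(zeroed) == stored


def accept_packet(pkt: bytes, state: AssociationState) -> Tuple[bool, str]:
    """Return (accepted, reason) for a received packet under the association's state."""
    if len(pkt) < _CSUM_OFF + 4:
        return False, "runt packet"
    # Hard fail: DTLS was configured but never came up. Falling back to
    # CRC32c-checked cleartext here would be exactly the bid-down to avoid.
    if state.dtls_configured and not state.dtls_established:
        return False, "dtls required but not established"
    stored = struct.unpack_from("<I", pkt, _CSUM_OFF)[0]
    if stored == 0 and state.zero_checksum_negotiated and state.dtls_established:
        # Zero checksum is a consequence of the stronger protection, never
        # an alternative to it: both conditions must hold.
        return True, "zero checksum accepted under dtls"
    # Everything else, including a zero field that was not negotiated, is
    # verified as an ordinary CRC32c (a genuine CRC of zero still passes).
    if crc32c_matches(pkt):
        return True, "crc32c ok"
    return False, "crc32c mismatch"


if __name__ == "__main__":
    # Constructed sample: one association, a 20-byte dummy chunk payload.
    payload = b"\x01\x00\x00\x14" + b"\x00" * 16
    plain = build_packet(5000, 5000, 0xDEADBEEF, payload, zero_checksum=False)
    zeroed = build_packet(5000, 5000, 0xDEADBEEF, payload, zero_checksum=True)
    for name, st in [
        ("no dtls", AssociationState(False, False, False)),
        ("dtls failed", AssociationState(True, False, True)),
        ("dtls up, negotiated", AssociationState(True, True, True)),
        ("dtls up, not negotiated", AssociationState(True, True, False)),
    ]:
        print(f"{name:24} crc packet: {accept_packet(plain, st)}  zero packet: {accept_packet(zeroed, st)}")
```

In the WebRTC deployment Magnus describes, `accept_packet` would sit behind the DTLS record layer, so `dtls_established` is simply whether that layer handed the packet up; the point of the explicit `dtls_configured` check is that a stack which also supports plain SCTP must not let an association that was supposed to be DTLS-protected quietly degrade to CRC32c-only verification.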