[tsvwg] Comments on draft-tuexen-tsvwg-rfc4895-bis-04
Magnus Westerlund <magnus.westerlund@ericsson.com> Wed, 19 July 2023 15:30 UTC
Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDEA1C15152D for <tsvwg@ietfa.amsl.com>; Wed, 19 Jul 2023 08:30:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VDO61W0DUNF8 for <tsvwg@ietfa.amsl.com>; Wed, 19 Jul 2023 08:30:46 -0700 (PDT)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2050.outbound.protection.outlook.com [40.107.20.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5A7FC15108D for <tsvwg@ietf.org>; Wed, 19 Jul 2023 08:30:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=AI6YT0fV913NC/CY2+RPI2fQuCbkvpEIIGnssYtV6HgdKUb9+597KHicc24mcVC2knPOHWiCfufw3SIBa4495ZsQJJwzEJj7ELMPxW22TAiqSVyXXlupSG/SW8bq66c2X000Fw+Hc/QDB8HpDF88OjRm08P8VOALvkT1vqOwfsh0pL0URbqLuSCf+MlIqV4+JWQdaguBAHgKd2wMgHkykFWuqIE6xr3IihGthP9DEmr0nP6CIMyXuQAVQeO+8AWnU++MMi73yb1WTs3sbrYmF1reYIY2wJqbCMZq3gs3v8UOTnSTcUNZFGDvJpTHYhqSRbWXGRT6fWDTehGoEw20xQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=22PUVflGIYxxiHYYILPQiooDzjTCgVeRNt4vY8GuWDM=; b=oVgxxf1lBtndPjFK4n+QE+aXgj8U9BMWQCI5NM8AdiNxS4lpoSQGCB44OWEa/H88E2skwRt12ewNT/h+y7u0yPlQ0pl5hxE6BK4ucQpQthVpXqw+bhvr9RcXIGuwwheJbiwX73EstSd5tWZcpGeGCDjjpPPOaZ1P6dKqlf5P+g12zw7NEvlR+9QC3F68dBfoD1yVEq+hAy3cf1ZpGPHjIA0brPSfPHlIAPM/nHPp7cLan0CRXU8DLqWpfNfNSErgGNvPjxFPGWZQI5oZ+gReXi54zTeHyTZdetgDMOia9qAIZXOy8rR2g5H5pDd8s4Q2d0fh/+EfagZ4kiarVBHrzQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=22PUVflGIYxxiHYYILPQiooDzjTCgVeRNt4vY8GuWDM=; b=lcAsbdWuddOQ9Cz7xScxOxr6e8SpV3ZdUyh0B5QRQPeZtcF8fvvoVYZ/TOhVtjyaYvixV7wdh0EMEzluLMfnBE9/nogsuoS69vk5IHtp7Z/MgSRwgagkObmk2YYbxzmm9bNC4jfkCBEed8JZYNhwXqSEHMoieJ++MvDtUwISv9w=
Received: from DU0PR07MB8970.eurprd07.prod.outlook.com (2603:10a6:10:40e::17) by DB8PR07MB6284.eurprd07.prod.outlook.com (2603:10a6:10:131::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6609.24; Wed, 19 Jul 2023 15:30:43 +0000
Received: from DU0PR07MB8970.eurprd07.prod.outlook.com ([fe80::f42d:c1c8:7d3:f559]) by DU0PR07MB8970.eurprd07.prod.outlook.com ([fe80::f42d:c1c8:7d3:f559%7]) with mapi id 15.20.6588.031; Wed, 19 Jul 2023 15:30:43 +0000
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: tsvwg IETF list <tsvwg@ietf.org>, Michael Tuexen <tuexen@fh-muenster.de>, "ekr@rtfm.com" <ekr@rtfm.com>, "hannes.tschofenig@gmx.net" <hannes.tschofenig@gmx.net>
Thread-Topic: Comments on draft-tuexen-tsvwg-rfc4895-bis-04
Thread-Index: AQHZulNZhoaBuVePxU+gHcXC5O6MNQ==
Date: Wed, 19 Jul 2023 15:30:43 +0000
Message-ID: <DU0PR07MB897017C58E87344912BF8E929539A@DU0PR07MB8970.eurprd07.prod.outlook.com>
Accept-Language: en-US, sv-SE
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DU0PR07MB8970:EE_|DB8PR07MB6284:EE_
x-ms-office365-filtering-correlation-id: 8b5d5642-db94-4788-bd22-08db886d1d90
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: hGJIDTSaaJmXOFaDTgSvDoWrV8BUWhbKULO0Z7pzR22tO6FjY3Q3QrFKT0qMxzKfrwhNE/EFASequ1EgfS55vTkVh4G0uvXXdD/w2GvbJcEcLH8yCMThweD+5Br3b4vcDknHtqIEevJGPwn+vQPvap5IJq5f7gqF5CVG0FiVFdI3nw9Hc/1SxwmKO4FRXXDY5e32SQ1YiX1t4FDAZokNQ1xmeDffm/uhua44H5hfbW5ZJTXleHwnfLlteuCS5GsTwShkQQEgWUjpnBBULm/9r1Q07LhjfyZqSxmUmrLCo6wOT4WKzFkEv5Cp3k85OiHePxb8g+q8/pI37r3dpvpZ1ADmZeaOeebmVSY6IV8W/wQdyqqMXeRjYV/J5WUVxztjkGEh4fiE5Rz4sPcqjeIz+t9fAVMbqYg7/WnbaP91c7hLmMX5vUFTYvxDDZTtDHzB0TA57B2cBgGXxlD1iWCD13D+M5dnuTtC+XCLmrtQTzn596K9A0Zr/+kDolNMmjCobzP9hwzEi764dMOV8tGAi9EjgRCuuwOSyfPIxqOVm1LxpIk2ObQe0w5lo4SRJT4AB0E3StSwa4x9XMn/C6QPF2gwNAf8H1Y/8rkYorFKOYR13HAf7/0tlKB+kBWOma9OgzztwFeYEl96+aJclW39hw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DU0PR07MB8970.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(4636009)(376002)(366004)(136003)(396003)(346002)(39860400002)(451199021)(71200400001)(478600001)(7696005)(91956017)(110136005)(186003)(6506007)(26005)(9686003)(2906002)(66446008)(316002)(41300700001)(76116006)(66946007)(66556008)(66476007)(64756008)(52536014)(8676002)(8936002)(5660300002)(38100700002)(166002)(44832011)(122000001)(82960400001)(38070700005)(33656002)(83380400001)(55016003)(86362001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: DlpjfPH612osClYEl/R1qYb+0s7MNfdT6ItouGO19AGA+t7XSNbDWYY2nww/FKLR52/EHpSLTyPepQMUpOEcBHwSgUT1mtujJESC05qP5zhfenCZA5EXTkLGjcl0+AEnRgXeCxCiEEnXVPi1GQl8yLxHjrc3kN69NpNUsVvIkIERHMk7XcqCUqVWvmNuIy96t/IAtk3RdxVMMKKgi3aru8MQXpuGOwJ0g9iFiACOAWkR3DQGNMAi1YQDoAr2cv1HsS2UZtnyiDUiMbC2KoH4NKWBEr/o+WPD2aov/vwTXbc67TIGRgo6wjiKMxOmhtMRy6Rwbox9DxVkP4KozUnbrQxOUmOqaapQ/SNWAVks8bk87hDNXg5ul8QtoBCTr+n8X3jXtmH67RqYKxZppHYhN0YETdUtKN76vz+0bCrYA7jSsCQK1VgQAWHQohQGAAXWOpKI9vZ69ENk4tiev+1BC2GKAch71FvuTcWIRhqwVMA2AAtMUC7Ty/gKtSkMuqX1UYofLLuBQEdh/UHoCNlREEoHIZrC8pKr89N1g/h5b9ZQllXDyEJJvX4VBLWht6Bwj9ul1PFY2DkZ60VGyZZ1g3/eJ+bx44wLgwODRjLVuA+AKZl52XWZlbMVt9T71y5BHk88lhFONUvrBir26AwDiFstA7RdAubok3DLG97WsfgeVq+FDp6dGfCgSlYHvqPpqu2crV6Z8lc1v9MY+hxPX3J4aIZhGuzr9fGKxCIS215iolGEf5CghjaFh4pX/nNopjmq9XW5bIyVo0gQDxdS7Rd1v58VNRlA45JbyaXHQQ606o+535gWcn5rxt8ZytmPyP+JrKW0H7vse2setP2Pau5LkOy8fP3Kn2UZcHcj1U8ennN518sYNOPqylv1QH46aZKZZuHGH5Kn4t8Q5JUzAGXz+RIVvBjEbJkFCDh2ncRkHwdmu802lJYpAS5cqTS7U+BbAXRHTBlxSRQ5t0IfQtxTvQDr/24DXPGQVtzPEc4tG7bmSrSzEkTIPfQUz1p/L+XbrtOSaOrtgJQCtAHnvESRHf3KCSB2rSHXOdII5/+OW99Z3VN2vpou6/7hJ3NjH9VjOGPR/OSINBGJrBtY5FQmlYnm2tiTKYKXtJ+23fLhF7SUP/qXVPOj6WJDUUaPrqvrylqCNMTuTHqU3b4VfVlMnqPPGHI+gu4su1LDysFclIVULTKlHZE2LMyIGTfGRWD5uaiRyh75TDT1aYFuXNcJEW4zgJpJNGusAeJ6kfLdUQ5JTjDqsNKDJM3Ef7iGuw3SX3RQvNUXgFquQUjVCe/Klagi7vJJK/8T23o9bvM6jpQGPjd4e+T4QVD02g+/kXh+xiEOcrxxcD48/Rw9QH68HpkfDBmpUdYzngbLzqsxVcAzI5NwEee9SSPRyxzNxGdIKqUaYixpdo9amYxqwoGCqcBBTAQVzeJCyeMut5ahZJQbIMyJFiQg51o63Oou24XbNLcf/AEPFY1cHUSddaGYTJlSEc0NVCYpA550e0ttoBEahz8RPwxy5/c/U9xVyWvQuOsTKf8NleVbNHgZB07wlYD6qcp9HKamApgTuAWGqdku0XnGcyqbh5I9To/SGDA5hYVeC5mUQWmSVdLeHrzSg3/pRmp93O3sBJFpXw8=
Content-Type: multipart/alternative; boundary="_000_DU0PR07MB897017C58E87344912BF8E929539ADU0PR07MB8970eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DU0PR07MB8970.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 8b5d5642-db94-4788-bd22-08db886d1d90
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Jul 2023 15:30:43.1799 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: gwWVuRmoFtDS/0woBtfWGVtN/+4f5l5FV/wLxvLKH0yHXelzW4QI9jTD2D0VyBMGQjbPkTA56ufAJWutbyq2S1f9rIME2HPIqkRGiYwtank=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB8PR07MB6284
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/q4vg3tQjplNKrmh1VABAbeulzaI>
Subject: [tsvwg] Comments on draft-tuexen-tsvwg-rfc4895-bis-04
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jul 2023 15:30:50 -0000
Hi, I have reviewed draft-tuexen-tsvwg-rfc4895-bis-04 and have some comments: General: So an authentication algorithm for SCTP-AUTH should not be required to use HMAC. It appears better to have the algorithms define themselves if they are using HMAC or might be using some other way of deriving the authentication tag. This will require that the algorithms also define a KDF of the input key data if not using HMAC. As in many cases the input shared association key will be longer than the what the algorithm uses. This specification needs to deprecate the old SHA-1 and SHA-256 algorithms and replace them with new algorithms that uses another key-derivation so that we get directional keys depending on sending and receiving. I would think the most straight forward change here is to derive one send key and one receive key. Where the send key is derived using first the vector that contains the material oneself sent in init, followed by the peers. An the receive key is reverse order of the these vectors. As long as one first check that the peers random values are not identical this appears to generate unique input data for the key derivation function based on direction. But, someone more knowledgeable in the finer point of crytpo should check my assumptions. Alternatively, one need to have a role label or something that is included to derive two different keys. I would note that maybe is desired as that would avoid API changes. The next question is what to do with mandatory to support interoperability point. The current HMAC-SHA1 is broken due to the directionality issue, so I think going forward one should not be required to support that. So the question is what to support instead? The replay attack potential we need to discuss also. If one only want to prevent DATA replay after TSN wraps, i.e. when 2^32 bytes having been sent, then one can include a strong recommendation for rekeying. However, I think we should discuss if one would like to fix this for all chunks by actually include a sequence number (for example 16 bits) in the SCTP-AUTH chunk, and run the MAC over an extended version of that field (64-96 bits in total) so that SCTP-AUTH prevent replay of really old SCTP-AUTH chunks as the epoch would not match and give integrity failure. Detailed comments: Abstract needs to mention that this obsoletes 4895. Section 1: "Using Transport Layer Security (TLS), as defined in RFC 3436<https://www.ietf.org/archive/id/draft-tuexen-tsvwg-rfc4895-bis-04.html#RFC3436> [RFC3436<https://www.ietf.org/archive/id/draft-tuexen-tsvwg-rfc4895-bis-04.html#RFC3436>], does not help because it only secures SCTP user data." Should likely be updated with reference to RFC 6083 or rather replacement solution. "Therefore, an SCTP extension that provides a mechanism for deriving shared keys for each association is presented. These association shared keys are derived from endpoint pair shared keys, which are configured and might be empty, and data that is exchanged during the SCTP association setup." Especially the first sentence appear to me not to rightly capture what is provided. I think some clarification on the shared key properties in general might be needed. "The SCTP extension for Dynamic Address Reconfiguration (ADD-IP) requires the usage of the extension described in this document. The SCTP Partial Reliability Extension (PR-SCTP) can be used in conjunction with the extension described in this document." This extension review and its interaction appears to need to be updated. But, it might be simpler to focus on if there are any extension at this time that would not be compatible with SCPT-AUTH? I think one can also consider if one like to provide a slightly more detailed overview of the solution to make the document easier to understand for the reader. Section 3.2: The chunk types for INIT, INIT-ACK, SHUTDOWN-COMPLETE, and AUTH chunks MUST NOT be listed in the CHUNKS parameter. However, if a CHUNKS parameter is received then the types for INIT, INIT-ACK, SHUTDOWN-COMPLETE, and AUTH chunks MUST be ignored. What about Init to re-establish an SCTP association after a failover? Is the security context something that is required to be maintained as indicated in Section 10. And is this thus true? Shouldn’t Initi chunks after the association is established be using SCTP-AUTH? Section 4.1: Not that this could not happen that an unknown algorithm is used. But it really should not happen. After the Init and Init-ACK each peer will provide what they support. And it does represent a security issue. Because can you after having negotiated use of SCTP-AUTH even trust a packet with a non supported algorithm identifier? Section 6.1: An SCTP endpoint MUST NOT change the parameters listed in the HMAC-ALGO parameter during the lifetime of the endpoint. I think it is unclear what is meant with a lifetime of the endpoint here. I can understand that this would apply for the life time of the SCTP association, but for the life time of the endpoint appears to limiting. I think that this preference list should be bound to a shared key. Thus, if one generate new endpoint pair shared key, one can have a different preference list when using that key? Section 8: I think there might be additional extension / changes needed as some of the other potential changes has been agreed on. But, lets figure out how to handle the directionality and in that discussion consider API impact. Section 9: Needs to be update to clarify which registries the reference should just be updated, and in which there are any new registrations. Section 10: So I think this document is missing a discussion on how to ensure that SCTP Association has unique keys. So as long as the random function are of good quality it is very low probability that the key input vector will be the same between two associations. But, this can in theory occur. Also the level the shared key is used will also impact the likelihood for collisions. If the shared key is strictly between two endpoints then the probability will be on one level. But if the shared key is shared across a set of N endpoints which all may communicate between each other then the reduction of collision resistance is reduced by (N-1)*(N-2). Cheers Magnus Westerlind