[tsvwg] Updated draft LS to 3GPP regarding SCTP-AUTH and DTLS
Magnus Westerlund <magnus.westerlund@ericsson.com> Tue, 29 November 2022 09:40 UTC
Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCAB0C14CE4B for <tsvwg@ietfa.amsl.com>; Tue, 29 Nov 2022 01:40:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cJOzjAsIMrF0 for <tsvwg@ietfa.amsl.com>; Tue, 29 Nov 2022 01:39:57 -0800 (PST)
Received: from EUR03-DBA-obe.outbound.protection.outlook.com (mail-dbaeur03on2078.outbound.protection.outlook.com [40.107.104.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40378C14EB1C for <tsvwg@ietf.org>; Tue, 29 Nov 2022 01:39:57 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RvuzmCV5BKDtdAjmcEFGSmVinTascwN4K/Y2zg4oXI70itG059bkg2jAsoKag45d+Qeq+kw71tp6XtZgSrjF6DyWdhtJek/zPmE9SNXcC8dbtf1MyJ9qHyk6LBmvndA3h2RxZDYbPqJyp0XnWjz0rljpuktt/LM6ixmkZNNdqnkltSAa/Yxmd2b6Q6RAzl99sGS/51rzk4U2Y4lbYVvdZKg+jF/tUtUkmWjqeILkQtgmJJXESpCb7W4Gw6bWoIEgo1sxe6cX3r6qvM4+ODuWnR9OtQsL3vD10+8yIpSt5loRYNRAPwdBIjlik79m4Ja0VWM50A0CQ3y16DDvCQ4ceA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=WXA3z7IsYYFeXO80pzgqyQORpCQC+6DBylruI4am9MM=; b=KrilfxKLRvdiTHIqawnnLDvcKkwbqRDmrtFoLCxWozF7zbRMWddxhz1MZw06T2zQnKaMZvzueKN/dkdzHXUsq6B7WPIMqiT2pOnHBavdQpigoKun8UxCepV1R1wIeEp8jn+Z0IWqYhnTXqcIOM3uUPFnwNuVQpiqS2jddngYUwJTK4Zy9V/uwF0sewjw0hFxMhG8ReF25+RWt1dQ5fAhicCjNdXYut00niUTIc/eg8ZbCqbZRF0LoVNpPSN2SKdGWbqsvIU7OcdUQSA5PVwMhm5QcX9hQVlQ8b3U4AILRVuUISPc/27LTcsS5SMyAXmusKm+eB6rA2nIMQyMUIXIew==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WXA3z7IsYYFeXO80pzgqyQORpCQC+6DBylruI4am9MM=; b=K/RkKsK0OruBGTnppKsYb4Z8Mh2ib9/AEmTFSamDOxrszatnSW4yxS7KyueUejf9+KCwACf6dtolwGl9RAcm1Kaev56nU6rmK5wlURu9zCEgszThyQ0s4Ky0wcpogn2gpAGr/egHg31INU6BBFuNseupZ0X4wzfJbOwe67uapoU=
Received: from PA4PR07MB8414.eurprd07.prod.outlook.com (2603:10a6:102:2a2::6) by AS8PR07MB7383.eurprd07.prod.outlook.com (2603:10a6:20b:2ab::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5857.23; Tue, 29 Nov 2022 09:39:54 +0000
Received: from PA4PR07MB8414.eurprd07.prod.outlook.com ([fe80::f694:1ec2:3a2c:bbc5]) by PA4PR07MB8414.eurprd07.prod.outlook.com ([fe80::f694:1ec2:3a2c:bbc5%5]) with mapi id 15.20.5857.021; Tue, 29 Nov 2022 09:39:54 +0000
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: tsvwg IETF list <tsvwg@ietf.org>
CC: Michael Tuexen <michael.tuexen@lurchi.franken.de>
Thread-Topic: Updated draft LS to 3GPP regarding SCTP-AUTH and DTLS
Thread-Index: AQHZA9YenokRMoQfoUawq7jcUGWwuA==
Date: Tue, 29 Nov 2022 09:39:54 +0000
Message-ID: <PA4PR07MB84149532DCC9DF9F035A478D95129@PA4PR07MB8414.eurprd07.prod.outlook.com>
Accept-Language: en-US, sv-SE
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: PA4PR07MB8414:EE_|AS8PR07MB7383:EE_
x-ms-office365-filtering-correlation-id: 98b60df0-5fb3-4fe1-cea3-08dad1edab8a
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: ik3dAqsfIoxB8tu2Nzx5qoXOIC5HJNA+5YSazhr0SVH9oyXnyC5GFQxifUmYx2BxldCzjsB1tUf6oGOFRctB2azl6/oyW5a4dthZ4DV/Rze9QVZHvGBZaXQufB22U80TnjfZ+Ne5VPOV//I5eRVQ1PTtngzQ5dT3Er7RUx6NUhom4ehFAVeZDKr8XkZCLAWqeTMYkUNL4hKFGHUx+/jIrMNuWRLxj9LNe5XEa3skY+ufsfmt3E1N8tKBb2WXXU6RX43336+3gFnZpB59yRlM9IdWtndz4jR/wlhDrquRHVPymTWMjpleaOu2vkTGN2QJXXnazOV4HjRPkjGhDAX1KdakYKXjso5xCWShRqwljgII/4vFTg/e4TE/lW1fM12pSnV3RsUPolFkfI6v59I42fw6psDVMmak+tPsCDLh/p0v0VmHVxRFX8UssssNJ5xHZuWHRsWUY1pexmDwHHOORsn1k9p/SkLy82siRwzedC5Djz+jXbpGVLbBRvbX9TrjHOWZ07aObn01QDcUz45EMl7YfHMnosi64Y0INvNx2ccx93gCMpp0YXmnnebD1yMYZBuqs0TSR7a1/iFcerHM2uGG+e6f2oQuOREAHzYtAsLuDQEhmf1d5LzTO88jlLZXlrV5mcMvkex08D/ICdKwRIkmcytn26ouxuUSovdD4XIKJvXm1VNc/2WNPkS5KHlgj+KV7zuaVApjRm/J1g9A80ZusIf7Ljf4544KkMml0jhlFnPOIhmsh3PJ8U2OmcN0Nbc5xjHdtyFYwyNiaelKVoZU23tLusSwAR6Qu5cUEyQK4H4WV8oXRjavaeXV7M/7
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PA4PR07MB8414.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230022)(4636009)(346002)(376002)(39860400002)(136003)(366004)(396003)(451199015)(5660300002)(44832011)(33656002)(55016003)(316002)(6916009)(9686003)(26005)(52536014)(41300700001)(8936002)(91956017)(66446008)(66556008)(186003)(66476007)(66946007)(64756008)(76116006)(8676002)(15650500001)(122000001)(38100700002)(38070700005)(82960400001)(166002)(2906002)(4326008)(83380400001)(86362001)(966005)(7696005)(6506007)(71200400001)(478600001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: MNIjEmI6HdnCi/A+iinAV5bun/DIwGOF8f25gMKxyCOHabl8Yj4Skh4vcerexs3eVLLSyV7eaYwgVAoyUKYagdlgtRNY3SP3L2BWd+c24BKBxyiOVtvta6vc+mw6eO4YaQsAanmNEXY8Z7DD9RdaNy6ib6I0osrC0DhDwEhezU6Xci2KWxYYr3qujXnR9IiR+NIu462kgrR0GhOskO+lQZosb9+WQvk9xnhBmYo8Bc+4rMPwl/7bg+vXzCV0YMD3khCbHV6qjTOCb4DveBlkuz7hpPHTAnGkfASBs1u4/XWCagk+BsSi0yJlFkFGSr8u9c9JoMMVSIddTgbmnkKVEJqsZfZ9iaW1T9qpMkfYlKm/A09M2k+7Me03CLUCiyc6MATXb6s+5lIsy7n5wWY9pEicju7EqI6o6rCICsaWPyWcPau/xKiDo0ZVle8tX8NMVdUlkPCQTs2VNMYDAYpE3Gh62dldSezLa28ogOEyT2Dr96eEU57dy2oXW9PWjCCGpusRzfX5eoUObG/UXmHicDcgO7X1crHYQkBHoTTuU7uEkIzIH5LX/b8MV/BbB09sJgDPfhxXNUrgWgsULo/wRjbYFH/k+sCn4SNgLran8O2gSSP5g+Teoeo2CVySR4I26iAvJ1Sh+BRhIdbeiv/aPQ87E/+EFF9wkkNwAfg2/Uofl2mpf78LyAJJMXrxFNug6m+DuZNGQdjJN+EFep1EEcTqQGKNHpv+J+RZGcyARXKKcpfyC7bv0agh3pea8o4RPcQRCZKsd7MXO3OKOXyRa25NhQQcfkh7gkL58k2Bwtj66Yf+bKxZWsBDKlGgVP4+neYV/gzOh3rFuD61/jCsox3J49id3LFvXAkM/jrQRLpjKe3UMhiviY5kBnLW6PKmf7t8zTEhOpkUOAZ0nG0NdrlyIQvy1XmTuyW0Q2aN8xxDH0CGVpzhuOfb5QF84qv3w6BOqjNbdCOt+zcZuune3P8X9ctgAL/2bi1r71BdZnztWK/NK2cJAijPMMk6m4wxdIiBU/o3k9m4/a/qHovOTMDJiu/ArREcPSI/q6gVTkyZ48CWE1aOrPwpEf1XxGTCddriSDz5qbfyIwKeh7A6tx5cXMMyXhOaVrNBGJfwjGNeIgvjJEtFC0wEsizo+VeuXBYzxq7kOOQVSEVV4MGNYO4E8ph5wwSwhidUDg3KTTf+jNRKXc5ynYMPNwVMbt6dWAzS/z6b0hvOyZFk4Q7ifj6TDCBe/IiLqzo5XGyEvCHqZoz3iHAoYXLCvh4VSEpXno5YhKbf+Hs2O/NbWASTHITQOHz6aujURy4LwnK6yr84K0gCnMI8c18HRjl16THflutBGNe8WDrjoOlXXH1N8a+BtgJaOOPwuo22FUDOY5hp5V6V6lfSziX0M62R98X9zpkZlAlCrV8GT7YVVsS6CZBY9HHTEFpKs+P2lVxWhcQwfejl/0IOw0BJ0epE/P4y7eJ3F2MdDpvk94G77mjszv73AiRh41yJhSu5ZWX3T2cP2MmiIBQ4Gi9H4VPYey9dkm6waIIcOnFe5TGcCiuakeGbY7EG1FmY1SQrPqbnn9DGklAvMpHq6DwTVqrg1kGGJeJfRAI4n+nqHt54jdHsDgH9yXr8M3w07zdPyk14HIU=
Content-Type: multipart/alternative; boundary="_000_PA4PR07MB84149532DCC9DF9F035A478D95129PA4PR07MB8414eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PA4PR07MB8414.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 98b60df0-5fb3-4fe1-cea3-08dad1edab8a
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Nov 2022 09:39:54.1489 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: V95zz2TZZ0SDzkLcNPG5QVLF5U+ZxdDTQrIJH7FzZuTPJEKSbLFk3GMHpNUUX0MiYaLSHYlyqG64TbX72coJzDex1xYln/b2tndfdgUmpsE=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR07MB7383
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/vSfHRaIWph6meAspegmbpuD8WTk>
Subject: [tsvwg] Updated draft LS to 3GPP regarding SCTP-AUTH and DTLS
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2022 09:40:01 -0000
Hi, I have now updated the draft text for the LS. So please review and provide any feedback. /Magnus Westerlund Subject: Security concerns with SCTP-AUTH and impact on progress of DTLS over SCTP From: TSVWG To Group: 3GPP RAN3, 3GPP SA3 To Contact: <3GPPLiaison@etsi.org<mailto:3GPPLiaison@etsi.org>> BODY: The IETF Transport Area Working Group (TSVWG) has been working on an updated specification for DTLS over SCTP (RFC6083) that removes the user message limitation as previously acknowledged in the earlier liaison statement [1] to 3GPP RAN3. As part of this work security issues with SCTP-AUTH (RFC 4895) was found, as well as better understanding of the actual security properties provided by SCTP-AUTH. These impact DTLS over SCTP, because both RFC 6083 and the current working draft [2] for an updated solution rely on SCTP-AUTH. The security issues identified in SCTP-AUTH, can be summarized as: * First packets from host A can be reflected by an attacker back to host A to make it believe that these packets are coming from its SCTP peer (B). Thus, reflection of DATA chunk can be accomplished if the SCTP transport sequence number (TSN) and Stream Sequence Number (SSN) can be matched to an acceptable range in host A. * Secondly, its current key provisioning can result in the same key being used for multiple authentication algorithms. This situation can theoretically be created by an attacker capable of rewriting the INIT or INIT-ACK AUTH chunk to change the preference order could result in that HMAC-SHA-1 and HMAC-SHA-2 used with the same key. A better understanding of the replay protection that SCPT combined with SCPT-AUTH provides and its interaction with DTLS over SCTP has also been realized. SCTP-AUTH does not provide better replay protection than what SCTP itself provides unless additional measures are taken. This means that replay of DATA chunks may be possible after 2^32 DATA chunks have been sent and the TSN has wrapped. To be accepted by the endpoint the TSN and SSN needs to have acceptable values for the receiver. For other chunk types with sequence number similar risk exist if their sequence number are wrapped. However, that is fairly unlikely due to these chunk types low frequency of usage. Chunk types without sequence numbers can be replayed at any time, what impact this may have is normally limited as SCTP-AUTH prevents forging of those that could have significant effect. However, it is uncertain what impact on a specific implementation replay of chunks out of its original state context can result in. The SACK chunk replay can have significant effect after the TSN has wrapped as a replay can if timed correctly move the cumulative ACK TSN forward for a sender and potentially result in that the receiver missing a data chunk will never receive it thus dead locking the SCTP association. The resulting impact on DTLS over SCTP is the following: 1. Reflection of a DATA chunk that matches TSN and SSN currently acceptable can result in delivery of the data in the DATA chunk to DTLS over SCTP. This data will be either a complete DTLS record or be inserted as part of a DTLS record. This injection is then expected to be detected by DTLS integrity protection as DTLS keying is directional, resulting in the whole DTLS record being discarded. Such a failure is expected to result in an SCTP association termination as it represents a non-recoverable transport protocol failure. 2. Unless frequent enough rekeying of SCTP-AUTH is occurring, DATA chunk from A to B (and/or from B to A) can be replayed to B (or A) after at least 2^32 DATA chunks have been sent. The same constraint on matching TSN and SSN applies for a successful replay. If the data in the DATA chunk is a complete DTLS record, then it depends on DTLS rekeying frequency if this old DTLS record will be accepted as new user message. If a successful replay’s data include part of a DTLS record, then it is expected to fail the DTLS integrity check and thus result in SCTP association termination. 3. Reflection or replay of SCTP control chunks could result in termination or dead lock of the SCTP association, i.e., attacking the availability of the SCTP association. We note that these attacks will require the attacker to have the capability of capture packets on the path between the endpoints, as well as send packets with forged source address that reach the targeted endpoint, alternatively also send packets from an on-path location. For more details on these security issues please review the presentation to the TSVWG [3]. An identified mitigation that protects against the replay of DATA and SACK chunks is to ensure that the SCTP-AUTH key has been replaced and discard before 2^32 TSN values have been used since the first SCTP packet protected by this key. Note that this does not appear to satisfactory mitigate the reflection attack. TSVWG is willing to start working on addressing these security issues in SCTP-AUTH immediately. However, it is unclear how long it will take to finalize a resolution that addresses these issues. DTLS over SCTP [2] will also have to be updated to address the replay properties of SCTP-AUTH. We wanted to inform SA3 of these security issues and observation about replay potential as they impact the security properties of the usage of RFC 6083 that is already defined in “Security architecture and procedures for 5G system” 3GPP TS 33.501 Rel 16 and forward. We want to inform RAN3 that, due to the discovery of the security issues and the need to address these, there will be additional delay before an update DTLS over SCTP specification will be done. It’s currently uncertain how long it will take, but it will likely take at least to the later part of 2023 before a complete solution can be available. References: [1] https://datatracker.ietf.org/liaison/1744/ [2] https://datatracker.ietf.org/doc/draft-ietf-tsvwg-dtls-over-sctp-bis/ [3] https://datatracker.ietf.org/meeting/115/materials/slides-115-tsvwg-sctp-auth-security-issues-00
- [tsvwg] Updated draft LS to 3GPP regarding SCTP-A… Magnus Westerlund
- Re: [tsvwg] Updated draft LS to 3GPP regarding SC… Gorry Fairhurst
- Re: [tsvwg] Updated draft LS to 3GPP regarding SC… Black, David
- Re: [tsvwg] Updated draft LS to 3GPP regarding SC… Magnus Westerlund
- Re: [tsvwg] Updated draft LS to 3GPP regarding SC… Michael Tuexen