Session Date/Time: 24 Mar 2022 09:00
saag
Summary
The Security Area Advisory Group (SAAG) session covered administrative updates, reports from various Working Groups (WGs), and a deep-dive presentation on IPsec by SA AD Paul Wouters. Key discussions also included the ongoing work in HTTP, DMARC, and W3C, as well as an important recognition of outgoing SA AD Ben Kaduk. The open mic session concluded with a technical discussion on the emerging pattern of "oblivious protocols" and the complex trust models they introduce.
Key Discussion Points
- Working Group Reports:
- COSE: Nearing completion of the original specifications' advancement from Draft Standard to Standard. Chairs are requested to send reports to the SAAG mailing list.
- HTTP: Significant progress on HTTP Signatures and HTTP Digests, encouraging review from the security area due to their cross-area applicability.
- DMARC: Working on a Proposed Standard version of the former experimental specification, with ongoing debate on replacing the Public Suffix List usage with a tree walk.
- Privacy Pass: Reworking its architecture draft to accommodate diverse use cases.
- TLS: Many drafts are progressing, with continued debate on the "yech question."
- W3C Federated ID Community Group: An effort is underway to redefine browser authentication, bringing browsers into a more active role for OAuth and OpenID Connect. The Federated ID Community Group is an open forum for proposals on this contentious topic.
- External Developments:
- NIST's Round 3 Post-Quantum Cryptography (PQC) decision is imminent and is expected to trigger substantial work within the IETF.
- SA AD Updates:
- AD-Sponsored Documents: RFC 9169 (ERS update) and security.txt have been published. The Numeric ID SEC Considerations draft remains in EDQ, pending resolution of IESG ballot comments.
- Security Review Guidance: ADs emphasize the importance of consulting published lists of common security review "discuss" points and utilizing the DataTracker history field for detailed feedback.
- New Working Groups:
- SECRET (Sharing Credentials): Emerging from an ART area BOF, this work will be overseen by an SA AD.
- PPM (Privacy Preserving Measurement): Rapidly spun up following IETF 112's Priv BOF, demonstrating efficient WG formation.
- SKIT (Supply Chain Integrity): A new WG focused on supply chain integrity issues, discussed at the SECDISPATCH session.
- WG Chair Changes: Noted changes in DANCE, KITTEN, PPM, SCIM, and COSE working groups, along with a general call for WG chair volunteers.
- Errata Processing: Community assistance is requested to adjudicate approximately 250 reported errata for security work, with 153 outstanding reports related to active WGs.
- Recognition of Ben Kaduk: Outgoing SA AD Ben Kaduk was thanked for his four years of service, during which he redefined detailed security reviews. He balloted on 702 documents, issuing 299 discusses, significantly improving protocol security.
- IPsec Deep Dive (Paul Wouters):
- Fundamentals: IPsec involves two main protocols: IKE (Internet Key Exchange) for negotiation and key management, and ESP (Encapsulating Security Payload) for data plane encryption. AH (Authentication Header) is largely superseded by null encryption with ESP.
- Terminology: Clarified distinctions between IKE SA and IPsec SA, which are formally known as Parent SA and Child SA in IKEv2.
- Modes of Operation:
- Transport Mode: Used for host-to-host encryption, offers less overhead but is problematic with Network Address Translation (NAT).
- Tunnel Mode: Encapsulates an entire IP packet within another, conceptually simpler, but adds MTU overhead.
- NAT Traversal: ESP traffic (IP Protocol 50) is often blocked. Encapsulation over UDP (Port 4500) became standard for NAT traversal. Encapsulation over TCP (RFC 8229) is a problematic but sometimes necessary "last-ditch" circumvention technique, allowing multiplexing with TLS (e.g., on Port 443).
- Policy Management: IPsec relies on the Security Policy Database (SPD) and Security Association Database (SAD) within the kernel to manage encryption rules and state.
- IKEv1 (RFC 2409): Despite its age, IKEv1 remains cryptographically robust. Its perceived weaknesses stemmed from poor configurations (e.g., Aggressive Mode with weak Pre-Shared Keys) or implementation errors rather than fundamental protocol flaws. Issues included amplification attacks, multiple confusing modes, and incomplete integrity protection of all packet fields.
- IKEv2 Improvements: IKEv2 features bundled SA management, initiator-only retransmissions to prevent race conditions, anti-DoS protections (cookies, puzzles), reduced round trips by combining IKE SA and initial IPsec SA establishment, and enhanced EAP support.
- IKEv2 Extensions and Future: Modern extensions include MOBIKE (mobility and multi-homing), session resumption, updated algorithms (ChaCha20-Poly1305, AES-GCM), IKE fragmentation support, and an "Intermediate Exchange" for large PQC key blobs. Work on "Multiple KE" (hybrid/composite classical + quantum key exchange) is ongoing.
- Oblivious Protocols and Trust Models:
- A discussion arose about the emerging pattern of "oblivious protocols" (e.g., Oblivious DoH, OHi, PPM) which introduce an intermediary node to provide privacy by "obliterating" client identifiers.
- The core technical challenge lies in defining and managing complex trust models in these three-party systems: how the client trusts the intermediary, and how the target trusts (or distrusts) the intermediary.
- Abuse of these trust models can lead to issues such as Denial-of-Service (DoS) attacks against the target.
- This topic could benefit from a structured analysis, potentially within the T-MODEL WG, to explicitly define assumptions and differences in opinion.
- BEET Mode: Mentioned as an expired, experimental IETF draft (Bound End-to-End Tunnel Mode) that aimed to compress IPsec overhead by recreating the inner IP header from policy, but saw limited deployment.
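The UDP port 4500 encapsulation described under NAT Traversal carries three kinds of payload on one port. As an added example (not part of the session materials), this Python classifier separates NAT keepalives, IKE messages (preceded by the four-octet Non-ESP Marker of RFC 3948) and ESP packets, and marks IKEv1 Aggressive Mode for review. The function names and the `sample_ike` helper are assumptions for illustration, and the sample packets are constructed.

```python
import struct

NON_ESP_MARKER = b"\x00" * 4            # RFC 3948: precedes IKE on UDP/4500
IKE_HDR = struct.Struct("!8s8sBBBBII")  # fixed 28-octet IKE header
EXCHANGES = {  # (major version, exchange type) -> name
    (1, 2): "Main Mode", (1, 4): "Aggressive Mode",
    (2, 34): "IKE_SA_INIT", (2, 35): "IKE_AUTH",
    (2, 36): "CREATE_CHILD_SA", (2, 37): "INFORMATIONAL",
}

def parse_ike(msg: bytes) -> dict:
    """Parse the fixed IKE header (same layout for IKEv1 and IKEv2)."""
    if len(msg) < IKE_HDR.size:
        return {"kind": "malformed", "reason": "truncated IKE header"}
    _ispi, _rspi, _np, ver, xchg, _flags, msg_id, length = IKE_HDR.unpack_from(msg)
    major = ver >> 4
    return {
        "kind": "ike",
        "version": major,
        "exchange": EXCHANGES.get((major, xchg), f"type {xchg}"),
        "message_id": msg_id,
        "length_ok": length == len(msg),  # header length must match datagram
        # IKEv1 Aggressive Mode is the setup the summary ties to weak PSKs
        "review": (major, xchg) == (1, 4),
    }

def classify(payload: bytes, port: int) -> dict:
    """Classify a UDP payload by server-side port (500 or 4500)."""
    if port == 500:
        return parse_ike(payload)           # plain IKE, no marker
    if port != 4500:
        return {"kind": "not-ipsec-udp"}
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}    # single 0xFF octet
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "too short"}
    if payload[:4] == NON_ESP_MARKER:
        return parse_ike(payload[4:])       # IKE behind the marker
    spi, seq = struct.unpack_from("!II", payload)
    return {"kind": "esp", "spi": spi, "seq": seq}  # SPI is never zero

def sample_ike(major: int, xchg: int, body: bytes = b"") -> bytes:
    """Build a constructed IKE message (header plus opaque body) for testing."""
    return IKE_HDR.pack(b"\x11" * 8, b"\x00" * 8, 33, major << 4, xchg,
                        0x08, 0, IKE_HDR.size + len(body)) + body
```
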
Decisions and Action Items
- COSE Chairs: Send working group reports to the SAAG mailing list.
- SA ADs: Continue to maintain and consult a running list of potential working group chair volunteers.
- WG Chairs and Participants: Actively assist in adjudicating the approximately 153 outstanding errata reports related to open Sec Area working groups.
- SA ADs: Improve communication regarding the creation of new working groups, such as SKIT.
- Community: Consider further discussion on "obliviating protocols" and their associated trust models within the SAAG or the T-MODEL working group to formalize implicit assumptions.
Next Steps
- Monitor for the upcoming NIST Round 3 PQC decision, which is expected to prompt new work in the IETF.
- Initiate the formal mechanics for the new SECRET working group.
- Continue the re-chartering process for the RATS working group.
- Further explore the technical implications and trust models of "obliviating protocols" in the IETF context.