Hi Spencer, In regard to the venue for having these discussions I actually think QUIC WG is one of the more relevant places as I would agree with Martin Thomson that QUIC will require some additional considerations so that one only weaken the forgery probability of data objects that are willing to accept this, and not the QUIC connection’s functionality as whole.
I would note that SRTP actually specifies the authentication tag length separately for RTP and RTCP within one RTP session. Thus, using short tags for the media is possible without impacting the control signaling part that can have far greater impact if forged than a single RTP payload. In regards to RTP I would note that in the context of WebRTC or other than uses multiple media type RTP sessions, applying shortened auth tags do impact all media types in the RTP session. Thus, if one wants different tag lengths on audio and video then one do need different RTP sessions. Cheers Magnus From: QUIC <quic-boun...@ietf.org> on behalf of Spencer Dawkins at IETF <spencerdawkins.i...@gmail.com> Date: Thursday, 11 May 2023 at 18:34 To: Christian Huitema <huit...@huitema.net> Cc: quic@ietf.org <quic@ietf.org> Subject: Re: FW: New Version Notification for draft-mattsson-cfrg-aes-gcm-sst-00.txt I agree with Christian here ... On Mon, May 8, 2023 at 7:28 PM Christian Huitema <huit...@huitema.net<mailto:huit...@huitema.net>> wrote: OK, I understand the tradeoff: actual security of AES-GCM depends on tagbits - log2(message_size/128), but for AES-GCM-SST there is no dependency on packet size. I'm pointing to the first sentence, in bold. I am afraid that we will have long discussions about proper levels of security. For current implementations of QUIC, the most frequent packet size is lower than 1536. The maximum packet length at the IP layer is 65535. The effective security of 16 bit tags is thus between 124 and 119 bits, so we could argue that with SST 120 bits would probably be OK. Except that shaving just one byte per packet is not really exciting. Going to 64 bits would be, but then forgeries seem doable, even with SST. Using 96 bit tags might make sense, if QUIC implementers agree with the security tradeoff. And also if we can be convinced that this is not an avenue for a downgrade attack... As above, I agree, and I hope our "long discussions" are as short as possible, and happen as early as possible, and as efficiently as possible. John's note on this topic started out (I think) in SFRAME and MOQ, where people suggested that he should also let the QUIC working group know about it, and other people suggested he should also let AVTCORE know about it. If the community can pick a venue to have a single conversation, and have that conversation until it converges, in a way that this proposal doesn't trip over obvious objections after WGLC, that would be a lot shorter, earlier, and more efficiently than letting multiple working groups duke it out during IETF Last Call! Best, Spencer
