IETF Logo Mail Archive

Re: [Tcpcrypt] Draft charter text

John-Mark Gurney <jmg@funkthat.com> Sun, 13 April 2014 20:50 UTC

Return-Path: <jmg@h2.funkthat.com>
X-Original-To: tcpcrypt@ietfa.amsl.com
Delivered-To: tcpcrypt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA0821A022F for <tcpcrypt@ietfa.amsl.com>; Sun, 13 Apr 2014 13:50:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.174
X-Spam-Level:
X-Spam-Status: No, score=-2.174 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.272, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4gKWUPz8uQp6 for <tcpcrypt@ietfa.amsl.com>; Sun, 13 Apr 2014 13:50:38 -0700 (PDT)
Received: from h2.funkthat.com (gate2.funkthat.com [208.87.223.18]) by ietfa.amsl.com (Postfix) with ESMTP id EF5E81A022D for <tcpcrypt@ietf.org>; Sun, 13 Apr 2014 13:50:37 -0700 (PDT)
Received: from h2.funkthat.com (localhost [127.0.0.1]) by h2.funkthat.com (8.14.3/8.14.3) with ESMTP id s3DKoXMv027853 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 13 Apr 2014 13:50:34 -0700 (PDT) (envelope-from jmg@h2.funkthat.com)
Received: (from jmg@localhost) by h2.funkthat.com (8.14.3/8.14.3/Submit) id s3DKoVgN027846; Sun, 13 Apr 2014 13:50:31 -0700 (PDT) (envelope-from jmg)
Date: Sun, 13 Apr 2014 13:50:31 -0700
From: John-Mark Gurney <jmg@funkthat.com>
To: Joe Touch <touch@isi.edu>
Message-ID: <20140413205031.GK34745@funkthat.com>
References: <533C33D2.4060004@it.uc3m.es> <534569A0.9020505@fifthhorseman.net> <20140410085034.tv16loo60c0wco8k@webcartero01.uc3m.es> <5348528D.1030101@isi.edu> <20140413090902.x1yd873rkcco4g8o@webcartero01.uc3m.es> <CABu4T3+yYoNReA+S7S057_aWBwia-Tw_y8YX8ALdup-_soN3Tw@mail.gmail.com> <534ACC3E.1020308@isi.edu> <CAKC-DJhG4n2gD5JdKi_+ODfaV826sw7+n8a1s=zyycgFvNKjTQ@mail.gmail.com> <534AD30D.1040301@isi.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <534AD30D.1040301@isi.edu>
User-Agent: Mutt/1.4.2.3i
X-Operating-System: FreeBSD 7.2-RELEASE i386
X-PGP-Fingerprint: 54BA 873B 6515 3F10 9E88 9322 9CB1 8F74 6D3F A396
X-Files: The truth is out there
X-URL: http://resnet.uoregon.edu/~gurney_j/
X-Resume: http://resnet.uoregon.edu/~gurney_j/resume.html
X-TipJar: bitcoin:13Qmb6AeTgQecazTWph4XasEsP7nGRbAPE
X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger?
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.2 (h2.funkthat.com [127.0.0.1]); Sun, 13 Apr 2014 13:50:34 -0700 (PDT)
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpcrypt/FraULZxNYTXNeLFU7Ec5iTgHCWk
Cc: MARCELO BAGNULO BRAUN <marcelo@it.uc3m.es>, Erik Nygren <erik+ietf@nygren.org>, Andrea Bittau <bittau@cs.stanford.edu>, tcpcrypt@ietf.org
Subject: Re: [Tcpcrypt] Draft charter text
X-BeenThere: tcpcrypt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpcrypt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpcrypt/>
List-Post: <mailto:tcpcrypt@ietf.org>
List-Help: <mailto:tcpcrypt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Apr 2014 20:50:39 -0000

Joe Touch wrote this message on Sun, Apr 13, 2014 at 11:10 -0700:
> On 4/13/2014 10:54 AM, Erik Nygren wrote:
> >On Sun, Apr 13, 2014 at 1:41 PM, Joe Touch <touch@isi.edu
> ><mailto:touch@isi.edu>> wrote:
> >
> >
> >    You need to MAC the IP dest, dest port, and all signal bits in the
> >    IP header (sequence, flags, etc.). This will still make it through a
> >    NAT, but will break a 'rewriting proxy' - but that's the kind of
> >    attack that TCP crypto ought to protect against, because it's
> >    indistinguishable from a MITM attack (it *is* a MITM).
> >
> >Unfortunately, applying a MAC on the IP dest will break NAT64 which is a
> >valid and increasingly critial use-case.
> 
> If you avoid MACing any address or port info (except perhaps dest port), 
> then all you have left to identify your connection is the ISN pair, and 
> that seems a bit dangerous.

How/Why is that dangerous?

If it is used w/ an authentication layer that authenticates that the
session hash is the same on both sides, how is this dangerous?  The
authentication layer has stated that the session key is known only to
the end points, and not to any MITM.

MAC'ing the IP/port info will prevent 90% of the internet from using
it was most end users are behind NATs...  Be it a corrporate nat, or
the nat their ISP provided so that they are only allocated one IP...

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."

v2.41.0 | Report a Bug | By Email | System Status