IETF Logo Mail Archive

Re: [Anima] I-D Action: draft-ietf-anima-grasp-13.txt - SONN

Michael Richardson <mcr+ietf@sandelman.ca> Thu, 08 June 2017 02:36 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63F7A129420 for <anima@ietfa.amsl.com>; Wed, 7 Jun 2017 19:36:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a1nH4xsIOfZX for <anima@ietfa.amsl.com>; Wed, 7 Jun 2017 19:36:10 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81CAC1200F1 for <anima@ietf.org>; Wed, 7 Jun 2017 19:36:10 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 70F15E1A1; Wed, 7 Jun 2017 22:36:59 -0400 (EDT)
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id A59146380F; Wed, 7 Jun 2017 22:36:09 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Anima WG <anima@ietf.org>
cc: Toerless Eckert <tte@cs.fau.de>, Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <20170607225624.GF20021@faui40p.informatik.uni-erlangen.de>
References: <149669625424.3230.10151704455578829166@ietfa.amsl.com> <f829bda3-d4f5-014d-8ffd-e63537171ba6@gmail.com> <20170606232417.GJ12427@faui40p.informatik.uni-erlangen.de> <15560.1496872540@obiwan.sandelman.ca> <20170607225624.GF20021@faui40p.informatik.uni-erlangen.de>
X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Wed, 07 Jun 2017 22:36:09 -0400
Message-ID: <16530.1496889369@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/IVYKm5ivjHL5RctLVQYiHAapLpo>
Subject: Re: [Anima] I-D Action: draft-ietf-anima-grasp-13.txt - SONN
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Jun 2017 02:36:13 -0000

Toerless Eckert <tte@cs.fau.de> wrote:
    > So, in some near term future, ANI/ACP is so successfully that we
    > have four possible ACP channel protocols: IPsec, IPsec/GRE, dTLS and
    > 802.1ae

That's only three, btw.
And the answer is that you'd use IKEv2 to negotiate which one of them to use,
because IKEv2 was designed *SPECIFICALLY* to do this kind of thing.

    > a) We need a security association before we negotiate so the negotiation does
    > not become an attack vector. Solution: We build a a TLS connection

You just assumed TLS.
If you can assume TLS, I can assume IKEv2, and save a lot more code, and
pages less

And you have to assume TLS 1.3 (so you need new code and new libraries on
every device). The process will still be suspectible to trivial TCP RST
attacks.  So please add some security for that part too!


    >> 2) We have no meaningful specification for IP over *TLS thing.
    >> (but that, I mean a deployed protocol with an RFC and widespread
    >> implementation.)

    > The negotiation is just GRASP inside TLS. No IP needed.

I'm talking about the "dTLS" option above you just named.
What is it?  "IP in DTLS" isn't anywhere near enough.
Why not add OpenVPN to the list too?
At least it has widely used, extensively tested reference code, even if it
has no public specification.

Some developer in Mumbai will still have no idea what that means.
Is there an IXIA or SPIRENT module so that I can test it at 10G? or 100G?
That's a serious objection: you can't just make stuff up like that.

    >> 3) I have been trying to understand the MACsec KMP, as some would like to run
    >> the ACP over MACsec.    I originally was led to believe that there was no
    >> KMP, but after finding the full specifications, it's clear that there is
    >> support for PSK and other things and even IDevID are mentioned.
    >> I'd still like to suggest that we negotiate the use of MACsec (or of some
    >> yet-to-be-well-defined IP over TLS) via IKEv2.  It's not at all hard, and
    >> if IKEv2 is the MTI, then we need it implemented anyway.  An IKEv2 minimal
    >> implementation can be very small; lwig has some good advice, but it
    >> assumes initiator only, and we need both.
    >>
    >> I can not see a purpose for SONN, and I do not think we can do a proper
    >> security analysis, and it forces TLS to be MTI.  SONN will therefore add
    >> a significant (3-5 pages) of text on how to use TLS properly.

    > Would be great if you could point me to some example RFC where something like
    > this ("how to use TLS appropriately") is done!

I think that the Opportunistic Security specification, https://tools.ietf.org/html/rfc7435
tried to do this.  I'm not a TLS guy, so go ask one of them.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email