IETF Logo Mail Archive

Re: [Atlas] Application Transport LAyer Security (ATLAS) Charter Text

"Owen Friel (ofriel)" <ofriel@cisco.com> Wed, 07 February 2018 12:30 UTC

Return-Path: <ofriel@cisco.com>
X-Original-To: atlas@ietfa.amsl.com
Delivered-To: atlas@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45296124205 for <atlas@ietfa.amsl.com>; Wed, 7 Feb 2018 04:30:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.53
X-Spam-Level:
X-Spam-Status: No, score=-14.53 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xnV4S6ju9vi7 for <atlas@ietfa.amsl.com>; Wed, 7 Feb 2018 04:30:12 -0800 (PST)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 746DC1241FC for <atlas@ietf.org>; Wed, 7 Feb 2018 04:30:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=33202; q=dns/txt; s=iport; t=1518006612; x=1519216212; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=7Qvl3QAMORH++AsFzT4pw46r7+xUKkRyiEXDfoQvquE=; b=DBJ5nkX8fh/CUWUQHuUFdzSqnkMQ38J3AZLWIJvD7Cthvf2tjQIBSnZb OJySbrLEvzV7RthzbigSffiKQq4mmqisZsVOeDglvWD7ojvilLAeb6zuA LymxCzxW3yDUmO/FRjPvdR+6+VgtTC5kYcKkwjQDlOmUrGfuidNixI+qV g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CrAABJ8Hpa/4wNJK1dGQEBAQEBAQEBAQEBAQcBAQEBAYJZRwQtZnAoCoNbiiSOJIICl1IVggMKGAEKhRgCGoJNVBgBAgEBAQEBAQJrKIUjAQEBBAEBIQpBAgkQAgEIEQQBASEHAwICAiULFAkIAgQBDQUIiUlkELF7gieId4IKAQEBAQEBAQEBAQEBAQEBAQEBAQEBGAWEdYE1YIFXbHyCIIEOgy8BAQIBgTsBEgEJHQcoAoJfgmUFi3KOMooFCQKIG4gBhVOCJyOGBIQZh2CGPIc+iWMCERkBgTsBHzlgcHAVPYJGCYNyAQJ5eAGLWYElgRcBAQE
X-IronPort-AV: E=Sophos;i="5.46,473,1511827200"; d="scan'208,217";a="356015821"
Received: from alln-core-7.cisco.com ([173.36.13.140]) by rcdn-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Feb 2018 12:30:10 +0000
Received: from XCH-ALN-011.cisco.com (xch-aln-011.cisco.com [173.36.7.21]) by alln-core-7.cisco.com (8.14.5/8.14.5) with ESMTP id w17CUAPl010123 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 7 Feb 2018 12:30:10 GMT
Received: from xch-rcd-012.cisco.com (173.37.102.22) by XCH-ALN-011.cisco.com (173.36.7.21) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Wed, 7 Feb 2018 06:30:09 -0600
Received: from xch-rcd-012.cisco.com ([173.37.102.22]) by XCH-RCD-012.cisco.com ([173.37.102.22]) with mapi id 15.00.1320.000; Wed, 7 Feb 2018 06:30:09 -0600
From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Rafa Marin-Lopez <rafa@um.es>
CC: "atlas@ietf.org" <atlas@ietf.org>
Thread-Topic: [Atlas] Application Transport LAyer Security (ATLAS) Charter Text
Thread-Index: AdOTwyPirW/e5/LOQWOr6hMZrGuG4wIe6U8AAAUiSAAACT50gAC6qQuAADT/EAAAADV+gAAAQUWAAABNMIAAARaBAAAANTKAAAwUDUA=
Date: Wed, 07 Feb 2018 12:30:09 +0000
Message-ID: <457fb7d2acf54815ba4bf3aa4f38e5ef@XCH-RCD-012.cisco.com>
References: <AM4PR0801MB2706895905D2634096D4A11BFAEC0@AM4PR0801MB2706.eurprd08.prod.outlook.com> <1351441E-26C6-4E16-AD62-B06C860AE97D@um.es> <AM4PR0801MB270672FDA690903CA86EFB3FFAF90@AM4PR0801MB2706.eurprd08.prod.outlook.com> <94E9FD8C-1889-4376-B0F9-13B2E44BBA96@um.es> <AM4PR0801MB270665259B97D62CE3B56ACFFAFD0@AM4PR0801MB2706.eurprd08.prod.outlook.com> <D93CAAA0-7416-4662-807F-1AABBCC835C9@um.es> <AM4PR0801MB2706894677C27D81B16FD295FAFC0@AM4PR0801MB2706.eurprd08.prod.outlook.com> <EB877997-5CB0-4FCD-A7A4-D49CE00CA63F@um.es> <AM4PR0801MB2706E1BB54E7CC1E8EB8D43AFAFC0@AM4PR0801MB2706.eurprd08.prod.outlook.com> <62CCF4BC-6377-45FD-8943-5580B33AC1C1@um.es> <AM4PR0801MB27063D005FE14B5557AAF9BDFAFC0@AM4PR0801MB2706.eurprd08.prod.outlook.com>
In-Reply-To: <AM4PR0801MB27063D005FE14B5557AAF9BDFAFC0@AM4PR0801MB2706.eurprd08.prod.outlook.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.55.8.30]
Content-Type: multipart/alternative; boundary="_000_457fb7d2acf54815ba4bf3aa4f38e5efXCHRCD012ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/atlas/q1BnVKFFzAAMzPAmoXNrEj3sBqg>
Subject: Re: [Atlas] Application Transport LAyer Security (ATLAS) Charter Text
X-BeenThere: atlas@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Application Transport LAyer Security <atlas.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/atlas>, <mailto:atlas-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/atlas/>
List-Post: <mailto:atlas@ietf.org>
List-Help: <mailto:atlas-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/atlas>, <mailto:atlas-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Feb 2018 12:30:15 -0000

The draft charter states “The group will also work on specifications that describe how to deriving keying material for protecting application payloads using JOSE and COSE.”. You could possibly be more explicit Hannes and add a statement about evaluating use TLS records to protect application data vs. using key exporting, etc.

The latest consolidated draft we submitted describes both potential architectures: https://tools.ietf.org/html/draft-friel-tls-atls-00#section-6.1 with some initial comments on recommendations. This could certainly be expanded upon.

Owen


From: Atlas [mailto:atlas-bounces@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Wednesday 7 February 2018 12:12
To: Rafa Marin-Lopez <rafa@um.es>
Cc: atlas@ietf.org
Subject: Re: [Atlas] Application Transport LAyer Security (ATLAS) Charter Text

Rafa, I believe we are on the same page on this topic. I hope that the charter text covers the intention correctly. If you have suggestions for improving the text nevertheless please let us know.

Ciao
Hannes

From: Rafa Marin-Lopez [mailto:rafa@um.es]
Sent: 07 February 2018 12:06
To: Hannes Tschofenig
Cc: Rafa Marin-Lopez; atlas@ietf.org<mailto:atlas@ietf.org>
Subject: Re: [Atlas] Application Transport LAyer Security (ATLAS) Charter Text

Hi Hannes:

El 7 feb 2018, a las 12:35, Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>> escribió:

Hi Rafa,

It is hard to anticipate future discussions on the pros and cons of re-using the TLS/DTLS record layer for protection of application data but in the past we have seen John Mattsson arguing that the DTLS record layer is too inefficient for IoT devices, which is why he and his co-worker have worked on OSCORE.

[Rafa] Yes, we have read the document though the analysis only focuses in the message size but not in other factors (e.g. the advantage/disadvantages of re-using existing source code). I think a complete analysis should also include those factors.

In summary, under my point of view, using the TLS record represents a tradeoff between message size and re-using something that will already be in the device.


I prefer to leave this design decision open and then evaluate and discuss it in the group. For that reason I thought your proposal is relevant to the discussion.

[Rafa] I fully agree.

Best Regards.


Ciao
Hannes

From: Rafa Marin-Lopez [mailto:rafa@um.es]
Sent: 07 February 2018 11:26
To: Hannes Tschofenig
Cc: Rafa Marin-Lopez; atlas@ietf.org<mailto:atlas@ietf.org>
Subject: Re: [Atlas] Application Transport LAyer Security (ATLAS) Charter Text

Hi Hannes:


El 7 feb 2018, a las 12:19, Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>> escribió:

Hi Rafa,

[Rafa] Ok. But my question is: are we going to consider TLS record for application data protection?
[Rafa] Since the TLS record is used for the handshake anyway, the (constrained) device, in case of the IoT, will have the record layer implemented. Why don’t  we can re-use it for the application data protection?


It might depend on the use case what approach is better.
In DTLS-SRTP, for example, it was considered better to re-use SRTP instead of the DTLS record layer due to existing hardware. Another example: For EAP-TLS used in network access the TLS record layer is only used during the handshake between the EAP peer and the EAP server but for the link layer security a different security mechanism is used instead since the endpoints are different.

[Rafa] I do not know the case of DTLS-SRTP but, in my opinion, the case of EAP-TLS is different since between TLS and the link layer you have EAP and the goal of the TLS is the authentication and key generation for EAP to generate the MSK and not for the link layer itself. In other words, the link layer is agnostic about the use of TLS or not. Moreover, in EAP tunneled methods you use TLS record to protect further information between EAP peer and EAP server not only the handshake.

Best Regards.



Ciao
Hannes

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. _______________________________________________
Atlas mailing list
Atlas@ietf.org<mailto:Atlas@ietf.org>
https://www.ietf.org/mailman/listinfo/atlas

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. _______________________________________________
Atlas mailing list
Atlas@ietf.org<mailto:Atlas@ietf.org>
https://www.ietf.org/mailman/listinfo/atlas

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email