IETF Logo Mail Archive

Re: [Atlas] Status Update

Abhijan Bhattacharyya <abhijan.bhattacharyya@tcs.com> Fri, 22 June 2018 19:49 UTC

Return-Path: <prvs=7048e9c8a=abhijan.bhattacharyya@tcs.com>
X-Original-To: atlas@ietfa.amsl.com
Delivered-To: atlas@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A8C5130EDD for <atlas@ietfa.amsl.com>; Fri, 22 Jun 2018 12:49:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTML_NONELEMENT_30_40=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=tcs.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K-vxWHurfN7P for <atlas@ietfa.amsl.com>; Fri, 22 Jun 2018 12:49:28 -0700 (PDT)
Received: from indelg02.tcs.com (indelg02.tcs.com [203.200.109.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B62F6130DF5 for <atlas@ietf.org>; Fri, 22 Jun 2018 12:49:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tcs.com; i=@tcs.com; q=dns/txt; s=default2048; t=1529696967; x=1561232967; h=mime-version:in-reply-to:references:subject:from:to: message-id:date; bh=P2R+VWKsn/vQQJzHo30LFo6KivmLh2bBTcFPC/ObwL8=; b=VE1Actf0nvj+YC3+eqnkRBqYFDGvJgos0GcSlyOF6c5gG8naShnwiRo8 b47vD62JDilgiikchzTLE/B6GoJ9jtvPljYmN0ja4PUslSZvDRvsBnjKu zDUmCQXZvzGHMfDRmyDPW52I3NifHsZxaL/l7p6YtlXHJuQR0z/Wqxa0h nLyuyykTM4k029pA9C811WZh8FbJ0q7cybN2SGhjgw47mLfVOiDPAy/YQ 5bjAejE3+i6BTfvbdncG/o6bwaNz8v9HHIWwjFzPKy6gQhdOieaQYRdwA 5EEhjRwDMQmXsxZQAKO18d/NJZTz4UZ6Brm2vg1NnMHqZzGhkI4nA2iwB Q==;
IronPort-PHdr: 9a23:fMT69hZPi+ioxWzZFNCldUf/LSx+4OfEezUN459isYplN5qZps26bR7h7PlgxGXEQZ/co6odzbaO7ua4ASQp2tWoiDg6aptCVhsI2409vjcLJ4q7M3D9N+PgdCcgHc5PBxdP9nC/NlVJSo6lPwWB6nK94iQPFRrhKAF7Ovr6GpLIj8Swyuu+54Dfbx9HiTahYb5+Ngm6oRnMvcQKnIVuLbo8xAHUqXVSYeRWwm1oJVOXnxni48q74YBu/SdNtf8/7sBMSar1cbg2QrxeFzQmLns65Nb3uhnZTAuA/WUTX2MLmRdVGQfF7RX6XpDssivms+d2xSeXMdHqQb0yRD+v9LlgRgP2hygbNj456GDXhdJ2jKJHuxKquhhzz5fJbI2JKPZye6XQds4YS2VcRMZcTyNODYCmYYQNAeoPIOZWoZf+qVUAqhWxGRKhC/nzxjJSnHL22bE23/knHArb3AIgBdUOsHHModjpL6gSUeG1zKvSwjXFcvhbxDf955LUchA9u/6DQbJwftDLyUgvFwLKlEibpIv/MDyO1uQNsmqb4PBmVe61kGEnqxt+oiSzxsg2lobJhpgaykrE9CR52ok4PsG4R1JgYdK+DJRQsCSaOpJwT8g/TW9ovyM6xacHuZ69ZCUKyYooxwLRa/CddIiI+B3jWP6NIThkn3JpYq6whxG38UWm1+byVdG03U5XoidHjNXArG0B2h/J5sSZRPZx5Eis1DCS3A7J8O5EO1o7la/DJp4kxb4/i4QcvFzYHi/zhEX2lKiWdlg4+uSw6+TofLHmppiEOoF3kg/wN70glMqiD+kkNAYAUW6V9/672rP94UD1Xa1GjvwwkqbHrJDXPdkXq6ynDwNPz4ou6AyzAymo3dgCknQLNFdFdwiGj4jtNVHOOvf4DfKnjlu2izhrx/HGPr/7DZXLNHTMi7fhcqxh605A0gU80dBf6IhOCrABIPP8QFT8tMDEAR8iKQC73+HnCNBl2oMERW2PGrOZML/VsVKQ/O0vP+2Ma5UOuDvmKvgq+eLujXEjlV8aZ6mp0oMdaGqkEfR+P0WZfX3sj88cHmgQuAoyVuPqh0eYUTFPZna9Rbkx5iw+CI68E4jDXZingKad0yejAp1WemdGB0iWEXjyeYWLQewBaD+XIsN7jDMETqCrS5U92hG2qA/6171nI/LP+iICr5Lszt515+zNmhEs6zN0FN6R02SXQGFonmMHWSI20btioUx40FuMz7N40LRkEol/ztUBfS4AHr/1h8dTMerTfibmNoOFQVDgTdy8CjA4Zs80hdIVNQI1Esmmhwvr3ie2DfkSjbPPTKcdyIuU+VncGetGg1Pv6IkMshEJa/FkFETu0rV27QHVBoPXnl7fkq+2dakB9DPIsmqYmy7Ghmh2eSNUGYDsZ1E5Lh/MpNrwzl7HCbK1X+cJKAxEnOeIKqpIY9uhp1VPWOvqM9TXeXOgki/kDByIx7GFaszge2wBwCzWCEEeghEa1WqNLk41ASL38DGWNyBnCV+6OxCkyuJ5sn7uCxZslww=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A2AiAQCXUS1b/wQXEqxSCRkBAQEBAQEBAQEBAQEHAQEBAQGCVEcEgQyBJ5pBdZQSFIFiAyMBCoRJAoMkNhYBAgEBAQEBAQIBgQgMgjUkAYJOAQEBAwEBARhNBwIOBwQFBg0DAQMBAQEBIAcHJx8JCAYBCggRAweDCgGBdxeregEBAYMHiEeBBYc4Jm0+dn4laoJaNYMYAQEDgSEEBQEIAwQDAT8MgwIEgiQChz8dG4UzP4s/BwKBa4QShVSEfh2DaIJqhReHdIIsiRACgRBxcFANGIJCCYIaF3oBAgaCQoUUhT0JZ4x0D4I5AQE
X-IPAS-Result: A2AiAQCXUS1b/wQXEqxSCRkBAQEBAQEBAQEBAQEHAQEBAQGCVEcEgQyBJ5pBdZQSFIFiAyMBCoRJAoMkNhYBAgEBAQEBAQIBgQgMgjUkAYJOAQEBAwEBARhNBwIOBwQFBg0DAQMBAQEBIAcHJx8JCAYBCggRAweDCgGBdxeregEBAYMHiEeBBYc4Jm0+dn4laoJaNYMYAQEDgSEEBQEIAwQDAT8MgwIEgiQChz8dG4UzP4s/BwKBa4QShVSEfh2DaIJqhReHdIIsiRACgRBxcFANGIJCCYIaF3oBAgaCQoUUhT0JZ4x0D4I5AQE
X-IronPort-AV: E=Sophos;i="5.51,258,1526322600"; d="scan'208,217";a="8279651"
X-DISCLAIMER: FALSE
MIME-Version: 1.0
Sensitivity:
Importance: Normal
X-Priority: 3 (Normal)
In-Reply-To: <20180622194221.Horde.S372V87Px9x-QO2U9y-zhA7@webmail.um.es>
References: <20180622194221.Horde.S372V87Px9x-QO2U9y-zhA7@webmail.um.es>, <VI1PR0801MB2112385E74223CC722B0E2A1FA7B0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <OF2AB8BDA9.34065D36-ON652582B1.00498E9D-652582B1.00498EA3@tcs.com> <ee2be3a1-77ba-f471-a7a4-cecff6472d65@tik.ee.ethz.ch> <VI1PR0801MB211255800C10B61A4830FD57FA760@VI1PR0801MB2112.eurprd08.prod.outlook.com>
From: Abhijan Bhattacharyya <abhijan.bhattacharyya@tcs.com>
To: DAN GARCIA CARRILLO <dan.garcia@um.es>, atlas@ietf.org, SARA NIEVES MATHEU GARCIA <saranieves.matheu@um.es>, RAFAEL MARIN <rafa@um.es>
Message-ID: <OFC193300F.99706FBD-ON652582B4.006C82A6-652582B4.006CE18C@tcs.com>
Date: Sat, 23 Jun 2018 01:19:16 +0530
X-Mailer: Lotus Domino Web Server Release 9.0.1FP8HF242 May 5, 2017
X-MIMETrack: Serialize by http on InKolM02/TCS(Release 9.0.1FP8HF242 | May 5, 2017) at 06/23/2018 01:19:16, Serialize complete at 06/23/2018 01:19:17, Itemize by http on InKolM02/TCS(Release 9.0.1FP8HF242 | May 5, 2017) at 06/23/2018 01:19:17, Serialize by Router on InKolM02/TCS(Release 9.0.1FP8HF242 | May 5, 2017) at 06/23/2018 01:19:18, Serialize complete at 06/23/2018 01:19:18
Content-Type: multipart/alternative; boundary="=_alternative 006CE181652582B4_="
Archived-At: <https://mailarchive.ietf.org/arch/msg/atlas/z8lkEJ6kG1q3I9BRLkXi90XwAxA>
Subject: Re: [Atlas] Status Update
X-BeenThere: atlas@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Application Transport LAyer Security <atlas.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/atlas>, <mailto:atlas-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/atlas/>
List-Post: <mailto:atlas@ietf.org>
List-Help: <mailto:atlas-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/atlas>, <mailto:atlas-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jun 2018 19:49:32 -0000

+1 Dan.
The draft https://tools.ietf.org/html/draft-bhattacharyya-dice-less-on-coap-01 also proposes how the session initiation part of DTLS can be switched to CoAP to optimise the resource usage during session establishment by leveraging the lightweight semantics of CoAP. Also, to accomplish the stated objective of establishing end-to-end security association in a secure manner and managed at the application itself. The draft also tries to be less disruptive to existing DTLS implementations by defining an adaptation layer that ensures channel security by allowing the reuse of the existing DTLS record-layer encryption through the session key tuple from the CoAP layer. Of course there can be several other ways to accomplish this than what has been described in the draft.

So, it seems there are several corners with similar interests and with implementations in silos. A coordination effort will essentially lead to standardisation of the different interfaces and handshakes to reconcile these propositions.  


With Best Regards
Abhijan Bhattacharyya
Associate Consultant
Scientist, TCS Research
Tata Consultancy Services
Building 1B,Ecospace
Plot -  IIF/12 ,New Town, Rajarhat,
Kolkata - 700160,West Bengal
India
Ph:- 033 66884691
Cell:- +919830468972
Mailto: abhijan.bhattacharyya@tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty.	IT Services
Business Solutions
Consulting
____________________________________________


-----"Atlas" <atlas-bounces@ietf.org> wrote: -----
To: atlas@ietf.org
From: DAN GARCIA CARRILLO 
Sent by: "Atlas" 
Date: 06/22/2018 11:17PM
Cc: SARA NIEVES MATHEU GARCIA <saranieves.matheu@um.es>, RAFAEL MARIN <rafa@um.es>
Subject: Re: [Atlas] Status Update

Dear Mirja,

Regarding the "draft-kuehlewind-taps-crypto-sep". I think it may be  
related to what we where also proposing in Section 4 of the   
"draft-garcia-core-app-layer-sec-with-dtls-record". A separation of  
the DTLS record from the DTLS handshake, which could be done with  
several protocols, though an API to be standardized.

It think, this idea is worth pursuing and maybe we could try to push  
it forward in a joint effort.

Best Regards,
Dan.



Hannes Tschofenig <Hannes.Tschofenig@arm.com> escribió:

> I did a quick read of draft-kuehlewind-taps-crypto-sep-02
>
> I agree that providing flexibility by separating the transport  
> protocol, record  protocol and control protocol makes sense.
> If you look at the TLS / DTLS protocol you can see that there is  
> much of this already realized today. For example,
>   * Transport: support for various underlying protocols, even non-IP.
>   * Record: DTLS has been used to establish keying material for SRTP  
> and, if you look at network access authentication, also for use with  
> WiFi security. The same is true for some other radio technologies,  
> such as IEEE 802.15.4 in Thread.
>
> Where the nice separation falls apart a bit (which is not  
> appropriately reflected in the figures) is the unfortunate fact that  
> the handshake protocol itself may need to use some security  
> protection for its own use. In TLS the design just happens in such a  
> way that the record layer is re-used for protecting handshake  
> messages itself (once keys become available). In other protocols,  
> like IKEv2/IPsec there are two separate mechanisms used.
>
> I believe the core message in your document and the message in our  
> document is the same. I have to check how close our Mbed TLS API is  
> to the requirements you outline in your document.
>
> An area where more work is needed IMHO is in the policy context  
> since the developer has to determine which layer has to be protected  
> with what mechanism. This is particularly important when the same  
> protocol can in a flexible way be used at different layers. When you  
> use totally different protocols, as it is often done today then this  
> policy is hardwired.
>
> Ciao
> Hannes
>
> -----Original Message-----
> From: Atlas [mailto:atlas-bounces@ietf.org] On Behalf Of Mirja Kühlewind
> Sent: 19 June 2018 18:53
> To: atlas@ietf.org; Tommy Pauly; Chris Wood
> Subject: Re: [Atlas] Status Update
>
> Hi all,
>
> writing as an individual contributor, not an IESG member.
>
> I just briefly looked at draft-friel-tls-atls-00 and when I saw  
> Figure 6, I have to say that I do wonder a bit what additional  
> standardization is needed here. The new parts are the key export and  
> the App Data Crypto box. However, the key export is mainly an  
> interface question and to my understanding there are by now already  
> libraries that provide the needed interface for quic. And the actual  
> app data crypto should be rather straight forward and probably does  
> not need that much standardization...?
>
> In the context of taps, however, we've been thinking about how to  
> even more generalize this approach (in figure 6). The two points I  
> think could be generalized here even more are
>
> 1) The TLS handshake should be completely separated from the crypto  
> and could be run directly by the TLS stack without "tunneling" it  
> through the application. Effectively, in theory the handshake would  
> not even need to use the same transport connection or transport  
> protocol than the application (also it probably could).
>
> This also something we discuss/propose in this draft as input for taps:
> https://tools.ietf.org/html/draft-kuehlewind-taps-crypto-sep-02
>
> 2) The TLS handshake could negotiate within one handhshake multiple  
> key shares that can be used on different layers for different  
> protocols and algorithms. I guess that is more a question/request  
> for the TLS working group but goes into the same direction of  
> separating handshake/control and the actual crypto more.
>
> Mirja
>
>
>
> On 19.06.2018 15:23, Abhijan Bhattacharyya wrote:
>> Hello Hannes,
>> Thanks for the update. The revise charter looks good. So what can we
>> expect in Montral? Do we expect another attempt towards a BoF?
>> I have a view against the particular observation of low activities in
>> the mailing list. I think what ATLAS is trying to do is to collect and
>> coordinate between different relevant stray proposals (which may have
>> already been worked out) under a single consolidated standardization
>> effort. So, the activities are waiting at a threshold of a coordinated
>> future progress. But, more activities in this list is definitely a
>> proposition to establish the point of interest for the IETF community.
>>
>> With Best Regards
>> Abhijan Bhattacharyya
>> Associate Consultant
>> Scientist, TCS Research
>> Tata Consultancy Services
>> Building 1B,Ecospace
>> Plot -  IIF/12 ,New Town, Rajarhat,
>> Kolkata - 700160,West Bengal
>> India
>> Ph:- 033 66884691
>> Cell:- +919830468972
>> Mailto: abhijan.bhattacharyya@tcs.com
>> <mailto:abhijan.bhattacharyya@tcs..com>
>> Website: http://www.tcs.com
>> ____________________________________________
>> Experience certainty. IT Services
>> Business Solutions
>> Consulting
>> ____________________________________________
>>
>>
>> -----"Atlas" <atlas-bounces@ietf.org <mailto:atlas-bounces@ietf.org>>
>> wrote: -----
>> To: "atlas@ietf..org <mailto:atlas@ietf.org>" <atlas@ietf.org
>> <mailto:atlas@ietf.org>>
>> From: Hannes Tschofenig
>> Sent by: "Atlas"
>> Date: 06/08/2018 05:14PM
>> Subject: [Atlas] Status Update
>>
>> Hi all,
>>
>> Owen and I submitted another BoF proposal to the IESG based on the
>> feedback from the last IETF meeting.
>>
>> Here is the most recent charter text we came up with:
>>
>> ---
>>
>> There are multiple scenarios where clients and servers need to
>> negotiate shared encryption keys and establish secure, authenticated,
>> integrity-protected, end-to-end encrypted sessions at the application
>> layer over untrusted transport. There are a proliferation of transport
>> protocols and mechanisms in use today across web and IoT use cases
>> including, but not limited to, TCP, UDP, IP, Bluetooth and Zigbee.
>> Additionally, network topologies often include middleboxes and proxies
>> that terminate transport layer connections from clients and
>> re-originate new transport layer connections towards the servers. From
>> the clients and servers perspective, these transport layer proxy
>> functions are untrusted and application data must be protected and
>> encrypted, and not exposed to these proxies. There are multiple
>> potential mechanisms that could be considered for negotiation of
>> encryption keys, and establishment of end-to-end encrypted sessions at
>> the application layer between clients and servers, and this working
>> group proposes use of existing (D)TLS protocols and stacks.
>>
>> This working group proposes reuse of (D)TLS at the application layer
>> as a simple and straightforward means of achieving the security and
>> implementation goals. The primary purpose of the working group is to
>> develop specifications defining how (D)TLS can be leveraged at the
>> application layer (i.e. Application Layer TLS or ATLS) to establish
>> end-to-end encrypted sessions over a multitude of different transports.
>>
>> Additionally, during development of ATLS specifications, the working
>> group will consider and address concerns such as:
>>
>> o complex, multi-hop and lossy transport topologies
>>
>> o (D)TLS record fragmentation at the transport layer
>>
>> o middlebox operators whose goals include interception of application
>> layer data
>>
>> The working group will engage with other relevant working groups
>> across the Applications and Real-Time Area (art), Security Area (sec)
>> and Transport Area (tsv), and one of the goals of this working group
>> is to explicitly identity all related working groups that must be
>> consulted during ATLS specifications development.
>>
>> ---
>>
>> There do not seem to be minutes available from the IESG/IAB BoF
>> discussions and how they reached their conclusions. So, we can only
>> report what has been told to us by proxy.
>>
>> In any case, the IESG rejected the BoF proposal.
>>
>> The impression from the IESG was that the Bar BOF in London produced
>> mixed feelings and that there was no activity on the list afterwards.
>>
>> Another comment was that the required standardization effort is too
>> small to justify the setup of an entire working group.
>>
>> At first, this sounds a bit negative. On the other hand, we have two
>> implementations right now. While they need to be polished I believe
>> this is something we could go forward with.
>>
>> Ciao
>> Hannes
>>
>> IMPORTANT NOTICE: The contents of this email and any attachments are
>> confidential and may also be privileged. If you are not the intended
>> recipient, please notify the sender immediately and do not disclose
>> the contents to any other person, use it for any purpose, or store or
>> copy the information in any medium. Thank you.
>> _______________________________________________
>> Atlas mailing list
>> Atlas@ietf.org <mailto:Atlas@ietf.org>
>> https://www.ietf.org/mailman/listinfo/atlas
>>
>> =====-----=====-----=====
>> Notice: The information contained in this e-mail message and/or
>> attachments to it may contain confidential or privileged information.
>> If you are not the intended recipient, any dissemination, use, review,
>> distribution, printing or copying of the information contained in this
>> e-mail message and/or attachments to it are strictly prohibited. If
>> you have received this communication in error, please notify us by
>> reply e-mail or telephone and immediately and permanently delete the
>> message and any attachments. Thank you
>>
>>
>>
>> _______________________________________________
>> Atlas mailing list
>> Atlas@ietf.org
>> https://www.ietf.org/mailman/listinfo/atlas
>>
> IMPORTANT NOTICE: The contents of this email and any attachments are  
> confidential and may also be privileged. If you are not the intended  
> recipient, please notify the sender immediately and do not disclose  
> the contents to any other person, use it for any purpose, or store  
> or copy the information in any medium. Thank you.
>
> _______________________________________________
> Atlas mailing list
> Atlas@ietf.org
> https://www.ietf.org/mailman/listinfo/atlas



_______________________________________________
Atlas mailing list
Atlas@ietf.org
https://www.ietf.org/mailman/listinfo/atlas

v2.23.0 | Report a Bug | By Email