Re: [babel] rfc6126bis security implementation requirements

Juliusz Chroboczek <jch@irif.fr> Fri, 16 November 2018 13:18 UTC

Return-Path: <jch@irif.fr>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE2B7130ECF for <babel@ietfa.amsl.com>; Fri, 16 Nov 2018 05:18:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 72n_SJzhJG1y for <babel@ietfa.amsl.com>; Fri, 16 Nov 2018 05:18:52 -0800 (PST)
Received: from korolev.univ-paris7.fr (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 07446128BCC for <babel@ietf.org>; Fri, 16 Nov 2018 05:18:51 -0800 (PST)
Received: from potemkin.univ-paris7.fr (potemkin.univ-paris7.fr [IPv6:2001:660:3301:8000::1:1]) by korolev.univ-paris7.fr (8.14.4/8.14.4/relay1/82085) with ESMTP id wAGDIiaw007537 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 16 Nov 2018 14:18:44 +0100
Received: from mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [81.194.30.253]) by potemkin.univ-paris7.fr (8.14.4/8.14.4/relay2/82085) with ESMTP id wAGDIkDI025273; Fri, 16 Nov 2018 14:18:46 +0100
Received: from mailhub.math.univ-paris-diderot.fr (localhost [127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTP id 5516B71FC8; Fri, 16 Nov 2018 14:18:50 +0100 (CET)
X-Virus-Scanned: amavisd-new at math.univ-paris-diderot.fr
Received: from mailhub.math.univ-paris-diderot.fr ([127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id RMWhcB2KZu0R; Fri, 16 Nov 2018 14:18:48 +0100 (CET)
Received: from pirx.irif.fr (unknown [138.231.120.148]) (Authenticated sender: jch) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTPSA id 30C8671FC1; Fri, 16 Nov 2018 14:18:46 +0100 (CET)
Date: Fri, 16 Nov 2018 14:18:46 +0100
Message-ID: <87tvkhw47d.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: Toke =?ISO-8859-1?Q?H=F8iland-J=F8rgensen?= <toke@toke.dk>
Cc: Babel at IETF <babel@ietf.org>
In-Reply-To: <87in14dn1b.fsf@toke.dk>
References: <CAF4+nEHaYMX_iLvE5teUvk97ZmO03oS1LRaS1A7BiNaLMEwcWw@mail.gmail.com> <87o9axrvrm.wl-jch@irif.fr> <CAF4+nEH+K3hGfrTQTR+5kH_FCtJok-qoZ_J3e9_zeWCiWjWQ=g@mail.gmail.com> <87in14dn1b.fsf@toke.dk>
User-Agent: Wanderlust/2.15.9
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]); Fri, 16 Nov 2018 14:18:44 +0100 (CET)
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (potemkin.univ-paris7.fr [194.254.61.141]); Fri, 16 Nov 2018 14:18:46 +0100 (CET)
X-Miltered: at korolev with ID 5BEEC3B4.000 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-Miltered: at potemkin with ID 5BEEC3B6.000 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-j-chkmail-Enveloppe: 5BEEC3B4.000 from potemkin.univ-paris7.fr/potemkin.univ-paris7.fr/null/potemkin.univ-paris7.fr/<jch@irif.fr>
X-j-chkmail-Enveloppe: 5BEEC3B6.000 from mailhub.math.univ-paris-diderot.fr/mailhub.math.univ-paris-diderot.fr/null/mailhub.math.univ-paris-diderot.fr/<jch@irif.fr>
X-j-chkmail-Score: MSGID : 5BEEC3B4.000 on korolev.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Score: MSGID : 5BEEC3B6.000 on potemkin.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Status: Ham
X-j-chkmail-Status: Ham
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/UJUBJFZruPRhYKwKPYZOmkd2cV8>
Subject: Re: [babel] rfc6126bis security implementation requirements
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Nov 2018 13:18:54 -0000

>> A recommendation can be pretty weak depending on what you say about
>> when it might not be applicable. Let's see if anyone else has comments
>> on this.

> Well for my part, I read "recommend both" as "great, I can continue to
> not implement DTLS". :)

I take this to mean that you agree with me in principle...

> Don't have any strong opinion on the wording, though...

...but think I'm being overly pedantic.  (You probably have a stronger
expression in mind.)

As to implementing Babel-DTLS or not: the bet we're making with Babel-HMAC
is that people don't actually need asymmetric auth or confidentiality, and
that they'll be happy enough with the deliberately minimal features provided
by Babel-HMAC.

I like to think of Babel-DTLS as our insurance in case we lose the bet.
(David and Antonin might see things differently.)

-- Juliusz