Re: [dispatch] DISPATCH IETF 111 meeting - preliminary outcomes and draft minutes

John Mattsson <john.mattsson@ericsson.com> Wed, 28 July 2021 18:47 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Richard Barnes <rlb@ipv.sx>
CC: "dispatch@ietf.org" <dispatch@ietf.org>
Date: Wed, 28 Jul 2021 18:47:30 +0000
Message-ID: <HE1PR0701MB3050C7A46B70BF76CE2F811789EA9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/-G5511Sc9Z6_GXwhd_v5-L1tal8>

Richard Barnes <rlb@ipv.sx> wrote:

> I hate sending symmetric keys around as much as the next person.  But we should be pragmatic here.

I think the NOT RECOMMENDED suggestion on the table is quite pragmatic. The suggestions here are much softer than RFC 8996: "MUST NOT negotiate TLS 1.1".


> Here, SDES still does what it says on the label

I don't think that is true. SDES is labeled as an IETF proposed standard. It might barely have met the requirements for that when it was published, but it certainly does not anymore. While SDES is as insecure as it always has been, the distance between SDES and what is considered acceptable security has grown big.

-John

From: Richard Barnes <rlb@ipv.sx>
Date: Wednesday, 28 July 2021 at 19:26
To: John Mattsson <john.mattsson@ericsson.com>
Cc: dispatch@ietf.org <dispatch@ietf.org>
Subject: Re: [dispatch] DISPATCH IETF 111 meeting - preliminary outcomes and draft minutes
I hate sending symmetric keys around as much as the next person.  But we should be pragmatic here.

The situation with SDES is unlike the situation with a bunch of the other deprecations we have done recently (SSLv3, TLS 1.0).  There, the protocol was broken, in the sense that it does not provide the guarantees that it is supposed to provide.  Here, SDES still does what it says on the label, just like it always has; we’re just increasingly grumpy about that model and there are somewhat better alternatives.

Note “somewhat” — DTLS-SRTP is only better than SDES to the extent that the certificates in the DTLS exchange are verified independent of the signaling path.  If you rely only on the fingerprint in SDP for authentication, then an SDP-path entity can swap out fingerprints to intercept and get keys just as well as with SDES.  (At best, this swaps an active for a passive attack, which is not nothing, but not a huge step.)  We do have mechanisms for such verification, but they’re not widely deployed.

All of which tells me that there's not an urgent need for action here.  SDES is not a looming threat to the Internet.  In the many deployments where it is used, it still does what it claims to do, and people have accommodated that into their broader system models.  Even if there were to be a mass migration to DTLS-SRTP, the actual security benefit for all that work would be fairly minor until we do a lot more work to solve the authentication problems.

So if folks want to make a bigger, scarier warning label to put on SDES to guide people away from it, sure, fine.  But it doesn’t seem like a blaring red warning light is called for.  In terms of this document, the content is probably mostly OK if we reframe it in that light.  Obsoleting SDES and marking it Historic, though, is over the top; it will just create unnecessary consternation.

--Richard

On Tue, Jul 27, 2021 at 7:08 PM John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:
westhawk <thp@westhawk.co.uk> wrote:


>> On 26 Jul 2021, at 23:30, Kirsty P <Kirsty.p=40ncsc.gov.uk@dmarc.ietf.org> wrote:

>>

>> SDP Security Descriptions is NOT RECOMMENDED and Historic: consensus was sub-optimal. There was support for revisiting the space currently standardised by SDP, but not on direction (whether to do a deprecation with/without replacement). Future paths suggested included: mmusic, a new WG, more work required for it to be ready, or a BoF (said in chat) to vet the idea further.

> My sense is that there was a rough consensus around a goal to make it possible to deprecate SDES - but the required steps were unclear.

Yes, looking at the Jabber log there was quite strong support for the goal of deprecating SDES:

Eric Rescorla: Let's all just agree that this (Mattson's SDES) draft is a good idea and promote it to full standard today
Martin Thomson: now that I see John presenting this, I have to wonder: why didn't this deprecation happen before?
Sean Turner: When Dan Wing got up and said not to use SDES in Berlin - I assumed that was that ;)
Pete Resnick: Why "NOT RECOMMENDED" instead of "MUST NOT"?
Sean Turner: +1 to what ekr said
Rich Salz: +1 also


Regarding the next required steps I agree with Pete. Let’s charter.

Ben Kaduk: So is this dispatch to BoF, or straight to WG?
Pete Resnick: @ben: Sounds like this discussion has done the equivalent of BoFing. Charter.

Cheers,
John
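To make the distinction in Richard's message concrete (SDES puts the SRTP master key itself into SDP, so a passive reader of the signaling has it; DTLS-SRTP puts only a certificate fingerprint into SDP, so an entity on the SDP path has to actively rewrite the fingerprint and terminate the DTLS handshake with its own certificate, which an SDP-only check cannot detect), here is an added example. It is not code from this thread or from any RFC or implementation. It uses the a=crypto syntax of RFC 4568 and the a=fingerprint syntax of RFC 8122, constructed byte strings in place of real DER certificates, a constructed 30-byte master key and salt, and a hypothetical out-of-band "pinned" fingerprint standing in for the independent verification Richard says is not widely deployed.

```python
"""Added example (not from the thread): SDES key exposure vs. DTLS-SRTP
fingerprint substitution by an SDP-path entity, and why an independently
obtained fingerprint is what actually closes the gap."""
import base64
import hashlib
import re
from typing import Optional, Tuple

# Constructed stand-ins for DER-encoded certificates; only their hash matters here.
CALLER_CERT = b"constructed DER bytes: caller's self-signed DTLS certificate"
ATTACKER_CERT = b"constructed DER bytes: SDP-path attacker's certificate"

# Constructed SRTP master key || master salt (16 + 14 bytes for AES_CM_128_HMAC_SHA1_80).
SDES_KEY_SALT = bytes(range(30))


def sdp_fingerprint(cert_der: bytes, hash_name: str = "sha-256") -> str:
    """RFC 8122 fingerprint value: upper-case hex octets separated by colons."""
    digest = hashlib.new(hash_name.replace("-", ""), cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_fingerprint_attr(sdp: str) -> Tuple[str, str]:
    """Return (hash function, fingerprint) from the a=fingerprint line."""
    m = re.search(r"^a=fingerprint:(\S+) ((?:[0-9A-Fa-f]{2}:)*[0-9A-Fa-f]{2})\s*$", sdp, re.M)
    if m is None:
        raise ValueError("no a=fingerprint attribute")
    return m.group(1).lower(), m.group(2).upper()


def parse_sdes_master_key(sdp: str) -> Tuple[str, bytes]:
    """RFC 4568: the SRTP master key and salt are base64 inside the a=crypto line,
    so whoever can read the SDP can decrypt the media (a passive attack)."""
    m = re.search(r"^a=crypto:\d+ (\S+) inline:([A-Za-z0-9+/]+=*)", sdp, re.M)
    if m is None:
        raise ValueError("no a=crypto attribute")
    return m.group(1), base64.b64decode(m.group(2))


def verify_dtls_peer(sdp: str, peer_cert_der: bytes, pinned_fp: Optional[str] = None) -> bool:
    """Accept the certificate the peer presented in the DTLS handshake if it matches
    the fingerprint carried in SDP and, when one is available, a fingerprint learned
    independently of the signaling path (hypothetical out-of-band pin)."""
    hash_name, sdp_fp = parse_fingerprint_attr(sdp)
    if sdp_fingerprint(peer_cert_der, hash_name) != sdp_fp:
        return False
    return pinned_fp is None or sdp_fp == pinned_fp


def sdp_path_attacker_rewrite(sdp: str) -> str:
    """What an entity on the SDP path does to MITM DTLS-SRTP: swap the fingerprint
    for its own, then terminate the DTLS handshake with ATTACKER_CERT (active attack)."""
    return re.sub(r"^a=fingerprint:.*$",
                  "a=fingerprint:sha-256 " + sdp_fingerprint(ATTACKER_CERT),
                  sdp, flags=re.M)


def build_sdes_sdp() -> str:
    """Constructed SDES offer carrying the master key inline (RFC 4568 syntax)."""
    key = base64.b64encode(SDES_KEY_SALT).decode()
    return ("m=audio 49170 RTP/SAVP 0\r\n"
            f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{key}|2^20|1:4\r\n")


def build_dtls_sdp() -> str:
    """Constructed DTLS-SRTP offer carrying only the caller's certificate fingerprint."""
    return ("m=audio 49170 UDP/TLS/RTP/SAVP 0\r\n"
            f"a=fingerprint:sha-256 {sdp_fingerprint(CALLER_CERT)}\r\n"
            "a=setup:actpass\r\n")


if __name__ == "__main__":
    # Passive: anyone who reads the SDP has the SRTP master key.
    print(parse_sdes_master_key(build_sdes_sdp()))
    attacked = sdp_path_attacker_rewrite(build_dtls_sdp())
    # Active: a rewritten fingerprint passes an SDP-only check ...
    print(verify_dtls_peer(attacked, ATTACKER_CERT))
    # ... but fails once the caller's fingerprint is known independently of SDP.
    print(verify_dtls_peer(attacked, ATTACKER_CERT, pinned_fp=sdp_fingerprint(CALLER_CERT)))
```

The SDP-only check in verify_dtls_peer only binds the DTLS certificate to whatever the SDP says; it is the pinned_fp comparison, i.e. some knowledge of the peer's fingerprint that did not travel over the signaling path, that turns the attacker's substitution into a detectable failure.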