IETF Logo Mail Archive

Re: [Dots] DOTS secure transport discussion - introducing SSLS

Linda Dunbar <linda.dunbar@huawei.com> Wed, 23 March 2016 20:24 UTC

Return-Path: <linda.dunbar@huawei.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 027FE12D8A8 for <dots@ietfa.amsl.com>; Wed, 23 Mar 2016 13:24:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.231
X-Spam-Level:
X-Spam-Status: No, score=-4.231 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qzFCzPlBkvfn for <dots@ietfa.amsl.com>; Wed, 23 Mar 2016 13:24:44 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F23A12D8AA for <dots@ietf.org>; Wed, 23 Mar 2016 13:24:36 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml705-cah.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CLE13798; Wed, 23 Mar 2016 20:24:34 +0000 (GMT)
Received: from DFWEML701-CAH.china.huawei.com (10.193.5.175) by lhreml705-cah.china.huawei.com (10.201.5.168) with Microsoft SMTP Server (TLS) id 14.3.235.1; Wed, 23 Mar 2016 20:24:33 +0000
Received: from DFWEML501-MBB.china.huawei.com ([10.193.5.179]) by dfweml701-cah.china.huawei.com ([10.193.5.175]) with mapi id 14.03.0235.001; Wed, 23 Mar 2016 13:24:28 -0700
From: Linda Dunbar <linda.dunbar@huawei.com>
To: Robert Moskowitz <rgm-sec@htt-consult.com>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: [Dots] DOTS secure transport discussion - introducing SSLS
Thread-Index: AQHRhDyoUi+XQweVm06XxEmNTrN3D59neF1A
Date: Wed, 23 Mar 2016 20:24:27 +0000
Message-ID: <4A95BA014132FF49AE685FAB4B9F17F657E60F42@dfweml501-mbb>
References: <56F144DE.1040100@htt-consult.com>
In-Reply-To: <56F144DE.1040100@htt-consult.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.192.11.129]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020201.56F2FB83.00E3, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 34c145882dfb5e522a00cca8324d416f
Archived-At: <http://mailarchive.ietf.org/arch/msg/dots/UEuLZp3TfZ1osKCOAGlqrfI0LXQ>
Subject: Re: [Dots] DOTS secure transport discussion - introducing SSLS
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Mar 2016 20:24:55 -0000

Robert, 

 A couple of questions for SSLS & GPcomp:

- What data will GPcomp will compress? The first hop of any end node is Ethernet, which has 64 minimum bytes, with 46 bytes payload. 
The minimum IP packet header has 20 bytes. You can't really compress the header, can you? 
If the signaling is compact, a few bytes, the compression can't really get much value. 

- What is the relationship among SSE, SSLS, GPcomp? 

Thanks, Linda 

-----Original Message-----
From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Robert Moskowitz
Sent: Tuesday, March 22, 2016 8:13 AM
To: dots@ietf.org
Subject: [Dots] DOTS secure transport discussion - introducing SSLS

I find the DOTS requirements for message transport interesting and somewhat unique:

1)    Secure, of course.
2)    Perform well in the face of high congestion, typically on the 
receive link.
3)    Bi-directional.  Actually tightly linked uni-directional flows.
         That is peered more than client/server (despite clear cleint/server roles).
4)    Reduce communication stack fate-sharing to reduce attack surface.
5)    Easily restartable during an attack. (recovery after agent 
failure/reboot)


I can, and will if called on it, go through my logic in saying that TLS 
over TCP is not a good tool and even DTLS over UDP misses the mark.  ESP 
in transport mode comes close, but we can do better.

I have put this in:

https://www.ietf.org/internet-drafts/draft-moskowitz-dots-ssls-02.txt

DOTS Secure Session Layer Services

This introduces a real session layer, something really not present in 
the IETF stack, that provides a set of services.  SSLS and its services 
are laid out in:

https://www.ietf.org/internet-drafts/draft-hares-i2nsf-ssls-00.txt

Sue (and I) put the design for SSLS in i2nsf, as it is broadly 
applicable in a number of areas under i2nsf.  This includes i2rs and 
what I have called firstMILE (more on this shortly oer on MILE list).

Two other drafts that fit into this architecture are:

https://www.ietf.org/internet-drafts/draft-moskowitz-sse-03.txt
and
https://www.ietf.org/internet-drafts/draft-moskowitz-gpcomp-00.txt

SSLS (and SSE and GPComp) can use either IKEv2 or HIPv2 (or HIP-DEX) as 
the KMP to establish paired, tightly coupled uni-directional Security 
Associations.

By operating above the transport (TCP,UDP, SCTP, SMS, etc.) the security 
state is independent of transport setup and teardown.  SLS can even 
choose which transport to use under whatever knowledge it has of the 
condition and needs of the time.  It can support multiple, simultaneous, 
communication channels (fully leveraging SCTP for i2rs).

The work on SLS is not done.  A few of us have been working on it for a 
year, but only recently have the pieces fallen together.  SSE is ESP 
moved up the stack and I know of one non-public use of it. GPComp is 
IPCOMP moved up the stack and knowledge of which compression algorithm 
not advertised in each datagram.  Those are really the easy parts.  The 
KMP part is not a stretch.  Both IKE and HIP are higher layer KMPs and 
can be set up to be called as needed. But some work is needed still.

SLS is the new component.  The i2nsf-ssls draft needs clean up; I expect 
it to be further along by IETF (though not postable).

SO.....

I open the floor to discussion.

I would be interested in how others see using existing communication 
services to meet the DOTS requirements.

I am interested in how others see SLS and particularly SSLS and its use 
for DOTS.  I have a slot in the meeting, but I hope by that friday we 
have shaped some positions on this area.

Robert Moskowitz

_______________________________________________
Dots mailing list
Dots@ietf.org
https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email