Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-dtn-tcpclv4-18: (with DISCUSS and COMMENT)

"R. Atkinson" <rja.lists@gmail.com> Thu, 19 November 2020 03:39 UTC

Return-Path: <rja.lists@gmail.com>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 105813A07DE for <dtn@ietfa.amsl.com>; Wed, 18 Nov 2020 19:39:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0TiQ6dgQNL0O for <dtn@ietfa.amsl.com>; Wed, 18 Nov 2020 19:38:59 -0800 (PST)
Received: from mail-qt1-x835.google.com (mail-qt1-x835.google.com [IPv6:2607:f8b0:4864:20::835]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C855E3A07DB for <dtn@ietf.org>; Wed, 18 Nov 2020 19:38:59 -0800 (PST)
Received: by mail-qt1-x835.google.com with SMTP id f93so3400885qtb.10 for <dtn@ietf.org>; Wed, 18 Nov 2020 19:38:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=J+/zIyStnWvIYkUO4GQJ/inuFbs5DdkK78di45RW6pM=; b=ussB+lgyLEpn9K8OxuP/JcufBz67cb4vhcV4meiicGO6TqJMZFNkXCzEap8yrfUNvO VAh/cwCm/JU/XG3OuCC1ve2U6vSJS7ZAYJBmLjQap2b1gI+gjsm9zFICt3ifaVv/RhLC M0uCIy0usGt+X3waAICSSczLGGUkUzXILFbJjuNxRBSSdrO3xj7lu/LshJf2FtT29mxr 5OEfISlL1z/QxREVR7mLCPLaRhNITbZfD+RNWPeJWsfZaWouwbEpjVsilOsDxKTsMRVe 5OBtfkL/xvnEPzbNAhP8AoIUfi+98p6LReC8XVfGifWevhfPD4RtaBLHhFTLCRBD0Eub uThA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=J+/zIyStnWvIYkUO4GQJ/inuFbs5DdkK78di45RW6pM=; b=bvy/vZFup4x08plJIoEIyKIREuc2nFqEy2p1O50glYnWeE7vgZ6wVfZPD+9n8r4F6i nDXXW/ax/0Ac6QdUrjROSDojpLzeIIEuHJVPFzOqIIqotBjgEAGeE8Tn4hWOtNDsek9t NEyP4okhvWqy0Jz/6PvskBTHzsQ37e7ZVqYBIN0KAe4deH68Uq3cUN9h52hnOIxoBtBg EN8Bdzg9Hq95dHOoUq40QIgGO5+og+pPoglF9iSBrFVqBaubtNNyzxltqE5Z5SaoIdts ZmosyM3CNVYsp/hqi8zPi2VgSH/4Eqxg5fs67PQ3xJPpy14AzWjSS+DZhHYSuS8MGBx7 acow==
X-Gm-Message-State: AOAM5316tZ5nDasY0K2uyp3LSgMUEvZMP32izEazYwEhvc6+M45Whxjh IEqQZrpyQH4gHWJIjq8gzrrh+AdzoKI=
X-Google-Smtp-Source: ABdhPJytp/Jhp3hLD1vmuGt1e9crxm2TVoCCcZ62QFssUsCsTMsdcmDUQ7Rc59OrA0/KVcr6FDIOVA==
X-Received: by 2002:ac8:221b:: with SMTP id o27mr8340902qto.54.1605757138993; Wed, 18 Nov 2020 19:38:58 -0800 (PST)
Received: from [10.30.20.27] (pool-141-156-180-77.washdc.fios.verizon.net. [141.156.180.77]) by smtp.gmail.com with ESMTPSA id m2sm17484694qtu.62.2020.11.18.19.38.57 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 18 Nov 2020 19:38:58 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: "R. Atkinson" <rja.lists@gmail.com>
In-Reply-To: <20201117011009.GA39170@kduck.mit.edu>
Date: Wed, 18 Nov 2020 22:38:57 -0500
Cc: DTN WG <dtn@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <F3214A44-2F53-46F4-B45C-DF511E962E6E@gmail.com>
References: <158215235500.17580.7759757155303566523.idtracker@ietfa.amsl.com> <50c5dae1bc26ade7d0fcd9388873665868f7284c.camel@rkf-eng.com> <20201001015416.GE89563@kduck.mit.edu> <MN2PR13MB3567B7727DF06411E47A826A9F160@MN2PR13MB3567.namprd13.prod.outlook.com> <6D6A8A1F-69C2-4B2B-B8B3-464C680D9A3D@gmail.com> <20201117011009.GA39170@kduck.mit.edu>
To: Benjamin Kaduk <kaduk@mit.edu>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/F8Zs12jNmQuwFSdn4pyFlGjcSqw>
Subject: Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-dtn-tcpclv4-18: (with DISCUSS and COMMENT)
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2020 03:39:02 -0000


> On Nov 16, 2020, at 20:10, Benjamin Kaduk <kaduk@mit.edu> wrote:
> 
> If we say that TLS support is "mandatory to implement" (do we?  I couldn't
> find such text in a quick search, but thought we had talked about it),

Hi,

I don’t see any text saying that TLS is “mandatory to implement” in the TCPCL I-D.  

I believe the TCPCL I-D should have text, probably in Security Considerations, saying that:

"TLS is mandatory to implement for all TCPCL implementations, but TLS is optional to use for a given TCPCL session."

I imagine the WG would be comfortable with words generally along those lines, but I am not sure whether a formal WG decision has been made. (DTN Chairs ?)

> it would require some very convoluted reasoning to come up with a scenario
> where an entity is "not capable of exchanging messages according to TLS
> 1.3" -- it would be right in the spec that your implementation needs to
> have the capability to do so!  

Agreed.

> Yes, we could come up with some explanation about local policy clamping the implementation's capabilities, but it seems like it would be simpler to use a slightly different wording here, like
> “if the entity is configured to enable exchanging messages according to TLS
> 1.3" that does not set up an apparent conflict between "capable" and
> "implements”.

That text edit would work for me.  

Effectively those edits would mean that all TCPCL implementations would need to implement TLS (which implementation really is easy since OpenSSL exists and could be used) but that local configuration might mean TCPCL is not in use for some TCPCL sessions.

As an aside, many commercial vendors use OpenSSL as the basis for their TLS implementations, in part because OpenSSL already has a FIPS-140 approval from US NIST.  This makes compliance with both US and non-US buyer requirements easier for vendors.  FIPS-140 is commonly required by non-US financial institutions and a range of countries other than the US, so it is not really a US-specific sales/acquisition issue.

Yours,

Ran