Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-dtn-tcpclv4-18: (with DISCUSS and COMMENT)

"R. Atkinson" <rja.lists@gmail.com> Thu, 19 November 2020 03:39 UTC

Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: "R. Atkinson" <rja.lists@gmail.com>
In-Reply-To: <20201117011009.GA39170@kduck.mit.edu>
Date: Wed, 18 Nov 2020 22:38:57 -0500
Cc: DTN WG <dtn@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <F3214A44-2F53-46F4-B45C-DF511E962E6E@gmail.com>
References: <158215235500.17580.7759757155303566523.idtracker@ietfa.amsl.com> <50c5dae1bc26ade7d0fcd9388873665868f7284c.camel@rkf-eng.com> <20201001015416.GE89563@kduck.mit.edu> <MN2PR13MB3567B7727DF06411E47A826A9F160@MN2PR13MB3567.namprd13.prod.outlook.com> <6D6A8A1F-69C2-4B2B-B8B3-464C680D9A3D@gmail.com> <20201117011009.GA39170@kduck.mit.edu>
To: Benjamin Kaduk <kaduk@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/F8Zs12jNmQuwFSdn4pyFlGjcSqw>
Subject: Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-dtn-tcpclv4-18: (with DISCUSS and COMMENT)
Precedence: list

> On Nov 16, 2020, at 20:10, Benjamin Kaduk <kaduk@mit.edu> wrote:
> 
> If we say that TLS support is "mandatory to implement" (do we?  I couldn't
> find such text in a quick search, but thought we had talked about it),

Hi,

I don’t see any text saying that TLS is “mandatory to implement” in the TCPCL I-D.  

I believe the TCPCL I-D should have text, probably in Security Considerations, saying that:

"TLS is mandatory to implement for all TCPCL implementations, but TLS is optional to use for a given TCPCL session."

I imagine the WG would be comfortable with words generally along those lines, but I am not sure whether a formal WG decision has been made. (DTN Chairs ?)

> it would require some very convoluted reasoning to come up with a scenario
> where an entity is "not capable of exchanging messages according to TLS
> 1.3" -- it would be right in the spec that your implementation needs to
> have the capability to do so!  

Agreed.

> Yes, we could come up with some explanation about local policy clamping the implementation's capabilities, but it seems like it would be simpler to use a slightly different wording here, like
> “if the entity is configured to enable exchanging messages according to TLS
> 1.3" that does not set up an apparent conflict between "capable" and
> "implements”.

That text edit would work for me.  

Effectively those edits would mean that all TCPCL implementations would need to implement TLS (which implementation really is easy since OpenSSL exists and could be used) but that local configuration might mean TCPCL is not in use for some TCPCL sessions.

As an aside, many commercial vendors use OpenSSL as the basis for their TLS implementations, in part because OpenSSL already has a FIPS-140 approval from US NIST.  This makes compliance with both US and non-US buyer requirements easier for vendors.  FIPS-140 is commonly required by non-US financial institutions and a range of countries other than the US, so it is not really a US-specific sales/acquisition issue.

Yours,

Ran

[dtn] Benjamin Kaduk's Discuss on draft-ietf-dtn-… Benjamin Kaduk via Datatracker
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… Brian Sipos
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… Magnus Westerlund
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… Brian Sipos
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… Magnus Westerlund
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… Brian Sipos
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… Magnus Westerlund
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… Brian Sipos
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… Magnus Westerlund
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… Magnus Westerlund
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… Magnus Westerlund
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… Brian Sipos
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… R. Atkinson
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… R. Atkinson
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… Rick Taylor
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… Brian Sipos
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… Brian Sipos
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… R. Atkinson
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… Brian Sipos
Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk