Re: [Hipsec] [saag] NULL encryption mode in RFC 5202-bis
Paul Lambert <paul@marvell.com> Mon, 21 July 2014 23:57 UTC
From: Paul Lambert <paul@marvell.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Mon, 21 Jul 2014 16:57:03 -0700
Message-ID: <7BAC95F5A7E67643AAFB2C31BEE662D01EE45B1C4E@SC-VEXCH2.marvell.com>
References: <53BB798A.3080101@tomh.org> <53BBC8DE.1010006@cs.tcd.ie> <8171.1404842394@sandelman.ca>
In-Reply-To: <8171.1404842394@sandelman.ca>
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/H-Zh__jQ3zI2f1cSaDqd4Noh1hE
Cc: "hipsec@ietf.org" <hipsec@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [Hipsec] [saag] NULL encryption mode in RFC 5202-bis
NULL may be useful to some, but should NOT be mandated (should rather than must). It's another knob that could be set incorrectly and bypass the encryption. Not all products will want or need NULL.

Paul

]-----Original Message-----
]From: Hipsec [mailto:hipsec-bounces@ietf.org] On Behalf Of Michael Richardson
]Sent: Tuesday, July 08, 2014 11:00 AM
]To: Stephen Farrell
]Cc: hipsec@ietf.org; saag@ietf.org
]Subject: Re: [Hipsec] [saag] NULL encryption mode in RFC 5202-bis
]
]Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
]    > Generic: is it still considered a good plan to have null
]    > confidentiality suites such as these? Or for those to be
]    > Mandatory-To-Implement (MTI)? That clearly was the generic consensus as
]    > we have these in a number of protocols. The new reasons to move from
]    > that I think are: 1) we no longer need this for debugging purposes
]    > really since libraries and dev tools have moved on and are better now,
]    > and we specifically no longer need these for protocols that are no
]    > longer new, 2) BCP188 could be considered to argue against having these
]
]There are an incredible number of systems (Linux with stock-in-kernel
]NETKEY IPsec for instance), where it is impossible or very very
]difficult to get a packet capture of the traffic after decryption, but
]before it goes up the protocol stack.
]
]On such systems, if you have a problem in the field with a protocol that
]runs over ESP (whether HIP or IKEv2 keyed), and you can't figure out how
]it works, and it appears to work without ESP, then the lack of debugging
]means that you turn off all security.
]
]ESP-authenticated-with-NULL-encryption is debuggable in the field.
]Not having it means turning off ESP; and if the problem is in the link
]between the ESP layer and the upper layer, then...
]
]--
]Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
]-= IPv6 IoT consulting =-
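The "knob that could be set incorrectly" concern above is the kind of thing a configuration audit can catch before an SA is ever negotiated. The following is an added example, not code from this thread, from RFC 5202-bis, or from any HIP or IPsec implementation. It assumes a simplified proposal syntax ("encr-integ" tokens such as "aes128-sha256" or "null-sha256", and a bare AEAD token such as "aes128gcm16"), an assumed config layout with an explicit "debug_allow_null" opt-in, and constructed sample entries; the severity names and token spellings are likewise assumptions for the illustration.

```python
"""Audit ESP transform proposals for NULL-encryption suites.

Added example, not code from the HIP working group thread or any
HIP/IPsec implementation. The proposal syntax ("encr-integ" tokens,
or a bare AEAD token) and the config layout are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed token spellings for NULL encryption and for AEAD suites.
NULL_ENCR = {"null", "encr_null"}
AEAD = {"aes128gcm16", "aes256gcm16", "chacha20poly1305"}


@dataclass
class Finding:
    sa: str        # name of the SA / connection entry
    proposal: str  # the offending proposal token
    severity: str  # critical | high | medium | info
    reason: str


def parse_proposal(proposal: str) -> tuple[str, str | None]:
    """Split 'encr-integ' into (encr, integ); AEAD tokens have no integ part."""
    encr, sep, integ = proposal.strip().lower().partition("-")
    return encr, (integ if sep else None)


def audit(config: dict[str, dict]) -> list[Finding]:
    """Return findings for every SA whose proposals weaken or remove protection.

    config maps an SA name to {"proposals": [tokens...], "debug_allow_null": bool}.
    The opt-in flag is the explicit knob that separates a deliberate
    debugging choice from a misconfiguration that silently drops encryption.
    """
    findings: list[Finding] = []
    for name, sa in config.items():
        proposals = list(sa.get("proposals", []))
        allow_null = bool(sa.get("debug_allow_null", False))
        parsed = [parse_proposal(p) for p in proposals]

        for token, (encr, integ) in zip(proposals, parsed):
            if encr in NULL_ENCR:
                if integ is None:
                    findings.append(Finding(name, token, "critical",
                        "NULL encryption with no integrity algorithm: ESP adds no protection"))
                elif not allow_null:
                    findings.append(Finding(name, token, "high",
                        "NULL encryption offered without an explicit debug opt-in"))
                else:
                    findings.append(Finding(name, token, "info",
                        "NULL encryption allowed for debugging; confidentiality is off on this SA"))
            elif encr not in AEAD and integ is None:
                findings.append(Finding(name, token, "critical",
                    "non-AEAD cipher with no integrity algorithm"))

        # Preference order matters: a NULL suite listed ahead of an encrypting
        # suite lets negotiation settle on no confidentiality even though a
        # stronger suite was on offer.
        encrs = [e for e, _ in parsed]
        first_null = next((i for i, e in enumerate(encrs) if e in NULL_ENCR), None)
        if first_null is not None and any(e not in NULL_ENCR for e in encrs[first_null + 1:]):
            findings.append(Finding(name, proposals[first_null], "medium",
                "NULL suite ranked ahead of an encrypting suite in preference order"))
    return findings


# Constructed sample configuration, not a real deployment.
SAMPLE_CONFIG = {
    "prod-hip-esp":  {"proposals": ["aes128gcm16", "aes128-sha256"]},
    "lab-debug":     {"proposals": ["aes128-sha256", "null-sha256"],
                      "debug_allow_null": True},
    "misconfigured": {"proposals": ["null-sha256", "aes128-sha256"]},
    "broken":        {"proposals": ["null"]},
}

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity:8}] {f.sa}: {f.proposal}: {f.reason}")
```

Run against the constructed config, the production entry produces nothing, the lab entry is reported at "info" only because the opt-in flag is set, the entry that lists NULL first is reported both for the missing opt-in and for its preference order, and the entry that combines NULL encryption with no integrity algorithm is flagged as offering no protection at all. Keeping the opt-in as a separate, named setting rather than relying on which suites happen to be listed is what makes the debugging use Michael describes auditable instead of accidental.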