Re: [Hipsec] [saag] NULL encryption mode in RFC 5202-bis
Robert Moskowitz <rgm@htt-consult.com> Tue, 22 July 2014 17:34 UTC
From: Robert Moskowitz <rgm@htt-consult.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, Ted Lemon <ted.lemon@nominum.com>
Cc: hipsec@ietf.org, saag@ietf.org
Date: Tue, 22 Jul 2014 13:34:28 -0400
Message-ID: <53CEA0A4.7070605@htt-consult.com>
In-Reply-To: <3737.1406042808@sandelman.ca>
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/YQ6yJR2LfQUzqg1KzjHjoXN-vmI
On 07/22/2014 11:26 AM, Michael Richardson wrote:
> Ted Lemon <ted.lemon@nominum.com> wrote:
> >> It is a switch to request integrity only. Or to only allow integrity
> >> only. Either party MUST be able to reject an integrity only
> >> negotiation.
>
> > That's not good enough. It should be the case that integrity-only
> > negotiations are rejected by default, unless there's no protocol
> > requirement for confidentiality. If there is no need for
> > confidentiality, then the answer to the DISCUSS should be "there is no
> > need for confidentiality."
>
> All of those knobs, correctly labelled, are all there already. Really.

The code has the knobs, but Ted's question is: does the spec have the knobs?

Something like "default transform lists MUST NOT provide any of the
integrity only suites. These MAY be offered only by explicit
configuration."

This discussion is about NULL, which is quite a misnomer... But back in
the days.........

If you look at the HIP exchange, R1 contains the offered list, and I2
either contains the requested suite, or a counter list. Both are signed
(in HIP-BEX) and thus can only be spoofed for anonymous HITs.
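The R1/I2 transform negotiation and the "explicit configuration" knob proposed in the message above, as an added toy model that is not part of this thread, of RFC 5202-bis, or of any HIP implementation. Suite names are symbolic placeholders (the numeric ESP transform IDs from the specification are deliberately not reproduced), the `TransformPolicy` class and its `allow_integrity_only` knob are this example's own assumptions, signature verification on R1 and I2 is modelled as a boolean result rather than performed, and the responder's handling of a counter list (pick its first permitted entry) is a simplification assumed here, not the specification's procedure.

```python
"""Toy model of HIP base-exchange ESP transform negotiation.

Responder's R1 carries an ordered offer; Initiator's I2 carries either one
chosen suite or a counter list. Each side applies local policy, so either
party can reject an integrity-only ("NULL encryption") outcome. Written as
an illustration for this thread; not code from RFC 5202-bis or any HIP stack.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed, symbolic suite names. Numeric transform IDs are omitted.
INTEGRITY_ONLY_SUITES = frozenset({
    "NULL-ENCRYPT-HMAC-SHA1",
    "NULL-ENCRYPT-HMAC-SHA256",
})
CONFIDENTIAL_SUITES: Tuple[str, ...] = (
    "AES-128-CBC-HMAC-SHA256",
    "AES-128-CBC-HMAC-SHA1",
)


@dataclass(frozen=True)
class TransformPolicy:
    """Hypothetical local knob: integrity-only suites need explicit opt-in."""
    allow_integrity_only: bool = False

    def transform_list(self) -> Tuple[str, ...]:
        # The default list never contains an integrity-only suite; when the
        # knob is set, those suites are appended after every confidential one,
        # so they are never preferred over encryption (this model's choice).
        suites = list(CONFIDENTIAL_SUITES)
        if self.allow_integrity_only:
            suites.extend(sorted(INTEGRITY_ONLY_SUITES))
        return tuple(suites)

    def permits(self, suite: str) -> bool:
        if suite in INTEGRITY_ONLY_SUITES:
            return self.allow_integrity_only
        return suite in CONFIDENTIAL_SUITES


def build_r1_offer(responder: TransformPolicy) -> Tuple[str, ...]:
    """R1: the responder's ordered offer, most preferred first."""
    return responder.transform_list()


def initiator_choose(offered: Tuple[str, ...], initiator: TransformPolicy,
                     r1_signature_ok: bool) -> Tuple[Optional[str], Tuple[str, ...]]:
    """I2 content: (chosen_suite, counter_list).

    chosen_suite is the first offered suite local policy permits; when none is
    acceptable it is None and counter_list carries the initiator's own list.
    A failed R1 signature check aborts the exchange: nothing is chosen.
    """
    if not r1_signature_ok:
        return None, ()
    for suite in offered:
        if initiator.permits(suite):
            return suite, ()
    return None, initiator.transform_list()


def responder_accept_i2(chosen: str, offered: Tuple[str, ...],
                        responder: TransformPolicy, i2_signature_ok: bool) -> bool:
    """Responder's check on the I2 selection.

    The selection must be signed, must be something R1 actually offered (a
    suite outside the offer is treated as a downgrade attempt and refused),
    and must still pass the responder's own policy.
    """
    if not i2_signature_ok:
        return False
    if chosen not in offered:
        return False
    return responder.permits(chosen)


def negotiate(responder: TransformPolicy, initiator: TransformPolicy,
              r1_signature_ok: bool = True, i2_signature_ok: bool = True) -> Optional[str]:
    """Run one R1/I2 round; return the agreed suite or None on rejection."""
    offered = build_r1_offer(responder)
    chosen, counter = initiator_choose(offered, initiator, r1_signature_ok)
    if chosen is None:
        # Assumed simplification: the responder takes the first entry of the
        # counter list that its policy permits, if any.
        return next((s for s in counter if responder.permits(s)), None)
    if responder_accept_i2(chosen, offered, responder, i2_signature_ok):
        return chosen
    return None


if __name__ == "__main__":
    print("defaults:", negotiate(TransformPolicy(), TransformPolicy()))
    print("NULL-only offer vs default initiator:",
          initiator_choose(("NULL-ENCRYPT-HMAC-SHA256",), TransformPolicy(), True))
```

Two properties fall out of the model: a default-configured peer never offers or accepts an integrity-only suite, and even when both peers opt in, a confidential suite still wins because the opt-in only appends to the list. The signature flags stand in for the HIP-BEX signatures the message mentions; a responder that skips the `chosen not in offered` check would let a forged I2 select a suite it never offered.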