Re: [Hipsec] [saag] NULL encryption mode in RFC 5202-bis

Ted Lemon <ted.lemon@nominum.com> Tue, 22 July 2014 14:29 UTC

From: Ted Lemon <ted.lemon@nominum.com>
In-Reply-To: <m3lhs3dh5w.fsf@carbon.jhcloos.org>
Date: Tue, 22 Jul 2014 10:28:43 -0400
Message-ID: <399ECC6D-CB3D-46F7-A9D7-7465608F1B77@nominum.com>
References: <53BB798A.3080101@tomh.org> <m3lhs3dh5w.fsf@carbon.jhcloos.org>
To: James Cloos <cloos@jhcloos.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/hipsec/deVWhvmWtWcrQZIcIOZMKmGkAQE
Cc: hipsec@ietf.org, saag@ietf.org
Subject: Re: [Hipsec] [saag] NULL encryption mode in RFC 5202-bis

On Jul 8, 2014, at 11:06 AM, James Cloos <cloos@jhcloos.com> wrote:
> If those doing IP over Amateur Radio are a use case, they require NULL.

If Amateur Radio's prohibition on encryption is considered to be important in making decisions about crypto in protocols, then I think we are in a situation where we can't have crypto protocols that don't disallow downgrade attacks, because implementations always have to be willing to downgrade to no encryption if the other endpoint is an Amateur Radio station.

So, by reductio ad absurdum, I claim that this isn't something the working group should consider as a deciding factor. I think the same observation also applies to Michael's comment about debugging on stacks with limited trace capability. If you need to disable encryption, you should have to do something fairly extraordinary to make that happen.
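The two design points in this reply (a NULL transform must never be reachable by ordinary negotiation, and an endpoint must not act on an offer list that could have been altered in transit) can be shown in a small negotiation routine. The following is an added illustration, not code from the thread nor from any HIP implementation; the transform names, the preference order, the `allow_null` policy flag and the shared key are constructed for the example, and the HMAC over the offer list stands in for the signature that a real protocol would place over its negotiation messages.

```python
"""Choosing an encryption transform without silently downgrading to NULL.

Constructed example: a local preference list, a selector that excludes
NULL unless the operator explicitly opts in, and an authenticated
transcript check so that an offer list modified on the path is rejected
rather than negotiated on.
"""
import hashlib
import hmac

# Constructed transform identifiers, most preferred first. "NULL" is the
# no-encryption transform discussed in the thread.
PREFERENCE = ["AES-256-CBC", "AES-128-CBC", "3DES-CBC", "NULL"]


def select_transform(offered, allow_null=False):
    """Return the first locally preferred transform that the peer also offers.

    NULL is removed from the candidate set unless allow_null is True, so a
    peer offering only NULL produces a failed negotiation (None) instead of
    an unencrypted association. Enabling NULL is a deliberate local act,
    never a consequence of what the peer sent.
    """
    candidates = [t for t in PREFERENCE if t != "NULL" or allow_null]
    for transform in candidates:
        if transform in offered:
            return transform
    return None


def transcript_mac(key, offered):
    """HMAC-SHA256 over the offer list exactly as the peer sent it.

    Stand-in (assumption of this example) for the signature that a real
    protocol places over the message carrying the transform list.
    """
    message = "|".join(offered).encode("ascii")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_and_select(key, offered_as_received, mac_received, allow_null=False):
    """Negotiate only when the received offer list authenticates.

    A list whose MAC does not match is treated as tampered: the function
    returns None and no transform, NULL or otherwise, is chosen from it.
    """
    expected = transcript_mac(key, offered_as_received)
    if not hmac.compare_digest(expected, mac_received):
        return None
    return select_transform(offered_as_received, allow_null)


if __name__ == "__main__":
    key = b"constructed-shared-key"

    # Ordinary peer: strongest mutually supported transform is chosen.
    offer = ["AES-128-CBC", "NULL"]
    print(verify_and_select(key, offer, transcript_mac(key, offer)))  # AES-128-CBC

    # Peer offering only NULL: fails by default, succeeds only with opt-in.
    null_only = ["NULL"]
    print(verify_and_select(key, null_only, transcript_mac(key, null_only)))
    print(verify_and_select(key, null_only, transcript_mac(key, null_only),
                            allow_null=True))

    # Offer list altered in transit: MAC mismatch, negotiation refused even
    # though the altered list contains an acceptable transform.
    original = ["AES-256-CBC", "AES-128-CBC"]
    altered = ["AES-128-CBC"]
    print(verify_and_select(key, altered, transcript_mac(key, original)))
```

The point of `allow_null` defaulting to False is the "fairly extraordinary" step: an operator who must run without encryption (a debugging stack, an Amateur Radio station) flips a local switch, and nothing a remote peer puts on the wire can flip it for them. The transcript check is what keeps that switch from being bypassed by an on-path edit of the offer list.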