Re: The TCP and UDP checksum algorithm may soon need updating

Russ Housley <housley@vigilsec.com> Mon, 08 June 2020 19:33 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 862473A0F50 for <ietf@ietfa.amsl.com>; Mon, 8 Jun 2020 12:33:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U5I23MI4LZ33 for <ietf@ietfa.amsl.com>; Mon, 8 Jun 2020 12:33:44 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA65A3A0F51 for <ietf@ietf.org>; Mon, 8 Jun 2020 12:33:44 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 01CD4300B3C for <ietf@ietf.org>; Mon, 8 Jun 2020 15:33:42 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id a5gkFBiJNmSV for <ietf@ietf.org>; Mon, 8 Jun 2020 15:33:40 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (pool-72-66-113-56.washdc.fios.verizon.net [72.66.113.56]) by mail.smeinc.net (Postfix) with ESMTPSA id B48AC300A51; Mon, 8 Jun 2020 15:33:40 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.14\))
Subject: Re: The TCP and UDP checksum algorithm may soon need updating
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <701D43E2D4CCEC304A935A92@PSB>
Date: Mon, 8 Jun 2020 15:33:42 -0400
Cc: IETF <ietf@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <DC0B2BC4-3249-46F3-A2DA-514FA1F8766C@vigilsec.com>
References: <28A2725D-00F8-4739-8A73-ED176F8EF561@strayalpha.com> <3AA98081-A70E-4076-8096-79FFAEE8A738@huitema.net> <830b91c4-0bb5-af5b-f7b8-c5edd43dc87e@mtcc.com> <4512C1BF-5722-479B-8506-24018610BEAD@strayalpha.com> <5b4ea5ea-e2d6-1a01-3676-dd2a72dbd2c1@mtcc.com> <2C425F1E-2E12-4E47-ACEC-AF4C4A93FA3E@akamai.com> <140429ad-af8b-e03f-a641-1e78b6056fa4@mtcc.com> <D55AFBFD-0D59-4176-B6BD-D6A1801FEC2C@akamai.com> <77B2A0BC-0B4B-4118-A618-CE3F91B976F1@tzi.org> <fe52fd56-86df-26c0-eabf-39a45b293491@foobar.org> <38EE3FAB-BFA6-4E4C-97EB-BEA1581BDF78@tzi.org> <701D43E2D4CCEC304A935A92@PSB>
To: John C Klensin <john-ietf@jck.com>
X-Mailer: Apple Mail (2.3445.104.14)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/M3BxMy3QCmJksTsyqY1wQVh638Y>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jun 2020 19:33:47 -0000


> On Jun 8, 2020, at 3:07 PM, John C Klensin <john-ietf@jck.com> wrote:
> 
> 
> 
> --On Monday, June 8, 2020 20:39 +0200 Carsten Bormann
> <cabo@tzi.org> wrote:
> 
>> ...
>> We now have the opportunity to make pervasive use of security;
>> nobody knows how long that window of opportunity will stay
>> open.  Instead of working on changing checksums, we should go
>> for it.
> 
> <mini-rant>
> While you are going for it just be sure that if the window
> closes again, and closes sufficiently hard in some places to ban
> the use of encrypted message flows entirely, the community is
> not faced with a choice among no Internet, a highly fractionated
> Internet with no communications between "crypto ok" and "crypto
> prohibited" countries, or trying to limp along using protocols
> that are known to be defective because we decided to ignore the
> problems with them in favor of putting all of our proverbial
> eggs in the pervasive security and encryption basket.
> </mini-rant>

Meeting this requirement requires integrity protection, not confidentiality.

Russ