Re: TLS on disconnected/intermittently connected networks

Sam Hartman <hartmans-ietf@mit.edu> Thu, 04 March 2021 20:52 UTC

From: Sam Hartman <hartmans-ietf@mit.edu>
To: Keith Moore <moore@network-heretics.com>
Cc: ietf@ietf.org
Subject: Re: TLS on disconnected/intermittently connected networks
References: <20210302010731.GL30153@localhost> <0632b948-9ed1-f2bd-96da-9922ebb2aa60@mtcc.com> <YECpybvczdbKHvHx@puck.nether.net> <CAMm+LwiiySi5O1_WDc4-F9x1XfMFFvE-rEbc4uw+31DHJNEHEA@mail.gmail.com> <3f4db10c-dd92-354b-4fc9-6f14f4383454@network-heretics.com> <809967EB-F315-48D9-A301-73DFA4212FDE@dukhovni.org> <f9ad3bdd-3768-8c5f-a98c-73249f9a5ac3@network-heretics.com>
Date: Thu, 04 Mar 2021 15:52:38 -0500
In-Reply-To: <f9ad3bdd-3768-8c5f-a98c-73249f9a5ac3@network-heretics.com> (Keith Moore's message of "Thu, 4 Mar 2021 14:59:47 -0500")
Message-ID: <tsleegufxpl.fsf@suchdamage.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/xFMx1huGOlHpY60si6CabB7KjmE>

>>>>> "Keith" == Keith Moore <moore@network-heretics.com> writes:
    Keith>    IOW it's not only TLS and X.509 that are needed, but a
    Keith> stack (including browser) that can use these without needing
    Keith> DNS or external connectivity.

I've been doing this a fair bit for isolated networks for cyber training
and for other things in that space.
We end up providing a DNS and a PKI etc.
At this point it's going to be simpler to provide some good devops'd dns
and PKI than to go develop a custom browser.

I gave a talk on our work at
https://debconf20.debconf.org/talks/32-when-we-virtualize-the-whole-internet/

last year. It's focused more on the software packaging aspects of
setting up the more complex aspects of the infrastructure, but does give
an architectural overview for this sort of approach.
If all you need is DNS and PKI and the like, it's much simpler than the
problems I focus on in the talk.