Re: [Iot-directorate] Iotdir early review of draft-camwinget-tls-ts13-macciphersuites-06

"Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com> Sun, 09 August 2020 14:10 UTC

From: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "iot-directorate@ietf.org" <iot-directorate@ietf.org>
CC: "draft-camwinget-tls-ts13-macciphersuites.all@ietf.org" <draft-camwinget-tls-ts13-macciphersuites.all@ietf.org>, Jack Visoky <jmvisoky@ra.rockwell.com>
Date: Sun, 09 Aug 2020 14:10:11 +0000
Message-ID: <919FE80F-C51D-4BF9-BCA8-A652BD724EE1@cisco.com>
References: <159693845367.4048.18288256104777981676@ietfa.amsl.com>
In-Reply-To: <159693845367.4048.18288256104777981676@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-directorate/-bGJVnu5m_0MblNFtL6Pfj112fE>

Hi Michael,
Thanks for the review.  Adrian also provided feedback to the use cases as we (the authors) will work towards tightening them up
or clarifying them... and correct that (at least for me) the most compelling one is the blackbox auditability.  The others are also there
as some of the not so older systems do not have AES but yes to SHA-2.  I believe the authentication could be done at a software stack
as that is not done as frequently.

Warm regards,  Nancy

On 8/8/20, 7:01 PM, "Iot-directorate on behalf of Michael Richardson via Datatracker" <iot-directorate-bounces@ietf.org on behalf of noreply@ietf.org> wrote:

    Reviewer: Michael Richardson
    Review result: Ready
    
    Reviewer: Michael Richardson
    Review result: Ready with Nits
    Document: draft-camwinget-tls-ts13-macciphersuites-06
    
    I have reviewed this document.
    I found it clear and well written.
    
    I reviewed the discussion in the TLS WG list at:
       https://mailarchive.ietf.org/arch/msg/tls/0oy4wY4xiB1tASCBDWczh2xTVMM/
    
    I found the discussion in the TLS list as to why the TLS WG should not adopt
    it compelling, and I understand and agree with the reasons to go via the ISE.
    I do not feel that this is a run-around the WG.
    
    I did not find the three initial use cases at all compelling :-(
      SHA256, implemented in software, is not particularly faster than AES.
      See, for instance: https://cryptopp.com/benchmarks.html
      where we see ~100 MiB/s {O(10^2)} for most algorithms on "big CPU"
      (with some exceptions)
      I suspect they are all bound by memory I/O speeds, not details of the algorithm.
      I could not see an AEAD mode bench tested on that page.
    
    On smaller CPUs, the difference MIGHT be more compelling, but on the smaller
    such CPUs, there is usually AES acceleration, which would make use of
    a hardware accelerated AES based AEAD algorithm likely better than SHA256.
    Of course, there are probably some devices, built without any security in
    mind, which lack even that.  I question whether or not they will be able to
    do reasonable authentication of the TLS end points (the RSA or ECDSA operations).
    
    The use which I *DID* find compelling was in the fourth case, and I suspect
    that it covers many of the other cases.
    
       Furthermore, requirements for providing blackbox
       recording of the safety related network traffic can only be fulfilled
       through using integrity only ciphers, to be able to provide the
       safety related commands to a third party, which is responsible for
       the analysis after an accident.
    
    I found this compelling, as it has nothing at all to do with relative speeds,
    or perceived latencies, but on audit trails.
    
    
    
    
    