IETF Logo Mail Archive

Re: [ippm] Fw: New Version Notification for draft-elkins-ippm-encrypted-pdmv2-00.txt

"nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com> Mon, 05 July 2021 16:27 UTC

Return-Path: <nalini.elkins@insidethestack.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E31803A1D74 for <ippm@ietfa.amsl.com>; Mon, 5 Jul 2021 09:27:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jARhQZPF7EIu for <ippm@ietfa.amsl.com>; Mon, 5 Jul 2021 09:27:17 -0700 (PDT)
Received: from sonic306-27.consmr.mail.ne1.yahoo.com (sonic306-27.consmr.mail.ne1.yahoo.com [66.163.189.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F4523A1D6F for <ippm@ietf.org>; Mon, 5 Jul 2021 09:27:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1625502434; bh=e6FnK6Rz/cUhUxbABEtb5eUUQswP+LC3rWGxKwNZYjs=; h=Date:From:To:In-Reply-To:References:Subject:From:Subject:Reply-To; b=Q1G/UM8eCSIfI+YzFkr/sayORCFB6668LsJu72RcIln7Mh3RFmzzXwZkF61+4+xQ2yseCSOIXBGbvAptqLzc0fc2dcKtLKHtlppBlsUfOcl8bQetSo+amZT6TQE1kgYgqaGwemFFcaTWEEq6WmOG7DWaaktyUbXqx9262MFBmD49bcvR9ZkLXSTJx5qLNQ5Ag4EIUgMG7Z6KM6mW22/o10f5wbUUPva4AQgb+Xa1HO7JdgN6yUykO6Kyj9mLRWaADZKg+nuuoEoQ0h0lOqKaftQ6eH8jvmc+njNH27P2hmiPjZ1OT+JTDG0z5Xk5TvMjBJOeQC0kJWowlzXt+3+atA==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1625502434; bh=hwTG192xd+CDwkyj/STzcVT9ItQ+mz5PeHmRCX6+th5=; h=X-Sonic-MF:Date:From:To:Subject:From:Subject; b=CQDVetPbSodRSjK0KJ3nMK9eiPfv+WGikr37Yc4Jta2oxrGqNe04jNr1sfE9+6nco47fjQVGrPGcJlC3hKP0SpsAkyuFAhk3xe1cB/72ozuaUnyqde44Cu0hQjFwjZqmOYnIKscU8vywYWj1F4RHVjaYxGYQQpMA6CkKfez1cSrAq7ksT7XZ3PyKFNh460KHqlt46jGs4jhPNBmYMlvZMr6t1BI0rcysoFBs/W8mb2JhXWdqi8yeca5J4NRY4mjUkHPLXy3AlAhJ5ojCHW0kA29Cg6tBRuEQYEGv6B1GlUOLFFnAYc5/1D9G7Ct6V1YIyN/5UgIO7by26KEjKTfbXA==
X-YMail-OSG: jHKBR8IVM1kvqbLUVXypqZNk6pQYnfSyHs5xpTWPuX0_cP48Wad8lc3AmDVMOvA i4m1aX0lp3KaSiVt2drniNyVEUF5hFNFutaWFpBxykiglQv43p.A3OUPYv2WsIhq0JnzvK7XiJr5 tol_VvkYGcb.1YLwAb2xfhdzkGF7Ejdn23A028dhXKNGA6LLW2_8Tu.KJwdOYuPhGrUYpspymyP3 Wac2tfMPeZrjfd.gdt5Iz4HKAcEHuMakaN_cvi0gmUtbO6bNn5VFkYZpFAf1nFzRFncv2z0WVp3y jUPJng.2r9thA3aZLlc9pz00qIyLTKc8devDSccmi1ZE255Q4J0gRNK4b_Rhpw_fhTil7o6MI4qa aOsrogSLIyg9OM0NsZWnGcfT_rrQL.FFpIRd1GFYMkbVRb4MDDU7nkHNeyCP4lOI1PtYFZdpTv_3 Zx87NOHgH3N9zoujVpDCDwIKFOcvc1BfXEg7aGFmy5.3uAClupzQExduaYHC7zR6Vjk.TSSFdBbh 2FP7uIll2c8InWIpr9G.Cb8Y76ODcrr9hHFRtWovHSjHOAGA75rCstAc3DmKP2OeXaxJkOI_iP6O AiwnWMvCTdgyOYk4z_uizxKGnrNyNB1n0TqgGAxriOBrFLYCSdoQR2wKQwGYfpLcoO1SNdOddwU6 C52GZI2HZVX9wVyfQ4YQzPjzyD3.zHz0msG_Gr80HqxyndlttOSUPEBhMr3MslGd5SPPWo6Ky7C8 48TatL2fXWxJy8p2s2hFUdSrPPj6tCkU0wMq0lf3sGKY1GiDIG1j23FHalrjop75gghThqoPndh. 4n1ee.6iZIoBJBpQtPX.qdROdHvjkT6TdHra51yh0Sds_.tiHCMHpq0vtswj50AjMqJJF00xeB1I xkiWacQOalrZZSCHBMJ3W79M8u4Q_ig4u6M8EeHR8BxPH2xyIneDSmoRVNgEWdDgO18KdgXEP0qB QmdQk_g4iLV79.BV_WzqfcGRUGB7xuygnKE61oOoP5VbeYbYA5f8v5cjxpzbMj.AVtrUmgb73bjv LOEoEoKEedzvIax_IYA53Yy_7Luo7THZrILxBSJhvWHdyoSnBfgqKBUv_mv1XmQ55fndNb5S5FYZ _rkYeSwz3bAkWFWN070aCPgPzOKUi9Ua1pan8PRWi.WznRS1CE5uiCBkeJdhJhAgxpXS4jabwvHi avSW.gJldnUfjkAPjTkuHZZh2DGIYlaAWyAAsqBjmsj1yacgOB2SfJa6vYjR2boBh2uoxU9RwXKZ 4ugslJAEn8f_qx1Ab1bxWinfa9ex2s9C.O8yug1k9wx_8KTMkyeLwQa.KDOS1R0QiaqoVcoEuFSl R34ahBT4DtxxX6cLVKvATgTe7oY6sJc52XzS7HuZWF5ug_FGvzxAfL_cPUDu5XKPPV.2gc4EIakT 0SbSjkTORLOZ8l4rGkucElA0g7MwwQ68wPvfmT_EksU10urFpWxVxcKFu1.RTWqFg6wBo8GdcIQE S1WDn9jYGlSDzt3dplhsWnDCR_35x9GNCmKajurGUwjif9xfE.N3sZmLCMSFQHLZ2jkU6N.ReUBd Jkj9ht3ri2nUT6qdqDwNLG8wanDFr6pJdRXa0JSFwMr56YIukfyPFCXDJZkKRSLRKHkgE1cgAdMx b7fwNG9fp.IzjupZUin6DL_cEZIo3FqJL6HG8FTVXNeAkeH08FrAHePNJLTjgJjQRT0snoD0gqn4 2yiODV.BTvsFKaWQzMeMeaUBofMoovJRO1ki695WbF7mqYNLIuMVqB4bxygg4MDJn6UKxQhc6PTH m45iVj5etdp0nRxJgMcYxginAUiOSNLmr2TCW9WYAdaie6Ird4m7o9ex7gigtKY8mJFpqYGseLzP Alu4lUacj43mmd4geN_cYXjpkELi9PbjQ7fm8NE_oMMy9.XhzWaq8EUBNiWf_rgfroCMj1aiOtmm roqCggdeWDbXV7jij_KS.GDJdTmnetjX40a9doxLw5SrCHRJuaEaaLq1YuXTWOy8BZ39qPhVt4Gp gd342ZEeVf6FL9tL_FLdpww7g9TUYjBC5wPYx4w4vfWLVKjvxFQlZt6.ddeXsUqf7riQbC7DsgPg yg2c.J354iRgzdwY2kEQQiilOQhKONJp_fBUzsRVAsyq3YlevRyvmD9SmlGqKH2Q1YhelMNZ8sVp EC5SFPNyQd3cX4oxzPgQCyn.lu3gEC6l_KVWC8KVSQqSDrapd6r_eEgQc0w9dTN1X_HlcjIQU4a3 zqEHk06hA.yJ6jOojWHmsjGGhVDNV3YLiZj0RQH9QXkE4ISkVPe_OvCz6AU12cnxMtj6Cr42HvIv Y39sIA57Or6CcXH6C7TrckdFfS9YH.tQDy9eHmHLVQJxKUB8q__VaOW73Fui5W2OVyagMwu7kARN te2EJaIGbn3HWjgridKyLI5rtQdpuBCejPBqe7HSU8b4u9CxwIazyCMVfzFmQ86OnoeMZgWos3TK Y5Obr2SblKwLpI7TgSvFQl06M26XCHeeRbOXJC3Hn6jVXD1aRj2BrJyu3gU8EEX7aN8ysE0jIeTO ffsEM97_lt6fv5WsMIcOJKmLrhMzGpurmDy46s4eCi5cwbuzRQ.4bFDoNpEAa1vObPWXIdzEli5c zhZ1QkhsCl28-
X-Sonic-MF: <nalini.elkins@insidethestack.com>
Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Mon, 5 Jul 2021 16:27:14 +0000
Date: Mon, 05 Jul 2021 16:27:12 +0000
From: "nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com>
To: "ippm@ietf.org" <ippm@ietf.org>, "Hamilton, Robert" <RHamilton=40cas.org@dmarc.ietf.org>
Message-ID: <1732873610.1690997.1625502432340@mail.yahoo.com>
In-Reply-To: <c0651506a3fb437c9300b1fc14206560@cas.org>
References: <162256330634.19677.3885804345914692467@ietfa.amsl.com> <28584824.2341925.1622563579715@mail.yahoo.com> <721002155.671981.1625161479360@mail.yahoo.com> <c0651506a3fb437c9300b1fc14206560@cas.org>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_1690996_1353231007.1625502432337"
X-Mailer: WebService/1.1.18469 YMailNorrin
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/E8D0WIBdYY8ju27M8kdCyhHB2KU>
Subject: Re: [ippm] Fw: New Version Notification for draft-elkins-ippm-encrypted-pdmv2-00.txt
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Jul 2021 16:27:31 -0000

Hi Robert,[Posting for some of the co-authors.]We fully agree with your concerns. However, we’re confident that HPKE will reach the RFC status soon. Moreover, also other protocols (e.g., MLS, see https://www.ietf.org/archive/id/draft-ietf-mls-architecture-06.txt) are using it.About HPKE itself, there are two different aspects to consider: HPKE (as an architecture, API, etc.) and the cryptographic functions used by HKPE. While HPKE is still in draft, the cryptographic functions are well-known and proven. Hence, we don’t expect any concern related to the encryption methods used by HPKE.The fact that Tommy confirms that it is being implemented and deployed reinforces our confidence on the fact that its availability is not going to be a critical point.
In any case, we will take this point into consideration, as it is a valid concern.
Best regards,
Nalini, Tom, and Adnan
  

    On Thursday, July 1, 2021, 02:05:31 PM PDT, Hamilton, Robert <rhamilton=40cas.org@dmarc.ietf.org> wrote:  
 
 I am interested in the encryption of the PDM header, just because I've done symmetric-key encryption with pseudorandom numbers and pseudorandom obfuscation algorithms for key management. I see that we are interested in using HPKE. I have just a few concerns:

 - The latest HPKE draft expired just last week. That means it's some time before general implementation. I'm a mainframer, mostly, so I suspect that makes it even longer before I'll see implementation for _production_ use. Further, I don't want the implementation of PDM in more secure environments delayed because of encryption-method concerns.

 - When we generate the PDM structure and determine the timing, we want that to be as close to the wire as possible. The PDM timing was very granular, so this will add a variable amount of time to the time the packet is determined to be spending in transmission; the encryption delay is now part of the transmission time.

Still reviewing; I'll be back with more thoughts.

R;


Rob Hamilton
Infrastructure Engineer
Chemical Abstracts Service

-----Original Message-----
From: ippm <ippm-bounces@ietf.org> On Behalf Of nalini.elkins@insidethestack.com
Sent: Thursday, July 1, 2021 1:45 PM
To: IETF IPPM WG <ippm@ietf.org>
Cc: draft-elkins-ippm-encrypted-pdmv2@ietf.org
Subject: [EXT] Re: [ippm] Fw: New Version Notification for draft-elkins-ippm-encrypted-pdmv2-00.txt

[Actual Sender is ippm-bounces@ietf.org]

IPPM,

Please do take a look at this draft.

I think that iOAM will need encryption as well.   We have spent quite a bit of time thinking over these issues.  We even have 2 cryptographers from Italy involved as co-authors.   I want to do a side meeting where we can have quite a bit more time to discuss this but would love to have comments from the group on the list.

I am very reluctant to push PDM out to the wider world without encryption.  I feel that we will become the attacker's best friend.
We have modified the Linux kernel to include PDM but as I say, without encryption, we do not wish to release.


Thanks,

Nalini Elkins
CEO and Founder
Inside Products, Inc.
https://smex12-5-en-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=www.insidethestack.com&umid=61654d20-9615-453c-80b2-c06c82268e9d&auth=3c97381e9a30865a1a3f3ad58750d85b2b059558-86a3cb083390e2163fd0daaf45646c2a55adf702
(831) 659-8360






On Tuesday, June 1, 2021, 09:06:39 AM PDT, nalini.elkins@insidethestack.com <nalini.elkins@insidethestack.com> wrote: 





Hello IPPMers!

We have just posted a new draft to encrypt PDM data.   We feel that this is an important feature to add before promoting widespread adoption of PDM.

We would appreciate any thoughts or comments from the group.

Thanks,

Nalini Elkins
CEO and Founder
Inside Products, Inc.
https://smex12-5-en-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=www.insidethestack.com&umid=61654d20-9615-453c-80b2-c06c82268e9d&auth=3c97381e9a30865a1a3f3ad58750d85b2b059558-86a3cb083390e2163fd0daaf45646c2a55adf702
(831) 659-8360






----- Forwarded Message -----

From: "internet-drafts@ietf.org" <internet-drafts@ietf.org>
To: mackermann@bcbsm.com <mackermann@bcbsm.com>; Adnan Rashid <adnan.rashid@unifi.it>; Ameya Deshpande <ameyanrd@gmail.com>; Michael Ackermann <mackermann@bcbsm.com>; Nalini Elkins <nalini.elkins@insidethestack.com>; Tommaso Pecorella <tommaso.pecorella@unifi.it>
Sent: Tuesday, June 1, 2021, 12:01:47 PM EDT
Subject: New Version Notification for draft-elkins-ippm-encrypted-pdmv2-00.txt



A new version of I-D, draft-elkins-ippm-encrypted-pdmv2-00.txt
has been successfully submitted by Nalini Elkins and posted to the
IETF repository.

Name:        draft-elkins-ippm-encrypted-pdmv2
Revision:    00
Title:        Encrypted IPv6 Performance and Diagnostic Metrics Version 2 (EPDMv2) Destination Option
Document date:    2021-06-01
Group:        Individual Submission
Pages:        16
URL:            https://www.ietf.org/archive/id/draft-elkins-ippm-encrypted-pdmv2-00.txt
Status:        https://datatracker.ietf.org/doc/draft-elkins-ippm-encrypted-pdmv2/
Htmlized:      https://datatracker.ietf.org/doc/html/draft-elkins-ippm-encrypted-pdmv2


Abstract:
  RFC8250 describes an optional Destination Option (DO) header embedded
  in each packet to provide sequence numbers and timing information as
  a basis for measurements.  As this data is sent in clear- text, this
  may create an opportunity for malicious actors to get information for
  subsequent attacks.  This document defines PDMv2 which has a
  lightweight handshake (registration procedure) and encryption to
  secure this data.  Additional performance metrics which may be of use
  are also defined.

                                                                                  


The IETF Secretariat




_______________________________________________
ippm mailing list
ippm@ietf.org
https://www.ietf.org/mailman/listinfo/ippm

_______________________________________________
ippm mailing list
ippm@ietf.org
https://www.ietf.org/mailman/listinfo/ippm
Confidentiality Notice: This electronic message transmission, including any attachment(s), may contain confidential, proprietary, or privileged information from CAS, a division of the American Chemical Society ("ACS"). If you have received this transmission in error, be advised that any disclosure, copying, distribution, or use of the contents of this information is strictly prohibited. Please destroy all copies of the message and contact the sender immediately by either replying to this message or calling 614-447-3600.
_______________________________________________
ippm mailing list
ippm@ietf.org
https://www.ietf.org/mailman/listinfo/ippm

v2.23.0 | Report a Bug | By Email