Re: [ipwave] draft-ietf-ipwave-ipv6-over-80211ocb-00 encryption at MAC or above LLC?

Jérôme Härri <jerome.haerri@eurecom.fr> Fri, 03 February 2017 13:50 UTC

From: Jérôme Härri <jerome.haerri@eurecom.fr>
To: 'Alexandre Petrescu' <alexandre.petrescu@gmail.com>, its@ietf.org
Date: Fri, 03 Feb 2017 14:50:57 +0100
Organization: EURECOM
Archived-At: <https://mailarchive.ietf.org/arch/msg/its/aXQlcyGHJO8ppnlICfaPEc113Kk>
List-Id: IPWAVE - IP Wireless Access in Vehicular Environments WG at IETF <its.ietf.org>

Hello Alex,

I agree with you. Encryption can only be done at L3 and above in our case, as OCB disconnects any security mechanisms at the MAC layer and it is possible for IETF to make changes to a lower layer. 

And I would more generally tend to think that encryption should be 'end-2-end', so at a service/application layer (e.g. IoT applications)... MAC headers will be sent in clear, and the question would be: what would we need to transmit at the L3 layer, which would not be coming from a higher layer (thus L3 headers), and which would need to be encrypted? 

Nevertheless, we should leave the possibility to encrypt at L3 (as you suggest), although I have the feeling that encryption will actually be done at an application level.

Best Regards,

Jérôme 

-----Original Message-----
From: its [mailto:its-bounces@ietf.org] On Behalf Of Alexandre Petrescu
Sent: Friday 03 February 2017 13:56
To: its@ietf.org
Subject: [ipwave] draft-ietf-ipwave-ipv6-over-80211ocb-00 encryption at MAC or above LLC?

draft-ietf-ipwave-ipv6-over-80211ocb-00
encryption at MAC or above LLC?

Hello IPWAVErs,

A question was raised about whether encryption would take place at MAC layer or above the LLC layer (i.e. IP layer)?

My answer is that encryption should be performed at least at the IP layer, namely IPsec and Encapsulated Security Payload (ESP) header.

The details about how the encryption is performed should be described in a different I-D.

But in the IPv6/OCB draft we can tell that "encryption MAY be performed at least in the IPsec layer (and potentially in the MAC layer as well)".

Alex