Re: [ipwave] draft-ietf-ipwave-ipv6-over-80211ocb-00 encryption at MAC or above LLC?

Rex Buddenberg <buddenbergr@gmail.com> Fri, 03 February 2017 16:37 UTC

Message-ID: <1486139829.10706.139.camel@gmail.com>
From: Rex Buddenberg <buddenbergr@gmail.com>
To: Jérôme Härri <jerome.haerri@eurecom.fr>, 'Alexandre Petrescu' <alexandre.petrescu@gmail.com>, its@ietf.org
Date: Fri, 03 Feb 2017 08:37:09 -0800
In-Reply-To: <028601d27e24$8bc6cdf0$a35469d0$@eurecom.fr>
References: <148052970170.9607.12043916621198119260.idtracker@ietfa.amsl.com> <8a65d141-4e77-c7db-93ee-59ac08421685@cea.fr> <028601d27e24$8bc6cdf0$a35469d0$@eurecom.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/its/pxFauQsLQP3G4Qcqvomsw6g9vY4>
Subject: Re: [ipwave] draft-ietf-ipwave-ipv6-over-80211ocb-00 encryption at MAC or above LLC?
List-Id: IPWAVE - IP Wireless Access in Vehicular Environments WG at IETF <its.ietf.org>

Jerome,

Right.

Scope. Encryption at layer 2 limits the scope to the network segment.
Like the rest of the header, encryption has to be removed before the
router. Similarly, L3 (and L4/L5) encryption has to be removed before
the data reaches the end system (usually in the TCP socket).  Thus the
data has no protection within the end system.  L6/7 (aka end-to-end)
can provide protection in the end system.

Requirement. Further, in this set of applications, authenticity is more
important than confidentiality.  Encryption (at least using public key)
provides no authenticity.  

I think the interoperability requirements will make encryption at any
layer below 6 to be very difficult to scale.  By the time you've gotten
everybody who needs the keys properly endowed, you've gotten keys into
the hands of those you didn't want.

b



On Fri, 2017-02-03 at 14:50 +0100, Jérôme Härri wrote:
> Hello Alex,
> 
> I agree with you. Encryption can only be done at L3 and above in our
> case, as OCB disconnects any security mechanisms at the MAC layer and
> it is possible for IETF to make changes to a lower layer. 
> 
> And I would more generally tend to think that encryption should be
> 'end-2-end', so at a service/application layer (e.g. IoT
> applications)... MAC headers will be sent in clear, and the question
> would be: what would we need to transmit at the L3 layer, which would
> not be coming from a higher layer (thus L3 headers), and which would
> need to be encrypted? 
> 
> Nevertheless, we should leave the possibility to encrypt at L3 (as
> you suggest), although I have the feeling that encryption will
> actually be done at an application level.
> 
> Best Regards,
> 
> Jérôme 
> 
> -----Original Message-----
> From: its [mailto:its-bounces@ietf.org] On Behalf Of Alexandre
> Petrescu
> Sent: Friday 03 February 2017 13:56
> To: its@ietf.org
> Subject: [ipwave] draft-ietf-ipwave-ipv6-over-80211ocb-00 encryption
> at MAC or above LLC?
> 
> draft-ietf-ipwave-ipv6-over-80211ocb-00
> encryption at MAC or above LLC?
> 
> Hello IPWAVErs,
> 
> A question was raised about whether encryption would take place at
> MAC layer or above the LLC layer (i.e. IP layer)?
> 
> My answer is that encryption should be performed at least at the
> IP layer, namely IPsec and Encapsulated Security Payload (ESP)
> header.
> 
> The details about how the encryption is performed should be described
> in a different I-D.
> 
> But in the IPv6/OCB draft we can tell that "encryption MAY be
> performed at least in the IPsec layer (and potentially in the MAC
> layer as well)".
> 
> Alex
> 
> 
> _______________________________________________
> its mailing list
> its@ietf.org
> https://www.ietf.org/mailman/listinfo/its
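The thread's point that encryption by itself provides no authenticity, and Alex's suggestion of ESP, can be shown concretely with the two modes ESP can carry: a confidentiality-only cipher versus an AEAD. The following Go program is an added example, not code from the thread or from the IPWAVE draft; the key, the "SPEED=050 LANE=2" payload, the `hdr` associated data and the function names (`ctrXOR`, `newGCM`, `TamperCTR`, `TamperGCM`, `GCMRoundTrip`) are all constructed for illustration. It encrypts a frame with AES-CTR, alters one ciphertext byte without the key, and shows the receiver decrypting a changed value with no indication anything happened; the same alteration against AES-GCM is rejected at verification.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"log"
)

// Constructed sample key (not from the thread). 32 bytes selects AES-256.
var sampleKey = []byte("0123456789abcdef0123456789abcdef")

// ctrXOR applies AES-CTR under key with a 16-byte IV. Encryption and
// decryption are the same keystream XOR, which is what makes CTR malleable.
func ctrXOR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// newGCM builds an AES-GCM AEAD (12-byte nonce, 16-byte tag).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// TamperCTR encrypts msg with AES-CTR, changes one ciphertext byte so that
// plaintext byte i decrypts to want, and returns what the receiver recovers.
// The change needs only knowledge of the original plaintext byte, not the key:
// confidentiality alone gives the receiver no way to notice it.
func TamperCTR(key, iv, msg []byte, i int, want byte) ([]byte, error) {
	ct, err := ctrXOR(key, iv, msg)
	if err != nil {
		return nil, err
	}
	// ct[i] = msg[i] ^ ks[i]; XOR in (msg[i] ^ want) so it decrypts to want.
	ct[i] ^= msg[i] ^ want
	return ctrXOR(key, iv, ct)
}

// TamperGCM seals msg with AES-GCM (aad stands in for headers sent in clear
// but covered by the tag), flips one ciphertext bit, and returns the
// receiver's verification error; nil would mean the forgery was accepted.
func TamperGCM(key, nonce, msg, aad []byte, i int) error {
	aead, err := newGCM(key)
	if err != nil {
		return err
	}
	ct := aead.Seal(nil, nonce, msg, aad)
	ct[i] ^= 0x01
	_, err = aead.Open(nil, nonce, ct, aad)
	return err
}

// GCMRoundTrip is the honest path: seal then open with the same aad.
func GCMRoundTrip(key, nonce, msg, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, aead.Seal(nil, nonce, msg, aad), aad)
}

func main() {
	msg := []byte("SPEED=050 LANE=2") // constructed sample payload
	iv := make([]byte, 16)
	nonce := make([]byte, 12)
	// A sender must never reuse an IV/nonce under one key; random here.
	if _, err := rand.Read(iv); err != nil {
		log.Fatal(err)
	}
	if _, err := rand.Read(nonce); err != nil {
		log.Fatal(err)
	}
	got, err := TamperCTR(sampleKey, iv, msg, 6, '9')
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("CTR receiver decrypts tampered frame as: %q\n", got)
	fmt.Printf("GCM receiver on tampered frame: %v\n",
		TamperGCM(sampleKey, nonce, msg, []byte("hdr"), 6))
}
```

The CTR receiver gets a well-formed but altered value and cannot tell; the GCM receiver gets an authentication error and discards the frame. This is why ESP carries an Integrity Check Value alongside the encrypted payload: whichever layer the working group settles on, the choice of algorithm decides whether the receiver learns that data was changed in transit, and a confidentiality-only configuration does not answer the authenticity requirement raised above.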