Re: [manet] Ben Campbell's No Objection on draft-ietf-manet-dlep-26: (with COMMENT)
"Ben Campbell" <ben@nostrum.com> Thu, 15 December 2016 14:54 UTC
Return-Path: <ben@nostrum.com>
X-Original-To: manet@ietfa.amsl.com
Delivered-To: manet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EDFE12965A; Thu, 15 Dec 2016 06:54:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.796
X-Spam-Level:
X-Spam-Status: No, score=-4.796 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-2.896] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hfQo1mGXyJbk; Thu, 15 Dec 2016 06:54:04 -0800 (PST)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DAFAB12963D; Thu, 15 Dec 2016 06:54:03 -0800 (PST)
Received: from [10.0.1.39] (cpe-66-25-7-22.tx.res.rr.com [66.25.7.22]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id uBFErwnx073648 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 15 Dec 2016 08:53:58 -0600 (CST) (envelope-from ben@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host cpe-66-25-7-22.tx.res.rr.com [66.25.7.22] claimed to be [10.0.1.39]
From: Ben Campbell <ben@nostrum.com>
To: Henning Rogge <hrogge@gmail.com>
Date: Thu, 15 Dec 2016 08:53:58 -0600
Message-ID: <770ED361-BE84-4C10-918D-1A99C6D5EDC2@nostrum.com>
In-Reply-To: <CAGnRvupCTaXwDf1y4k0FDeOjTYTjRG0P4twcw4Fzxc1zsKPcrg@mail.gmail.com>
References: <148167372944.10880.17965532160271098693.idtracker@ietfa.amsl.com> <CALtoyokUNSOypVaiVXk=_6fx7TfsQr5ETGatd3t-Qa=edr=Tmw@mail.gmail.com> <D0192C79-F7EC-4DED-9AE8-23EC89F2DA8C@nostrum.com> <CAGnRvupCTaXwDf1y4k0FDeOjTYTjRG0P4twcw4Fzxc1zsKPcrg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.6r5310)
Archived-At: <https://mailarchive.ietf.org/arch/msg/manet/TKTl364i24iCMKsY6yb7CXHpzkM>
Cc: draft-ietf-manet-dlep@ietf.org, MANET IETF <manet@ietf.org>, The IESG <iesg@ietf.org>, manet-chairs@ietf.org
Subject: Re: [manet] Ben Campbell's No Objection on draft-ietf-manet-dlep-26: (with COMMENT)
X-BeenThere: manet@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Mobile Ad-hoc Networks <manet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/manet>, <mailto:manet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/manet/>
List-Post: <mailto:manet@ietf.org>
List-Help: <mailto:manet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/manet>, <mailto:manet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Dec 2016 14:54:05 -0000
On 15 Dec 2016, at 2:45, Henning Rogge wrote: > On Wed, Dec 14, 2016 at 5:31 PM, Ben Campbell <ben@nostrum.com> wrote: >>> We (the co-authors) have received feedback from some radio vendors >>> stating >>> that a "MUST use TLS" in all cases would be a show-stopper. We see >>> deployments where a small number of devices co-exist on the LAN >>> segment - >>> for example, a router, a line-of-sight radio, a satellite terminal, >>> and a >>> small number of other devices. We're open to the construction you >>> suggest, >>> and will discuss it. >> >> Understood. That suggests there are reasons to not _use_ TLS other >> than the >> listed one, so "MUST unless" may not be what you want. Any thoughts >> on why >> TLS should not be mandatory to _implement_? > > I might exaggerate it a little bit but I think using TLS for DLEP is > at best a waste of time to implement. I have yet to hear about an > attacker model for a single hop DLEP connection (which is necessary > because otherwise the bridged datapath is broken!) which is not easily > dealt with MAC-layer security. > > At worst TLS will kill one of the most important aspects of DLEP, easy > integration and autodiscovery of radios by different vendors to any > kind of router. > > TLS also opens can of worms (additional questions). How is the DLEP > certificates be handled? Are there mandatory types of certificate > algorithms (if not, you break interoperability)? How do you secure the > UDP part of DLEP for discovery (DTLS?) ? How do you make sure that the > DTLS connection is to the same endpoint as the TLS connection? > > There is a LOT of work in this direction without any gain. IIRC, you are arguing against even the existing "SHOULD implement" requirement? When you talk about a single-hop connection, are you assuming a direct connection from the router to the modem, or that the router and modem are on the same LAN segment? Thanks! Ben.
- [manet] Ben Campbell's No Objection on draft-ietf… Ben Campbell
- Re: [manet] Ben Campbell's No Objection on draft-… Stan Ratliff
- Re: [manet] Ben Campbell's No Objection on draft-… Ben Campbell
- Re: [manet] Ben Campbell's No Objection on draft-… Henning Rogge
- Re: [manet] Ben Campbell's No Objection on draft-… Ben Campbell
- Re: [manet] Ben Campbell's No Objection on draft-… Rick Taylor
- Re: [manet] Ben Campbell's No Objection on draft-… Ben Campbell
- Re: [manet] Ben Campbell's No Objection on draft-… Henning Rogge