Re: [manet] Ben Campbell's No Objection on draft-ietf-manet-dlep-26: (with COMMENT)
"Ben Campbell" <ben@nostrum.com> Thu, 15 December 2016 15:08 UTC
Return-Path: <ben@nostrum.com>
X-Original-To: manet@ietfa.amsl.com
Delivered-To: manet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A7FA1296BF; Thu, 15 Dec 2016 07:08:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.796
X-Spam-Level:
X-Spam-Status: No, score=-4.796 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-2.896] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XB4Xuftz1EQZ; Thu, 15 Dec 2016 07:08:10 -0800 (PST)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BA66129654; Thu, 15 Dec 2016 07:08:09 -0800 (PST)
Received: from [10.0.1.39] (cpe-66-25-7-22.tx.res.rr.com [66.25.7.22]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id uBFF86Ft075155 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 15 Dec 2016 09:08:06 -0600 (CST) (envelope-from ben@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host cpe-66-25-7-22.tx.res.rr.com [66.25.7.22] claimed to be [10.0.1.39]
From: Ben Campbell <ben@nostrum.com>
To: Rick Taylor <rick@tropicalstormsoftware.com>
Date: Thu, 15 Dec 2016 09:07:54 -0600
Message-ID: <51386411-8457-43F1-A081-86290630E762@nostrum.com>
In-Reply-To: <1481813907.2566.16.camel@tropicalstormsoftware.com>
References: <148167372944.10880.17965532160271098693.idtracker@ietfa.amsl.com> <CALtoyokUNSOypVaiVXk=_6fx7TfsQr5ETGatd3t-Qa=edr=Tmw@mail.gmail.com> <D0192C79-F7EC-4DED-9AE8-23EC89F2DA8C@nostrum.com> <CAGnRvupCTaXwDf1y4k0FDeOjTYTjRG0P4twcw4Fzxc1zsKPcrg@mail.gmail.com> <770ED361-BE84-4C10-918D-1A99C6D5EDC2@nostrum.com> <1481813907.2566.16.camel@tropicalstormsoftware.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Mailer: MailMate (1.9.6r5310)
Archived-At: <https://mailarchive.ietf.org/arch/msg/manet/kqU08Adq69WS9HcrcO-ZT2SaaaY>
Cc: "manet@ietf.org" <manet@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-manet-dlep@ietf.org" <draft-ietf-manet-dlep@ietf.org>, "manet-chairs@ietf.org" <manet-chairs@ietf.org>
Subject: Re: [manet] Ben Campbell's No Objection on draft-ietf-manet-dlep-26: (with COMMENT)
X-BeenThere: manet@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Mobile Ad-hoc Networks <manet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/manet>, <mailto:manet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/manet/>
List-Post: <mailto:manet@ietf.org>
List-Help: <mailto:manet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/manet>, <mailto:manet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Dec 2016 15:08:13 -0000
On 15 Dec 2016, at 8:58, Rick Taylor wrote: > On Thu, 2016-12-15 at 08:53 -0600, Ben Campbell wrote: >> On 15 Dec 2016, at 2:45, Henning Rogge wrote: >> >>> >>> On Wed, Dec 14, 2016 at 5:31 PM, Ben Campbell <ben@nostrum.com> >>> wrote: >>>> >>>>> >>>>> We (the co-authors) have received feedback from some radio >>>>> vendors >>>>> stating >>>>> that a "MUST use TLS" in all cases would be a show-stopper. We >>>>> see >>>>> deployments where a small number of devices co-exist on the >>>>> LAN >>>>> segment - >>>>> for example, a router, a line-of-sight radio, a satellite >>>>> terminal, >>>>> and a >>>>> small number of other devices. We're open to the construction >>>>> you >>>>> suggest, >>>>> and will discuss it. >>>> Understood. That suggests there are reasons to not _use_ TLS >>>> other >>>> than the >>>> listed one, so "MUST unless" may not be what you want. Any >>>> thoughts >>>> on why >>>> TLS should not be mandatory to _implement_? >>> I might exaggerate it a little bit but I think using TLS for DLEP >>> is >>> at best a waste of time to implement. I have yet to hear about an >>> attacker model for a single hop DLEP connection (which is necessary >>> because otherwise the bridged datapath is broken!) which is not >>> easily >>> dealt with MAC-layer security. >>> >>> At worst TLS will kill one of the most important aspects of DLEP, >>> easy >>> integration and autodiscovery of radios by different vendors to any >>> kind of router. >>> >>> TLS also opens can of worms (additional questions). How is the >>> DLEP >>> certificates be handled? Are there mandatory types of certificate >>> algorithms (if not, you break interoperability)? How do you secure >>> the >>> UDP part of DLEP for discovery (DTLS?) ? How do you make sure that >>> the >>> DTLS connection is to the same endpoint as the TLS connection? >>> >>> There is a LOT of work in this direction without any gain. >> IIRC, you are arguing against even the existing "SHOULD implement" >> requirement? >> >> When you talk about a single-hop connection, are you assuming a >> direct >> connection from the router to the modem, or that the router and >> modem >> are on the same LAN segment? > > Most of the discussed use-cases where TLS is viewed as unnecessary are > direct connections, but some are single-hop with an 'externally > secured > perimeter'. > > The authors are happy with 'SHOULD' if it removes any blocks from the > IESG, and the WG consensus is that 'MUST' will not work for > implementers. Am I hearing that this is one of those proverbial "SHOULD BUT WE KNOW YOU WON'T" requirements :-) > > Rick
- [manet] Ben Campbell's No Objection on draft-ietf… Ben Campbell
- Re: [manet] Ben Campbell's No Objection on draft-… Stan Ratliff
- Re: [manet] Ben Campbell's No Objection on draft-… Ben Campbell
- Re: [manet] Ben Campbell's No Objection on draft-… Henning Rogge
- Re: [manet] Ben Campbell's No Objection on draft-… Ben Campbell
- Re: [manet] Ben Campbell's No Objection on draft-… Rick Taylor
- Re: [manet] Ben Campbell's No Objection on draft-… Ben Campbell
- Re: [manet] Ben Campbell's No Objection on draft-… Henning Rogge