[multipathtcp] MPTCP external auth drafts
Alan Ford <alan.ford@gmail.com> Sat, 28 May 2016 08:32 UTC
Return-Path: <alan.ford@gmail.com>
X-Original-To: multipathtcp@ietfa.amsl.com
Delivered-To: multipathtcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F7B412D5B3 for <multipathtcp@ietfa.amsl.com>; Sat, 28 May 2016 01:32:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a9GUe_y5a8YK for <multipathtcp@ietfa.amsl.com>; Sat, 28 May 2016 01:32:36 -0700 (PDT)
Received: from mail-wm0-x22e.google.com (mail-wm0-x22e.google.com [IPv6:2a00:1450:400c:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5629D12B05F for <multipathtcp@ietf.org>; Sat, 28 May 2016 01:32:36 -0700 (PDT)
Received: by mail-wm0-x22e.google.com with SMTP id a136so20231796wme.0 for <multipathtcp@ietf.org>; Sat, 28 May 2016 01:32:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-transfer-encoding:subject:date:message-id:to :mime-version; bh=gZYagOYxs53S8KQJkkUMZj8xXZ3H/tRfHhOpGgbMgVQ=; b=JzYPEC9Eel4lY6Tcd0tpkKZ1WgIa74SsDwKSZgXFcuuYLv6UZpn8wJ6NxAU182C8LN XQhP/1Z8ETD/qFaq4oCaDEBZ/AiCTTkPYd4qer0mmiYBMjilS3no1jLiwX64ScAuGZKf CL8Dd1CV2Ptl5guLuHz9o0wLIxULyuuiSkCiheNzdDvdZEis9cq+887HhU0d2FdI+hvf jvEB3QNUJfM9iEXV2QpapGT2nOkXVVZ1uNHcjp8fj8PUV3pGz9bxeeVpngYjb7W5UAu3 ppLytOuywtYGsIJYpoF2sLYYtL1zAkFihwVSc+vZ2kvtxUEC5biU3wW5bUpxaFt8y5BA URMQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:content-transfer-encoding:subject:date :message-id:to:mime-version; bh=gZYagOYxs53S8KQJkkUMZj8xXZ3H/tRfHhOpGgbMgVQ=; b=UkRgrYU+8RawFJHQXYcPiEycQ0aAQKdbvdCIxLrnWhS3Re/TBjkh+jxyuJEwPYUfI2 8jEqDiJZg3osn5f1X9NyQG7VEnxkW+ZTHdA0/LI/M3FMksoutv7sncaMLbjzy/jyOhvv yw07AbUqDMvce9GXQCpgqU7tem2wRjefN3M7tWBtp3PRYtYpUDTsWSSex/+UZb1xzrMm M2roIyB/e+UpPtK1RfKJE1zTjr6FHGae81rjLXMxaw10O5YLjLs6l9Vn/ieYu0/egFUu NQQSLh8TaTQj1C3BkTbu5JSRmG92ksPHvmo8zpubJf7DwIuE05/5Pc/Wb/bNpKkJd6wt QOBA==
X-Gm-Message-State: ALyK8tIeYwOrAiMtHv5VeLtKWQB/0g4K2fTPA3m4BsY1BjVXvRS1D7uDie8tRm7pw3YEdw==
X-Received: by 10.28.91.209 with SMTP id p200mr2359093wmb.19.1464424354896; Sat, 28 May 2016 01:32:34 -0700 (PDT)
Received: from [192.168.0.29] (cpc99614-brnt2-2-0-cust252.4-2.cable.virginm.net. [81.98.160.253]) by smtp.gmail.com with ESMTPSA id x124sm12498475wmg.24.2016.05.28.01.32.34 for <multipathtcp@ietf.org> (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sat, 28 May 2016 01:32:34 -0700 (PDT)
From: Alan Ford <alan.ford@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Sat, 28 May 2016 09:32:37 +0100
Message-Id: <4E6D9951-D1EB-4F1F-8666-7189357053C0@gmail.com>
To: multipathtcp <multipathtcp@ietf.org>
Mime-Version: 1.0 (Apple Message framework v1283)
X-Mailer: Apple Mail (2.1283)
Archived-At: <http://mailarchive.ietf.org/arch/msg/multipathtcp/4lgoBI3gfdu8bui9RYAkF279y2M>
Subject: [multipathtcp] MPTCP external auth drafts
X-BeenThere: multipathtcp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Multi-path extensions for TCP <multipathtcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/multipathtcp/>
List-Post: <mailto:multipathtcp@ietf.org>
List-Help: <mailto:multipathtcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 May 2016 08:32:38 -0000
Hi all, Following on from the discussion at the previous two IETFs, we have submitted two drafts proposing a way forward for resolving the loadbalancers issue (or in other words, separating tokens and keys), and in turn have a proposal for using TLS keying material with MPTCP. This proposal comes in the form of two drafts, to separate protocol changes (which we would be proposing for adoption into rfc6824bis), and TLS-specific extensions (which we would suggest are kept separate). The protocol changes (http://www.ietf.org/id/draft-paasch-mptcp-application-authentication-00.txt) propose an additional handshake mechanism to be negotiated in the MP_CAPABLE flags - the "G" bit, allocated to "application-layer". This means that MPTCP queries the application layer for Token and Key materials. This is negotiated by being offered by the initiator, and chosen by the answerer. Only tokens are sent on the wire, and these can be used to contain any information that could assist a far end to demultiplex connections (e.g. including routing data which would help front-end proxies). Minor changes that fall out of this also mean the IDSN, in that scenario, would be generated from the Token not the Key. Keying information may not be available at the SYN/ACK exchange, but will be provided by the application when available. Only once that has occurred can subflow setup continue. The TLS draft (http://www.ietf.org/id/draft-paasch-mptcp-tls-authentication-00.txt) shows how we can interface this proposal with TLS, using RFC5705 key export from TLS. This requires no changes to the protocol, but would register a new RFC5705 exporter with IANA. Exported keys from a TLS session would be passed to the MPTCP layer and used in the HMAC authentication algorithm. We would like to present and discuss these points in the upcoming interim, to see if there is consensus to add the necessary protocol changes to rfc6824bis. Best regards, Alan & Christoph
- Re: [multipathtcp] [tcpinc] MPTCP external auth d… Mirja Kühlewind
- Re: [multipathtcp] [tcpinc] MPTCP external auth d… Christoph Paasch
- Re: [multipathtcp] MPTCP external auth drafts Mirja Kühlewind
- [multipathtcp] MPTCP external auth drafts Alan Ford
- [multipathtcp] Load balancing MPTCP Costin Raiciu