Re: [multipathtcp] [tcpinc] MPTCP external auth drafts
Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch> Mon, 20 June 2016 14:18 UTC
Return-Path: <mirja.kuehlewind@tik.ee.ethz.ch>
X-Original-To: multipathtcp@ietfa.amsl.com
Delivered-To: multipathtcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD6FC12B02C; Mon, 20 Jun 2016 07:18:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.626
X-Spam-Level:
X-Spam-Status: No, score=-5.626 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.426] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bw-HwY8LP72n; Mon, 20 Jun 2016 07:18:47 -0700 (PDT)
Received: from smtp.ee.ethz.ch (smtp.ee.ethz.ch [129.132.2.219]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 58CEA12D0B6; Mon, 20 Jun 2016 07:18:47 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by smtp.ee.ethz.ch (Postfix) with ESMTP id A5B72D931B; Mon, 20 Jun 2016 16:18:45 +0200 (MEST)
X-Virus-Scanned: by amavisd-new on smtp.ee.ethz.ch
Received: from smtp.ee.ethz.ch ([127.0.0.1]) by localhost (.ee.ethz.ch [127.0.0.1]) (amavisd-new, port 10024) with LMTP id LpqB8+wpYkcT; Mon, 20 Jun 2016 16:18:45 +0200 (MEST)
Received: from [192.168.178.33] (p5DEC2E4F.dip0.t-ipconnect.de [93.236.46.79]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: mirjak) by smtp.ee.ethz.ch (Postfix) with ESMTPSA id 41C7DD9316; Mon, 20 Jun 2016 16:18:45 +0200 (MEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>
In-Reply-To: <A4F5A237-681C-40E5-80EF-0D30A9894E35@apple.com>
Date: Mon, 20 Jun 2016 16:18:44 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <DCD4BCB3-5AA8-471C-8418-8849AFE1CE39@tik.ee.ethz.ch>
References: <4E6D9951-D1EB-4F1F-8666-7189357053C0@gmail.com> <9158F6E6-F21D-4EB6-828D-C89191554C79@tik.ee.ethz.ch> <A4F5A237-681C-40E5-80EF-0D30A9894E35@apple.com>
To: Christoph Paasch <cpaasch@apple.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/multipathtcp/zbibFQBJM4U9ebBMVB1FUmmNnBE>
Cc: MultiPath TCP - IETF WG <multipathtcp@ietf.org>, tcpinc <tcpinc@ietf.org>
Subject: Re: [multipathtcp] [tcpinc] MPTCP external auth drafts
X-BeenThere: multipathtcp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Multi-path extensions for TCP <multipathtcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/multipathtcp/>
List-Post: <mailto:multipathtcp@ietf.org>
List-Help: <mailto:multipathtcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jun 2016 14:18:57 -0000
Hi Christoph, please note that tcpinc also discusses to use the tcpinc option to negotiate application layer TLS. Maybe it would make sense to use tcpinc directly instead of defining yet another negotiation mechanism? Mirja > Am 19.06.2016 um 23:55 schrieb Christoph Paasch <cpaasch@apple.com>: > > Hello Mirja, > >> On Jun 17, 2016, at 8:14 AM, Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch> wrote: >> adding tcpinc. How does this relate to working tcpinc? > > in a tcpinc-deployment, MPTCP could use a derivate of tcpinc's key to authenticate new subflows. > > A draft similar to http://www.ietf.org/id/draft-paasch-mptcp-tls-authentication-00.txt would need to describe how the MPTCP-key is derived from the tcpinc-secret. > > > Christoph > > >> >> Mirja >> >> >>> Am 28.05.2016 um 10:32 schrieb Alan Ford <alan.ford@gmail.com>: >>> >>> Hi all, >>> >>> Following on from the discussion at the previous two IETFs, we have submitted two drafts proposing a way forward for resolving the loadbalancers issue (or in other words, separating tokens and keys), and in turn have a proposal for using TLS keying material with MPTCP. >>> >>> This proposal comes in the form of two drafts, to separate protocol changes (which we would be proposing for adoption into rfc6824bis), and TLS-specific extensions (which we would suggest are kept separate). >>> >>> The protocol changes (http://www.ietf.org/id/draft-paasch-mptcp-application-authentication-00.txt) propose an additional handshake mechanism to be negotiated in the MP_CAPABLE flags - the "G" bit, allocated to "application-layer". This means that MPTCP queries the application layer for Token and Key materials. This is negotiated by being offered by the initiator, and chosen by the answerer. >>> >>> Only tokens are sent on the wire, and these can be used to contain any information that could assist a far end to demultiplex connections (e.g. including routing data which would help front-end proxies). >>> >>> Minor changes that fall out of this also mean the IDSN, in that scenario, would be generated from the Token not the Key. >>> >>> Keying information may not be available at the SYN/ACK exchange, but will be provided by the application when available. Only once that has occurred can subflow setup continue. >>> >>> The TLS draft (http://www.ietf.org/id/draft-paasch-mptcp-tls-authentication-00.txt) shows how we can interface this proposal with TLS, using RFC5705 key export from TLS. This requires no changes to the protocol, but would register a new RFC5705 exporter with IANA. Exported keys from a TLS session would be passed to the MPTCP layer and used in the HMAC authentication algorithm. >>> >>> We would like to present and discuss these points in the upcoming interim, to see if there is consensus to add the necessary protocol changes to rfc6824bis. >>> >>> Best regards, >>> Alan & Christoph >>> _______________________________________________ >>> multipathtcp mailing list >>> multipathtcp@ietf.org >>> https://www.ietf.org/mailman/listinfo/multipathtcp >> >> _______________________________________________ >> Tcpinc mailing list >> Tcpinc@ietf.org >> https://www.ietf.org/mailman/listinfo/tcpinc > > _______________________________________________ > Tcpinc mailing list > Tcpinc@ietf.org > https://www.ietf.org/mailman/listinfo/tcpinc
- Re: [multipathtcp] [tcpinc] MPTCP external auth d… Mirja Kühlewind
- Re: [multipathtcp] [tcpinc] MPTCP external auth d… Christoph Paasch
- Re: [multipathtcp] MPTCP external auth drafts Mirja Kühlewind
- [multipathtcp] MPTCP external auth drafts Alan Ford
- [multipathtcp] Load balancing MPTCP Costin Raiciu