Re: [Pce] Use of TCP AO and TLS in PCEP
Joe Touch <touch@isi.edu> Tue, 11 February 2014 14:53 UTC
Return-Path: <touch@isi.edu>
X-Original-To: pce@ietfa.amsl.com
Delivered-To: pce@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04F611A03E6 for <pce@ietfa.amsl.com>; Tue, 11 Feb 2014 06:53:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level:
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.548] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Loxouii8jCVB for <pce@ietfa.amsl.com>; Tue, 11 Feb 2014 06:53:08 -0800 (PST)
Received: from darkstar.isi.edu (darkstar.isi.edu [128.9.128.127]) by ietfa.amsl.com (Postfix) with ESMTP id 074E21A042A for <pce@ietf.org>; Tue, 11 Feb 2014 06:52:54 -0800 (PST)
Received: from [192.168.1.93] (pool-71-105-87-112.lsanca.dsl-w.verizon.net [71.105.87.112]) (authenticated bits=0) by darkstar.isi.edu (8.13.8/8.13.8) with ESMTP id s1BEqBBG013201 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 11 Feb 2014 06:52:15 -0800 (PST)
Message-ID: <52FA391E.5010000@isi.edu>
Date: Tue, 11 Feb 2014 06:52:14 -0800
From: Joe Touch <touch@isi.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: "Diego R. Lopez" <diego@tid.es>
References: <07b801cf1534$bec46b60$3c4d4220$@olddog.co.uk> <4698EB6C-9BEC-4E76-8291-FBCA51753950@tid.es> <52F401A1.7040209@isi.edu> <AC3F0A3D-76E2-4E75-8C80-47BC36129636@tid.es>
In-Reply-To: <AC3F0A3D-76E2-4E75-8C80-47BC36129636@tid.es>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
X-Mailman-Approved-At: Tue, 11 Feb 2014 07:17:36 -0800
Cc: "pce@ietf.org" <pce@ietf.org>
Subject: Re: [Pce] Use of TCP AO and TLS in PCEP
X-BeenThere: pce@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Path Computation Element <pce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pce>, <mailto:pce-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pce/>
List-Post: <mailto:pce@ietf.org>
List-Help: <mailto:pce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pce>, <mailto:pce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Feb 2014 14:53:11 -0000
On 2/11/2014 6:26 AM, Diego R. Lopez wrote: > Hi Joe, > > Too much travel making my email backlog grow, I'm afraid... > > On 6 Feb 2014, at 22:41 , Joe Touch <touch@isi.edu> wrote: >>> The rationale is the common practice derived from the TLS layered >>> approach, so a client knows how and when require the server to start a >>> TLS connection, and the server knows in advance what the client is >>> requiring and match it against its policy. >> >> That is common when there is no other way to determine whether a connection uses TLS or not (and even then is at best a performance optimization). > > I'd say is not only performance, but a security optimization. Unless > the server is sure that starting a TLS session is explicitly required by > the client, how can a server know whether there has been an intentional > downgrade by a man-in-the-middle? It cannot, but let's look at the case where there are different ports. The MITM in that case can rewrite packets to the different port. Same problem. The conclusion is that the server cannot know about the downgrade until the connection fails because the MITM can't spoof the server's TLS credentials back to the client. > Furthermore, the client and server > codes become completely independent of what happens at the TCP layer, > and I think this is in general a good design practice. Ports are a critical global community resource, not a programming convenience. > And even if you find counterarguments to the two reasons above, the > common practice is the use of either a dedicated port or a dedicated > command. We should be aiming for best practice, not common practice. > And that implies that developers will find plenty of choices to > implement this, widely validated and understood by the community. And > when it comes to security, this is of great value, mostly when PCEP peer > developers will not usually be security experts. Agreed, but they need to be protocol experts or they won't get the protocols right. If they do get the protocols right, then they can trivially determine the type of connection - at connection start - simply from the configuration of keys. >> The use of TCP protection must be orthogonal to the use of TLS, so it >>> can not be used for the server making a guess of the protocol >>> security encapsulation. >> >> TCP protection isn't orthogonal to TLS for pcep as currently specified; see the table above. The only connections that can use TLS would be those that do not use TCP MD5 (see the list of cases above). >> >>> Either we have a protocol-specific mechanism (a-la-STARTTLS) or we >>> usea specific port. >> ... >> >> For every connection, you already know the mode before the >> connectionstarts. If the connection is configured to require TCP MD5, then there >> is no TLS. If not, then there must be TLS. > > What I cannot see is why the combination of TCP MD5 with TLS could > nothappen, It isn't specified, therefore you can say that if it happens you can cancel the connection attempt. > or the combination of TCP AO without TLS. Same thing. > We are talking about > independent layers, or am I missing something? FWIW, you could use any > of them on an IPsec connection as well... You could, but they should all fail except the ones that you specify. That's a basic tenet of security design. This is why I concluded that the protocol specifications - existing and the one currently under review - are easily distinguished. Ports are assigned for current use, not potential future use. So unless you're proposing to revise the doc to include these other cases, they're irrelevant. And if you are, we can then talk about whether it's good security design to consider so may alternatives without specific use cases in mind. >> There are no protocol changes required to make this happen; you >> just need to use the information you already have. > > By not having TCP protection and TLS orthogonal we are mixing > securitymechanisms at two different layers, and assuming there is some kind of > cross-layer exchange that may not necessarily happen because is out of > the common practice, and that is a recipe for security holes. TCP is - and needs to be - aware of both TCP and TLS protection. It has to have all the information needed anyway. (yes, if we throw in other protocol layers here, that might not be true, but again we're talking about what has been proposed, not what might be). > Maybe that the current writing of the PCEPS draft is not clear > enough in that respect. We would really appreciate any suggestion in improving it. If you intend the protections to be orthogonal, you need to say that, and you need to justify why all possible combinations are needed. At that point I would argue against that set of combinations. Joe
- [Pce] Use of TCP AO and TLS in PCEP Adrian Farrel
- Re: [Pce] Use of TCP AO and TLS in PCEP Diego R. Lopez
- Re: [Pce] Use of TCP AO and TLS in PCEP Joe Touch
- Re: [Pce] Use of TCP AO and TLS in PCEP Diego R. Lopez
- Re: [Pce] Use of TCP AO and TLS in PCEP Joe Touch
- Re: [Pce] Use of TCP AO and TLS in PCEP Diego R. Lopez
- Re: [Pce] Use of TCP AO and TLS in PCEP Joe Touch