IETF Logo Mail Archive

Re: [perpass] tcpcrypt applicability (Was: Re: Violating end-to-end principle: I-D Action: draft-farrelll-mpls-opportunistic-encrypt-00.txt)

Stephen Kent <kent@bbn.com> Tue, 21 January 2014 15:25 UTC

Return-Path: <kent@bbn.com>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0375F1A02D8 for <perpass@ietfa.amsl.com>; Tue, 21 Jan 2014 07:25:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.736
X-Spam-Level:
X-Spam-Status: No, score=-4.736 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uBhAP2DjTvM1 for <perpass@ietfa.amsl.com>; Tue, 21 Jan 2014 07:25:41 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id 522FF1A0150 for <perpass@ietf.org>; Tue, 21 Jan 2014 07:25:41 -0800 (PST)
Received: from dommiel.bbn.com ([192.1.122.15]:44671 helo=comsec.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1W5dCu-000Fe6-K9; Tue, 21 Jan 2014 10:25:40 -0500
Message-ID: <52DE9174.7000504@bbn.com>
Date: Tue, 21 Jan 2014 10:25:40 -0500
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: Phillip Hallam-Baker <hallam@gmail.com>
References: <04c001cf1123$7e5c00c0$7b140240$@olddog.co.uk> <CAMm+Lwj0r3PNoBC0Y1ydibD3piioZ57Z1Ks-Ea6o58xahjXKwQ@mail.gmail.com> <20140116192320.GD32098@thunk.org> <52D84F68.7030100@cs.tcd.ie> <52DD3CAA.6010004@bbn.com> <52DD3E64.2000707@cs.tcd.ie> <52DD404B.1080705@bbiw.net> <CAMm+Lwh0Lm0NbTjAO0h4weUUQhi_oS230r6wxsE09Pc8enKoRw@mail.gmail.com>
In-Reply-To: <CAMm+Lwh0Lm0NbTjAO0h4weUUQhi_oS230r6wxsE09Pc8enKoRw@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: perpass <perpass@ietf.org>
Subject: Re: [perpass] tcpcrypt applicability (Was: Re: Violating end-to-end principle: I-D Action: draft-farrelll-mpls-opportunistic-encrypt-00.txt)
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jan 2014 15:25:43 -0000

PHB,
...
>
> One major design limit in IPSEC and TLS is that both view the key 
> exchange as being integral to the security layer rather than a 
> separate service. I would like to separate out consideration of how 
> chunks of data passing over the net are tagged and bagged for 
> encryption and authentication from the question of key setup.
IKE is separate from ESP and AH. ESP and AH can be used independently of 
IKE, although manual keying
is obviously not attractive in most cases. TLS is a different matter, in 
that the handshake that
puts keys in place is integral to the data security protocol. However, 
DTLS is used with SRTP
to secure VoIP, showing that the key exchange there can be used to 
support other protocols.
>
> There is no logical reason why the key negotiation for TLS, IPSEC and 
> tcpcrypt cant be shared.
yes, it could be, despite the erroneous assertions above ;-)

Steve

v2.23.0 | Report a Bug | By Email