Re: [perpass] Fwd: FW: I-D Action: draft-farrelll-mpls-opportunistic-encrypt-00.txt
Watson Ladd <watsonbladd@gmail.com> Fri, 10 January 2014 16:42 UTC
In-Reply-To: <52CE9383.8050006@cs.tcd.ie>
References: <01be01cf0d31$13fdea40$3bf9bec0$@olddog.co.uk> <52CE9383.8050006@cs.tcd.ie>
Date: Fri, 10 Jan 2014 08:42:38 -0800
Message-ID: <CACsn0c=6_EYSaAh0QbZWYTRvUPnRKm5iSgOoZ7yqWmqQC4x8VQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Adrian Farrel <adrian@olddog.co.uk>, perpass <perpass@ietf.org>
Subject: Re: [perpass] Fwd: FW: I-D Action: draft-farrelll-mpls-opportunistic-encrypt-00.txt
On Thu, Jan 9, 2014 at 4:18 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>
> Hiya,
>
> See below. Adrian and I (the Farrelll twins, he seemingly can't
> spell it right:-) have cooked up an idea for MPLS opportunistic
> encryption. As he says, it's very early days, but if this was
> something that MPLS folk wanted to implement, I think that'd be
> a fine thing. As of now, I've no real clue if they would or not,
> but Adrian I'm sure knows better. And as you can also see from
> the mail below, Adrian has already posted to the MPLS WG list,
> so comments about whether this is good or bad for MPLS etc are
> probably better handled on that list rather than here.
>
> So my question for this list is mainly to look for comments
> on how we've handled the opportunistic crypto thing, especially
> from the pov of whether that's something that could be copied
> in other protocols. The meaty bit of that is really section
> 4.2 of the draft which is quite short.

I think prime field elliptic curves would be more amenable to
implementation in restricted router hardware. How the receiver
computes the nonce that goes with the packet is not obvious to me
from what is written. Otherwise this seems reasonable: it might be
worth considering if this can be extended to authenticate both
sides cleanly if some large networks want to be safe against that.

> One particular question to consider is whether or not a
> generic MITM-detection protocol for OE-using protocols might
> be interesting or better/worse than the idea of having each
> protocol define ways in which you might post-facto catch a MITM.
>
> Section 2 of the draft has some introductory text about OE. I'd
> also be interested in comments on that but as our draft says, we
> expect that to be superseded by a more generic OE draft. (I know
> that Steve Kent is working on one like that, and maybe others are
> too.) So your comments on that might really end up improving
> some other draft and not this one, but that's fine.
>
> Thanks,
> S.
>
>
> -------- Original Message --------
> Subject: FW: I-D Action: draft-farrelll-mpls-opportunistic-encrypt-00.txt
> Date: Thu, 9 Jan 2014 11:51:03 -0000
> From: Adrian Farrel <adrian@olddog.co.uk>
> Reply-To: <adrian@olddog.co.uk>
> To: <mpls@ietf.org>
> CC: <stephen.farrell@cs.tcd.ie>
>
> Hi MPLS working group,
>
> Stephen and I have been looking at MPLS data plane security and wondering
> whether anything could be done to help protect against various types of bulk
> surveillance achieved by tapping entire links without requiring full and
> management-heavy establishment of security associations.
>
> This I-D is very rough! It is a first attempt to show what might be
> achieved. We are confident that there are problems with what we have
> suggested both from a security and an MPLS perspective. Your thoughts
> and comments are encouraged.
>
> Thanks,
> The Farrel twins.
>
>> -----Original Message-----
>> From: I-D-Announce [mailto:i-d-announce-bounces@ietf.org] On Behalf Of
>> internet-drafts@ietf.org
>> Sent: 09 January 2014 11:44
>> To: i-d-announce@ietf.org
>> Subject: I-D Action: draft-farrelll-mpls-opportunistic-encrypt-00.txt
>>
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>>
>>
>> Title    : Opportunistic Encryption in MPLS Networks
>> Authors  : Adrian Farrel
>>            Stephen Farrell
>> Filename : draft-farrelll-mpls-opportunistic-encrypt-00.txt
>> Pages    : 22
>> Date     : 2014-01-09
>>
>> Abstract:
>> This document describes a way to apply opportunistic encryption
>> between adjacent nodes on an MPLS Label Switched Path (LSP) or
>> between end points of an LSP. It explains how keys may be exchanged
>> to enable the encryption, and indicates how key identifiers are
>> exchanged in encrypted MPLS packets. Finally, this document
>> describes the applicability of opportunistic encryption in MPLS
>> networks with an indication of the level of improved security as well
>> as the continued vulnerabilities.
>>
>> This document does not describe security for MPLS control plane
>> protocols.
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-farrelll-mpls-opportunistic-encrypt/
>>
>> There's also a htmlized version available at:
>> http://tools.ietf.org/html/draft-farrelll-mpls-opportunistic-encrypt-00
>>
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> _______________________________________________
>> I-D-Announce mailing list
>> I-D-Announce@ietf.org
>> https://www.ietf.org/mailman/listinfo/i-d-announce
>> Internet-Draft directories: http://www.ietf.org/shadow.html
>> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>
>
>
> _______________________________________________
> perpass mailing list
> perpass@ietf.org
> https://www.ietf.org/mailman/listinfo/perpass

--
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
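The pieces the thread is arguing about (an unauthenticated per-hop key exchange over a prime-field curve, a short key identifier carried in each encrypted packet, a receiver that has to recover the per-packet nonce, and some way to catch a key substitution after the fact) can be seen end to end in a small simulation. This is an added example written for this archive page, not code from the draft or from either author; the 13-byte header layout, the direction tags, the one-step HMAC-SHA256 key derivation, the KeyID truncation and the Fingerprint check are all constructions of the example, and the draft's own key-identifier and nonce formats are not reproduced here. It uses Go's standard-library X25519 (crypto/ecdh) and AES-256-GCM. The nonce question is answered in the simplest way: the sender puts an explicit counter in the clear header, the header is bound as AAD, and the receiver rebuilds the nonce from the header alone. The "post-facto MITM" question is answered by a transcript fingerprint that both ends can compare out of band; an on-path party that substitutes keys cannot make the two fingerprints agree.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const hdrLen = 13 // constructed clear header: key id (4) || direction tag (1) || packet counter (8)

// Session is the per-hop state each end holds after the unauthenticated X25519 exchange
// (Curve25519 is a prime-field curve, the kind the reply above prefers for router hardware).
type Session struct {
	KeyID             [4]byte
	aead              cipher.AEAD
	transcript        []byte // both public keys in canonical order
	myDir, peerDir    byte   // direction tags keep the two flows' nonces disjoint under one key
	sendCtr, lastSeen uint64 // our send counter; highest counter accepted from the peer (anti-replay)
}

// Establish derives a session from our private key and the peer's public key. Nothing
// authenticates that key (this is opportunistic encryption): an on-path key substitution
// is not prevented, only detectable later by comparing Fingerprint out of band.
func Establish(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (*Session, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	mine, theirs := priv.PublicKey().Bytes(), peer.Bytes()
	s := &Session{myDir: 1, peerDir: 2}
	lo, hi := mine, theirs
	if bytes.Compare(mine, theirs) > 0 {
		lo, hi, s.myDir, s.peerDir = theirs, mine, 2, 1
	}
	s.transcript = append(append([]byte{}, lo...), hi...)
	// One-step HMAC-SHA256 KDF: the traffic key is bound to the shared secret and the transcript.
	kdf := hmac.New(sha256.New, shared)
	kdf.Write(s.transcript)
	kdf.Write([]byte("mpls-oe-example traffic key"))
	block, _ := aes.NewCipher(kdf.Sum(nil)) // 32-byte key selects AES-256; cannot fail
	s.aead, _ = cipher.NewGCM(block)
	sum := sha256.Sum256(s.transcript)
	copy(s.KeyID[:], sum[:4]) // short key identifier carried in every packet
	return s, nil
}

// Fingerprint is what the two ends compare out of band to catch a key substitution.
func (s *Session) Fingerprint() string { return fmt.Sprintf("%x", sha256.Sum256(s.transcript)) }

// nonceFrom rebuilds the 96-bit GCM nonce (direction || zero pad || counter) from the
// clear header alone, so the receiver needs nothing beyond the packet to recover it.
func nonceFrom(hdr []byte) []byte {
	return append([]byte{hdr[4], 0, 0, 0}, hdr[5:hdrLen]...)
}

// Encap wraps a payload; the clear header is authenticated as AAD.
func (s *Session) Encap(payload []byte) []byte {
	s.sendCtr++
	hdr := make([]byte, hdrLen)
	copy(hdr, s.KeyID[:])
	hdr[4] = s.myDir
	binary.BigEndian.PutUint64(hdr[5:], s.sendCtr)
	return s.aead.Seal(append([]byte{}, hdr...), nonceFrom(hdr), payload, hdr)
}

// Decap checks key id, direction and counter, then authenticates and decrypts.
func (s *Session) Decap(pkt []byte) ([]byte, error) {
	if len(pkt) < hdrLen {
		return nil, fmt.Errorf("short packet")
	}
	hdr := pkt[:hdrLen]
	ctr := binary.BigEndian.Uint64(hdr[5:])
	if !bytes.Equal(hdr[:4], s.KeyID[:]) || hdr[4] != s.peerDir || ctr <= s.lastSeen {
		return nil, fmt.Errorf("bad key id, direction or counter (%d)", ctr)
	}
	pt, err := s.aead.Open(nil, nonceFrom(hdr), pkt[hdrLen:], hdr)
	if err == nil {
		s.lastSeen = ctr // advance only after the tag verified, so forged headers cannot move the window
	}
	return pt, err
}

func main() {
	privA, _ := ecdh.X25519().GenerateKey(rand.Reader)
	privB, _ := ecdh.X25519().GenerateKey(rand.Reader)
	sa, _ := Establish(privA, privB.PublicKey())
	sb, _ := Establish(privB, privA.PublicKey())
	pt, err := sb.Decap(sa.Encap([]byte("label stack + IP payload")))
	fmt.Println(sa.Fingerprint() == sb.Fingerprint(), string(pt), err)
}
```

Two design points are worth noting for anyone copying the idea into another protocol. The strictly increasing counter is a deliberate simplification of a real anti-replay window: it rejects reordered packets, which an MPLS data plane may not tolerate, so a deployment would use a sliding bitmap instead. And because the exchange is unauthenticated, the fingerprint comparison is the only thing standing between "encrypted" and "encrypted to the wrong party"; it catches a substitution after the fact but does not prevent it, which is exactly the trade-off the thread is debating.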