RE: Request for Authenticated but not Encrypted Traffic

"Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org> Fri, 30 September 2022 03:57 UTC

From: "Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org>
To: Phillip Hallam-Baker <phill@hallambaker.com>
CC: "quic@ietf.org" <quic@ietf.org>
Subject: RE: Request for Authenticated but not Encrypted Traffic
Date: Fri, 30 Sep 2022 03:56:59 +0000
Message-ID: <SJ0PR08MB82888EE2140D219EF758CF76FA569@SJ0PR08MB8288.namprd08.prod.outlook.com>
References: <SJ0PR08MB82889F488CCA7D8FC4997ACEFA579@SJ0PR08MB8288.namprd08.prod.outlook.com> <CAMm+Lwh1DWyVNL7M6q0gAS77HyN5KXRa3cNn732ivbAMGSFVDg@mail.gmail.com>
In-Reply-To: <CAMm+Lwh1DWyVNL7M6q0gAS77HyN5KXRa3cNn732ivbAMGSFVDg@mail.gmail.com>
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/7MPm_GawSTnehprSthtNnxPqapo>


  *   The problem being that a lot of systems depend on confidentiality of certain data to provide for integrity. Particularly to protect against replay attacks. So I don't think turning off encryption entirely is the right move.

When I talk of disabling encryption I am only talking about the messages sent using the session keys. Key negotiation could still be encrypted if needed for security.

I don’t understand the point about replay attacks. There are lots of ways to protect against replay without encrypting the message payload.


  *   A better approach for this particular requirement is to have a mechanism which uses encryption but explicitly provides the necessary observer decryption capabilities. But that approach has been repeatedly rejected in IETF.

I feel that putting backdoors into encryption protocols is a recipe for disaster. Encryption, once applied, should not be breakable or vulnerable to man-in-the-middle attacks. Applications should make the choice based on the tasks they need to do when a connection is established and have access to APIs that clearly tell them that they are using an unencrypted communication channel.
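As an added illustration of the point made above about replay protection without payload encryption (this is example code written for this archive page, not code from the thread, the QUIC working group or the OPC Foundation), the block below frames each message as plaintext sequence number, plaintext payload and an HMAC tag over both, then checks the tag and a sliding anti-replay window on receipt. A monitor on the wire can read every payload, yet a forged, modified or replayed frame is rejected. The frame layout, the HMAC-SHA256 tag, the 64-entry window and the session key are assumptions made for this example; in a real deployment the key would come from the (possibly encrypted) key negotiation.

```python
"""
Authenticated-but-unencrypted message framing with replay protection.
Example code added to this page; not from the QUIC WG, the OPC Foundation
or the posters. Frame layout, tag algorithm, window size and the demo key
are assumptions made for this illustration.

Frame (entirely plaintext, readable by a network monitor):
    seq (8 bytes, big-endian) || payload || tag (32 bytes, HMAC-SHA256)
The tag binds seq and payload to the session key, so an observer can read
everything but cannot forge, modify or replay a frame undetected.
"""
import hashlib
import hmac
import struct

SEQ_LEN = 8
TAG_LEN = 32


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: build a frame whose integrity (not secrecy) is protected."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def observe(frame: bytes):
    """Passive monitor: no key needed to read the sequence number and payload."""
    seq = struct.unpack(">Q", frame[:SEQ_LEN])[0]
    return seq, frame[SEQ_LEN:-TAG_LEN]


class ReplayWindow:
    """Sliding anti-replay window (same idea as the IPsec ESP / DTLS window)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = -1   # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (highest - i) already seen

    def check_and_update(self, seq: int) -> bool:
        if seq > self.highest:
            # Advance the window; bit 0 now marks the new highest as seen.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False    # older than the window: treat as replay
        if self.bitmap & (1 << offset):
            return False    # already accepted once
        self.bitmap |= 1 << offset
        return True


class Receiver:
    def __init__(self, key: bytes, window: int = 64):
        self.key = key
        self.window = ReplayWindow(window)

    def open(self, frame: bytes):
        """Return (status, seq, payload); status is ok, bad_tag, replay or malformed."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return ("malformed", None, None)
        header, body, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        # Verify the tag before touching window state so forgeries cannot move it.
        if not hmac.compare_digest(expected, tag):
            return ("bad_tag", None, None)
        seq = struct.unpack(">Q", header)[0]
        if not self.window.check_and_update(seq):
            return ("replay", seq, None)
        return ("ok", seq, body)


def demo():
    """Constructed traffic: in-order, out-of-order, replayed and tampered frames."""
    key = b"constructed-session-key-for-demo"   # constructed; real keys come from the handshake
    rx = Receiver(key)
    frames = [seal(key, i, f"setpoint={i}".encode()) for i in range(4)]
    results = [
        rx.open(frames[0])[0],   # ok
        rx.open(frames[2])[0],   # ok: arrives early, window advances
        rx.open(frames[1])[0],   # ok: late but inside the window, not yet seen
        rx.open(frames[1])[0],   # replay: same sequence number a second time
    ]
    # Flip the plaintext payload of frame 3 without recomputing the tag.
    tampered = frames[3][:SEQ_LEN] + b"setpoint=9" + frames[3][SEQ_LEN + len(b"setpoint=3"):]
    results.append(rx.open(tampered)[0])   # bad_tag
    results.append(rx.open(frames[3])[0])  # ok: the genuine frame still passes
    return results


if __name__ == "__main__":
    print(demo())
    print(observe(seal(b"any-key", 5, b"visible to the monitor")))
```

The receiver checks the tag before consulting the window so that an unauthenticated frame cannot advance or pollute the window state; the monitor side (`observe`) deliberately has no key, which is exactly the property the factory use case asks for.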

From: Phillip Hallam-Baker <phill@hallambaker.com>
Sent: Friday, September 30, 2022 11:51 AM
To: Randy Armstrong (OPC) <randy.armstrong@opcfoundation.org>
Cc: quic@ietf.org
Subject: Re: Request for Authenticated but not Encrypted Traffic

I see a requirement here being presented as an implementation.

The requirement is the ability of an authorized party within the network to observe network traffic for debugging purposes. That is a very normal requirement in process control. Process control networks are typically run in a fashion that most IETF-ers would find unusual. The networks are typically very quiet with absolutely no extraneous traffic. The traffic is typically unencrypted so that systems can be monitored continuously.

The overriding objective is to protect integrity and availability. Confidentiality is not (typically) considered a concern. The problem being that a lot of systems depend on confidentiality of certain data to provide for integrity. Particularly to protect against replay attacks. So I don't think turning off encryption entirely is the right move.

A better approach for this particular requirement is to have a mechanism which uses encryption but explicitly provides the necessary observer decryption capabilities. But that approach has been repeatedly rejected in IETF.

On Thu, Sep 29, 2022 at 8:31 AM Randy Armstrong (OPC) <randy.armstrong@opcfoundation.org> wrote:
The OPC Foundation is looking at deploying QUIC within factories as means for different OT devices to communicate with each other. In this environment, factory owners often wish to monitor traffic to check for anomalies. Encryption prevents this.

For this reason, an authentication only option is essential to making QUIC a viable choice for communication within factories.

Regards,

Randy Armstrong
OPC UA Security WG Chair