IETF Logo Mail Archive

Re: Request for Authenticated but not Encrypted Traffic

Behcet Sarikaya <sarikaya2012@gmail.com> Fri, 30 September 2022 14:58 UTC

Return-Path: <sarikaya2012@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E841C14F738 for <quic@ietfa.amsl.com>; Fri, 30 Sep 2022 07:58:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.857
X-Spam-Level:
X-Spam-Status: No, score=-1.857 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QZ6-MUkpuAYX for <quic@ietfa.amsl.com>; Fri, 30 Sep 2022 07:58:36 -0700 (PDT)
Received: from mail-vs1-xe2b.google.com (mail-vs1-xe2b.google.com [IPv6:2607:f8b0:4864:20::e2b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B27F3C14F731 for <quic@ietf.org>; Fri, 30 Sep 2022 07:58:36 -0700 (PDT)
Received: by mail-vs1-xe2b.google.com with SMTP id j123so5057955vsc.3 for <quic@ietf.org>; Fri, 30 Sep 2022 07:58:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=beKDkCG7b/EPTrF02uW/OB8UztajYqzayGiJSNzTtAk=; b=HiVFpxcWG5kC81/N0DBhkFEnqaK/mD5cfNfDSsK3iupcljdrEKDdvnhBwLystD+eI5 l86f3DoWswd+SxLq+LzodrxODxO2ytD/r7GroxrkitTLZQomMdK1n2hTu9ssIywCLzX7 o6UAV8+hyJ3jonv5o5PgS5Nl9DodH0GRvL4Yef6KqGD/baN62jVHyB4T8HF1igqLFVF9 J4H23EwXKPZ3DsJVW1UYUSJZwLXl+MmV5X37pYImCCvP4i47JJvt3jop12/G/VADzRId MX6KO7VO7QBUvflxPFpbslbPuwPbHp76vgNPA8FYpyi793q+Dhed6MxaVRZ1cSQtymD1 lrGw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=beKDkCG7b/EPTrF02uW/OB8UztajYqzayGiJSNzTtAk=; b=UrCwSiYFLYb7mgfyttSkgie7E2ZfOa4vsOxpP1zkidBscZTRxrhpgZhEH5HwduQLQL V4e8H0zpJs2InCg4fMRQLpLccp4HDO5uPeg54ZmKyoXKTMLisDDltuzRv/+cjgcVlkha 4mf9y2slhefHGfUzR7dQ7VBH9AS/mEZe5d1InAk+EPVSIWWcORFWhzsHQ3K1liUjixna 3aufOBvoUJX3bDZIfCNPBuXJi9CRoSzm2VgHYk/kum/1xbZVy/6LYXggcr2LsXI3z64Z 0AXq7PJCfMt54uw7J0IK2dkoqIRCejf6mCgADLFtubuWYMyeaFH4l7xjQEvZpHVfvr39 QnFg==
X-Gm-Message-State: ACrzQf1M9iWB9Wn1vSN4ulFb5rwa9/hE3M0edSu+punKjcWlwOcZn+V3 atw2vZpzdys95+MiN7YkKpPX5+/21GFWUiK48LHuxaX4Lxg=
X-Google-Smtp-Source: AMsMyM6WzrsG8amztbuwKa4npl/oQyRDshrXl7KXi0iVggOb4vOH4eUX8zIM575joPlmIkR2vCaGrOFeuUxzY9o2zNg=
X-Received: by 2002:a05:6102:3c8d:b0:39c:2f54:9f7c with SMTP id c13-20020a0561023c8d00b0039c2f549f7cmr4427010vsv.32.1664549915621; Fri, 30 Sep 2022 07:58:35 -0700 (PDT)
MIME-Version: 1.0
References: <SJ0PR08MB82889F488CCA7D8FC4997ACEFA579@SJ0PR08MB8288.namprd08.prod.outlook.com> <e0c93db9-785b-fbfc-604a-5aa047d3c25b@redbarn.org> <SJ0PR08MB8288E1364214A9BCA4DBC6A5FA579@SJ0PR08MB8288.namprd08.prod.outlook.com> <MW5PR15MB51459BB0DCAD6E47A5A89C49D4579@MW5PR15MB5145.namprd15.prod.outlook.com> <SJ0PR08MB8288533C964762C760477D46FA579@SJ0PR08MB8288.namprd08.prod.outlook.com>
In-Reply-To: <SJ0PR08MB8288533C964762C760477D46FA579@SJ0PR08MB8288.namprd08.prod.outlook.com>
Reply-To: sarikaya@ieee.org
From: Behcet Sarikaya <sarikaya2012@gmail.com>
Date: Fri, 30 Sep 2022 09:58:24 -0500
Message-ID: <CAC8QAcfuVnr0UMii8kR-RZ_n3i8hOSDZTD=fHbkXVy5-3JJKNw@mail.gmail.com>
Subject: Re: Request for Authenticated but not Encrypted Traffic
To: "Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org>
Cc: "quic@ietf.org" <quic@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006e7e1105e9e63afc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/S8vYED7hrITlrxuHKtJvL69Nzc4>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Sep 2022 14:58:37 -0000

On Thu, Sep 29, 2022 at 4:42 PM Randy Armstrong (OPC) <
randy.armstrong@opcfoundation.org> wrote:

> At this point we have not determined that QUIC will actually be better
> than TCP for OT applications. That said, we see the potential because there
> is a need for UDP based protocols on some embedded devices because the OS
> does not support TCP and QUIC offers the potential for prioritizing traffic
> with multiple streams.
>
>
>
> There is also some effort to deploy 5G networks within factories which
> would mean the lower latency recovering after IP address changes could be a
> benefit.
>
>
>
> One risk for QUIC in this setting comes from the memory consumption needed
> to handle out of order/repeated messages. TCP has had decades to optimize
> this problem which means it could be more efficient.
>
>
>
> If the WG already knows that QUIC will not work so well on low end
> embedded devices then we would like to learn more about the issues.
>
>
>


Hi Randy,

I read the above. I think that TCP for IoT has been researched a lot and
now we have some stripped down versions of TCP that are being used.
Not sure or not familiar with anything similar for Quic.
Quic is not like TCP, i.e. as far as I know, for Quic there is only one
sender, that is HTTP.
So you may be opening a can of worms with this proposal.

Good luck,
Behcet

> *From:* Roberto Peon <fenix@meta.com>
> *Sent:* Friday, September 30, 2022 6:19 AM
> *To:* Randy Armstrong (OPC) <randy.armstrong@opcfoundation.org>; Paul
> Vixie <paul@redbarn.org>
> *Cc:* quic@ietf.org
> *Subject:* Re: Request for Authenticated but not Encrypted Traffic
>
>
>
> So I understand the background here:
>
> Why do we need/want QUIC in this setting instead of TCP?
>
>
> -=R
>
> *From: *QUIC <quic-bounces@ietf.org> on behalf of Randy Armstrong (OPC) <
> randy.armstrong@opcfoundation.org>
> *Date: *Thursday, September 29, 2022 at 1:13 PM
> *To: *Paul Vixie <paul@redbarn.org>
> *Cc: *quic@ietf.org <quic@ietf.org>
> *Subject: *RE: Request for Authenticated but not Encrypted Traffic
>
> !-------------------------------------------------------------------|
>   This Message Is From an External Sender
>
> |-------------------------------------------------------------------!
>
> Hi Paul,
>
> Thanks for the support.
>
> I think it is important to note: we already have our own TCP based
> protocol that supports authentication only. If QUIC cannot meet our
> requirements we may not recommend the use of QUIC at all.
>
> Also note that factory owners sometimes owners disable security entirely
> if they have s/w that uses TLS/HTTPS with no sign only option. IOW, forcing
> people to use encryption when they have a compelling business justification
> to turn it off can result in more security risks - not less.
>
> Regards,
>
> Randy
>
> -----Original Message-----
> From: Paul Vixie <paul@redbarn.org>
> Sent: Friday, September 30, 2022 4:31 AM
> To: Randy Armstrong (OPC) <randy.armstrong@opcfoundation.org>
> Cc: quic@ietf.org
> Subject: Re: Request for Authenticated but not Encrypted Traffic
>
> i understand this ask and i resonate positively to it. however, i predict
> it will be seen as controversial in this community, based on my prior
> experience trying to get ssh/scp to support clear text for use inside a
> campus, datacenter, VPC, or VM server. i've also been trying to get an SMTP
> library's author team to have an option to ignore STARTTLS when talking to
> my own localhost. in each case i was told that the risk of accidental
> nonencryption across a wide area network was too great.
> so, good luck with this use case. --vixie
>
> re:
>
> Randy Armstrong (OPC) wrote on 2022-09-29 05:31:
> > The OPC Foundation is looking at deploying QUIC within factories as
> > means for different OT devices to communicate with each other. In this
> > environment, factory owners often wish to monitor traffic to check for
> > anomalies. Encryption prevents this.
> >
> > For this reason, an authentication only option is essential to making
> > QUIC a viable choice for communication within factories.
> >
> > Regards,
> >
> > Randy Armstrong
> >
> > OPC UA Security WG Chair
> >
>
>
> --
> P Vixie
>

v2.23.0 | Report a Bug | By Email