Re: Request for Authenticated but not Encrypted Traffic

Roberto Peon <fenix@meta.com> Thu, 29 September 2022 21:19 UTC

From: Roberto Peon <fenix@meta.com>
To: "Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org>, Paul Vixie <paul@redbarn.org>
CC: "quic@ietf.org" <quic@ietf.org>
Subject: Re: Request for Authenticated but not Encrypted Traffic
Date: Thu, 29 Sep 2022 21:19:05 +0000
Message-ID: <MW5PR15MB51459BB0DCAD6E47A5A89C49D4579@MW5PR15MB5145.namprd15.prod.outlook.com>
References: <SJ0PR08MB82889F488CCA7D8FC4997ACEFA579@SJ0PR08MB8288.namprd08.prod.outlook.com> <e0c93db9-785b-fbfc-604a-5aa047d3c25b@redbarn.org> <SJ0PR08MB8288E1364214A9BCA4DBC6A5FA579@SJ0PR08MB8288.namprd08.prod.outlook.com>
In-Reply-To: <SJ0PR08MB8288E1364214A9BCA4DBC6A5FA579@SJ0PR08MB8288.namprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/vWRXu2fi44BLF6vf8DpgR6RPKVU>
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>

So I understand the background here:

Why do we need/want QUIC in this setting instead of TCP?

-=R

From: QUIC <quic-bounces@ietf.org> on behalf of Randy Armstrong (OPC) <randy.armstrong@opcfoundation.org>
Date: Thursday, September 29, 2022 at 1:13 PM
To: Paul Vixie <paul@redbarn.org>
Cc: quic@ietf.org <quic@ietf.org>
Subject: RE: Request for Authenticated but not Encrypted Traffic

Hi Paul,

Thanks for the support.

I think it is important to note: we already have our own TCP based protocol that supports authentication only. If QUIC cannot meet our requirements we may not recommend the use of QUIC at all.

Also note that factory owners sometimes disable security entirely if they have s/w that uses TLS/HTTPS with no sign-only option. IOW, forcing people to use encryption when they have a compelling business justification to turn it off can result in more security risks - not less.

Regards,

Randy

-----Original Message-----
From: Paul Vixie <paul@redbarn.org>
Sent: Friday, September 30, 2022 4:31 AM
To: Randy Armstrong (OPC) <randy.armstrong@opcfoundation.org>
Cc: quic@ietf.org
Subject: Re: Request for Authenticated but not Encrypted Traffic

i understand this ask and i resonate positively to it. however, i predict it will be seen as controversial in this community, based on my prior experience trying to get ssh/scp to support clear text for use inside a campus, datacenter, VPC, or VM server. i've also been trying to get an SMTP library's author team to have an option to ignore STARTTLS when talking to my own localhost. in each case i was told that the risk of accidental nonencryption across a wide area network was too great.
so, good luck with this use case. --vixie

re:

Randy Armstrong (OPC) wrote on 2022-09-29 05:31:
> The OPC Foundation is looking at deploying QUIC within factories as
> means for different OT devices to communicate with each other. In this
> environment, factory owners often wish to monitor traffic to check for
> anomalies. Encryption prevents this.
>
> For this reason, an authentication only option is essential to making
> QUIC a viable choice for communication within factories.
>
> Regards,
>
> Randy Armstrong
>
> OPC UA Security WG Chair
>


--
P Vixie
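The "sign only" mode the thread is asking for is, at the record level, integrity protection with the payload left in the clear. The following is an added illustration by the editor, not OPC UA's TCP-based protocol and not QUIC; it assumes a simple constructed record layout (type byte, 64-bit sequence number, payload, HMAC-SHA256 tag), a pre-shared key and a constructed OT telemetry payload. It shows the three properties the thread cares about: a passive monitor reads the payload without any key, a single flipped bit is rejected, and a re-ordered or replayed record is rejected because the sequence number is under the tag.

```python
"""Authentication-only record protection: payload stays readable, tag protects it.

Added illustration (not OPC UA or QUIC code). Uses HMAC-SHA256 from the
standard library; the record layout, key and sample payload are constructed
for this example.
"""
import hmac
import hashlib
import struct

TAG_LEN = 32  # HMAC-SHA256 output length
HEADER = struct.Struct("!BQ")  # record type (1 byte), sequence number (8 bytes)


class IntegrityError(Exception):
    pass


def protect(key: bytes, seq: int, rtype: int, payload: bytes) -> bytes:
    """Build header || payload || HMAC(key, header || payload).

    The payload is not encrypted: anyone on the path can read it. The tag
    binds header (including the sequence number) and payload, so the record
    cannot be altered or re-ordered without detection.
    """
    header = HEADER.pack(rtype, seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify(key: bytes, record: bytes, expected_seq: int) -> tuple:
    """Check the tag and sequence number; return (rtype, payload) or raise."""
    if len(record) < HEADER.size + TAG_LEN:
        raise IntegrityError("record too short")
    body, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(tag, expected):
        raise IntegrityError("bad tag")
    rtype, seq = HEADER.unpack_from(body)
    if seq != expected_seq:
        raise IntegrityError(f"unexpected sequence number {seq}")
    return rtype, body[HEADER.size:]


def monitor_view(record: bytes) -> bytes:
    """What a passive network monitor sees: the cleartext payload, no key needed."""
    return record[HEADER.size:-TAG_LEN]


def tamper(record: bytes, offset: int) -> bytes:
    """Flip one bit of the payload, as an on-path attacker would."""
    b = bytearray(record)
    b[HEADER.size + offset] ^= 0x01
    return bytes(b)


def demo() -> dict:
    key = b"\x11" * 32                 # constructed shared key for the example
    payload = b"temp_sensor_7=41.3C"   # constructed OT telemetry line
    rec = protect(key, seq=1, rtype=0x01, payload=payload)
    results = {"monitor_sees": monitor_view(rec)}
    results["verified"] = verify(key, rec, expected_seq=1)
    try:
        verify(key, tamper(rec, 0), expected_seq=1)
        results["tamper_detected"] = False
    except IntegrityError:
        results["tamper_detected"] = True
    try:
        verify(key, rec, expected_seq=2)  # same record presented out of order
        results["replay_detected"] = False
    except IntegrityError:
        results["replay_detected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point the example makes concrete is that "authentication only" is not "no security": integrity, origin and ordering are still enforced, and only confidentiality is given up, which is exactly the trade the factory-monitoring use case is asking for. The flip side, which Paul's reply raises, is that the same record format carries the payload in the clear wherever it is sent, so the decision to use it has to be bound to the deployment, not left to a default.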