Re: [saag] Fw:Fw:New Version Notification for draft-cui-dhc-dhcpv6-encryption-02.txt
Nico Williams <nico@cryptonector.com> Mon, 03 August 2015 16:07 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95A0D1ACD35 for <saag@ietfa.amsl.com>; Mon, 3 Aug 2015 09:07:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.366
X-Spam-Level:
X-Spam-Status: No, score=-2.366 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dOryhToNCAse for <saag@ietfa.amsl.com>; Mon, 3 Aug 2015 09:07:46 -0700 (PDT)
Received: from homiemail-a86.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 223BB1ACD37 for <saag@ietf.org>; Mon, 3 Aug 2015 09:07:38 -0700 (PDT)
Received: from homiemail-a86.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a86.g.dreamhost.com (Postfix) with ESMTP id 8992F3600D1; Mon, 3 Aug 2015 09:07:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=R8qMk/LRO/zpOD Q59J3aSHff0M4=; b=WZh6V9mcMz0jN9/F+EcUeQ+pTOYl15MI7npk/jXmx9W5Z6 d3FPLqUbYY/XgR7vf9xSrbsmenK44cnWzLuDa3f6JUPxNhY2TW571y8Y5jB9uY1n h3c+2scSY7vBZL2WJd7S1a+L51KGB7n+Qb1W9+uBPS1qmPNuFP+fea8602iUc=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a86.g.dreamhost.com (Postfix) with ESMTPA id 6BEEC360087; Mon, 3 Aug 2015 09:07:36 -0700 (PDT)
Date: Mon, 03 Aug 2015 11:07:34 -0500
From: Nico Williams <nico@cryptonector.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <20150803160733.GM2957@localhost>
References: <313da830.6be8.14ed8564467.Coremail.lilishan48@126.com> <m2mvyfh1re.wl%randy@psg.com> <55B8A692.8080409@cs.tcd.ie> <m2a8ufgpjn.wl%randy@psg.com> <55B8D49A.1010402@cs.tcd.ie> <165fe8ce.ef05.14eda273b12.Coremail.lilishan48@126.com> <55B8E0F2.3000403@cs.tcd.ie>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <55B8E0F2.3000403@cs.tcd.ie>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/AlP9OvB1ECyvV7I8W_uFTjROLmU>
Cc: Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] Fw:Fw:New Version Notification for draft-cui-dhc-dhcpv6-encryption-02.txt
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Aug 2015 16:07:47 -0000
On Wed, Jul 29, 2015 at 03:19:30PM +0100, Stephen Farrell wrote: > We do I think have proof that symmetric keying for everything > fails, thanks to RFC3118, but for all the rest, as far as I know > we'd just be guessing right now. Ignoring weak passwords and applying a Kerberos-ish (but EAP-ified, meaning using IAKERB to authenticate to the infrastructure and then user-to-user Kebreros to authenticate the NAS to the client) I think symmetric keying for everything ought to work just fine. (Also ignoring the lack of PKCROSS.) Not that that's something I care to push. Just sayin'. Weak passwords obviously are a good argument for a PAKE or for at least having DH + server authentication, so PK does seem necessary, yes, but mostly for that reason, and for the bootstrapping of cross-domain trusts that a purely-symmetric Needham-Schroeder protocol has trouble with. Nico --
- [saag] Fw:Fw:New Version Notification for draft-c… Lishan Li
- Re: [saag] Fw:Fw:New Version Notification for dra… Randy Bush
- Re: [saag] Fw:Fw:New Version Notification for dra… Stephen Farrell
- Re: [saag] Fw:Fw:New Version Notification for dra… Randy Bush
- Re: [saag] Fw:Fw:New Version Notification for dra… Lishan Li
- Re: [saag] Fw:Fw:New Version Notification for dra… Stephen Farrell
- Re: [saag] Fw:Fw:New Version Notification for dra… Stephen Farrell
- Re: [saag] Fw:Fw:New Version Notification for dra… Lishan Li
- Re: [saag] Fw:Fw:New Version Notification for dra… Stephen Farrell
- Re: [saag] Fw:Fw:New Version Notification for dra… Randy Bush
- Re: [saag] Fw:Fw:New Version Notification for dra… Christian Huitema
- Re: [saag] Fw:Fw:New Version Notification for dra… Lishan Li
- Re: [saag] [dhcwg] Fw:Fw:New Version Notification… Erik Kline
- Re: [saag] Fw:Fw:New Version Notification for dra… ianG
- Re: [saag] Fw:Fw:New Version Notification for dra… Randy Bush
- Re: [saag] New Version Notification for draft-cui… Alan DeKok
- Re: [saag] New Version Notification for draft-cui… Alan DeKok
- Re: [saag] New Version Notification for draft-cui… Bernard Aboba
- Re: [saag] New Version Notification for draft-cui… Alan DeKok
- Re: [saag] New Version Notification for draft-cui… Randy Bush
- Re: [saag] New Version Notification for draft-cui… Sam Hartman
- Re: [saag] Fw:Fw:New Version Notification for dra… Nico Williams
- Re: [saag] Fw:Fw:New Version Notification for dra… Nico Williams
- Re: [saag] New Version Notification for draft-cui… Alan DeKok
- Re: [saag] [dhcwg] Fw:Fw:New Version Notification… 李丽姗