Re: [saag] NULL encryption mode in RFC 5202-bis
ianG <iang@iang.org> Tue, 08 July 2014 12:06 UTC
Return-Path: <iang@iang.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD5D71B2853 for <saag@ietfa.amsl.com>; Tue, 8 Jul 2014 05:06:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cC59CVdDwwVd for <saag@ietfa.amsl.com>; Tue, 8 Jul 2014 05:06:06 -0700 (PDT)
Received: from virulha.pair.com (virulha.pair.com [209.68.5.166]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D65041B2A29 for <saag@ietf.org>; Tue, 8 Jul 2014 05:06:06 -0700 (PDT)
Received: from tormenta.local (iang.org [209.197.106.187]) by virulha.pair.com (Postfix) with ESMTPSA id 50AE56D613; Tue, 8 Jul 2014 08:06:02 -0400 (EDT)
Message-ID: <53BBDEA8.7090706@iang.org>
Date: Tue, 08 Jul 2014 13:06:00 +0100
From: ianG <iang@iang.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: saag@ietf.org
References: <53BB798A.3080101@tomh.org>
In-Reply-To: <53BB798A.3080101@tomh.org>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/JPf8bmB-VWEotHyRVicZ12yPm9A
Subject: Re: [saag] NULL encryption mode in RFC 5202-bis
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jul 2014 12:06:09 -0000
On 8/07/2014 05:54 am, Tom Henderson wrote: > Hi all, > > Apologies for cross-posting, but Stephen Farrell raised a DISCUSS > (seconded by Kathleen Moriarty) in the IESG evaluation of RFC 5202-bis: > Using the Encapsulating Security Payload (ESP) Transport Format with > the Host Identity Protocol (HIP). Stephen asked me to raise this > question for discussion on both the HIP and SAAG lists. > > Stephen's discuss questions the specification of "MUST to implement" for > the NULL encryption option of the ESP_TRANSFORM parameter: > > http://tools.ietf.org/html/draft-ietf-hip-rfc5202-bis-05#section-5.1.2 > > Stephen asks why is this a MUST to implement? The history behind this > that I'm aware of is that since HIP does not have an AH, only ESP, the > ESP with NULL encryption mode can provide authentication. IIUC, this derives from old arguments that encryption is expensive so there might be a use case [0] where it is desirable to turn it off, and users should have that option because it's cost free. This is more or less a deprecated argument. Encryption is no longer expensive. The history of users is that they don't have a need to turn it off, they aren't equipped to make the decision properly, and giving them one more knob to play with creates one more support headache. And, it isn't cost free: null ciphers introduce a lovely downgrade attack, and marginal internal fault possibilities. It also relates to a bygone age where active MITM was believed a greater enemy than passive eavesdropping, so auth was king. History hasn't been kind to that view. > It was also > stated in previous drafts that this mode supports debugging. If it is debugging, the advice is backwards, IMHO. NULL ciohers should not be mandatory to implement. Developers will do what they will, if they need a mode like that they will add it, they don't need to be told they must do it. Better advice would be that that production code MUST be shipped with all dangerous debugging modes stripped out, not implemented. iang [0] curiously, a modern use case might be found in Bitcoin where encryption isn't needed because the tx are all published anyway. I find this a tough mental barrier.
- [saag] NULL encryption mode in RFC 5202-bis Tom Henderson
- Re: [saag] NULL encryption mode in RFC 5202-bis Stephen Farrell
- Re: [saag] NULL encryption mode in RFC 5202-bis ianG
- Re: [saag] NULL encryption mode in RFC 5202-bis Yaron Sheffer
- Re: [saag] NULL encryption mode in RFC 5202-bis Mouse
- Re: [saag] NULL encryption mode in RFC 5202-bis Paul Hoffman
- Re: [saag] [Hipsec] NULL encryption mode in RFC 5… Miika Komu
- Re: [saag] NULL encryption mode in RFC 5202-bis James Cloos
- Re: [saag] [Hipsec] NULL encryption mode in RFC 5… Robert Moskowitz
- Re: [saag] NULL encryption mode in RFC 5202-bis Stephen Farrell
- Re: [saag] NULL encryption mode in RFC 5202-bis Jeffrey Walton
- Re: [saag] [Hipsec] NULL encryption mode in RFC 5… James Cloos
- Re: [saag] NULL encryption mode in RFC 5202-bis Michael Richardson
- Re: [saag] NULL encryption mode in RFC 5202-bis Paul Lambert
- Re: [saag] NULL encryption mode in RFC 5202-bis Michael Richardson
- Re: [saag] NULL encryption mode in RFC 5202-bis Paul Lambert
- Re: [saag] NULL encryption mode in RFC 5202-bis Robert Moskowitz
- Re: [saag] NULL encryption mode in RFC 5202-bis Henry B Hotz
- Re: [saag] NULL encryption mode in RFC 5202-bis Michael Richardson
- Re: [saag] NULL encryption mode in RFC 5202-bis Christian Huitema
- Re: [saag] [Hipsec] NULL encryption mode in RFC 5… Paul Lambert
- Re: [saag] [Hipsec] NULL encryption mode in RFC 5… Henry B Hotz
- Re: [saag] [Hipsec] NULL encryption mode in RFC 5… Ted Lemon
- Re: [saag] [Hipsec] NULL encryption mode in RFC 5… Ted Lemon
- Re: [saag] [Hipsec] NULL encryption mode in RFC 5… Michael Richardson
- Re: [saag] [Hipsec] NULL encryption mode in RFC 5… Michael Richardson
- Re: [saag] [Hipsec] NULL encryption mode in RFC 5… Edward Lopez
- Re: [saag] [Hipsec] NULL encryption mode in RFC 5… Robert Moskowitz
- Re: [saag] [Hipsec] NULL encryption mode in RFC 5… Robert Moskowitz
- Re: [saag] [Hipsec] NULL encryption mode in RFC 5… Mouse
- Re: [saag] [Hipsec] NULL encryption mode in RFC 5… Robert Moskowitz
- Re: [saag] [Hipsec] NULL encryption mode in RFC 5… Ted Lemon
- Re: [saag] [Hipsec] NULL encryption mode in RFC 5… Stephen Kent