IETF Logo Mail Archive

Re: [saag] NULL encryption mode in RFC 5202-bis

ianG <iang@iang.org> Tue, 08 July 2014 12:06 UTC

Return-Path: <iang@iang.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD5D71B2853 for <saag@ietfa.amsl.com>; Tue, 8 Jul 2014 05:06:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cC59CVdDwwVd for <saag@ietfa.amsl.com>; Tue, 8 Jul 2014 05:06:06 -0700 (PDT)
Received: from virulha.pair.com (virulha.pair.com [209.68.5.166]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D65041B2A29 for <saag@ietf.org>; Tue, 8 Jul 2014 05:06:06 -0700 (PDT)
Received: from tormenta.local (iang.org [209.197.106.187]) by virulha.pair.com (Postfix) with ESMTPSA id 50AE56D613; Tue, 8 Jul 2014 08:06:02 -0400 (EDT)
Message-ID: <53BBDEA8.7090706@iang.org>
Date: Tue, 08 Jul 2014 13:06:00 +0100
From: ianG <iang@iang.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: saag@ietf.org
References: <53BB798A.3080101@tomh.org>
In-Reply-To: <53BB798A.3080101@tomh.org>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/JPf8bmB-VWEotHyRVicZ12yPm9A
Subject: Re: [saag] NULL encryption mode in RFC 5202-bis
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jul 2014 12:06:09 -0000

On 8/07/2014 05:54 am, Tom Henderson wrote:
> Hi all,
> 
> Apologies for cross-posting, but Stephen Farrell raised a DISCUSS
> (seconded by Kathleen Moriarty) in the IESG evaluation of RFC 5202-bis:
>   Using the Encapsulating Security Payload (ESP) Transport Format with
> the Host Identity Protocol (HIP).  Stephen asked me to raise this
> question for discussion on both the HIP and SAAG lists.
> 
> Stephen's discuss questions the specification of "MUST to implement" for
> the NULL encryption option of the ESP_TRANSFORM parameter:
> 
> http://tools.ietf.org/html/draft-ietf-hip-rfc5202-bis-05#section-5.1.2
> 
> Stephen asks why is this a MUST to implement?  The history behind this
> that I'm aware of is that since HIP does not have an AH, only ESP, the
> ESP with NULL encryption mode can provide authentication.


IIUC, this derives from old arguments that encryption is expensive so
there might be a use case [0] where it is desirable to turn it off, and
users should have that option because it's cost free.

This is more or less a deprecated argument.  Encryption is no longer
expensive.  The history of users is that they don't have a need to turn
it off, they aren't equipped to make the decision properly, and giving
them one more knob to play with creates one more support headache.

And, it isn't cost free:  null ciphers introduce a lovely downgrade
attack, and marginal internal fault possibilities.

It also relates to a bygone age where active MITM was believed a greater
enemy than passive eavesdropping, so auth was king.  History hasn't been
kind to that view.


> It was also
> stated in previous drafts that this mode supports debugging.


If it is debugging, the advice is backwards, IMHO.  NULL ciohers should
not be mandatory to implement.  Developers will do what they will, if
they need a mode like that they will add it, they don't need to be told
they must do it.

Better advice would be that that production code MUST be shipped with
all dangerous debugging modes stripped out, not implemented.



iang



[0] curiously, a modern use case might be found in Bitcoin where
encryption isn't needed because the tx are all published anyway.  I find
this a tough mental barrier.

v2.23.0 | Report a Bug | By Email