IETF Logo Mail Archive

Re: [secdir] [Taps] Secdir last call review of draft-ietf-taps-minset-06

Yaron Sheffer <yaronf.ietf@gmail.com> Tue, 28 August 2018 06:39 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12A22130DEC; Mon, 27 Aug 2018 23:39:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2tbjPwE3_p7r; Mon, 27 Aug 2018 23:39:34 -0700 (PDT)
Received: from mail-pg1-x52d.google.com (mail-pg1-x52d.google.com [IPv6:2607:f8b0:4864:20::52d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31D3D130DDB; Mon, 27 Aug 2018 23:39:34 -0700 (PDT)
Received: by mail-pg1-x52d.google.com with SMTP id z25-v6so306434pgu.7; Mon, 27 Aug 2018 23:39:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=+z5V0AFLi8r96xHmkKJSO4q+GUPsFJCQjrrQQPBqC04=; b=jA1MV7GucB4bICQcd+ENQs5ZJBswv4ULx4998/lcYon9ml1ydsVF8ihP4VBnnlS6Ec 1ptXj13r8rc9KucAJS8k0fe9BrYtRRWyI2U4zQrJZbEoa865HZB40vfY+Tqx8DAOjlbz gVY8uk+MGPp5oEH+qlwstlHHEQTREzMJh6lltRsXgclP64xyBOwi1R1rjjTv+zcdF5rE OVBPXnPoQ1zYYC7uSxywwS8jO2AvsQBogQYWasnCpwpogTb4JxbtdiOBtIYNn//MUjl+ 9czvLrrGhibvT8f1tD+ifBWiPkd+x/9CwyYxgxX8RVeHYE0Cbo93Wm8B3dHym4Dozufs fMdQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=+z5V0AFLi8r96xHmkKJSO4q+GUPsFJCQjrrQQPBqC04=; b=cPsTZ7a/1N9WpTzkmtSAJIHsLrRwAqxL8t4wMP7uNSOLuQFoJI82dgmA/wqlwu25/s qTdUPVCTcSp8o4veZDwPIi0XnhTfhofNWsT8gp+TVx8POY5iAZx0a7aKrsno7YctALyM maUhjKu5DBK40GHQG2UwzevrfNJJPkfnHzGeWyLkR0kG9xXIU2pPbsVR+C8svH7zRXC8 6F1/U0k/4LxRnWilY1oC9+95v7Vor83JJRiBWJmzK1NoTD6Dg+Aw9pCVIxqoNMQhgvOR 0ZuZqXMmbtYMGsn7MrgDkpPEHLreb2ACUR1uWzkvWphuvDnP74lRVbBZujVh21chPOKl +B5g==
X-Gm-Message-State: APzg51AzZ1xoOF88JFZ2HcSUdEpTA/MFKEFEecKWrm3PyTlaSzMNxDbZ OR9pTH2KHZGFJxqsRse/z5ZdlO+ZWls=
X-Google-Smtp-Source: ANB0VdalwBEVwtnPw6pMFzqtQQAvyccBaPA42ZIAagkXB1QoGppmdjkA8YTnnakRrhIzKXu+zu83fg==
X-Received: by 2002:a62:34c4:: with SMTP id b187-v6mr128278pfa.15.1535438373503; Mon, 27 Aug 2018 23:39:33 -0700 (PDT)
Received: from [10.20.8.46] ([209.37.97.194]) by smtp.gmail.com with ESMTPSA id h10-v6sm658340pfj.78.2018.08.27.23.39.32 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 27 Aug 2018 23:39:32 -0700 (PDT)
To: Tommy Pauly <tpauly@apple.com>
Cc: secdir@ietf.org, draft-ietf-taps-minset.all@ietf.org, ietf@ietf.org, taps@ietf.org
References: <153534622572.11764.16971261463087249495@ietfa.amsl.com> <11A6EDDC-06EE-47E5-B61B-ED6F7B5999A6@apple.com>
From: Yaron Sheffer <yaronf.ietf@gmail.com>
Message-ID: <6c3e25c8-de15-a0dd-3706-72ca47475840@gmail.com>
Date: Mon, 27 Aug 2018 23:39:31 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <11A6EDDC-06EE-47E5-B61B-ED6F7B5999A6@apple.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/hwf1bsAknN_94QpkTJydAfVvs5c>
Subject: Re: [secdir] [Taps] Secdir last call review of draft-ietf-taps-minset-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Aug 2018 06:39:36 -0000

Thank you Tommy for setting me straight on this. I appreciate the 
additional context.

I looked at draft-ietf-taps-interface and it does seem to cover secure 
connection establishment well enough.

With that in mind, I am OK with the Security Considerations in 
draft-ietf-taps-minset.

Regards,
	Yaron

On 27/08/18 08:53, Tommy Pauly wrote:
> Hi Yaron,
> 
> This minimal set is a description of the surface that any generic API must have to cover the common *transport* features of protocols only. This document is not meant in itself to describe an API that applications use directly, but instead describe the distilled feature set from transport services (such as reliable/unreliable sending, etc). To that end, it essentially describes what you need to be able to use basic things like TCP, UDP, etc. Even without security considered, this distillation is a non-trivial task, thus it required this document.
> 
> The security document that is referenced (draft-ietf-taps-transport-security) provides a similar survey and distillation for how transport security interfaces add more surface to control and interact with handshake and record layers used on top of/in conjunction with the base transport.
> 
> The set of documents that actually describe the API surface that we want applications to use (draft-ietf-taps-arch, draft-ietf-taps-api, draft-ietf-taps-interface, draft-ietf-taps-impl) does indeed provide a unified abstraction for a secure transport connection. However, this surface depends upon both the distillation from draft-ietf-taps-minset and draft-ietf-taps-transport-security. There is no intention of promoting insecure connections for applications.
> 
> Thanks,
> Tommy
> 
>> On Aug 26, 2018, at 10:03 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:
>>
>> Reviewer: Yaron Sheffer
>> Review result: Not Ready
>>
>> The whole notion of TAPS is new to me, so I may be missing the point here. This
>> document defines a minimal set of network APIs that should be available to
>> applications, in order to allow multiple different transport protocols to be
>> used as interchangeable plug-ins with minimal or no change to applications.
>>
>> However the document does not cover security, and instead refers readers to a
>> security protocol survey (draft-ietf-taps-transport-security).
>>
>> There's a disconnect here: in many cases we want applications to be aware of
>> security features. For example, a typical TCP-using application should choose
>> whether to enable TLS encryption of the connection (or as a receiver, whether
>> to require encryption), and if TLS is selected, should at the very least
>> receive access to the authenticated address of the connection's peer. In other
>> words, a meaningful minimal set of APIs cannot be defined without considering
>> the effects and requirements of security protocols.
>>
>> Put differently, the application normally treats the transport protocol and the
>> security protocol layered on it as one protocol. Hence the old name of TLS:
>> Secure Socket Layer. The application sees a single socket, not one socket for
>> transport and another for security. This has been the case for TCP for the last
>> 20-odd years, and is unlikely to change any time soon.
>>
>> I have not surveyed the protocols discussed in this draft, and I don't know
>> whether a viable transport-level security protocol exists for each of them. If
>> this is not the case, then I guess the industry is not yet ready for the kind
>> of solution proposed here.
>>
>> _______________________________________________
>> Taps mailing list
>> Taps@ietf.org
>> https://www.ietf.org/mailman/listinfo/taps
>

v2.23.0 | Report a Bug | By Email