IETF Logo Mail Archive

Re: [Secdispatch] EDHOC Summary

Göran Selander <goran.selander@ericsson.com> Thu, 18 April 2019 12:55 UTC

Return-Path: <goran.selander@ericsson.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD1D112030B for <secdispatch@ietfa.amsl.com>; Thu, 18 Apr 2019 05:55:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.023
X-Spam-Level:
X-Spam-Status: No, score=-1.023 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RmI3dM3mnsKi for <secdispatch@ietfa.amsl.com>; Thu, 18 Apr 2019 05:55:15 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130072.outbound.protection.outlook.com [40.107.13.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9DB5112030D for <secdispatch@ietf.org>; Thu, 18 Apr 2019 05:55:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=9AzAMmPgkHzmDU3zqeiVbEsGxv4HX5j+w5AWOf7ra5A=; b=MV3Wv23WI1n+1jNuPTeOD2BiTh2ArKEfP0kfiOlygxA7TbxsOm6em60bO9U2AZWWSG390apBItVtmH/VBOOyVW6EP4qHVKZbbvaGOldW9k6E0cQxjREvNyOuQpR8fEhRZNnqpVub2JGlxW/dj/cMz+0GUYjM0rFzwXhr6zHOdEE=
Received: from HE1PR07MB4172.eurprd07.prod.outlook.com (20.176.166.25) by HE1PR07MB3100.eurprd07.prod.outlook.com (10.170.245.10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1835.6; Thu, 18 Apr 2019 12:55:11 +0000
Received: from HE1PR07MB4172.eurprd07.prod.outlook.com ([fe80::c587:c2ec:e227:84fd]) by HE1PR07MB4172.eurprd07.prod.outlook.com ([fe80::c587:c2ec:e227:84fd%4]) with mapi id 15.20.1835.007; Thu, 18 Apr 2019 12:55:11 +0000
From: Göran Selander <goran.selander@ericsson.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "Owen Friel (ofriel)" <ofriel@cisco.com>, Richard Barnes <rlb@ipv.sx>, Michael Richardson <mcr+ietf@sandelman.ca>
CC: Carsten Bormann <cabo@tzi.org>, "secdispatch@ietf.org" <secdispatch@ietf.org>, Martin Thomson <mt@lowentropy.net>
Thread-Topic: [Secdispatch] EDHOC Summary
Thread-Index: AQHU9bryBp4FMEo1v0OmeS0uE21muKZBv2TQgAA2YwD//97IsIAALWsA
Date: Thu, 18 Apr 2019 12:55:11 +0000
Message-ID: <0EE8E3B3-DCEE-4B23-8669-15F7080F73AF@ericsson.com>
References: <8BCAAD78-74D7-414C-82B2-EFB98D711D1E@ericsson.com> <AM6PR08MB36860F9597EBB248142E357EFA260@AM6PR08MB3686.eurprd08.prod.outlook.com> <2C9EADDC-2221-4321-9DE1-688DD7F97D34@ericsson.com> <AM6PR08MB3686F22C994D48D399033701FA260@AM6PR08MB3686.eurprd08.prod.outlook.com>
In-Reply-To: <AM6PR08MB3686F22C994D48D399033701FA260@AM6PR08MB3686.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.18.0.190414
authentication-results: spf=none (sender IP is ) smtp.mailfrom=goran.selander@ericsson.com;
x-originating-ip: [213.89.213.86]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 7047d356-9078-450d-6ecf-08d6c3fd17c1
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600141)(711020)(4605104)(2017052603328)(7193020); SRVR:HE1PR07MB3100;
x-ms-traffictypediagnostic: HE1PR07MB3100:
x-microsoft-antispam-prvs: <HE1PR07MB3100CFDBC35890DDB9923E5DF4260@HE1PR07MB3100.eurprd07.prod.outlook.com>
x-forefront-prvs: 0011612A55
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(136003)(346002)(396003)(39860400002)(366004)(376002)(199004)(189003)(446003)(66066001)(229853002)(14454004)(26005)(186003)(8936002)(97736004)(478600001)(256004)(7736002)(14444005)(2616005)(6486002)(33656002)(99286004)(4326008)(93886005)(53936002)(11346002)(68736007)(5660300002)(85202003)(102836004)(66574012)(316002)(6436002)(6116002)(36756003)(76176011)(54906003)(110136005)(86362001)(85182001)(486006)(58126008)(81166006)(8676002)(81156014)(71200400001)(305945005)(2906002)(71190400001)(6246003)(476003)(3846002)(82746002)(6512007)(25786009)(6506007)(83716004); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB3100; H:HE1PR07MB4172.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: IIISckNkY/dY8gDLdPFYlxzxvYSqmcu0t/WypXTtquEWHsqpz4ISGCqHY9XnRy39ta0RzcTXLU6irlvodYWHylQ7euj1xttgkEqQ8M7Z1gSo60Ikm1Bu8ei6p8l/UK2vT+DCK7lLnij5es/MRogXdx8JVC+njmhjxteAW1WzmamrA+v8XULs0ZaAAMTzeX/97aBegmeFmfertWBa9LCfYUe9PwmF/UQ1aq/VgYAcAKoXJcxmKZDOP3xFYRX+zIvNSdvy62E/4FStc1Cu4g3zTdU+k4dLqfftSWak7LMTY4MZiTFotgQY8y42+1BocOOLA+2Oet7iG3Ri2U4qmpayCpz63l1Nw7/q1Z8PfXMcHNcNlAQk0X6zFlJj6XxVMse6MGyO9f4cr45GHxNMS8y2+B2kT8iwZgXiTbyIIp2FWuI=
Content-Type: text/plain; charset="utf-8"
Content-ID: <50CFDAB4696EB14EBB733CE30AFD55B1@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 7047d356-9078-450d-6ecf-08d6c3fd17c1
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Apr 2019 12:55:11.1268 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3100
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/_a5M8FbURz9wToSe-ZzhqrrnbBI>
Subject: Re: [Secdispatch] EDHOC Summary
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Apr 2019 12:55:18 -0000

Hi Hannes,

On 2019-04-18, 14:21, "Secdispatch on behalf of Hannes Tschofenig" <secdispatch-bounces@ietf.org on behalf of Hannes.Tschofenig@arm.com> wrote:

         [GS] The AKE for OSCORE clearly must support the same transport as OSCORE.
    
        No, it doesn't.
    
    [GS] Strike "clearly", this is a requirement coming from use cases implementing OSCORE and in need for an AKE.
    
    [Hannes] I don't see where this requirement comes from. From the DTLS/TLS experience I have seen several solutions in the IETF where the handshake was separate from the protection of the data.
    It wasn't a problem there...
    
    I actually see advantages if we untangle it from the transport because we keep inventing new transports. FWIW I see QUIC as a new transport as well and one that has not been explored enough in the IoT space.

[GS] The context is this: OSCORE is deployed over a number of hops with different transports. The key exchange protocol must at least be able to travel the same path.
    

        > From first individual submission to the approved version of OSCORE, the introduction section states that OSCORE may or may not be used over TLS/DTLS.
        > (The approved version recommends the use of additional TLS for certain hops, but not over constrained networks.)
        You see what I am talking about...
    
    [GS] No.
    
    [Hannes] First you say "it may be used over TLS/DTLS" even in the draft. Later, you add that it shouldn't be done over constrained networks. 

[GS] I don't understand how you got from "it may be used over TLS/DTLS" which has been stated in the draft since day 0 to "it must be used with TLS/DTLS" which never has been stated in the draft. The draft does not state "it must/should not be used with TLS/DTLS"  -- you may deploy OSCORE and TLS/DTLS in tandem if you like.

I am sure I can dig out meeting meetings where you deny that OSCORE/EDHOC are in any competition to TLS/DTLS.
    
[GS] Be my guest.

    
        > OSCORE/AKE over TLS is similar to TLS over IPsec/IKEv2.
        You know that nobody uses IPsec / IKEv2 in an IoT context (even though some of your co-workers even argued for it some time ago).
    
    [GS] The analogy I wanted to make is that security protocols may be applied at multiple layers on a particular leg of a communication path.
    This has nothing to do with IoT context.
    
    [Hannes] But it was a good example because back then I was also the only one voicing concerns about the large number of security options we provide in the IoT space. It seems that you agree with me in the meanwhile. More options does not necessarily lead to better interoperability.
    
[GS] I did not make any statement about the use of IPsec for IoT. I just wanted to explain the analogy.

Göran

v2.23.0 | Report a Bug | By Email