Re: [Spud] Declarations: Authentication and encryption
"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Thu, 05 March 2015 17:16 UTC
Return-Path: <tireddy@cisco.com>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 357CF1A1BB8 for <spud@ietfa.amsl.com>; Thu, 5 Mar 2015 09:16:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CkVi2LsDp216 for <spud@ietfa.amsl.com>; Thu, 5 Mar 2015 09:16:32 -0800 (PST)
Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 031971A1BCE for <spud@ietf.org>; Thu, 5 Mar 2015 09:11:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6865; q=dns/txt; s=iport; t=1425575512; x=1426785112; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=dNQeNnGKpUfH3M4gdaooHAG8EjWLbQlh7yp35nacqyQ=; b=bzq99IiCQuQVTi1rCGmYupxgn+jG2ny6GbLsv2Grcxn7OYbuBM4h/uU5 d1a4lC6iQuwlwRVb/hXfOXANyEyLN19Mc6LpooZg+Qcspa7LVu/maRSk4 71+mNHwBDrEgp2Peyvs0bDRgmQck3S/lJXQKp40CsCY5cfbs/KKWY0Kqh A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CrBwAXjfhU/51dJa1RCYJDQ1JaBL5+PIF6hXACgThNAQEBAQEBfIQPAQEBBC1FFwIBCBEEAQELHQcyFAkIAQEEARIIiCcN2BQBAQEBAQEBAQEBAQEBAQEBAQEBAQEXixeEEyo3AYMXgRQFkAeDY4c9khwjg25vgUR/AQEB
X-IronPort-AV: E=Sophos;i="5.11,348,1422921600"; d="scan'208,217";a="129274581"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by alln-iport-6.cisco.com with ESMTP; 05 Mar 2015 17:11:50 +0000
Received: from xhc-aln-x15.cisco.com (xhc-aln-x15.cisco.com [173.36.12.89]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id t25HBotu004956 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 5 Mar 2015 17:11:50 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.156]) by xhc-aln-x15.cisco.com ([173.36.12.89]) with mapi id 14.03.0195.001; Thu, 5 Mar 2015 11:11:50 -0600
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Szilveszter Nadas <Szilveszter.Nadas@ericsson.com>, "spud@ietf.org" <spud@ietf.org>
Thread-Topic: Declarations: Authentication and encryption
Thread-Index: AdBXY2MAP8c8eV5hRTutLmFxuvIZQgAAzXLA
Date: Thu, 05 Mar 2015 17:11:49 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A366AFBD3@xmb-rcd-x10.cisco.com>
References: <EA4C43BE752A194597B002779DF69BAE23C9FBE5@ESESSMB303.ericsson.se>
In-Reply-To: <EA4C43BE752A194597B002779DF69BAE23C9FBE5@ESESSMB303.ericsson.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.73.245]
Content-Type: multipart/alternative; boundary="_000_913383AAA69FF945B8F946018B75898A366AFBD3xmbrcdx10ciscoc_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/Fg8zxl2tZwQ3Xr7XhKrb9KuzC5E>
Subject: Re: [Spud] Declarations: Authentication and encryption
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2015 17:16:34 -0000
I think authentication is important to prevent MIM from modifying the SPUD packets. http://tools.ietf.org/html/draft-ietf-pcp-authentication-02 discusses authentication mechanism b/w the endpoint and PCP-aware firewall; the transport key derived from authentication can be used to generate authentication tag for the SPUD packet. -Tiru From: Spud [mailto:spud-bounces@ietf.org] On Behalf Of Szilveszter Nadas Sent: Thursday, March 05, 2015 10:26 PM To: spud@ietf.org Subject: [Spud] Declarations: Authentication and encryption Hi, I am aware that security is not the main scope at the moment, but still I am interested about opinions about this. The principle of declarations is to "trust but verify". I think still authentication can help this trust quite much. If the two points communicating have some relationship or history and have a proof about their identity a more "brave" trust can be the default behavior. Verification of declarations can still happen. Also authentication can be verified by the middlebox, even after choosing appropriate actions based on the content of the declarations so not delaying the flow and deceisons. The other thing is that I see the privacy of both endhosts and of middleboxes important. Middleboxes might not want to allow others (e.g. other middleboxes) to collect data about their answers as these are partly consequences of business decisions. Endpoints might have similar concerns. Encryption can easily solve this. In summary what do you think about authentication and encryption of declarations? Cheers, Szilveszter
- [Spud] Declarations: Authentication and encryption Szilveszter Nadas
- Re: [Spud] Declarations: Authentication and encry… Tirumaleswar Reddy (tireddy)
- Re: [Spud] Declarations: Authentication and encry… Joe Hildebrand (jhildebr)