Re: [Taps] IETF last call comments on draft-ietf-taps-transport-security
"Philipp S. Tiesel" <phils@in-panik.de> Tue, 29 October 2019 12:35 UTC
Return-Path: <phils@in-panik.de>
X-Original-To: taps@ietfa.amsl.com
Delivered-To: taps@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5077120074; Tue, 29 Oct 2019 05:35:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9ajqWG-9k_U5; Tue, 29 Oct 2019 05:35:21 -0700 (PDT)
Received: from einhorn-mail.in-berlin.de (einhorn-mail.in-berlin.de [217.197.80.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67FCB1200F9; Tue, 29 Oct 2019 05:35:21 -0700 (PDT)
X-Envelope-From: phils@in-panik.de
Received: from x-berg.in-berlin.de (x-change.in-berlin.de [217.197.86.40]) by einhorn.in-berlin.de with ESMTPS id x9TCZGEI026078 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 29 Oct 2019 13:35:16 +0100
Received: from [217.7.22.35] (helo=c02z21drlvdm.dhcp.xxp.sap.corp) by x-berg.in-berlin.de with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from <phils@in-panik.de>) id 1iPQg5-0003hI-Rk; Tue, 29 Oct 2019 13:32:49 +0100
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3594.4.19\))
From: "Philipp S. Tiesel" <phils@in-panik.de>
In-Reply-To: <ce2ae5fafdd4a4971b65a903f8f1d2cb2b8db6d0.camel@ericsson.com>
Date: Tue, 29 Oct 2019 13:35:14 +0100
Cc: "draft-ietf-taps-transport-security.all@ietf.org" <draft-ietf-taps-transport-security.all@ietf.org>, Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <2EDC8909-135A-4E09-A245-EA680C0545CD@in-panik.de>
References: <ce2ae5fafdd4a4971b65a903f8f1d2cb2b8db6d0.camel@ericsson.com>
To: "taps@ietf.org" <taps@ietf.org>
X-Mailer: Apple Mail (2.3594.4.19)
Archived-At: <https://mailarchive.ietf.org/arch/msg/taps/9qh79Vjp33ptXfMHvYSHGV4g270>
Subject: Re: [Taps] IETF last call comments on draft-ietf-taps-transport-security
X-BeenThere: taps@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IETF Transport Services \(TAPS\) Working Group" <taps.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/taps>, <mailto:taps-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/taps/>
List-Post: <mailto:taps@ietf.org>
List-Help: <mailto:taps-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/taps>, <mailto:taps-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Oct 2019 12:35:23 -0000
Hi, as shepherd of the document and contributor to the WG, I am a little puzzled about the way this document got stalled after overall successful reviews. The major criticism I extracted from Eric's and Christian's reviews is neither new nor surprising, but maybe we should iterate them again to make the document more useful – especially for people that are generally skeptical towards TAPS' mission. Here are my thoghts on the major points of criticism: General skepticism towards TAPS: De-coupling the API contract from the actual transport used is an ambitious project. It is easy to state that this is not going to happen and that we can not fight (protocol) ossification, but this does not remove the need to evolve, it just shifts the responsibility towards the application developers. In the security domain, De-coupling the API contract from the actual security protocol may look like a bad idea at first glance, as every bad choice can lead to an additional attack vector, but this is only true under the assumption that all application developers are security experts. Using a "TAPS autopilot" for your applications' secure transport can never be as secure as a complete security design, but is certainly better than copy&paste from Stack Overflow. This holds especially when looking at the software lifecycle. The TLS library example from 2017 might still be acceptable today, but won't be in 2023. The decision made in the TAPS system can be changed with an OS update – the application code won't. The question is whether we must make this argument again and again or accept that this form of general criticism can only prove right or wrong over time. Security work outside of the Security area: This document is clearly in Security scope. We had not a real an alternative to writing this: • Excluding security protocols from TAPS makes the whole approach useless. • Asking the security area to write the document for us is not how the IETF works. As we have people with strong security background among the authors and in the group and asked for reviews from the Security area early on, I see not how we could have approached this need differently. What we can do is try to involve the Security area more than just asking for reviews: approach the Security area, have this presented in secdispatch, and ask for more input – Not sure if this will help. Mixed bag of things: This document is clearly two things: A survey of security protocols and a description of the security-related transport features they provide we need as input in the API and implementation documents. As the document is still of an acceptable size, we had a WG consensus that this is acceptable. When reading EKR's review, I am not sure whether this was a good decision. Having a clear separation of a survey and MINSET-like feature document, like we did with RFC 8303 + RFC 8304 and MINSET, would make the survey much cleaner and the feature document better digestible, especially for people who are skeptical towards the general TAPS idea. I think none of these are a reason to abandon the document, but things we should briefly discuss here and now. Afterwards, we should use the meeting in Singapore to coordinate the action items resulting from this discussion. AVE! Philipp S. Tiesel > On 24. Oct 2019, at 10:06, Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org> wrote: > > Authors and WG, > > Considering the IETF last call comments by Eric Rescorla and Christian Huitema I > would like to see discussion on the points they bring up. I can understand that > addressing this fully could be a very significant change to the document. > > I do see the point they are bringing up about the architectural view of how the > protocols are used. I get the impression that TAPS does have a small set of > viable security architectures and the choices do affect properties seen from the > TAPS API level. Also there are details beyond the properties that gets affected > by the layering of security and transport mechanisms and what implementation > parts you have to trust for the security properties. So discussion of these > aspects may be needed. > > So please discuss how these are addressed. > > Cheers > > Magnus Westerlund -- Philipp S. Tiesel https://philipp.tiesel.net/
- [Taps] IETF last call comments on draft-ietf-taps… Magnus Westerlund
- Re: [Taps] IETF last call comments on draft-ietf-… Philipp S. Tiesel