IETF Logo Mail Archive

Re: [Tcpcrypt] New version of the charter text

marcelo bagnulo braun <marcelo@it.uc3m.es> Sun, 27 April 2014 20:43 UTC

Return-Path: <marcelo@it.uc3m.es>
X-Original-To: tcpcrypt@ietfa.amsl.com
Delivered-To: tcpcrypt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1349C1A07A7 for <tcpcrypt@ietfa.amsl.com>; Sun, 27 Apr 2014 13:43:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.852
X-Spam-Level:
X-Spam-Status: No, score=-104.852 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KnztrSlwJJFF for <tcpcrypt@ietfa.amsl.com>; Sun, 27 Apr 2014 13:43:31 -0700 (PDT)
Received: from smtp03.uc3m.es (smtp03.uc3m.es [163.117.176.133]) by ietfa.amsl.com (Postfix) with ESMTP id D25351A07A2 for <tcpcrypt@ietf.org>; Sun, 27 Apr 2014 13:43:30 -0700 (PDT)
Received: from smtp03.uc3m.es (localhost [127.0.0.1]) by localhost.uc3m.es (Postfix) with ESMTP id AB7699D71BC for <tcpcrypt@ietf.org>; Sun, 27 Apr 2014 22:43:29 +0200 (CEST)
X-uc3m-safe: yes
X-uc3m-safe: yes
Received: from [10.0.1.2] (232.174.78.188.dynamic.jazztel.es [188.78.174.232]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: marcelo@smtp03.uc3m.es) by smtp03.uc3m.es (Postfix) with ESMTPSA id 6316B9C49F8 for <tcpcrypt@ietf.org>; Sun, 27 Apr 2014 22:43:29 +0200 (CEST)
Message-ID: <535D6BF2.6040304@it.uc3m.es>
Date: Sun, 27 Apr 2014 22:43:30 +0200
From: marcelo bagnulo braun <marcelo@it.uc3m.es>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: tcpcrypt@ietf.org
References: <53576572.5030805@it.uc3m.es> <535D636D.8050108@iang.org>
In-Reply-To: <535D636D.8050108@iang.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
X-TM-AS-Product-Ver: IMSS-7.1.0.1224-7.5.0.1017-20660.002
X-TM-AS-Result: No--25.901-7.0-31-1
X-imss-scan-details: No--25.901-7.0-31-1
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpcrypt/1dRxPRMbJHy2QN8hZtbvDHdYhLk
Subject: Re: [Tcpcrypt] New version of the charter text
X-BeenThere: tcpcrypt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpcrypt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpcrypt/>
List-Post: <mailto:tcpcrypt@ietf.org>
List-Help: <mailto:tcpcrypt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Apr 2014 20:43:35 -0000

thanks for the comments, replies below...


El 27/04/14 22:07, ianG escribió:
> Hi Marcelo
>
> On 23/04/2014 08:02 am, marcelo bagnulo braun wrote:
>> Hi,
>>
>> Thanks for the lively discussion on the charter text.
>> I attach a new version of the charter trying to include the received
>> comments.
>> I have tried to be carefull using the should and the must, so please
>> look into those.
>
> As this is a charter, I'm not sure MUST is appropriate with every thing
> we want.
>

I dont follow.
It is perfectly appropriate to have musts in the charter.
>> I tried to reflect the different levels of requirements for the
>> resulting protocol.
>> As usual comments are welcome.
>>
>>
>>
>> TCP Increased Security (TCP Inc.)
>>
>> The TCP Inc. WG will develop the TCP extensions to provide unauthenticated
>> encryption and integrity protection of TCP streams. The WG will define the
>> TCP extensions to perform an unauthenticated key exchange resulting in
>> encryption
>> without authentication.  This is better than plain-text because it thwarts
>> passive eavesdropping, but is weaker than using authenticated keys,
>> because it
>> is vulnerable to man-in-the-middle attacks.  This work is part of the IETF
>> effort to harness the Internet architecture given the latest events of
>> pervasive
>> monitoring (see draft-farrell-perpass-attack).
>>
>> The working group is looking to produce experimental documents
>> specifying the
>> required TCP extensions and any additional informational documents needed.
>
> It would be nice to have something about goals here.  Something like:
>
> We are looking for the designs that find the sweet spot between
> conflicting requirements:  to provide reasonable security for the
> majority of connections.  Because we are dealing with unprotected
> connections, we are more focussed on improving from baseline of no
> security than achieving the high standard of security that is already
> available to users of TLS.
>
sounds good to me

>> The high-level requirements for the protocol for providing TCP
>> unauthenticated
>> encryption and integrity protection are:
>>
>> - Deployable and usable without significant changes to existing Internet
>>    infrastructure, in particular it must be compatible with NATs (at the
>>    very minimum with the NATs that comply with BEHAVE requirements as
>> documented
>>    in RFC4787, RFC5382 and RFC5508);
>>
>> - The protocol must be usable by unmodified applications.  This effort
>> is complementary
>>    to other security protocols developed in the IETF (such as TLS) as it
>> protects
>>    those applications and protocols that are difficult to change or may
>> even not
>>    be changed in a backward compatible way.  It also provides some
>> protection in
>>    scenarios where people are unwilling to do any change just for the
>> sake of
>>    security (e.g., like configure encryption in an application).
>>
>> - When encryption is enabled, it must at least provide protection against
>>    passive eavesdropping by default,
>
> So, in the above, we see the "When encryption is enabled," which is
> repeated through out.  I would suggest this immediate above para be
> swapped with the below para, as then the flowchart is more clear.  Then,
> that phrase be dropped because it is an implementation detail.
>
> Like this:
>
>
> - If encryption cannot be achieved, must gracefully fall-back to TCP.
>
> - Elsewise, must at least provide protection against passive
> eavesdropping by default,
>
> - must ...
>

In the first version of the charter it was not explict that these things 
were required when encryption is enabled, and i received several 
comments about it, so i made it explicit. I think it is more imprtnat 
for the charter to be clear than to read nicely, so i think we should 
keep it.

>> - Must gracefully fall-back to TCP if the remote peer does not support the
>>    proposed extensions
>>
>> - When encryption is enabled, it must always provide forward secrecy.
>>
>> - When encryption is enabled, it must always provide integrity
>> protection of the
>>    payload data (it is open for discussion for the WG if the TCP header
>> should or
>>    not be protected)
>>
>> - When encryption is enabled, it must always provide payload encryption.
>>
>> - Should attempt to use the least amount of TCP option space.
>
> All of those above, and some below, are the sort of thing that any
> protocol is going to aim for anyway.  They could be simply collapsed
> into something like:
>
> - should provide the best mix possible of the following features:
>     - forward and backward secrecy
>     - encryption and integrity protection over the payload
>     - most efficient use of the TCP option space
>     - efficient performance, including restart using previously exchanged
> keys
>     - minimise scope for linkability and fingerprinting
>     - synergies with other aspects such as multipath and fast open.

mmm, but the problem si that you are not making distinctions between 
thing we want to be mandatory (encryption) and other things that we 
would like but it is not clear how much we will achieve (like efficient 
use of option space ). To make a very silly example, if we dont do 
encryption, we do a very optimal use of the option space, but that is 
not what we want.

> Otherwise you're sort of teaching grandma to suck eggs, which is right
> to do in a WG but not in the charter... ;)
>
>
>> - Must not require any authentication or configuration from
>>    applications or users.  However, hooks for external authentication
>> must be
>>    made available.  The WG will not work on new authentication mechanisms.
>>
>> - The protocol must have acceptable performance.  For example, the
>> protocol may
>>    try to re-use existing cryptographic material for future communication
>> between the
>>    same endpoints to avoid expensive public key operations on connection
>> set up.
>>
>> - Hooks for allowing upper layers to disable encryption must be made
>> available.
>>    The protocol may try to avoid redundant encryption when it is possible
>> e.g.
>>    by detecting encryption performed by upper layers (notably, when TLS
>> is used).
>
> Disagree.  The protocol may have it in there (sad!), and devs will have
> this in their code for development phase, but mandating it is just
> opening a can of worms.  Especially in the charter.

You think this should be a should?

Regards, marcelo


>> - No extra linkability: when encryption is enabled the TCP traffic
>> should not
>>    give a third party observer any extra way to associate those packets
>> with the
>>    specific peers beyond information that would have been present in a
>> cleartext session.
>>
>> - Client fingerprinting: some clients may want to avoid appearing as the
>> same
>>    client when connecting to a remote peer on subsequent occasions.  This
>> should either
>>    be the default (clients cannot be "fingerprinted" by the server based
>> on shared state)
>>    or some mechanism should be available for clients to drop or ignore
>> shared state to avoid
>>    being fingerprintable.
>>
>> Security features at the TCP-level can benefit other TCP extensions.  For
>> example, both Multipath TCP and TCP Fast Open require proof that some
>> connections are
>> related.  Session resumption and Message Authentication Codes (MACs) can
>> provide
>> this evidence.  The working group should identify synergies and design the
>> security protocol in such a way that other TCP efforts can benefit from
>> it.  Of
>> course, TCP extensions that break must be identified too, and kept to a
>> minimum.
>>
>> The working group will produce the following documents:
>>
>> - A framework for unauthenticated encryption and integrity protection of
>> TCP connections.
>> This document will describe basic design considerations, including the
>> motivation and the
>> applicability of the proposed mechanism, the interaction with other
>> security mechanisms in
>> different layers of the stack, the interaction with external
>> authentication mechanisms, the
>> expected protection, privacy considerations and residual threats.
>>
>> - Extensions to current TCP to support unauthenticated key exchange and
>> encryption and
>> integrity protection. This covers all the protocol changes required.
>> This will be a
>> experimental document.
>>
>> - An extended API describing how applications can obtain further
>> benefits of the
>> proposed extensions. In particular, the hooks for supporting external
>> authentication
>> will be defined in this document and the hooks for disabling encryption.
>> This will be an informational document.
>
>
> some thoughts.
>
> iang
>
> _______________________________________________
> Tcpcrypt mailing list
> Tcpcrypt@ietf.org
> https://www.ietf.org/mailman/listinfo/tcpcrypt
>

v2.23.0 | Report a Bug | By Email