Re: [Tcpcrypt] Initial questions

Tony Arcieri <bascule@gmail.com> Sat, 21 June 2014 02:33 UTC

From: Tony Arcieri <bascule@gmail.com>
Date: Fri, 20 Jun 2014 19:33:17 -0700
To: Joe Touch <touch@isi.edu>
Cc: "tcpcrypt@ietf.org" <tcpcrypt@ietf.org>, ianG <iang@iang.org>
Subject: Re: [Tcpcrypt] Initial questions
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpcrypt/3FCe-0VBgoqXHyD1qmYq0g-4bZg

On Thu, Jun 19, 2014 at 10:55 AM, Joe Touch <touch@isi.edu> wrote:

> If you have only one, then if (or when) you urgently decide it's
> vulnerable and want an alternate you need to wait for deployment of an
> update (e.g., as happened to TCP MD5). That will undermine the utility of a
> solution.
>

Hey Joe,

Perhaps you should pay attention to 2014, and not look at things through a
historical glass, darkly.

In case you haven't been paying attention, vulnerabilities have been
accelerating at something of an exponential rate, and pretty much
everything that hasn't happened in 2014 is practically irrelevant at this
point.

Cipher agility is clearly not the problem. Implementation vulnerabilities
are the problem. In fact, the rate at which cipher vulnerabilities have
been discovered is practically glacial at this point.

Things have gotten a lot more complicated since MD5 was even a hash function
anyone with a clue would use for any reason whatsoever. Perhaps you should
stop referencing anything that has anything to do with MD5, period. It's
not germane to the discussion of any modern protocol, except perhaps if you
want to discuss historical failures.

-- 
Tony Arcieri