IETF Logo Mail Archive

[Tcpcrypt] Initial questions

Sandy Harris <sandyinchina@gmail.com> Wed, 18 June 2014 21:15 UTC

Return-Path: <sandyinchina@gmail.com>
X-Original-To: tcpcrypt@ietfa.amsl.com
Delivered-To: tcpcrypt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DCFB1A0195 for <tcpcrypt@ietfa.amsl.com>; Wed, 18 Jun 2014 14:15:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_64=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g9W1BCaDHG_X for <tcpcrypt@ietfa.amsl.com>; Wed, 18 Jun 2014 14:15:07 -0700 (PDT)
Received: from mail-vc0-x236.google.com (mail-vc0-x236.google.com [IPv6:2607:f8b0:400c:c03::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BD3E1A0314 for <tcpcrypt@ietf.org>; Wed, 18 Jun 2014 14:15:07 -0700 (PDT)
Received: by mail-vc0-f182.google.com with SMTP id il7so1386602vcb.41 for <tcpcrypt@ietf.org>; Wed, 18 Jun 2014 14:15:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=W6OIBqEwgTPKZUT9LYy52Z0hTl6Hhg2JZd+LiRaJktw=; b=WuQSOoz7Q3/nvkBdokXeYzCCBQKi24TM9h8eYvu84HlL2f7nDa7W7n8sz4b7lxoReS QqdZpg+Vgc7Hfpm5RO0KZ+APaAih7vDPA/oc0PuWmm095XqSID6jpz9yh3AzJ/cmwU3n MLjUb+ZMq1l55fI8HK9Z47GfuOS/YGEEMbZYXc2zvEZvTfb+1fii+DIujEn75f3EnG1L uIiC4wYQvQ3Di4irLpTgt2YEv/SSNO82eFhhpnc6PfQphBKgE9F3b0XtQeCX+L1zw4XI DgGXJ+CgZYSESrNaxyi34j5cmvtrB8ciGiKQZxb07giPLoEcpTbg3ENeu/7TDveMBOoT IKHA==
MIME-Version: 1.0
X-Received: by 10.52.29.236 with SMTP id n12mr327284vdh.38.1403126106337; Wed, 18 Jun 2014 14:15:06 -0700 (PDT)
Received: by 10.58.235.34 with HTTP; Wed, 18 Jun 2014 14:15:06 -0700 (PDT)
Date: Wed, 18 Jun 2014 17:15:06 -0400
Message-ID: <CACXcFmmQCgTu6-QLJZdH8Q+ZST97ugoTaUWCUV0S6AWsjvCGfg@mail.gmail.com>
From: Sandy Harris <sandyinchina@gmail.com>
To: tcpcrypt@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpcrypt/6OgjfhX8CzDu-51ThS3VESU_1nA
Subject: [Tcpcrypt] Initial questions
X-BeenThere: tcpcrypt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpcrypt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpcrypt/>
List-Post: <mailto:tcpcrypt@ietf.org>
List-Help: <mailto:tcpcrypt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jun 2014 21:15:09 -0000

This is basically a fine idea & I'm glad to see people working on it.

Some comments in the archive had me somewhat worried, and the current
draft charter has the following:

- When encryption is enabled, it must at least provide protection against
  passive eavesdropping by default,
...
When encryption is enabled, then the protocol:
- must always provide forward secrecy.
- must always provide integrity protection of the payload data ...
- must always provide payload encryption.

Why on Earth do these have "When encryption is enabled"? As others
have said quite eloquently in various posts, there is no reason at all
to even consider a null encryption mode; anyone who needs that can
just fall back to TCP.

I'd go further. At a bare minimum, reject the insecure things
FreeS/WAN refused to do 15 years ago even though they were in the
IPsec RFCs -- single DES, small DH groups and null encryption.
http://www.freeswan.org/freeswan_trees/freeswan-2.06/doc/compat.html#dropped

Probably today we should go much further. No MD5 or SHA1 since there
are known problems. No 3DES since newer ciphers are far faster. No
reliance on the whole X.509 cert infrastructure SLL/TLS uses; that
also has known problems. I'm not sure what else.

The draft charter also has:

- The protocol must provide cryptographic algorithm agility.

OK, but there is a balance to be struck. IPsec & TLS both have
problems from arguably excessive complexity and in general complexity
is the enemy of security. It makes all of design, implementation,
testing & auditing much harder. TCPcrypt has a rather narrow niche to
fill; that can be done with a fairly simple protocol. We really must
strive to keep it simple.

Here's a first cut at what we might support:

Block ciphers: MUST do AES. SHOULD do the other three AES finalists
with open licenses: Mars, Twofish & Serpent. MAY do compatible ciphers
which are national standards: Aria for Korea, Camellia for Japan,
maybe others. Nothing else.

Overhead for those is minimal since they all have same block size as
AES and same range of key sizes, so they are drop-in replacements.
Also, all the AES candidates and Aria have readily available open
source code; I have not checked for Camellia.

Key size? I'd mandate 128 bits everywhere to keep it simple.

Authentication: The draft has:

- must always provide integrity protection of the payload data (it is open for
  discussion for the WG if the TCP header should or not be protected)

AEAD (authenticated encryption with additional data) algorithms have
partly replaced the cipher+HMAC combination in both IPsec and TLS.
They are often faster, and the "additional data" feature would let us
protect the TCP header at negligible extra cost. I'd say they are
obviously what we should use.

I'd just take two with existing RFCs -- AES-GCM RFC 5288 and OCB RFC
7253 --  and make them both MUST. Leave HMAC out to keep it simple.

The draft also has:

- Must gracefully fall-back to TCP if the remote peer does not support the
  proposed extensions

Aren't there a set of policy questions there? Some users might prefer
to drop the connection rather than communicate insecurely. Perhaps
they need a mechansim to set policy, globally and/or on a
per-connection basis. FreeS/WAN had something like this for IPsec over
a decade ago:
http://www.freeswan.org/freeswan_trees/freeswan-2.06/doc/policygroups.html

At an absolute minimum, I think there must be a requirement that any
fallback action is logged.

Another question is whether we could achieve the goals of this group
with almost no work just by deploying existing stuff.

The now-closed BTNS working group did RFCs 5386 & 5387 on "Better than
nothing security", which they implemented as an unauthenticated mode
for IPsec. That sounds much like what we are aiming at. Can we just
work on getting BTNS deployed, thereby protecting both TCP and other
protocols?

The draft has:

- Must not require any authentication or configuration from
applications or users. However, hooks for external authentication must
be made available.

RFC 4322 describes an authentication mechansim for IPsec opportunistic
encryption using keys stored in DNS. Could we make that the external
hook and fall back to BTNS if the right record is not found?

Even if we choose to avoid the complexity of IPsec and design
something specifically for TCP instead of just using BTNS, the idea of
using DNS for keys may be useful. I do not know details, but it looks
as though the DANE working group is doing this sort of thing:
https://datatracker.ietf.org/wg/dane/

v2.23.0 | Report a Bug | By Email