Re: [Tcpcrypt] v3 of the charter
Joe Touch <touch@isi.edu> Wed, 30 April 2014 15:28 UTC
Return-Path: <touch@isi.edu>
X-Original-To: tcpcrypt@ietfa.amsl.com
Delivered-To: tcpcrypt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 788FF1A6FC8 for <tcpcrypt@ietfa.amsl.com>; Wed, 30 Apr 2014 08:28:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level:
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y6WQP4gz7zVr for <tcpcrypt@ietfa.amsl.com>; Wed, 30 Apr 2014 08:28:46 -0700 (PDT)
Received: from darkstar.isi.edu (darkstar.isi.edu [128.9.128.127]) by ietfa.amsl.com (Postfix) with ESMTP id D853C1A091F for <tcpcrypt@ietf.org>; Wed, 30 Apr 2014 08:28:46 -0700 (PDT)
Received: from [192.168.1.93] (pool-71-105-87-112.lsanca.dsl-w.verizon.net [71.105.87.112]) (authenticated bits=0) by darkstar.isi.edu (8.13.8/8.13.8) with ESMTP id s3UFSGG3018873 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 30 Apr 2014 08:28:19 -0700 (PDT)
Message-ID: <53611690.4040008@isi.edu>
Date: Wed, 30 Apr 2014 08:28:16 -0700
From: Joe Touch <touch@isi.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: David Mazieres expires 2014-07-29 CEST <mazieres-n37rkn7y8d5xpuk5sgvuvmuzki@temporary-address.scs.stanford.edu>, marcelo bagnulo braun <marcelo@it.uc3m.es>, tcpcrypt@ietf.org
References: <536099A0.30900@it.uc3m.es> <8738gv5e67.fsf@ta.scs.stanford.edu>
In-Reply-To: <8738gv5e67.fsf@ta.scs.stanford.edu>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpcrypt/CRBExdrlTxzuK5bKXcCmV6zczJk
Subject: Re: [Tcpcrypt] v3 of the charter
X-BeenThere: tcpcrypt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpcrypt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpcrypt/>
List-Post: <mailto:tcpcrypt@ietf.org>
List-Help: <mailto:tcpcrypt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Apr 2014 15:28:51 -0000
On 4/30/2014 3:01 AM, David Mazieres wrote: > marcelo bagnulo braun <marcelo@it.uc3m.es> writes: ... > Saying "The protocol must have acceptable performance" is superfluous. > By definition performance must be acceptable or we won't accept it, > unless you want to invite a debate on what is and is not acceptable > performance, which would then bifurcate into setup cost/latency and > per-byte/packet overhead. > > How about, "In order to minimize connection latency, the protocol may > amortize the cost of public key operations over multiple connections > between the same pair of hosts." The protocol may do a lot of things; I don't think we should require this, necessarily - for the reason I already posted (configuration coordination complexity). The text Marcelo proposed, IMO, left it open as to whether amortization was needed vs. the cost. ... >> Makes sense. Suggest to express it this way, e.g., "the protocol extension >> must not increase the possibility for endpoint fingerprinting compared to what >> is possible already". > > seem problematic to me. The very fact that you are enabling a new TCP > extension is going to increase the ability to fingerprint (vs. hosts > that have not deployed TCP Inc. yet). > > I think the right thing to do is for the informational RFC to suggest > APIs allowing hosts to be "virtualized" in some way, so that a single > physical host actively opening TCP connections through a NAT can appear > the same as an arbitrary number of hosts, subject to existing TCP > fingerprinting techniques and the fact that TCP Inc. is installed. But > I'm wary of trying to specify that in the charter. Me too, esp. because that's a completely new capability that hasn't been demonstrated for non-secure TCP. > Would it be possible to drop the requirement in favor of something more > open-ended to the effect that consideration should be given to the > anonymity of hosts that change IP addresses or reside behind NATs? Again, IMO, that's getting too specific. I think the charter as-is is enough to proceed with a few possible approaches. Joe
- Re: [Tcpcrypt] v3 of the charter David Mazieres
- Re: [Tcpcrypt] v3 of the charter Daniel Kahn Gillmor
- Re: [Tcpcrypt] v3 of the charter Joe Touch
- Re: [Tcpcrypt] v3 of the charter Joe Touch
- Re: [Tcpcrypt] v3 of the charter Daniel Kahn Gillmor
- Re: [Tcpcrypt] v3 of the charter Joe Touch
- [Tcpcrypt] v3 of the charter marcelo bagnulo braun
- Re: [Tcpcrypt] v3 of the charter Eggert, Lars
- Re: [Tcpcrypt] v3 of the charter Eggert, Lars
- Re: [Tcpcrypt] v3 of the charter marcelo bagnulo braun
- Re: [Tcpcrypt] v3 of the charter Eggert, Lars
- Re: [Tcpcrypt] v3 of the charter Stephen Farrell
- Re: [Tcpcrypt] v3 of the charter marcelo bagnulo braun
- Re: [Tcpcrypt] v3 of the charter Daniel Kahn Gillmor
- Re: [Tcpcrypt] v3 of the charter Joe Touch
- Re: [Tcpcrypt] v3 of the charter Daniel Kahn Gillmor
- Re: [Tcpcrypt] v3 of the charter Joe Touch
- Re: [Tcpcrypt] v3 of the charter Daniel Kahn Gillmor
- Re: [Tcpcrypt] v3 of the charter Daniel Kahn Gillmor
- Re: [Tcpcrypt] v3 of the charter Joe Touch
- Re: [Tcpcrypt] v3 of the charter ianG
- Re: [Tcpcrypt] v3 of the charter Joe Touch
- Re: [Tcpcrypt] v3 of the charter Tony Arcieri
- Re: [Tcpcrypt] v3 of the charter Joe Touch
- Re: [Tcpcrypt] v3 of the charter Tony Arcieri
- Re: [Tcpcrypt] v3 of the charter Joe Touch
- Re: [Tcpcrypt] v3 of the charter marcelo bagnulo braun
- Re: [Tcpcrypt] v3 of the charter David Mazieres
- Re: [Tcpcrypt] v3 of the charter marcelo bagnulo braun
- Re: [Tcpcrypt] v3 of the charter Joe Touch
- Re: [Tcpcrypt] v3 of the charter ianG
- Re: [Tcpcrypt] v3 of the charter Daniel Kahn Gillmor
- Re: [Tcpcrypt] v3 of the charter Christian Huitema
- Re: [Tcpcrypt] v3 of the charter marcelo bagnulo braun
- Re: [Tcpcrypt] v3 of the charter Erik Nygren
- Re: [Tcpcrypt] v3 of the charter David Mazieres