Re: [Tcpcrypt] Initial questions
Joe Touch <touch@isi.edu> Thu, 19 June 2014 17:56 UTC
Return-Path: <touch@isi.edu>
X-Original-To: tcpcrypt@ietfa.amsl.com
Delivered-To: tcpcrypt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A33E1A0294 for <tcpcrypt@ietfa.amsl.com>; Thu, 19 Jun 2014 10:56:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.851
X-Spam-Level:
X-Spam-Status: No, score=-4.851 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CSiloJj8cHoB for <tcpcrypt@ietfa.amsl.com>; Thu, 19 Jun 2014 10:56:18 -0700 (PDT)
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 331A71A0083 for <tcpcrypt@ietf.org>; Thu, 19 Jun 2014 10:56:18 -0700 (PDT)
Received: from [128.9.160.81] (nib.isi.edu [128.9.160.81]) (authenticated bits=0) by boreas.isi.edu (8.13.8/8.13.8) with ESMTP id s5JHtsOv026625 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Thu, 19 Jun 2014 10:55:54 -0700 (PDT)
Message-ID: <53A3242E.7020106@isi.edu>
Date: Thu, 19 Jun 2014 10:55:58 -0700
From: Joe Touch <touch@isi.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: ianG <iang@iang.org>, tcpcrypt@ietf.org
References: <CACXcFmmQCgTu6-QLJZdH8Q+ZST97ugoTaUWCUV0S6AWsjvCGfg@mail.gmail.com> <53A2066A.4090802@isi.edu> <53A2BF69.3040001@iang.org>
In-Reply-To: <53A2BF69.3040001@iang.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpcrypt/HP-FGQIfGBNfiG3KTBzKum4ZMEI
Subject: Re: [Tcpcrypt] Initial questions
X-BeenThere: tcpcrypt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpcrypt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpcrypt/>
List-Post: <mailto:tcpcrypt@ietf.org>
List-Help: <mailto:tcpcrypt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jun 2014 17:56:19 -0000
On 6/19/2014 3:46 AM, ianG wrote: > On 18/06/2014 22:36 pm, Joe Touch wrote: >> Comments on your other points: >> >> On 6/18/2014 2:15 PM, Sandy Harris wrote: >> >> As to the specific algorithms and how many, we probably all agree that a >> small number of required algorithms is preferable. I think 2 is a good >> upper bound on the MUST algorithms, though. > > Actually, no. I for one disagree. There should be one true cipher > suite [0]. If you have only one, then if (or when) you urgently decide it's vulnerable and want an alternate you need to wait for deployment of an update (e.g., as happened to TCP MD5). That will undermine the utility of a solution. That's why TCP-AO included two 'must implement' algorithms from the start, and why it's important to do so here as well. Joe
- [Tcpcrypt] Initial questions Sandy Harris
- Re: [Tcpcrypt] Initial questions Tony Arcieri
- Re: [Tcpcrypt] Initial questions Joe Touch
- Re: [Tcpcrypt] Initial questions Joe Touch
- Re: [Tcpcrypt] Initial questions marcelo bagnulo braun
- Re: [Tcpcrypt] Initial questions marcelo bagnulo braun
- Re: [Tcpcrypt] Initial questions ianG
- Re: [Tcpcrypt] Initial questions ianG
- Re: [Tcpcrypt] Initial questions ianG
- Re: [Tcpcrypt] Initial questions Joe Touch
- Re: [Tcpcrypt] Initial questions ianG
- Re: [Tcpcrypt] Initial questions Joe Touch
- Re: [Tcpcrypt] Initial questions ianG
- Re: [Tcpcrypt] Initial questions Joe Touch
- Re: [Tcpcrypt] Initial questions Tony Arcieri
- Re: [Tcpcrypt] Initial questions Derek Fawcus
- Re: [Tcpcrypt] Initial questions Derek Fawcus
- Re: [Tcpcrypt] Initial questions Joe Touch
- Re: [Tcpcrypt] Initial questions Stephen Kent
- Re: [Tcpcrypt] Initial questions Joe Touch
- Re: [Tcpcrypt] Initial questions ianG
- Re: [Tcpcrypt] Initial questions Sandy Harris
- Re: [Tcpcrypt] Initial questions Joe Touch
- Re: [Tcpcrypt] Initial questions Stephen Farrell
- Re: [Tcpcrypt] Initial questions Stephen Farrell
- Re: [Tcpcrypt] Initial questions Tero Kivinen