IETF Logo Mail Archive

Re: [Tcpcrypt] Initial questions

Tero Kivinen <kivinen@iki.fi> Fri, 27 June 2014 12:37 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: tcpcrypt@ietfa.amsl.com
Delivered-To: tcpcrypt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 484281B2B35 for <tcpcrypt@ietfa.amsl.com>; Fri, 27 Jun 2014 05:37:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.928
X-Spam-Level:
X-Spam-Status: No, score=0.928 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RP_MATCHES_RCVD=-0.651, SPF_NEUTRAL=0.779] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2ws2lBIApUBL for <tcpcrypt@ietfa.amsl.com>; Fri, 27 Jun 2014 05:37:48 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E88B1B2AB5 for <tcpcrypt@ietf.org>; Fri, 27 Jun 2014 05:37:48 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.8/8.14.8) with ESMTP id s5RCbXEC000669 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 27 Jun 2014 15:37:33 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.8/8.14.8/Submit) id s5RCbXwR001513; Fri, 27 Jun 2014 15:37:33 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <21421.25997.54400.11141@fireball.kivinen.iki.fi>
Date: Fri, 27 Jun 2014 15:37:33 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: ianG <iang@iang.org>
In-Reply-To: <53A9CF27.9040600@iang.org>
References: <CACXcFmmQCgTu6-QLJZdH8Q+ZST97ugoTaUWCUV0S6AWsjvCGfg@mail.gmail.com> <53A98F00.4000702@bbn.com> <53A9CF27.9040600@iang.org>
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 13 min
X-Total-Time: 12 min
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpcrypt/Knx7n472Z6uW5hyt2BFaoHs-Im0
Cc: tcpcrypt@ietf.org, Stephen Kent <kent@bbn.com>
Subject: Re: [Tcpcrypt] Initial questions
X-BeenThere: tcpcrypt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpcrypt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpcrypt/>
List-Post: <mailto:tcpcrypt@ietf.org>
List-Help: <mailto:tcpcrypt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jun 2014 12:37:51 -0000

ianG writes:
> > I can say that failure to accommodate alg agility will almost
> > certainly cause the IESG to reject this as a standard, based on
> > precedents for some time.
> 
> Interesting point!  Probably worth reaching out to those folk and asking
> whether they are serious about enforced alg agility.

I at least think that we do need algorithm agility. We do not need to
deploy multiple algorithms, but we need option to be able to implement
multiple algorithms and select common one between peers. 

> And why they care so much in the context of TCPcrypt, which is
> opportunistic anyway, and as such provides not much of a guarantee.

To provide upgrade path. 

> > recall that AES has 256-bit keys as an option as a counter to possible
> > quantum computing attacks. Why rule out that option?
> 
> Because this is TCPcrypt.  The enemy is the unavailability of any
> encryption at at all, not the QC bogeyman.
> 
> If we deploy TCPcrypt to 99% of all nodes, and they're all vulnerable to
> QC, we still win.
> 
> (Because, to spell it out, we can always upgrade later on when the
> bogeyman starts deploying QC in the mega-scale, and meanwhile we won
> against everyone else.)

So you seem to prefer algorithm agility yourself, by saying "we can
always upgrade later". To be able to upgrade later do require
algorithm agility.

When we need to do upgrade that will take YEARS, or DECADES, as we
need to update every single implementation in the world. This means
that upgrade is never done completely, there will most likely always
be old devices which have not been updated, thus future devices need
to be able to talk to old and new devices both, thus requiring
algorithm agility.

IKEv1 was obsoleted 2005 and replaced with IKEv2. Still lots of
implementations only support IKEv1, even when it is quite broken (and
I know Dan will disagree with me about this, but in my personal
opinion IKEv1 is quite broken, there is no point of arguing it here,
IKEv2 is much better protocol), and even those which support IKEv1 and
IKEv2 still use IKEv1 as default because the IKEv1 didn't have good
enough algorithm agility, i.e. there was lots of implementations who
just drop all packets whose version number is not 1.0 causing timeout
if you start out with IKEv2. Also lots of people when they comment
about IKE list the problems in the IKEv1 which were already fixed in
IKEv2.

Another example is that SSL 3.0 is still used in some implementations
even when newer versions of TLS have been out for some time. If you
now go and only allow connections using TLS 1.2 there will lots of
clients who cannot connect to you anymore, and TLS 1.2 came out 2008.

With these examples about IKEv2 and TLS 1.2, I am trying to tell you
that upgrading protocols takes lots of time, especially if there is
new protocol version involved. Its much easier to implement new
ciphers etc with old protocol than to deploy completely new protocol.
Thus algorithm agility is important feature, and it needs to be there
from the beginning, otherwise we are stuck with the first version for
long time.
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email