IETF Logo Mail Archive

Re: [Tcpcrypt] v3 of the charter

"Eggert, Lars" <lars@netapp.com> Wed, 30 April 2014 08:20 UTC

Return-Path: <lars@netapp.com>
X-Original-To: tcpcrypt@ietfa.amsl.com
Delivered-To: tcpcrypt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB1051A6F14 for <tcpcrypt@ietfa.amsl.com>; Wed, 30 Apr 2014 01:20:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.553
X-Spam-Level:
X-Spam-Status: No, score=-7.553 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.651, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M_HFrpvr9V3o for <tcpcrypt@ietfa.amsl.com>; Wed, 30 Apr 2014 01:20:12 -0700 (PDT)
Received: from mx12.netapp.com (mx12.netapp.com [216.240.18.77]) by ietfa.amsl.com (Postfix) with ESMTP id 8AA0D1A6F11 for <tcpcrypt@ietf.org>; Wed, 30 Apr 2014 01:20:12 -0700 (PDT)
X-IronPort-AV: E=Sophos; i="4.97,956,1389772800"; d="asc'?scan'208"; a="161229411"
Received: from vmwexceht04-prd.hq.netapp.com ([10.106.77.34]) by mx12-out.netapp.com with ESMTP; 30 Apr 2014 01:20:11 -0700
Received: from SACEXCMBX01-PRD.hq.netapp.com ([169.254.2.246]) by vmwexceht04-prd.hq.netapp.com ([10.106.77.34]) with mapi id 14.03.0123.003; Wed, 30 Apr 2014 01:20:11 -0700
From: "Eggert, Lars" <lars@netapp.com>
To: Marcelo Bagnulo <marcelo@it.uc3m.es>
Thread-Topic: [Tcpcrypt] v3 of the charter
Thread-Index: AQHPZD5fGlguXnvFmU2xabuFLE2C2ZsqRtmA
Date: Wed, 30 Apr 2014 08:20:10 +0000
Message-ID: <23862F2E-9D56-4651-9202-FC676D15720B@netapp.com>
References: <536099A0.30900@it.uc3m.es>
In-Reply-To: <536099A0.30900@it.uc3m.es>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.122.105.27]
Content-Type: multipart/signed; boundary="Apple-Mail=_03F8A87B-82F2-4DB0-BC95-3CEC311C2D58"; protocol="application/pgp-signature"; micalg="pgp-sha1"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpcrypt/UDLjOF-Tul9PbbQoOwAt-eXK-1k
Cc: "tcpcrypt@ietf.org" <tcpcrypt@ietf.org>
Subject: Re: [Tcpcrypt] v3 of the charter
X-BeenThere: tcpcrypt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpcrypt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpcrypt/>
List-Post: <mailto:tcpcrypt@ietf.org>
List-Help: <mailto:tcpcrypt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Apr 2014 08:20:18 -0000

Hi,

a few comments. This is looking good overall.

On 2014-4-30, at 8:35, marcelo bagnulo braun <marcelo@it.uc3m.es> wrote:
> TCP Increased Security (TCP Inc.)

am not in love with the name, but don't want to start a bikeshed.

> This is better than plain-text
> because it thwarts passive eavesdropping, but is weaker than using
> authenticated keys, because it is vulnerable to man-in-the-middle attacks.

Is it desirable to have a model where you're vulnerable to MiM the first time you connect to a server, but not afterwards? (Like what SSH provides in terms of warning when the server key has changed?)

> - Deployable and usable without significant changes to existing Internet
>  infrastructure, in particular it must be compatible with NATs (at the
>  very minimum with the NATs that comply with BEHAVE requirements as documented
>  in RFC4787, RFC5382 and RFC5508);

What does "insignificant" mean here? I don't think we can require any changes to the current infrastructure.

> - The protocol must have acceptable performance.  For example, the protocol may
>  try to re-use existing cryptographic material for future communication between the
>  same endpoints to avoid expensive public key operations on connection set up.

There are two aspects to performance that this paragraph mixes together. One is latency, the other processing overhead. Reusing crypto material from previous instances may help with reducing latency overheads. But processing overhead matters, too. Servers wont be able to offload TCP Inc. (at least initially), and clients w/o crypto hardware acceleration of some sort will need to burn cycles (= battery). I don't want to compromise security (or latency) for reducing processing overheads, but we should be mindful of it.

> - must allow client to avoid fingerprinting: some clients may want to avoid appearing as the same
>  client when connecting to a remote peer on subsequent occasions.  This should either
>  be the default (clients cannot be "fingerprinted" by the server based on shared state)
>  or some mechanism should be available for clients to drop or ignore shared state to avoid
>  being fingerprintable any more than would be present for a cleartext session.

Not sure if this achievable if you can already fingerprint clients based on existing IP and TCP header fields.

As I said, none of these are major.

Lars

v2.23.0 | Report a Bug | By Email