IETF Logo Mail Archive

Re: [Tcpcrypt] New version of the charter text

Wesley Eddy <wes@mti-systems.com> Thu, 24 April 2014 18:53 UTC

Return-Path: <wes@mti-systems.com>
X-Original-To: tcpcrypt@ietfa.amsl.com
Delivered-To: tcpcrypt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F94A1A038E for <tcpcrypt@ietfa.amsl.com>; Thu, 24 Apr 2014 11:53:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TFipmckJVymd for <tcpcrypt@ietfa.amsl.com>; Thu, 24 Apr 2014 11:52:58 -0700 (PDT)
Received: from atl4mhob06.myregisteredsite.com (atl4mhob06.myregisteredsite.com [209.17.115.44]) by ietfa.amsl.com (Postfix) with ESMTP id 8E2C01A0381 for <tcpcrypt@ietf.org>; Thu, 24 Apr 2014 11:52:58 -0700 (PDT)
Received: from mailpod.hostingplatform.com ([10.30.71.206]) by atl4mhob06.myregisteredsite.com (8.14.4/8.14.4) with ESMTP id s3OIqoFY012874 for <tcpcrypt@ietf.org>; Thu, 24 Apr 2014 14:52:50 -0400
Received: (qmail 7162 invoked by uid 0); 24 Apr 2014 18:52:50 -0000
X-TCPREMOTEIP: 107.45.66.66
X-Authenticated-UID: wes@mti-systems.com
Received: from unknown (HELO ?192.168.43.65?) (wes@mti-systems.com@107.45.66.66) by 0 with ESMTPA; 24 Apr 2014 18:52:47 -0000
Message-ID: <53595D7A.2030503@mti-systems.com>
Date: Thu, 24 Apr 2014 14:52:42 -0400
From: Wesley Eddy <wes@mti-systems.com>
Organization: MTI Systems
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: John-Mark Gurney <jmg@funkthat.com>
References: <53576572.5030805@it.uc3m.es> <53589161.4090700@mti-systems.com> <20140424155532.GR43976@funkthat.com>
In-Reply-To: <20140424155532.GR43976@funkthat.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpcrypt/Xm7Mnmub93NHvLwc96O64J-pki0
Cc: tcpcrypt@ietf.org
Subject: Re: [Tcpcrypt] New version of the charter text
X-BeenThere: tcpcrypt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpcrypt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpcrypt/>
List-Post: <mailto:tcpcrypt@ietf.org>
List-Help: <mailto:tcpcrypt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Apr 2014 18:53:02 -0000

On 4/24/2014 11:55 AM, John-Mark Gurney wrote:
> Wesley Eddy wrote this message on Thu, Apr 24, 2014 at 00:21 -0400:
>> On 4/23/2014 3:02 AM, marcelo bagnulo braun wrote:
>>> 
>>> The TCP Inc. WG will develop the TCP extensions to provide
>>> unauthenticated encryption and integrity protection of TCP
>>> streams. The WG will define the TCP extensions to perform an
>>> unauthenticated key exchange resulting in encryption without
>>> authentication.  This is better than plain-text because it
>>> thwarts passive eavesdropping, but is weaker than using
>>> authenticated keys, because it is vulnerable to man-in-the-middle
>>> attacks.  This work is part of the IETF effort to harness the
>>> Internet architecture given the latest events of pervasive 
>>> monitoring (see draft-farrell-perpass-attack).
>> 
>> 
>> I'm probably just very bad at locating this in all the discussion,
>> but I have a sort of fundamental question ... why are we trying to
>> do this inside TCP rather than just running TCP over IPsec w/ BTNS
>> (over UDP, if NAT is the concern), or over DTLS?
> 
> Have you read the original tcpcrypt paper?


Yes (assuming you mean USENIX 2010).


>> 
>> I think the charter should speak to this, at least very briefly.
> 
> It does very briefly: - The protocol must be usable by unmodified
> applications.
> 
> All the things you mentioned seems like it would require agreement 
> between systems and management by a sysadmin, but this is targeted
> to end users system (like smart phones) too...  If TCP is the only 
> protocol allowed through a firewall, how are any of your other
> solutions going to work?


Automation only requires a little imagination, so I guess while I know
the claims about configuration and management are based on some reality,
I don't find them very compelling.

TCP being the only way through a particular firewall does indeed sound
like a good scenario to motivate this work over other options though.
Thanks for that example.

Personally, I think applicability for MPTCP and TFO is another good
motivation, and might even find those as more compelling than the
the data encryption functionality.  Marcelo's draft already nicely
mentions those, and I'm fine with what he has written there.  Using
some odd layering of DTLS or IPsec+UDP would seem less easy to apply to
the MPTCP and TFO problems than a tcpcrypt-like approach.


-- 
Wes Eddy
MTI Systems

v2.23.0 | Report a Bug | By Email