Re: [Tcpcrypt] v3 of the charter
Joe Touch <touch@isi.edu> Wed, 30 April 2014 15:24 UTC
Return-Path: <touch@isi.edu>
X-Original-To: tcpcrypt@ietfa.amsl.com
Delivered-To: tcpcrypt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABDE21A6FEE for <tcpcrypt@ietfa.amsl.com>; Wed, 30 Apr 2014 08:24:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level:
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DHr9eEsqnGuk for <tcpcrypt@ietfa.amsl.com>; Wed, 30 Apr 2014 08:24:12 -0700 (PDT)
Received: from darkstar.isi.edu (darkstar.isi.edu [128.9.128.127]) by ietfa.amsl.com (Postfix) with ESMTP id 9AB9D1A6F88 for <tcpcrypt@ietf.org>; Wed, 30 Apr 2014 08:24:12 -0700 (PDT)
Received: from [192.168.1.93] (pool-71-105-87-112.lsanca.dsl-w.verizon.net [71.105.87.112]) (authenticated bits=0) by darkstar.isi.edu (8.13.8/8.13.8) with ESMTP id s3UFNcFc017565 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 30 Apr 2014 08:23:41 -0700 (PDT)
Message-ID: <5361157B.9060501@isi.edu>
Date: Wed, 30 Apr 2014 08:23:39 -0700
From: Joe Touch <touch@isi.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: "Eggert, Lars" <lars@netapp.com>, Marcelo Bagnulo <marcelo@it.uc3m.es>
References: <536099A0.30900@it.uc3m.es> <23862F2E-9D56-4651-9202-FC676D15720B@netapp.com>
In-Reply-To: <23862F2E-9D56-4651-9202-FC676D15720B@netapp.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpcrypt/aQ1wt29vaVYhFLxKMUIVhVLgESk
Cc: "tcpcrypt@ietf.org" <tcpcrypt@ietf.org>
Subject: Re: [Tcpcrypt] v3 of the charter
X-BeenThere: tcpcrypt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpcrypt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpcrypt/>
List-Post: <mailto:tcpcrypt@ietf.org>
List-Help: <mailto:tcpcrypt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Apr 2014 15:24:18 -0000
On 4/30/2014 1:20 AM, Eggert, Lars wrote: > Hi, > > a few comments. This is looking good overall. > > On 2014-4-30, at 8:35, marcelo bagnulo braun <marcelo@it.uc3m.es> wrote: >> TCP Increased Security (TCP Inc.) > > am not in love with the name, but don't want to start a bikeshed. > >> This is better than plain-text >> because it thwarts passive eavesdropping, but is weaker than using >> authenticated keys, because it is vulnerable to man-in-the-middle attacks. > > Is it desirable to have a model where you're vulnerable to MiM the > first time you connect to a server, but not afterwards? (Like what SSH > provides in terms of warning when the server key has changed?) It might be, but this might require configuration coordination between hosts that share ID info - whether at a load-server or behind a NAT. ... >> - must allow client to avoid fingerprinting: some clients may want to avoid appearing as the same >> client when connecting to a remote peer on subsequent occasions. This should either >> be the default (clients cannot be "fingerprinted" by the server based on shared state) >> or some mechanism should be available for clients to drop or ignore shared state to avoid >> being fingerprintable any more than would be present for a cleartext session. > > Not sure if this achievable if you can already fingerprint clients based on existing IP and TCP header fields. It already says "any more than would be present for a cleartext session". Sure, you get the info that TCP-Inc is supported, but shouldn't need to expose more about the client than that. Joe
- Re: [Tcpcrypt] v3 of the charter David Mazieres
- Re: [Tcpcrypt] v3 of the charter Daniel Kahn Gillmor
- Re: [Tcpcrypt] v3 of the charter Joe Touch
- Re: [Tcpcrypt] v3 of the charter Joe Touch
- Re: [Tcpcrypt] v3 of the charter Daniel Kahn Gillmor
- Re: [Tcpcrypt] v3 of the charter Joe Touch
- [Tcpcrypt] v3 of the charter marcelo bagnulo braun
- Re: [Tcpcrypt] v3 of the charter Eggert, Lars
- Re: [Tcpcrypt] v3 of the charter Eggert, Lars
- Re: [Tcpcrypt] v3 of the charter marcelo bagnulo braun
- Re: [Tcpcrypt] v3 of the charter Eggert, Lars
- Re: [Tcpcrypt] v3 of the charter Stephen Farrell
- Re: [Tcpcrypt] v3 of the charter marcelo bagnulo braun
- Re: [Tcpcrypt] v3 of the charter Daniel Kahn Gillmor
- Re: [Tcpcrypt] v3 of the charter Joe Touch
- Re: [Tcpcrypt] v3 of the charter Daniel Kahn Gillmor
- Re: [Tcpcrypt] v3 of the charter Joe Touch
- Re: [Tcpcrypt] v3 of the charter Daniel Kahn Gillmor
- Re: [Tcpcrypt] v3 of the charter Daniel Kahn Gillmor
- Re: [Tcpcrypt] v3 of the charter Joe Touch
- Re: [Tcpcrypt] v3 of the charter ianG
- Re: [Tcpcrypt] v3 of the charter Joe Touch
- Re: [Tcpcrypt] v3 of the charter Tony Arcieri
- Re: [Tcpcrypt] v3 of the charter Joe Touch
- Re: [Tcpcrypt] v3 of the charter Tony Arcieri
- Re: [Tcpcrypt] v3 of the charter Joe Touch
- Re: [Tcpcrypt] v3 of the charter marcelo bagnulo braun
- Re: [Tcpcrypt] v3 of the charter David Mazieres
- Re: [Tcpcrypt] v3 of the charter marcelo bagnulo braun
- Re: [Tcpcrypt] v3 of the charter Joe Touch
- Re: [Tcpcrypt] v3 of the charter ianG
- Re: [Tcpcrypt] v3 of the charter Daniel Kahn Gillmor
- Re: [Tcpcrypt] v3 of the charter Christian Huitema
- Re: [Tcpcrypt] v3 of the charter marcelo bagnulo braun
- Re: [Tcpcrypt] v3 of the charter Erik Nygren
- Re: [Tcpcrypt] v3 of the charter David Mazieres