IETF Logo Mail Archive

Re: [Tcpcrypt] v3 of the charter

Erik Nygren <erik+ietf@nygren.org> Fri, 02 May 2014 13:29 UTC

Return-Path: <nygren@gmail.com>
X-Original-To: tcpcrypt@ietfa.amsl.com
Delivered-To: tcpcrypt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37EC91A0829 for <tcpcrypt@ietfa.amsl.com>; Fri, 2 May 2014 06:29:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xbm__aZpY4OB for <tcpcrypt@ietfa.amsl.com>; Fri, 2 May 2014 06:29:38 -0700 (PDT)
Received: from mail-vc0-x22a.google.com (mail-vc0-x22a.google.com [IPv6:2607:f8b0:400c:c03::22a]) by ietfa.amsl.com (Postfix) with ESMTP id EF4091A08F7 for <tcpcrypt@ietf.org>; Fri, 2 May 2014 06:29:37 -0700 (PDT)
Received: by mail-vc0-f170.google.com with SMTP id hr9so5379456vcb.15 for <tcpcrypt@ietf.org>; Fri, 02 May 2014 06:29:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=1b0r2rWKMcfuKOFsLBnKJKU+fadeZmqeVjQajGctIEo=; b=zSgzHYEu/may9Jytf3j8/isqjMeXhhuGKlQ9hSYK2cSnZno3bfF5RHNzTc8s1iTsnC CZlqMqbUh6voo2CAMgq1GNj7bDQfJfxNssXyRP/0m3YKvn4TpeFU4BA4xo0Xxd4tV1H8 AD4YGA1jd7yttVs3hJY5tvbHIdpztApjGVj1f6Ae2iWcueHXyxdoDDey8c4gWpd9xsnw 2wc0dahOfi5EEidJANBQLHlUtoI6iJNXxDo7okzC9sHl6XKwmBSBUfX7qgpTNTVm55Ma rxTu9g2hhFbCtloR1+k5BqBd5NUrTUQANT33pacgst+Y65RNrfzx729MOfktuRfT+zaY Czdg==
MIME-Version: 1.0
X-Received: by 10.220.105.4 with SMTP id r4mr998821vco.27.1399037375471; Fri, 02 May 2014 06:29:35 -0700 (PDT)
Sender: nygren@gmail.com
Received: by 10.220.189.195 with HTTP; Fri, 2 May 2014 06:29:35 -0700 (PDT)
In-Reply-To: <536334D7.9080706@it.uc3m.es>
References: <536099A0.30900@it.uc3m.es> <23862F2E-9D56-4651-9202-FC676D15720B@netapp.com> <07C2D017-9342-4742-990C-7D3BC795049F@netapp.com> <536157E1.2060202@fifthhorseman.net> <53615A40.9050903@isi.edu> <536165C6.20909@fifthhorseman.net> <536167CC.8010703@isi.edu> <536168FA.2010800@fifthhorseman.net> <53616AD4.6010309@isi.edu> <53616D52.3090504@fifthhorseman.net> <5361824F.8080506@iang.org> <536187C1.3060009@isi.edu> <5361FCBD.6010509@it.uc3m.es> <87ha59zgjo.fsf@ta.scs.stanford.edu> <5362A891.1070300@it.uc3m.es> <046601cf65bf$e95cdd90$bc1698b0$@huitema.net> <536334D7.9080706@it.uc3m.es>
Date: Fri, 02 May 2014 09:29:35 -0400
X-Google-Sender-Auth: 8b99BHssrGkhZK4y8x36DfloIqI
Message-ID: <CAKC-DJj-=9G+3Z9z4ZiOrnWMs1VKC9tWH-OD+PEiU9O=kaYG+A@mail.gmail.com>
From: Erik Nygren <erik+ietf@nygren.org>
To: marcelo bagnulo braun <marcelo@it.uc3m.es>
Content-Type: multipart/alternative; boundary="089e0122f332cae7e504f86ac51e"
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpcrypt/bkPZax8yzoZPqo9ao2Ad4xZKWi4
Cc: tcpcrypt@ietf.org
Subject: Re: [Tcpcrypt] v3 of the charter
X-BeenThere: tcpcrypt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpcrypt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpcrypt/>
List-Post: <mailto:tcpcrypt@ietf.org>
List-Help: <mailto:tcpcrypt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 May 2014 13:29:39 -0000

On Fri, May 2, 2014 at 2:01 AM, marcelo bagnulo braun <marcelo@it.uc3m.es>wrote:

> crypto material reuse and avoiding finger printing are contradictory
> requirements, i guess.
> So, i guess it is up to the initiator to decide which one should it get,
> no?
> This should be done through the API (which i guess is what David was
> referring to and i failed to understand)
>

The use-cases mentioned in the charter for multi-path TCP and TCP Fast Open
are also potentially contradictory, since the whole point of this for those
is authenticating a session as relating to another session (from other IP
addresses in the MPTCP use-case, even).


On 05/01/2014 04:17 PM, Joe Touch wrote:
> - must not increase information available for fingerprinting: endpoints
> should be identified by their IP address and port and no additional
> information should be provided that indicates the persistence of an
> endpoint or identity other than the IP address and port.

This opens up a server-side naming question:  does there need to be a way
to name service end-points beyond just IP address?  Given the limitations
of IPv4 address availability, TLS has found it necessary to introduce a
Server Name Indicator.  As long as tcpcrypt is doing just
anonymous/unauthenticated/etc encryption it may be that this isn't an issue
in some cases, but once we start introducing ways to configure keys
associated with service end-points, we start needing to have ways to name
those keys which starts to be hard without exposing additional
naming/routing/identity information.

v2.23.0 | Report a Bug | By Email