Re: [Tcpcrypt] New version of the charter text
Wesley Eddy <wes@mti-systems.com> Thu, 24 April 2014 04:22 UTC
Return-Path: <wes@mti-systems.com>
X-Original-To: tcpcrypt@ietfa.amsl.com
Delivered-To: tcpcrypt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0272A1A02D0 for <tcpcrypt@ietfa.amsl.com>; Wed, 23 Apr 2014 21:22:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.346
X-Spam-Level: *
X-Spam-Status: No, score=1.346 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RCVD_IN_BL_SPAMCOP_NET=1.347] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jtgklqxil6i4 for <tcpcrypt@ietfa.amsl.com>; Wed, 23 Apr 2014 21:22:05 -0700 (PDT)
Received: from atl4mhob17.myregisteredsite.com (atl4mhob17.myregisteredsite.com [209.17.115.110]) by ietfa.amsl.com (Postfix) with ESMTP id 375F51A02A3 for <tcpcrypt@ietf.org>; Wed, 23 Apr 2014 21:22:05 -0700 (PDT)
Received: from mailpod.hostingplatform.com ([10.30.71.206]) by atl4mhob17.myregisteredsite.com (8.14.4/8.14.4) with ESMTP id s3O4LvtG014183 for <tcpcrypt@ietf.org>; Thu, 24 Apr 2014 00:21:57 -0400
Received: (qmail 24771 invoked by uid 0); 24 Apr 2014 04:21:57 -0000
X-TCPREMOTEIP: 69.81.143.143
X-Authenticated-UID: wes@mti-systems.com
Received: from unknown (HELO ?192.168.1.108?) (wes@mti-systems.com@69.81.143.143) by 0 with ESMTPA; 24 Apr 2014 04:21:57 -0000
Message-ID: <53589161.4090700@mti-systems.com>
Date: Thu, 24 Apr 2014 00:21:53 -0400
From: Wesley Eddy <wes@mti-systems.com>
Organization: MTI Systems
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: tcpcrypt@ietf.org
References: <53576572.5030805@it.uc3m.es>
In-Reply-To: <53576572.5030805@it.uc3m.es>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpcrypt/xMEO4XK4EzCLLIaxAIpRf_UB3uY
Subject: Re: [Tcpcrypt] New version of the charter text
X-BeenThere: tcpcrypt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpcrypt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpcrypt/>
List-Post: <mailto:tcpcrypt@ietf.org>
List-Help: <mailto:tcpcrypt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Apr 2014 04:22:07 -0000
On 4/23/2014 3:02 AM, marcelo bagnulo braun wrote: > > The TCP Inc. WG will develop the TCP extensions to provide unauthenticated > encryption and integrity protection of TCP streams. The WG will define the > TCP extensions to perform an unauthenticated key exchange resulting in > encryption > without authentication. This is better than plain-text because it thwarts > passive eavesdropping, but is weaker than using authenticated keys, > because it > is vulnerable to man-in-the-middle attacks. This work is part of the IETF > effort to harness the Internet architecture given the latest events of > pervasive > monitoring (see draft-farrell-perpass-attack). > I'm probably just very bad at locating this in all the discussion, but I have a sort of fundamental question ... why are we trying to do this inside TCP rather than just running TCP over IPsec w/ BTNS (over UDP, if NAT is the concern), or over DTLS? I know it's more fun to do it inside TCP, of course, but I wonder a little bit whether building a security sub-layer inside TCP (which is already hella complex and full of edge cases) is really a good idea when there are already a couple of reasonably decent security protocols designed to be layered over. Sorry for such a silly question, but it seems like it will come up during chartering and should be clearly motivated, as reading the requirements later on in the draft charter, it looks like you could cook up something with BTNS or DTLS under normal TCP to do all that, and it would protect the SYNs (which Joe mentioned is a challenge for TCP-based approaches). I think the charter should speak to this, at least very briefly. -- Wes Eddy MTI Systems
- Re: [Tcpcrypt] New version of the charter text marcelo bagnulo braun
- [Tcpcrypt] New version of the charter text marcelo bagnulo braun
- Re: [Tcpcrypt] New version of the charter text Scharf, Michael (Michael)
- Re: [Tcpcrypt] New version of the charter text Joe Touch
- Re: [Tcpcrypt] New version of the charter text marcelo bagnulo braun
- Re: [Tcpcrypt] New version of the charter text Joe Touch
- Re: [Tcpcrypt] New version of the charter text marcelo bagnulo braun
- Re: [Tcpcrypt] New version of the charter text John-Mark Gurney
- Re: [Tcpcrypt] New version of the charter text Joe Touch
- Re: [Tcpcrypt] New version of the charter text Joe Touch
- Re: [Tcpcrypt] New version of the charter text marcelo bagnulo braun
- Re: [Tcpcrypt] New version of the charter text Tero Kivinen
- Re: [Tcpcrypt] New version of the charter text Wesley Eddy
- Re: [Tcpcrypt] New version of the charter text Joe Touch
- Re: [Tcpcrypt] New version of the charter text Wesley Eddy
- Re: [Tcpcrypt] New version of the charter text John-Mark Gurney
- Re: [Tcpcrypt] New version of the charter text Wesley Eddy
- Re: [Tcpcrypt] New version of the charter text Joe Touch
- Re: [Tcpcrypt] New version of the charter text ianG
- Re: [Tcpcrypt] New version of the charter text marcelo bagnulo braun
- Re: [Tcpcrypt] New version of the charter text ianG
- Re: [Tcpcrypt] New version of the charter text Tony Arcieri
- Re: [Tcpcrypt] New version of the charter text Stephen Farrell
- Re: [Tcpcrypt] New version of the charter text ianG
- Re: [Tcpcrypt] New version of the charter text marcelo bagnulo braun
- Re: [Tcpcrypt] New version of the charter text ianG
- Re: [Tcpcrypt] New version of the charter text marcelo bagnulo braun
- Re: [Tcpcrypt] New version of the charter text Tero Kivinen
- Re: [Tcpcrypt] New version of the charter text Joe Touch
- Re: [Tcpcrypt] New version of the charter text Tero Kivinen