IETF Logo Mail Archive

Re: [Tcpcrypt] Initial questions

Stephen Kent <kent@bbn.com> Tue, 24 June 2014 14:45 UTC

Return-Path: <kent@bbn.com>
X-Original-To: tcpcrypt@ietfa.amsl.com
Delivered-To: tcpcrypt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD4E11B2ACE for <tcpcrypt@ietfa.amsl.com>; Tue, 24 Jun 2014 07:45:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.152
X-Spam-Level:
X-Spam-Status: No, score=-2.152 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8mdWZam_FvIy for <tcpcrypt@ietfa.amsl.com>; Tue, 24 Jun 2014 07:45:22 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A1FB1B2A4E for <tcpcrypt@ietf.org>; Tue, 24 Jun 2014 07:45:22 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:46016 helo=comsec.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1WzRyX-000K3v-CL for tcpcrypt@ietf.org; Tue, 24 Jun 2014 10:45:33 -0400
Message-ID: <53A98F00.4000702@bbn.com>
Date: Tue, 24 Jun 2014 10:45:20 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: tcpcrypt@ietf.org
References: <CACXcFmmQCgTu6-QLJZdH8Q+ZST97ugoTaUWCUV0S6AWsjvCGfg@mail.gmail.com>
In-Reply-To: <CACXcFmmQCgTu6-QLJZdH8Q+ZST97ugoTaUWCUV0S6AWsjvCGfg@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpcrypt/y9QSzV_ZW7KHYbOhr6FQRPbzz0Q
Subject: Re: [Tcpcrypt] Initial questions
X-BeenThere: tcpcrypt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpcrypt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpcrypt/>
List-Post: <mailto:tcpcrypt@ietf.org>
List-Help: <mailto:tcpcrypt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Jun 2014 14:45:27 -0000

Sandy,

> ...
>
> Probably today we should go much further. No MD5 or SHA1 since there
> are known problems. No 3DES since newer ciphers are far faster. No
> reliance on the whole X.509 cert infrastructure SLL/TLS uses; that
> also has known problems. I'm not sure what else.
To which X.509 cert infrastructure problems are you referring? Do you
mean the Web PKI or PKI in general? IPsec, for example, does not make
use of the Web PKI. Just curious.
> The draft charter also has:
>
> - The protocol must provide cryptographic algorithm agility.
>
> OK, but there is a balance to be struck. IPsec & TLS both have
> problems from arguably excessive complexity and in general complexity
> is the enemy of security. It makes all of design, implementation,
> testing & auditing much harder. TCPcrypt has a rather narrow niche to
> fill; that can be done with a fairly simple protocol. We really must
> strive to keep it simple.
I'm not sure what your position is re alg agility, based on the 
paragraph above.
I can say that failure to accommodate alg agility will almost certainly 
cause
the IESG to reject this as a standard, based on precedents for some time.

> Here's a first cut at what we might support:
>
> Block ciphers: MUST do AES. SHOULD do the other three AES finalists
> with open licenses: Mars, Twofish & Serpent. MAY do compatible ciphers
> which are national standards: Aria for Korea, Camellia for Japan,
> maybe others. Nothing else.
why would one make the other AES finalists SHOULD? They didn't make the cut.
> Key size? I'd mandate 128 bits everywhere to keep it simple.
recall that AES has 256-bit keys as an option as a counter to possible
quantum computing attacks. Why rule out that option?
> The draft also has:
>
> - Must gracefully fall-back to TCP if the remote peer does not support the
>    proposed extensions
>
> Aren't there a set of policy questions there? Some users might prefer
> to drop the connection rather than communicate insecurely. Perhaps
> they need a mechansim to set policy, globally and/or on a
> per-connection basis. FreeS/WAN had something like this for IPsec over
> a decade ago:
> http://www.freeswan.org/freeswan_trees/freeswan-2.06/doc/policygroups.html
This is a different context. I believe the goal is to try to negotiate
use of encryption silently, and thus failing silently makes sense. There
was a session in the STRINT workshop that addressed a topic very close
to this. It's conclusion was to fail silently (and to use PFS, and ...)
> At an absolute minimum, I think there must be a requirement that any
> fallback action is logged.
And who will check the logs? A log on a user machine will likely go
unread in 99.99% of cases, unless there is a plan to submit the logs
to some central monitoring source. But that would raise a set of
privacy questions, so ...

> Another question is whether we could achieve the goals of this group
> with almost no work just by deploying existing stuff.
Always a good question.
> The now-closed BTNS working group did RFCs 5386 & 5387 on "Better than
> nothing security", which they implemented as an unauthenticated mode
> for IPsec. That sounds much like what we are aiming at. Can we just
> work on getting BTNS deployed, thereby protecting both TCP and other
> protocols?
I think the folks who pursue BTNS are best-equipped to address that
question. Ask Sam Hartman, maybe Joe would like to comment as well.

Steve

v2.23.0 | Report a Bug | By Email