Re: [Tcpcrypt] New version of the charter text
Joe Touch <touch@isi.edu> Wed, 23 April 2014 16:55 UTC
Return-Path: <touch@isi.edu>
X-Original-To: tcpcrypt@ietfa.amsl.com
Delivered-To: tcpcrypt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C4381A037F for <tcpcrypt@ietfa.amsl.com>; Wed, 23 Apr 2014 09:55:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.172
X-Spam-Level:
X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.272] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AJI4XDieRp3n for <tcpcrypt@ietfa.amsl.com>; Wed, 23 Apr 2014 09:55:23 -0700 (PDT)
Received: from darkstar.isi.edu (darkstar.isi.edu [128.9.128.127]) by ietfa.amsl.com (Postfix) with ESMTP id B21031A026A for <tcpcrypt@ietf.org>; Wed, 23 Apr 2014 09:55:23 -0700 (PDT)
Received: from [128.9.160.166] (abc.isi.edu [128.9.160.166]) (authenticated bits=0) by darkstar.isi.edu (8.13.8/8.13.8) with ESMTP id s3NGsqpv024335 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 23 Apr 2014 09:54:55 -0700 (PDT)
Message-ID: <5357F05C.3060507@isi.edu>
Date: Wed, 23 Apr 2014 09:54:52 -0700
From: Joe Touch <touch@isi.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: marcelo bagnulo braun <marcelo@it.uc3m.es>, tcpcrypt@ietf.org
References: <53576572.5030805@it.uc3m.es>
In-Reply-To: <53576572.5030805@it.uc3m.es>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpcrypt/yEXaOBLbxZ16KisGn3v7AeJtbqY
Subject: Re: [Tcpcrypt] New version of the charter text
X-BeenThere: tcpcrypt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpcrypt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpcrypt/>
List-Post: <mailto:tcpcrypt@ietf.org>
List-Help: <mailto:tcpcrypt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Apr 2014 16:55:25 -0000
Hi, all, Comments below... Joe On 4/23/2014 12:02 AM, marcelo bagnulo braun wrote: ... > TCP Increased Security (TCP Inc.) I like the title, FWIW. > The TCP Inc. WG will develop the TCP extensions to provide unauthenticated > encryption and integrity protection of TCP streams. OK so far... > The WG will define the > TCP extensions to perform an unauthenticated key exchange resulting in > encryption > without authentication. This implies in-band. I don't think in-band key exchange is viable; there's no way to protect the SYNs, and it might sufficiently increase SYN processing and server state to make a much larger attack surface. I would optimally prefer out-of-band exchange, perhaps that could be bootstrapped with an initial in-band exchange. Less optimal would be to leave this issue open for the WG to discuss, but I definitely don't agree with mandating only in-band key exchange. I would thus prefer: The WG will define the TCP extensions to utilize unauthenticated keys, resulting in encryption and integrity protection without authentication. > This is better than plain-text because it thwarts > passive eavesdropping, but is weaker than using authenticated keys, > because it > is vulnerable to man-in-the-middle attacks. This work is part of the IETF > effort to harness the Internet architecture given the latest events of > pervasive > monitoring (see draft-farrell-perpass-attack). It also leverages the original principle of BTNS, FWIW. > The working group is looking to produce experimental documents > specifying the > required TCP extensions and any additional informational documents needed. > > The high-level requirements for the protocol for providing TCP > unauthenticated > encryption and integrity protection are: > > - Deployable and usable without significant changes to existing Internet > infrastructure, in particular it must be compatible with NATs (at the > very minimum with the NATs that comply with BEHAVE requirements as > documented > in RFC4787, RFC5382 and RFC5508); > > - The protocol must be usable by unmodified applications. This effort > is complementary > to other security protocols developed in the IETF (such as TLS) as it > protects > those applications and protocols that are difficult to change or may > even not > be changed in a backward compatible way. It also provides some > protection in > scenarios where people are unwilling to do any change just for the > sake of > security (e.g., like configure encryption in an application). > > - When encryption is enabled, it must at least provide protection against > passive eavesdropping by default, > > - Must gracefully fall-back to TCP if the remote peer does not support the > proposed extensions > > - When encryption is enabled, it must always provide forward secrecy. > > - When encryption is enabled, it must always provide integrity > protection of the > payload data (it is open for discussion for the WG if the TCP header > should or > not be protected) > > - When encryption is enabled, it must always provide payload encryption. > > - Should attempt to use the least amount of TCP option space. ...especially in SYN segments. > - Must not require any authentication or configuration from > applications or users. However, hooks for external authentication > must be > made available. The WG will not work on new authentication mechanisms. > > - The protocol must have acceptable performance. For example, the > protocol may > try to re-use existing cryptographic material for future > communication between the > same endpoints to avoid expensive public key operations on connection > set up. > > - Hooks for allowing upper layers to disable encryption must be made > available. > The protocol may try to avoid redundant encryption when it is > possible e.g. > by detecting encryption performed by upper layers (notably, when TLS > is used). When TLS is used, this defeats TCP-INC's ability to protect the TCP header. It's OK to allow hooks to turn this off, but a better use case should be provided as motivation. > - No extra linkability: when encryption is enabled the TCP traffic > should not > give a third party observer any extra way to associate those packets > with the > specific peers beyond information that would have been present in a > cleartext session. > > - Client fingerprinting: some clients may want to avoid appearing as the > same > client when connecting to a remote peer on subsequent occasions. This > should either > be the default (clients cannot be "fingerprinted" by the server based > on shared state) > or some mechanism should be available for clients to drop or ignore > shared state to avoid > being fingerprintable. This should also include "any more than would be present for a cleartext session". > Security features at the TCP-level can benefit other TCP extensions. For > example, both Multipath TCP and TCP Fast Open require proof that some > connections are > related. Session resumption and Message Authentication Codes (MACs) can > provide > this evidence. The working group should identify synergies and design the > security protocol in such a way that other TCP efforts can benefit from > it. Of > course, TCP extensions that break must be identified too, and kept to a > minimum. > > The working group will produce the following documents: > > - A framework for unauthenticated encryption and integrity protection of > TCP connections. > This document will describe basic design considerations, including the > motivation and the > applicability of the proposed mechanism, the interaction with other > security mechanisms in > different layers of the stack, the interaction with external > authentication mechanisms, the > expected protection, privacy considerations and residual threats. > > - Extensions to current TCP to support unauthenticated key exchange and > encryption and > integrity protection. This covers all the protocol changes required. > This will be a > experimental document. > > - An extended API describing how applications can obtain further > benefits of the > proposed extensions. In particular, the hooks for supporting external > authentication > will be defined in this document and the hooks for disabling encryption. > This will be an informational document. > > _______________________________________________ > Tcpcrypt mailing list > Tcpcrypt@ietf.org > https://www.ietf.org/mailman/listinfo/tcpcrypt
- Re: [Tcpcrypt] New version of the charter text marcelo bagnulo braun
- [Tcpcrypt] New version of the charter text marcelo bagnulo braun
- Re: [Tcpcrypt] New version of the charter text Scharf, Michael (Michael)
- Re: [Tcpcrypt] New version of the charter text Joe Touch
- Re: [Tcpcrypt] New version of the charter text marcelo bagnulo braun
- Re: [Tcpcrypt] New version of the charter text Joe Touch
- Re: [Tcpcrypt] New version of the charter text marcelo bagnulo braun
- Re: [Tcpcrypt] New version of the charter text John-Mark Gurney
- Re: [Tcpcrypt] New version of the charter text Joe Touch
- Re: [Tcpcrypt] New version of the charter text Joe Touch
- Re: [Tcpcrypt] New version of the charter text marcelo bagnulo braun
- Re: [Tcpcrypt] New version of the charter text Tero Kivinen
- Re: [Tcpcrypt] New version of the charter text Wesley Eddy
- Re: [Tcpcrypt] New version of the charter text Joe Touch
- Re: [Tcpcrypt] New version of the charter text Wesley Eddy
- Re: [Tcpcrypt] New version of the charter text John-Mark Gurney
- Re: [Tcpcrypt] New version of the charter text Wesley Eddy
- Re: [Tcpcrypt] New version of the charter text Joe Touch
- Re: [Tcpcrypt] New version of the charter text ianG
- Re: [Tcpcrypt] New version of the charter text marcelo bagnulo braun
- Re: [Tcpcrypt] New version of the charter text ianG
- Re: [Tcpcrypt] New version of the charter text Tony Arcieri
- Re: [Tcpcrypt] New version of the charter text Stephen Farrell
- Re: [Tcpcrypt] New version of the charter text ianG
- Re: [Tcpcrypt] New version of the charter text marcelo bagnulo braun
- Re: [Tcpcrypt] New version of the charter text ianG
- Re: [Tcpcrypt] New version of the charter text marcelo bagnulo braun
- Re: [Tcpcrypt] New version of the charter text Tero Kivinen
- Re: [Tcpcrypt] New version of the charter text Joe Touch
- Re: [Tcpcrypt] New version of the charter text Tero Kivinen