IETF Logo Mail Archive

Re: [Tcpcrypt] New version of the charter text

marcelo bagnulo braun <marcelo@it.uc3m.es> Mon, 28 April 2014 05:31 UTC

Return-Path: <marcelo@it.uc3m.es>
X-Original-To: tcpcrypt@ietfa.amsl.com
Delivered-To: tcpcrypt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 681231A070F for <tcpcrypt@ietfa.amsl.com>; Sun, 27 Apr 2014 22:31:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.852
X-Spam-Level:
X-Spam-Status: No, score=-104.852 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jXI5DguGSGpK for <tcpcrypt@ietfa.amsl.com>; Sun, 27 Apr 2014 22:31:52 -0700 (PDT)
Received: from smtp03.uc3m.es (smtp03.uc3m.es [163.117.176.133]) by ietfa.amsl.com (Postfix) with ESMTP id 3B6221A06F1 for <tcpcrypt@ietf.org>; Sun, 27 Apr 2014 22:31:52 -0700 (PDT)
Received: from smtp03.uc3m.es (localhost [127.0.0.1]) by localhost.uc3m.es (Postfix) with ESMTP id C928E9D352E for <tcpcrypt@ietf.org>; Mon, 28 Apr 2014 07:31:50 +0200 (CEST)
X-uc3m-safe: yes
X-uc3m-safe: yes
Received: from [10.0.1.2] (232.174.78.188.dynamic.jazztel.es [188.78.174.232]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: marcelo@smtp03.uc3m.es) by smtp03.uc3m.es (Postfix) with ESMTPSA id 973159D2FF6 for <tcpcrypt@ietf.org>; Mon, 28 Apr 2014 07:31:50 +0200 (CEST)
Message-ID: <535DE7C6.80902@it.uc3m.es>
Date: Mon, 28 Apr 2014 07:31:50 +0200
From: marcelo bagnulo braun <marcelo@it.uc3m.es>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: tcpcrypt@ietf.org
References: <53576572.5030805@it.uc3m.es> <535D636D.8050108@iang.org> <535D6BF2.6040304@it.uc3m.es> <535D76BC.4060007@cs.tcd.ie>
In-Reply-To: <535D76BC.4060007@cs.tcd.ie>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
X-TM-AS-Product-Ver: IMSS-7.1.0.1224-7.5.0.1017-20660.005
X-TM-AS-Result: No--22.627-7.0-31-1
X-imss-scan-details: No--22.627-7.0-31-1
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpcrypt/zpmZKDlMS32cijiIuwWI_rCcQ20
Subject: Re: [Tcpcrypt] New version of the charter text
X-BeenThere: tcpcrypt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpcrypt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpcrypt/>
List-Post: <mailto:tcpcrypt@ietf.org>
List-Help: <mailto:tcpcrypt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Apr 2014 05:31:55 -0000

El 27/04/14 23:29, Stephen Farrell escribió:
> Hi Marcelo,
>
> On 27/04/14 21:43, marcelo bagnulo braun wrote:
>> - Hooks for allowing upper layers to disable encryption must be made
>> available.
>>     The protocol may try to avoid redundant encryption when it is possible
>> e.g.
>>     by detecting encryption performed by upper layers (notably, when TLS
>> is used).
> Based on all the discussion on this so far, I'd also suggest
> deleting this bit. I agree with Ian that the reasons for
> including this stated so far are arm-wavy. And "detecting"
> that higher layers are encrypting vs. compressing seems unlikely
> in the general case too. If something is using TLS then the
> TLS code (which normally calls the socket API I think) can
> presumably determine if TCP Inc. would be on by default and
> do the right thing so there's no need for TCP Inc. to do
> anything for that case even if someone concludes that double
> wrapping isn't what they want.
>
> So count me as another -1 on inclusion of the above.

mmm, I guess i misread the previous discussion or i didnt managed to 
explain what i had in mind.

Let me try to explain myself (not trying to push for this, just want to 
clarify).

What i had in mind was _not_ about allowing the upper layer to disable 
the encryption in the middle of a connection.
What i had in mind was to allow the upper layer to say: "please for this 
connection, dont use TCP-INC, just use plain old TCP". This is because 
the upperlayer may knwo better, for instance, it is building its onw 
security.

If we dont provide this hook, then it is always encrypted if both ends 
support and there is nothing the upper layer can do in order to avoid it.

Please also note that this does not allow for the peer to downgrade the 
connection or terminate encryption, as this has no impact in the wire, 
it is only at the begining of the connection.

Does this clarify things? What do you think?

That being said, I am perfectly fine with removing it from the charter.

Regards, marcelo


>
> That said, I think that the argument for null ciphers could
> still be made later (which might be one way to deal with the
> wish expressed above), and I'm sure someone will inevitably
> make the argument for that for debugging purposes so since
> we know it'll happen we don't really need to argue about
> whether that's ok or not now:-) As I've also said before,
> I'd need to be convinced that those are worthwhile myself
> so as of now I'd say not defining 'em is the right thing.
>
> S.
>
> _______________________________________________
> Tcpcrypt mailing list
> Tcpcrypt@ietf.org
> https://www.ietf.org/mailman/listinfo/tcpcrypt
>

v2.23.0 | Report a Bug | By Email