Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno-01
Eric Rescorla <ekr@rtfm.com> Fri, 28 August 2015 17:15 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C6151A1A86 for <tcpinc@ietfa.amsl.com>; Fri, 28 Aug 2015 10:15:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OPeu3KCQ3VrJ for <tcpinc@ietfa.amsl.com>; Fri, 28 Aug 2015 10:15:32 -0700 (PDT)
Received: from mail-wi0-f171.google.com (mail-wi0-f171.google.com [209.85.212.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 508471A01FC for <tcpinc@ietf.org>; Fri, 28 Aug 2015 10:15:32 -0700 (PDT)
Received: by wiae7 with SMTP id e7so2964248wia.0 for <tcpinc@ietf.org>; Fri, 28 Aug 2015 10:15:31 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=2ofXiQb96toxiw5Ki95dsq/bydN9PE1wkxhmSYHOJU0=; b=eY0nUE5RqRjAe8zKnkaMrtJgtxcDPotVv/NVr9RU5ztuMpIeEV06oPk7GAYsE72uL4 n4e3wVDMvJXmHUaDOD4n5QergpEbgcRaujUw4zPjL462QU6w7O4UnfIQlDMeJuNHsm+E yLHaQUYxAaTjCp9BoErIvDTXuybzuTgIBlY8x9INAVhPlGdhkljL8SBjPg54Yr5bJsVZ QfZPhiOx2coV2qmH/JweI7T72dW6H1e3NLSRk+8Fp2GoC74hU0rZ9kKP0rsx/8WTx36x PidWBtRn2rjP9TYDQXHzI5PJFRnGAYWGpNYX95rNnUJbmWcLgZJ29sYj3G8zV4DJnWC4 iXWA==
X-Gm-Message-State: ALoCoQmdLfNmiOVqzdBQn9eLDaG/DoHtfsxn1W2y0UDsoYKenSqeopya8qT0SdFAQVgaLBeXfK9y
X-Received: by 10.194.216.68 with SMTP id oo4mr12117865wjc.81.1440782131018; Fri, 28 Aug 2015 10:15:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.179.221 with HTTP; Fri, 28 Aug 2015 10:14:51 -0700 (PDT)
In-Reply-To: <87si75jo4s.fsf@ta.scs.stanford.edu>
References: <CABcZeBNEFVkDi38y3G-C2nQF=dzW2mGDsj5DVK_OKVkPwK=G0g@mail.gmail.com> <878u92oadf.fsf@ta.scs.stanford.edu> <CABcZeBMfk5C4-LF0fDLKpJktV3hJyzRUNfe0gO8RYDnzcs3yMA@mail.gmail.com> <87zj1inf7n.fsf@ta.scs.stanford.edu> <CABcZeBMZCjrwpTH+CkZS_p8TYGEFsXwxGn=KfPe28hY5f=2oXw@mail.gmail.com> <87oahuta7j.fsf@ta.scs.stanford.edu> <CABcZeBPiUxByxUVJ3cb5LaeH5T1LX3iZFetP4cXM3O9avzBkCA@mail.gmail.com> <87si75jo4s.fsf@ta.scs.stanford.edu>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 28 Aug 2015 10:14:51 -0700
Message-ID: <CABcZeBOat0mKPDQcf=Z9FjtJ_VV7MjdhqYnpMedOcREPsg6TDg@mail.gmail.com>
To: David Mazieres expires 2015-11-24 PST <mazieres-g6du8km82n4q6g98dpqkaiyuu6@temporary-address.scs.stanford.edu>
Content-Type: multipart/alternative; boundary="089e0141a0921e7233051e623bad"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tcpinc/CjiFW2vHUtxPDNfg9gT3y9Iaegc>
Cc: tcpinc <tcpinc@ietf.org>
Subject: Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno-01
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2015 17:15:35 -0000
On Wed, Aug 26, 2015 at 10:28 PM, David Mazieres < dm-list-tcpcrypt@scs.stanford.edu> wrote: > Eric Rescorla <ekr@rtfm.com> writes: > > > Note: you can't really build a reliable NAT traversal system where you > > use STUN to learn your public address and then register it because > > too many NATs have unstable bindings or require you to open pinholes. > > We tried that and it didn't work which is why ICE is the way it is. > > Can you demonstrate simultaneous open without stable NAT bindings? I > don't see how that could work. The issue is how stable they are over time. My point is that you need real-time signaling because you can't publish something and have it be valid 10 minutes later, not that it's not stable over 5-15 second intervals. >> If you remove the b bit from TCP-ENO, there will be pairs of hosts that > >> can communicate via simultaneously opened TCP connections that cannot > >> use TCP-level encryption. > > > > OK, I don't understand that. Can you please provide an example of a case > > where the "b" bit helps that the sides couldn't have already broken the > > tie via out-of-band signaling. > > I'm not sure I understand your comment. The "b" bit assumes the > applications have broken the tie via out-of-band signaling. It is the > mechanism that permits you to have encryption when applications break > the tie. So no "b" bit means no encryption on simultaneous open, ever. I don't think that's true. See Mirja's point below. > > I haven't seen anyone argue that the b bit fails to achieve its goal. > > > > That's precisely what I am arguing with the example above. > > So to be clear, the goal is that if applications can break the tie, the > "b" bit allows encryption with simultaneous open. If you believe > there's a case where simultaneous open will still fail to encrypt, even > with the "b" bits correctly set, can you break it down on a > packet-by-packet basis (for the first 4 packets of the connection)? > Such a four-segment example with two SYNs and two ACKs would really > advance the debate. In order to assess the issue, you actually need to see how it interacts with the NAT traversal algorithm. Here's the example I sent before, with the following NAT topology. A: 10.0.0.1 (host), 198.51.100.1 (srflx) B: 192.0.2.1 (srflx and host). A Signaling B STUN STUN Check -------------------------> Host Cand ----> Host Cand --> <-- Candidate <--- Candidate SYN --------------------------------> X <---------------------- STUN Response What appears in the "b" bit in the packet marked with "X"? > >> Since TCPINC has been around for over a year and neither of the two main > >> candidate drafts has yet attempted goal #4, perhaps we should say that > >> fully-transparent encryption with simultaneous open is not a high enough > >> priority to delay TCPINC progress. If some subdelegation wants to > >> investigate the problem in parallel and report back with some data, > >> there's no reason the WG couldn't later move to accommodate the results. > > > > This seems like a good proposal. FWIW, the major applications that I > know of > > that use TCP-SO for NAT traversal have their own COMSEC anyway and > > in fact often treat TCP as if it were UDP. > > Ah... great. Sounds like progress. Also, do you mind sharing what > those major TCP-SO applications are? It would add some badly needed > context to this discussion. > The one I am mostly familiar with VoIP, whether of the SIP (3261, etc.) variety or WebRTC. In either case, you use ICE (RFC 5245, 6544) and try to set up a channel in parallel via both UDP and TCP (preferring UDP). -Ekr
- [tcpinc] Review of draft-bittau-tcpinc-tcpeno-01 Eric Rescorla
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… David Mazieres
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Watson Ladd
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… David Mazieres
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Eric Rescorla
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Watson Ladd
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… David Mazieres
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… David Mazieres
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Watson Ladd
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… David Mazieres
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Watson Ladd
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… David Mazieres
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Watson Ladd
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… David Mazieres
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Watson Ladd
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… David Mazieres
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Watson Ladd
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Ilari Liusvaara
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Watson Ladd
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Mark Handley
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Yoav Nir
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Watson Ladd
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Kyle Rose
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Stephen Kent
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Watson Ladd
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Stephen Farrell
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Watson Ladd
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Martin Thomson
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… David Mazieres
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Stephen Farrell
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… David Mazieres
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… David Mazieres
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Scharf, Michael (Michael)
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Stephen Farrell
- [tcpinc] Simultaneous open tie breaking Tero Kivinen
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Stephen Kent
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Stephen Kent
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Kyle Rose
- Re: [tcpinc] Simultaneous open tie breaking David Mazieres
- Re: [tcpinc] Simultaneous open tie breaking Kyle Rose
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… David Mazieres
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Watson Ladd
- Re: [tcpinc] Simultaneous open tie breaking David Mazieres
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Stephen Farrell
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… John Leslie
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Eric Rescorla
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… David Mazieres
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Kyle Rose
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Stephen Kent
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Stephen Farrell
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… David Mazieres
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… ianG
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Mirja Kühlewind
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… ianG
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… ianG
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… ianG
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Kyle Rose
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Kyle Rose
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Stephen Farrell
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… ianG
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… ianG
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Mirja Kühlewind
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… David Mazieres
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Stephen Farrell
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Eric Rescorla
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… David Mazieres
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Mirja Kühlewind
- Re: [tcpinc] Simultaneous open tie breaking Tero Kivinen
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Mirja Kühlewind
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… David Mazieres
- Re: [tcpinc] Simultaneous open tie breaking dm-list-tcpcrypt
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… dm-list-tcpcrypt
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Kyle Rose
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… David Mazieres
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Eric Rescorla
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… David Mazieres
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Eric Rescorla
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Eric Rescorla
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Eric Rescorla
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… David Mazieres
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… David Mazieres
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Eric Rescorla
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… Eric Rescorla
- Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno… dm-list-tcpcrypt