IETF Logo Mail Archive

Re: [tcpinc] Revised version of TCP-ENO

David Mazieres <dm-list-tcpcrypt@scs.stanford.edu> Fri, 14 August 2015 20:34 UTC

Return-Path: <dm-list-tcpcrypt@scs.stanford.edu>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D88771A88FA for <tcpinc@ietfa.amsl.com>; Fri, 14 Aug 2015 13:34:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.91
X-Spam-Level:
X-Spam-Status: No, score=-0.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ywr3X1_tT4X0 for <tcpinc@ietfa.amsl.com>; Fri, 14 Aug 2015 13:34:01 -0700 (PDT)
Received: from market.scs.stanford.edu (www.scs.stanford.edu [IPv6:2001:470:806d:1::9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20C2D1A88F9 for <tcpinc@ietf.org>; Fri, 14 Aug 2015 13:34:01 -0700 (PDT)
Received: from market.scs.stanford.edu (localhost.scs.stanford.edu [127.0.0.1]) by market.scs.stanford.edu (8.14.7/8.14.7) with ESMTP id t7EKY0Ts011141; Fri, 14 Aug 2015 13:34:00 -0700 (PDT)
Received: (from dm@localhost) by market.scs.stanford.edu (8.14.7/8.14.7/Submit) id t7EKY0dX015406; Fri, 14 Aug 2015 13:34:00 -0700 (PDT)
X-Authentication-Warning: market.scs.stanford.edu: dm set sender to dm-list-tcpcrypt@scs.stanford.edu using -f
From: David Mazieres <dm-list-tcpcrypt@scs.stanford.edu>
To: Martin Thomson <martin.thomson@gmail.com>
In-Reply-To: <CABkgnnXu0BpdTxi138BU_GRSGGq+nKgLg2M0nFwJY+fFevayvg@mail.gmail.com>
References: <87pp2vqplu.fsf@ta.scs.stanford.edu> <CAJU8_nXAHhf6dqqs0gUEGz49bG7YUO1qaGwaLm04+vstPTyfWg@mail.gmail.com> <87h9o4rqwz.fsf@ta.scs.stanford.edu> <874mk2kj56.fsf@alice.fifthhorseman.net> <CAJU8_nVcDmCw-0KYviJ5GWZL+-YcCg3wLMJqpkuh=iN8RppA+A@mail.gmail.com> <87y4hej2vf.fsf@alice.fifthhorseman.net> <87egj67sac.fsf@ta.scs.stanford.edu> <87bnea7rr6.fsf@ta.scs.stanford.edu> <CABkgnnUF-byT2MH8mrmZJaMY2PTsspWJ8W3wJmddXdgMqGHCkQ@mail.gmail.com> <87614i7o2l.fsf@ta.scs.stanford.edu> <CABkgnnU8eeX3QV+D_g2XJqWGf9YzUZ1v-eqjg9HsioGJP8-GqQ@mail.gmail.com> <87io8hwznh.fsf@ta.scs.stanford.edu> <CABkgnnXDomgQJSiCTdxETomPB7H+n2DggZ4VX0Q8hpqvoyq=8A@mail.gmail.com> <874mk1wxs5.fsf@ta.scs.stanford.edu> <CABkgnnXo67ZM9Qa0-rHdNty1ewaGnn8G30Fn2WQZh6fh9-0KvA@mail.gmail.com> <87d1ypsoxk.fsf@ta.scs.stanford.edu> <CABkgnnXu0BpdTxi138BU_GRSGGq+nKgLg2M0nFwJY+fFevayvg@mail.gmail.com>
Date: Fri, 14 Aug 2015 13:33:59 -0700
Message-ID: <87io8hfw3s.fsf@ta.scs.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/tcpinc/H2K6czQvinMSxwFQVHFZGaTIcwk>
Cc: tcpinc <tcpinc@ietf.org>
Subject: Re: [tcpinc] Revised version of TCP-ENO
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Aug 2015 20:34:02 -0000

Martin Thomson <martin.thomson@gmail.com> writes:

> On 14 August 2015 at 11:30,  <dm-list-tcpcrypt@scs.stanford.edu> wrote:
>> Do you think TCP-ENO should specify the
>> mechanism or the requirement?
>
> Perhaps neither.  At one level, this need only negotiate what crypto
> is in effect.

Well, the charter requires TCPINC to have some kind of session ID or
other authentication mechanism.  If by neither you mean you don't want
that mechanism to be part of TCP-ENO, then TCP-ENO won't be very useful.
Strip out the session ID and you're mostly left with option kind
multiplexing, which could equally well be achieved through some simpler
RFC6994-like thing.  (The negotiation and aa bits can't be secured
without some sort of cross-spec requirements on the session ID.)

> At this stage, not knowing what is going to happen where, bundling
> things together doesn't help.

I don't understand this comment.  The whole point of TCP-ENO is to make
progress on knowing what is going to happen where, so as to facilitate
agreement on the crypto spec itself.  ENO can facilitate agreement on a
spec because it enables a spec-independent API.  Hence, if we
standardize TCPINC before TLS 1.3 or large options have been
standardized, we haven't given up the ability to leverage those other
technologies in the future.

Is your objection that this is the wrong goal (because there is no
useful spec-agnostic API), or that TCP-ENO fails to meet the goal
(because you envision specs unable to accommodate TCP-ENO's session ID
requirements), or that there's some better way to try to break the
working group deadlock (which I'd be glad to try)?

If you don't object to the basic premise of TCP-ENO, it would be helpful
if you could provide a specific suggestion for how you would like to see
the the draft changed.  Additionally, if you can cook up a specific
(albeit contrived) example that demonstrates the shortcomings of the
existing TCP-ENO draft (maybe with added computational
indistinguishability of session IDs in response to list feedback), this
would be quite helpful in framing the discussion.

Thanks,
David

v2.23.0 | Report a Bug | By Email