[tcpinc] Spencer Dawkins' Yes on draft-ietf-tcpinc-tcpcrypt-08: (with COMMENT)

Spencer Dawkins <spencerdawkins.ietf@gmail.com> Wed, 25 October 2017 19:53 UTC

Return-Path: <spencerdawkins.ietf@gmail.com>
X-Original-To: tcpinc@ietf.org
Delivered-To: tcpinc@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id F1B7713954E; Wed, 25 Oct 2017 12:53:46 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Spencer Dawkins <spencerdawkins.ietf@gmail.com>
To: "The IESG" <iesg@ietf.org>
Cc: draft-ietf-tcpinc-tcpcrypt@ietf.org, Kyle Rose <krose@krose.org>, tcpinc-chairs@ietf.org, krose@krose.org, tcpinc@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.63.2
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <150896122698.4705.6610152257692277567.idtracker@ietfa.amsl.com>
Date: Wed, 25 Oct 2017 12:53:46 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/JqlFbx0Z0kbRYYBS034x2-2_anw>
Subject: [tcpinc] Spencer Dawkins' Yes on draft-ietf-tcpinc-tcpcrypt-08: (with COMMENT)
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.22
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Oct 2017 19:53:47 -0000

Spencer Dawkins has entered the following ballot position for
draft-ietf-tcpinc-tcpcrypt-08: Yes

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-tcpinc-tcpcrypt/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

I really like this draft, and I can understand it fairly well. I do have some
questions to go along with my Yes ballot.

This SHOULD NOT

  o  "PK_A", "PK_B": ephemeral public keys for hosts A and B,
      respectively.  These, as well as their corresponding private keys,
      are short-lived values that SHOULD be refreshed periodically.  The
      private keys SHOULD NOT ever be written to persistent storage.

is just begging for some justification as to why this is important enough to be
a SHOULD NOT, and not important enough to be a MUST NOT. Could you give an
example of a reason why this would be a good idea?

It's likely that everyone but me knows why

                resume[i] = CPRF(ss[i], CONST_RESUME, 18)

is "18" and not some other integer, but there's no explanation or reference
that I could find explaining why.

It would be helpful to explain why

  In a particular SYN segment, a host SHOULD NOT send more than one
   resumption suboption,

is a SHOULD NOT, since it's allowed, so doing so must have some purpose.

This

  A host SHOULD NOT initiate more than one concurrent re-key operation
   if it has no data to send; that is, it should not initiate re-keying
   with an empty encryption frame more than once while its record of the
   remote generation number is less than its own.

is allowed - could you explain why a host would need to violate that SHOULD NOT?

Just for my benefit - Section 8.3 explains why ECDHE using Curve25519 has been
chosen as MTI, but also explains why ECDHE using P-256 has not been chosen as a
second MTI. Is the intention to discourage use of ECDHE using P-256 at all,
based on the concerns expressed about making it MTI?

Also for my benefit, but somewhat more worrying - is the working group fairly
confident that a specifying second MTI key management scheme will be possible
at some point, that does not trip over the problems described in [nist-ecc] and
can be implemented in kernels, or is conforming to the guidance in [RFC7696]
going to be problematic? I see Mirja mentioned SEC discussions about only one
MTI key management mechanism being chosen now, but my question is a little
different - I'm asking if the situation is likely to improve anytime soon.