Re: [tcpinc] Adam Roach's Yes on draft-ietf-tcpinc-tcpeno-13: (with COMMENT)

Adam Roach <adam@nostrum.com> Tue, 07 November 2017 22:07 UTC

Return-Path: <adam@nostrum.com>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43EC11293DB; Tue, 7 Nov 2017 14:07:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.879
X-Spam-Level:
X-Spam-Status: No, score=-1.879 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZBJCe_f105zh; Tue, 7 Nov 2017 14:07:06 -0800 (PST)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4685512940C; Tue, 7 Nov 2017 14:07:06 -0800 (PST)
Received: from Svantevit.roach.at (cpe-70-122-154-80.tx.res.rr.com [70.122.154.80]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id vA7M72Px086933 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Tue, 7 Nov 2017 16:07:03 -0600 (CST) (envelope-from adam@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host cpe-70-122-154-80.tx.res.rr.com [70.122.154.80] claimed to be Svantevit.roach.at
To: David Mazieres expires 2018-02-04 PST <mazieres-ssx5pqjh8w8whg6cfa6vghyqf2@temporary-address.scs.stanford.edu>, The IESG <iesg@ietf.org>
Cc: tcpinc@ietf.org, david.black@dell.com, tcpinc-chairs@ietf.org, draft-ietf-tcpinc-tcpeno@ietf.org
References: <151001922219.18923.9484861233493952977.idtracker@ietfa.amsl.com> <877ev2ya5a.fsf@ta.scs.stanford.edu>
From: Adam Roach <adam@nostrum.com>
Message-ID: <fed0a79e-c2a7-a5e3-8b74-1ce5aca000c8@nostrum.com>
Date: Tue, 7 Nov 2017 16:07:01 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <877ev2ya5a.fsf@ta.scs.stanford.edu>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/VkqAN_aj6oTWWRJoQapA3wnhr8A>
Subject: Re: [tcpinc] Adam Roach's Yes on draft-ietf-tcpinc-tcpeno-13: (with COMMENT)
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Nov 2017 22:07:09 -0000

On 11/6/17 10:40 PM, David Mazieres wrote:
> Adam Roach <adam@nostrum.com> writes:
>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> Thanks for a well-thought-out and well written document. I'm looking
>> forward to seeing how this experiment goes. I have a few minor
>> comments for possible improvements.
>>
>> Section 4 indicates that applications can be made aware of whether TCP
>> encryption is occurring:
>>
>>     o  A bit available to higher-layer protocols at each endpoint for
>>        out-of-band negotiation of updated behavior in the presence of TCP
>>        encryption.
>>
>> I see that this is used to bind the TEP to certain TCP-ENO
>> information, which is obviously good -- but I think some guidance in
>> here cautioning about the hazards of exposing opportunistically
>> encrypted connections to users as "secure" would be helpful. In
>> general, because of the MITM considerations that are already covered,
>> conveying opportunistic encryption to users as "secure" is dangerous.
> Thanks for the vote and the feedback.  Applications can already tell if
> the connection is encrypted.  The intent of this bit is in fact
> precisely to negotiate some higher level authentication, as discussed
> later on in the security considerations section.  Ideally the beginning
> of section four would not get into too many details, as the point is
> just to sketch out the API so readers can contextualize the following
> details.  What would you think of a parenthetical remark, like:
>
>     o  A bit available to higher-layer protocols at each endpoint for
>        out-of-band negotiation of updated behavior in the presence of TCP
>        encryption.  (As discussed in Section 10, higher-layer protocols
>        MAY use this bit to strengthen security in a backwards-compatible
>        way.)
>
> I'm still not crazy about that because it's both verbose and vague in a
> place I was trying to keep things concise, but maybe worth it, or maybe
> there is a better way.

On reflection, I agree with you that the original, more concise version 
is better for this section. In any case, the important part of my 
comment was the final clause, starting with the word "conveying." I 
think a helpful treatment of this issue would be to conclude the final 
paragraph of the Security Considerations section with something like:

    Moreover, opportunistic encryption
    emphatically does not protect against targeted attacks that employ
    trivial spoofing to redirect a specific high-value connection to a
    man-in-the-middle attacker. For this reason, applications making use
    of TCP-ENO need to be careful not to represent such connections as
    "secure" to their users, unless end-to-end confidentiality and
    integrity can otherwise be guaranteed.



>
>> Section 4.2:
>>     b
>>        The passive role bit MUST be 1 for all passive openers.  For
>>        active openers, it MUST default to 0, but implementations MUST
>>        provide an API through which an application can explicitly set "b
>>        = 1" before initiating an active open.  (Manual configuration of
>>        "b" is only necessary to enable encryption with a simultaneous
>>        open.)
>>
>> I think this could be made clearer (thinking in particular of Spencer's
>> question) if this text indicated that implementations making use of
>> simultaneous open need to have some out-of-band negotiation of role before the
>> TCP connection is attempted.
> Good point.  I added the word only in response to Spencer's feedback,
> but I think we should just make the thing abundantly clear.  How about:
>
>         The passive role bit MUST be 1 for all passive openers.  For
>         active openers, it MUST default to 0, but implementations MUST
>         provide an API through which an application can explicitly set "b
>         = 1" before initiating an active open.  (Manual configuration of
>         "b" is only necessary to enable encryption with a simultaneous
>         open, and requires some prior agreement by which exactly one
>         endpoint sets "b = 1".)

That's exactly the kind of thing I had in mind. Thanks!

/a