Re: [tcpinc] WGLC for draft-ietf-tcpinc-tcpeno

"Holland, Jake" <jholland@akamai.com> Mon, 06 February 2017 21:04 UTC

Return-Path: <jholland@akamai.com>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D575F1293F9 for <tcpinc@ietfa.amsl.com>; Mon, 6 Feb 2017 13:04:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.702
X-Spam-Level:
X-Spam-Status: No, score=-2.702 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fjgYb8jqEGze for <tcpinc@ietfa.amsl.com>; Mon, 6 Feb 2017 13:04:33 -0800 (PST)
Received: from prod-mail-xrelay05.akamai.com (prod-mail-xrelay05.akamai.com [23.79.238.179]) by ietfa.amsl.com (Postfix) with ESMTP id 260E81295ED for <tcpinc@ietf.org>; Mon, 6 Feb 2017 13:04:33 -0800 (PST)
Received: from prod-mail-xrelay05.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id A842E433451; Mon, 6 Feb 2017 21:04:32 +0000 (GMT)
Received: from prod-mail-relay11.akamai.com (prod-mail-relay11.akamai.com [172.27.118.250]) by prod-mail-xrelay05.akamai.com (Postfix) with ESMTP id 8836043340B; Mon, 6 Feb 2017 21:04:32 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1486415072; bh=sxzilUMWDiNHUPebqe7xpoclP2/qBqbaWgvI+zNoymU=; l=2800; h=From:To:Date:References:In-Reply-To:From; b=tgxYxgmLEJvDKovBtjuchS3FJRGdo83qxpiKPiEWH2sEJMxkKjfCq+4zM2H401nQr TlinSHs35yZP7w6boWIsD5iKkR7tC9ltGOh/hB9IRT3hn1TcboKy2RRATrHuZCsjAI aj6XvcV4Wb+8hQhXHkKfJofe25dju3IAn3MySekg=
Received: from email.msg.corp.akamai.com (ustx2ex-cas4.msg.corp.akamai.com [172.27.25.33]) by prod-mail-relay11.akamai.com (Postfix) with ESMTP id 693AF1FC90; Mon, 6 Feb 2017 21:04:32 +0000 (GMT)
Received: from ustx2ex-dag1mb6.msg.corp.akamai.com (172.27.27.107) by ustx2ex-dag1mb3.msg.corp.akamai.com (172.27.27.103) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Mon, 6 Feb 2017 15:04:31 -0600
Received: from ustx2ex-dag1mb6.msg.corp.akamai.com ([172.27.27.107]) by ustx2ex-dag1mb6.msg.corp.akamai.com ([172.27.27.107]) with mapi id 15.00.1178.000; Mon, 6 Feb 2017 13:04:31 -0800
From: "Holland, Jake" <jholland@akamai.com>
To: David Mazieres expires 2017-05-05 PDT <mazieres-gj57ihurinrx3a8rbkcc6pdpia@temporary-address.scs.stanford.edu>, "tcpinc@ietf.org" <tcpinc@ietf.org>
Thread-Topic: [tcpinc] WGLC for draft-ietf-tcpinc-tcpeno
Thread-Index: AQHSfaH8bHX24B8Ba06t1pm3vEt1naFXQ4GAgAC4JQCAAKuKAP//y7SAgAFVG4CAArX1gA==
Date: Mon, 06 Feb 2017 21:04:31 +0000
Message-ID: <BEB9F118-087D-471B-84C9-A57A005D0861@akamai.com>
References: <D668D28F-42BB-40A4-81D1-1FF2D3D95ECB@akamai.com> <87fujvonza.fsf@ta.scs.stanford.edu> <1FD85C9B-BE52-4E9F-A6D9-54BAD0425C8A@akamai.com> <87o9yin11j.fsf@ta.scs.stanford.edu> <A0905A32-A224-4F51-8AC3-8CA01E259AE2@akamai.com> <87bmuh218i.fsf@ta.scs.stanford.edu>
In-Reply-To: <87bmuh218i.fsf@ta.scs.stanford.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.1d.0.161209
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.114.181]
Content-Type: text/plain; charset="utf-8"
Content-ID: <6D75E8ED2C3EA44E8DD0850614BF68A5@akamai.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/Xnwho82c_K7l5A1Y5AaW9IEXqaQ>
Subject: Re: [tcpinc] WGLC for draft-ietf-tcpinc-tcpeno
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Feb 2017 21:04:36 -0000

On 2/4/17, 11:40 AM, "David Mazieres" <dm-list-tcpcrypt@scs.stanford.edu> wrote:
>   Achieving stronger security with TCP-ENO requires verifying session
>   IDs.  Any application relying on ENO for communications security MUST
>   incorporate session IDs into its endpoint authentication.  By way of
>   example, an authentication mechanism based on keyed digests (such

nit: I think you want an “as” here

>   Digest Access Authentication [RFC7616]) can be extended to include
>   the role and session ID in the input of the keyed digest.

>   Applications MAY use the application-aware "a" bit to negotiate the
>   inclusion of session IDs in authentication even when there is no in-
>   band way to carry out such a negotiation

In this particular sentence (“Applications MAY use the ...”) I would prefer to see something like “Higher-layer protocols”, or “Higher-layer authentication mechanisms” instead of “Applications”, as the thing which MAY use the ...

The reason is because this negotiation is something that every application which connects to the same service has to do in a coherent manner. In other words, this is inherently NOT a negotiation that an individual application could perform in a different way from another different application that uses the same higher layer protocol for communication. Using “Applications” in that sentence seems to imply that it’s an application-level negotiation, when in fact it’s a higher-layer-protocol negotiation. Using “Applications” might still have left some confusion about this point for me on my first reading.

(Also, I still think you’d be better served by changing the name of the a-bit from “application-aware” to something like “Legacy protocol updated” or “Higher-layer negotiation”, or another phrase that more narrowly describes the usage of the a-bit. But outside from this one final mention I won’t quibble with your decision.)

Otherwise I’m satisfied with your proposed changes, and thanks again.