Re: [tcpinc] Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpeno-13: (with DISCUSS and COMMENT)

"Black, David" <David.Black@dell.com> Tue, 14 November 2017 03:48 UTC

From: "Black, David" <David.Black@dell.com>
To: Tero Kivinen <kivinen@iki.fi>
CC: Eric Rescorla <ekr@rtfm.com>, David Mazieres <dm-list-tcpcrypt@scs.stanford.edu>, "tcpinc@ietf.org" <tcpinc@ietf.org>, Kyle Rose <krose@krose.org>, "tcpinc-chairs@ietf.org" <tcpinc-chairs@ietf.org>, "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>, The IESG <iesg@ietf.org>, "draft-ietf-tcpinc-tcpeno@ietf.org" <draft-ietf-tcpinc-tcpeno@ietf.org>
Date: Tue, 14 Nov 2017 03:48:02 +0000
Message-ID: <CE03DB3D7B45C245BCA0D243277949362FD4FF5E@MX307CL04.corp.emc.com>
References: <151036581280.449.10740505473540594433.idtracker@ietfa.amsl.com> <CE03DB3D7B45C245BCA0D243277949362FD495EF@MX307CL04.corp.emc.com> <CABcZeBPfk6Pi=_UPvTBaS9jQBYjExUdqkdX5Q--iUuyCv_qZtw@mail.gmail.com> <CAJU8_nWpVhm4oTT+SLyG-nk=ww7nBU-DaVe86rUU-LGGqJvHvQ@mail.gmail.com> <CABcZeBO0TD0KnpTfe6CbHUoiS=FmGiGW6r_mFMH_9bYFWKqKLA@mail.gmail.com> <CABcZeBNp=1c1cx0+nJezjWy_Q4N9-PUeQuqOU_k7A7KhRj18EQ@mail.gmail.com> <CE03DB3D7B45C245BCA0D243277949362FD4BB57@MX307CL04.corp.emc.com> <CABcZeBPL2mVFtsL77Bdr=BUf7cb+qe_+Wxq42AtoohHmSmJaCg@mail.gmail.com> <CE03DB3D7B45C245BCA0D243277949362FD4BDAB@MX307CL04.corp.emc.com> <877euu7hy0.fsf@ta.scs.stanford.edu> <CE03DB3D7B45C245BCA0D243277949362FD4D450@MX307CL04.corp.emc.com> <87vaieow9k.fsf@ta.scs.stanford.edu> <CABcZeBPxOaK3DN5u0ohizt8rAQ+tShMuOcdpJBJ-2fmMJuQWgA@mail.gmail.com> <CE03DB3D7B45C245BCA0D243277949362FD4FC09@MX307CL04.corp.emc.com> <23050.26156.887026.454347@fireball.acr.fi>
In-Reply-To: <23050.26156.887026.454347@fireball.acr.fi>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/_doOXG1cLxFNAC_NVGD4GWNTT3s>
Subject: Re: [tcpinc] Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpeno-13: (with DISCUSS and COMMENT)
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <tcpinc.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>

> We (talking as secdir secretary) do not do security reviews on the
> independent submission documents. Area review teams only review IETF
> stream documents and ignore other streams (Independent, IAB, IRTF
> etc).

Hmm - the process that I'd expect is that a SEC AD notices something odd, suspicious or peculiar in an independent submission TEP spec during conflict review and asks an expert on the secdir to take a closer look. Given the threat of a weak TEP hash to all other TEPs, I would think/hope that independent submission publication of a TEP with a weak hash could be blocked then and there.

Thanks, --David


> -----Original Message-----
> From: Tero Kivinen [mailto:kivinen@iki.fi]
> Sent: Monday, November 13, 2017 10:43 PM
> To: Black, David <david.black@emc.com>
> Cc: Eric Rescorla <ekr@rtfm.com>; David Mazieres <dm-list-
> tcpcrypt@scs.stanford.edu>; tcpinc@ietf.org; Kyle Rose <krose@krose.org>;
> tcpinc-chairs@ietf.org; Mirja Kuehlewind (IETF) <ietf@kuehlewind.net>; The
> IESG <iesg@ietf.org>; draft-ietf-tcpinc-tcpeno@ietf.org
> Subject: Re: [tcpinc] Eric Rescorla's Discuss on draft-ietf-tcpinc-tcpeno-13:
> (with DISCUSS and COMMENT)
> 
> Black, David writes:
> > I like Amanda’s suggestion of: “Expert Review with RFC Required”
> > That should result in two security reviews of a new TEP, both of
> > which could halt a weak one. Looking at the Independent Submission
> > track as the “path of least resistance” that would be the IETF
> > Security Area (ADs and Directorate) as part of RFC publication plus
> > an IANA expert review as part of codepoint assignment. Thank you,
> > Amanda.
> 
> We (talking as secdir secretary) do not do security reviews on the
> independent submission documents. Area review teams only review IETF
> stream documents and ignore other streams (Independent, IAB, IRTF
> etc).
> 
> The expert can of course do whatever checks he wants, and the IANA section
> can set some instructions for the expert, for example ask him to verify on
> the specific mailing list before doing assignments etc.
> 
> I as an IANA expert for the IKEv2 related registries (it is just
> expert review, no specification or RFC required) usually do require
> stable reference before I say assignment is ok. I also quite often
> send email to the ipsec@ietf.org list before doing assignments, if I
> think there is something that might be important to people there.
> 
> Anyway, everything this boils down to is getting an expert for the IANA
> registry that we (as an IETF) can trust to do a good job of blocking bad
> ideas...
> --
> kivinen@iki.fi