Re: [tcpinc] new drafts of TCP-ENO and tcpcrypt

Gregorio Guidi <> Sat, 07 October 2017 23:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 48C8D133207 for <>; Sat, 7 Oct 2017 16:33:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-2.8, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id gAs_MCnmedSz for <>; Sat, 7 Oct 2017 16:33:40 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 70BF6133205 for <>; Sat, 7 Oct 2017 16:33:39 -0700 (PDT)
Received: from submission ( []) by (Postfix) with ESMTPS id 29FD920AF7 for <>; Sun, 8 Oct 2017 01:33:36 +0200 (CEST)
Received: from customer (localhost []) by submission ( with ESMTPSA id 3y8jW26fR7zypX; Sun, 8 Oct 2017 01:33:34 +0200 (CEST)
To: "Mirja Kuehlewind (IETF)" <>
Cc: Daniel B Giffin <>, David Mazieres expires 2017-12-29 PST <>, tcpinc <>
References: <> <> <> <> <> <> <> <>
From: Gregorio Guidi <>
Message-ID: <>
Date: Sun, 08 Oct 2017 01:33:34 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <>
Subject: Re: [tcpinc] new drafts of TCP-ENO and tcpcrypt
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 07 Oct 2017 23:33:44 -0000

On 10/05/2017 01:42 PM, Mirja Kuehlewind (IETF) wrote:
> Hi Daniel, hi all,
> thanks for all the work and changes. I just realized that I didn’t answer (yet) David’s last mail but the resolution now is fine. Thanks for the additional explanation!
> I’ve just requested IETF last call for both docs and put them on the telechat agenda for Oct 26. Likely there will be more comments from different directorates and the ADs and we potentially need another version then (just before the telechat or right after) but I’m not expecting any real issues.
> Thanks for the good work!
> Mirja

Hi all,

Having followed the standardization of tcpcrypt on the tpcinc mailing 
list (as a passive observer), I wanted to check with you on a point that 
was not heavily discussed as far as I can see: the choice of the 
"mandatory to implement" (MTI) algorithms for key agreement.

I explain my concern: tcpcrypt defines ECDHE-P256 and ECDHE-P521 as MTI 
algorithms, however these are based on the NIST elliptic curves that - 
while widely deployed and offering great security - have been subject to 
some criticism in the last years. You have probably seen many times the 
arguments raised against them. The following is a good summary:

Not all arguments in the paper are relevant for the key agreement used 
in tcpcrypt, but many are. It is especially relevant the fact that 
tcpcrypt is "tailored to TCP implementations, which often reside in 
kernels or other environments in which large external software 
dependencies can be undesirable". This means that the usual path to 
integrate P256 and P521, that is, linking to a big library such as 
OpenSSL, will be impractical in many cases. This opens up the potential 
pitfalls described in the paper, since new low-level code will be needed 
to integrate the primitives into the TCP stack.

 From a more detached point of view, the choice of ECDHE-P256 and 
ECDHE-P521 is a "conservative" one that is not likely to do any damage 
in practice. But still, I would say that as of 2017, the rough consensus 
is that the choice of the NIST curves does not reflect anymore the state 
of the art in the field, especially for new applications.

Looking back at the archives, I can find an exchange from last year on 
the topic:

Having ECDHE-Curve25519 and ECDHE-Curve448 as MTI was suggested, but the 
lack of implementations for Curve448 was mentioned. Unfortunately this 
is still an issue: there are implementations available but no stable and 
well-proved implementation of Curve448 is there yet, as shown here:

Nonetheless, in the time passed since that exchange, the adoption of 
Curve25519 has consolidated further, so the option to have 
ECDHE-Curve25519 as the only MTI would not look so bad in my view.

All in all, I feel that the current choice of algorithm could have a 
slight detrimental effect on the adoption of tcpcrypt, but how much is 
difficult to tell. I leave to you to judge whether this could be 
considered a valid concern or not.

Thanks for all the work,