Re: [tcpinc] new drafts of TCP-ENO and tcpcrypt
Gregorio Guidi <greg_g@posteo.net> Sat, 07 October 2017 23:33 UTC
Return-Path: <greg_g@posteo.net>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48C8D133207 for <tcpinc@ietfa.amsl.com>; Sat, 7 Oct 2017 16:33:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-2.8, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gAs_MCnmedSz for <tcpinc@ietfa.amsl.com>; Sat, 7 Oct 2017 16:33:40 -0700 (PDT)
Received: from mout02.posteo.de (mout02.posteo.de [185.67.36.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70BF6133205 for <tcpinc@ietf.org>; Sat, 7 Oct 2017 16:33:39 -0700 (PDT)
Received: from submission (posteo.de [89.146.220.130]) by mout02.posteo.de (Postfix) with ESMTPS id 29FD920AF7 for <tcpinc@ietf.org>; Sun, 8 Oct 2017 01:33:36 +0200 (CEST)
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 3y8jW26fR7zypX; Sun, 8 Oct 2017 01:33:34 +0200 (CEST)
To: "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>
Cc: Daniel B Giffin <dbg@scs.stanford.edu>, David Mazieres expires 2017-12-29 PST <mazieres-b6y844gfkp899wcr7iwrxxztue@temporary-address.scs.stanford.edu>, tcpinc <tcpinc@ietf.org>
References: <D38E22E9-FBB6-40D1-BF85-D5A77F5C2365@kuehlewind.net> <20170830223758.GA73969@scs.stanford.edu> <3a8ac0e0-cd41-57c8-85a4-79c5f179385f@kuehlewind.net> <20170929203434.GA73214@scs.stanford.edu> <D78092B0-4C01-47D6-9B5D-9DB1DA5EFA83@kuehlewind.net> <877ewgrtp8.fsf@ta.scs.stanford.edu> <20171004233140.GB84701@scs.stanford.edu> <BDB8460A-E193-4C9C-BCBA-99B805F93D0A@kuehlewind.net>
From: Gregorio Guidi <greg_g@posteo.net>
Message-ID: <e2ae6028-6ed2-c547-2a1f-f3c170b0fb89@posteo.net>
Date: Sun, 08 Oct 2017 01:33:34 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <BDB8460A-E193-4C9C-BCBA-99B805F93D0A@kuehlewind.net>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/j61B52Ff_-IT2CUyHi7Sr8VwZyE>
Subject: Re: [tcpinc] new drafts of TCP-ENO and tcpcrypt
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Oct 2017 23:33:44 -0000
On 10/05/2017 01:42 PM, Mirja Kuehlewind (IETF) wrote: > Hi Daniel, hi all, > > thanks for all the work and changes. I just realized that I didn’t answer (yet) David’s last mail but the resolution now is fine. Thanks for the additional explanation! > > I’ve just requested IETF last call for both docs and put them on the telechat agenda for Oct 26. Likely there will be more comments from different directorates and the ADs and we potentially need another version then (just before the telechat or right after) but I’m not expecting any real issues. > > Thanks for the good work! > Mirja Hi all, Having followed the standardization of tcpcrypt on the tpcinc mailing list (as a passive observer), I wanted to check with you on a point that was not heavily discussed as far as I can see: the choice of the "mandatory to implement" (MTI) algorithms for key agreement. I explain my concern: tcpcrypt defines ECDHE-P256 and ECDHE-P521 as MTI algorithms, however these are based on the NIST elliptic curves that - while widely deployed and offering great security - have been subject to some criticism in the last years. You have probably seen many times the arguments raised against them. The following is a good summary: https://cr.yp.to/newelliptic/nistecc-20160106.pdf Not all arguments in the paper are relevant for the key agreement used in tcpcrypt, but many are. It is especially relevant the fact that tcpcrypt is "tailored to TCP implementations, which often reside in kernels or other environments in which large external software dependencies can be undesirable". This means that the usual path to integrate P256 and P521, that is, linking to a big library such as OpenSSL, will be impractical in many cases. This opens up the potential pitfalls described in the paper, since new low-level code will be needed to integrate the primitives into the TCP stack. From a more detached point of view, the choice of ECDHE-P256 and ECDHE-P521 is a "conservative" one that is not likely to do any damage in practice. But still, I would say that as of 2017, the rough consensus is that the choice of the NIST curves does not reflect anymore the state of the art in the field, especially for new applications. Looking back at the archives, I can find an exchange from last year on the topic: https://mailarchive.ietf.org/arch/msg/tcpinc/QWLophMkudMGU_X0_w_8YcRl910 Having ECDHE-Curve25519 and ECDHE-Curve448 as MTI was suggested, but the lack of implementations for Curve448 was mentioned. Unfortunately this is still an issue: there are implementations available but no stable and well-proved implementation of Curve448 is there yet, as shown here: https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations#Supported_elliptic_curves Nonetheless, in the time passed since that exchange, the adoption of Curve25519 has consolidated further, so the option to have ECDHE-Curve25519 as the only MTI would not look so bad in my view. All in all, I feel that the current choice of algorithm could have a slight detrimental effect on the adoption of tcpcrypt, but how much is difficult to tell. I leave to you to judge whether this could be considered a valid concern or not. Thanks for all the work, Gregorio
- Re: [tcpinc] AD review of draft-ietf-tcpinc-tcpcr… Daniel B Giffin
- Re: [tcpinc] AD review of draft-ietf-tcpinc-tcpcr… Mirja Kuehlewind (IETF)
- Re: [tcpinc] AD review of draft-ietf-tcpinc-tcpcr… David Mazieres
- [tcpinc] AD review of draft-ietf-tcpinc-tcpcrypt Mirja Kuehlewind (IETF)
- Re: [tcpinc] AD review of draft-ietf-tcpinc-tcpcr… Daniel B Giffin
- Re: [tcpinc] AD review of draft-ietf-tcpinc-tcpcr… Mirja Kühlewind
- Re: [tcpinc] AD review of draft-ietf-tcpinc-tcpcr… Black, David
- [tcpinc] new drafts of TCP-ENO and tcpcrypt Daniel B Giffin
- Re: [tcpinc] new drafts of TCP-ENO and tcpcrypt Mirja Kuehlewind (IETF)
- Re: [tcpinc] new drafts of TCP-ENO and tcpcrypt Gregorio Guidi
- Re: [tcpinc] new drafts of TCP-ENO and tcpcrypt dm-list-tcpcrypt
- Re: [tcpinc] new drafts of TCP-ENO and tcpcrypt iang
- [tcpinc] Making ECDHE-Curve25519 the only MTI for… David Mazieres
- Re: [tcpinc] Making ECDHE-Curve25519 the only MTI… Kyle Rose
- Re: [tcpinc] Making ECDHE-Curve25519 the only MTI… Mirja Kühlewind
- Re: [tcpinc] Making ECDHE-Curve25519 the only MTI… Black, David
- Re: [tcpinc] Making ECDHE-Curve25519 the only MTI… Mirja Kuehlewind (IETF)
- [tcpinc] tcpcrypt MTI key exchange (speak now or … David Mazieres
- Re: [tcpinc] tcpcrypt MTI key exchange (speak now… Rene Struik
- Re: [tcpinc] tcpcrypt MTI key exchange (speak now… David Mazieres
- Re: [tcpinc] tcpcrypt MTI key exchange (speak now… iang
- Re: [tcpinc] tcpcrypt MTI key exchange (speak now… David Mazieres
- Re: [tcpinc] tcpcrypt MTI key exchange (speak now… iang
- Re: [tcpinc] tcpcrypt MTI key exchange (speak now… Gregorio Guidi