Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno-01

Kyle Rose <> Tue, 25 August 2015 17:56 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 52DE41ACEC1 for <>; Tue, 25 Aug 2015 10:56:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.921
X-Spam-Status: No, score=0.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, MANGLED_BACK=2.3, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id gcSej-XYZXZc for <>; Tue, 25 Aug 2015 10:56:02 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4001:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DEC241B29C4 for <>; Tue, 25 Aug 2015 10:55:53 -0700 (PDT)
Received: by iodb91 with SMTP id b91so195511927iod.1 for <>; Tue, 25 Aug 2015 10:55:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=C3zB4GGUjBBTjvBU2cEiwmC46Gzs9kbMYQ1IYufzpc4=; b=MTCFxSkQRGLTNSNWsaZzkxc45u1wqQ/PN/1SX4wSOvd20SJSQmzFlCXKdBcEnQD8OZ aiFto2bq02ohHFgXVV1nQGN6s5xjQ0XA4Rxd/zqiuh2H3YEXInO7QlvB1uLunYbHN8dX XZqrBuBYYvRSq3zY8EeNDmgCBATofHd49xLTU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=C3zB4GGUjBBTjvBU2cEiwmC46Gzs9kbMYQ1IYufzpc4=; b=X8M57i5MpOPkRI22RbmreIKkorNAQ55GPvVwWlGjtOelnEJu1bJ7y1mQH5EKXjglaP tZi6E43Za/4vLFd0fINvCz1da7me5fvv54d1Uwg2ouKVCk7jYALpRVedRMoAjCYG0pv7 000FRB+LHkQvOf7mccgOYZaRiLqm9sGU5dNZi5vSL08gvDcAv2XOPaphvUmSYxKsMQRQ wzbbx71Hgy2h8LEsqEspcLVNkYBVdJ5UQeF+f1BQ1o7CFAFXn08W0x4BSPfXfe2NQGxK BnUpxG0GtWAPjL/205BtS3vdpN04ck7EaV5zvBArTxA21xjLajeQE9bReqA8LIe5ZGKU UymQ==
X-Gm-Message-State: ALoCoQmFkT2rIjxbr+zljw0o1KDoFEwtoJgO00XsL7sE+Zwta5tWuszE1AN0PW9zwUK9vmQo/PE/
MIME-Version: 1.0
X-Received: by with SMTP id x39mr25688431ioi.156.1440525353249; Tue, 25 Aug 2015 10:55:53 -0700 (PDT)
Received: by with HTTP; Tue, 25 Aug 2015 10:55:53 -0700 (PDT)
X-Originating-IP: []
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
Date: Tue, 25 Aug 2015 13:55:53 -0400
Message-ID: <>
From: Kyle Rose <>
To: David Mazieres expires 2015-11-23 PST <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Cc: tcpinc <>, Stephen Kent <>, Stephen Farrell <>
Subject: Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno-01
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 25 Aug 2015 17:56:03 -0000

>   A->B: SYN      "Hey, I support tcpcrypt and TLS"
>   B->A: SYN      "Hey, I support tcpcrypt"
>   A->B: ACK(+)   "Great, let's use tcpcrypt with cipher suite X or Y"
>   B->A: ACK(+)   "Great, let's use tcpcrypt with cipher suite Z"
>   A->B: ACK(*)   DH parameter, etc.

One way to resolve this for TLS is to just make TLS one of the cipher suites:

A->B: SYN "Hey, I support (TLS, tcpcryptX, tcpcryptY)"
B->A: SYN "Hey, I support (TLS)"
A->B: ACK "Great, let's use TLS"
B->A: ACK "Great, let's use TLS"

And then switch to straight-up TLS, whether in userspace or in the
kernel. In userspace this is a little tricky in that a software or
administrative change to the cipher suite preference list should be
made when TCP-ENO is activated by default in the kernel: as long as
one of the two endpoints is properly configured, tcpcrypt-unaware
endpoints will do the right thing, but if both endpoints are
improperly configured you'll get two key exchanges and connections
will be doubly-encrypted. (An HTTPS server implementor might just
choose to turn off TCP-ENO for port 443, which would have the desired

For passive/active, the same basic logic applies:

A->B: SYN "Hey, I support (TLS, tcpcryptX, tcpcryptY)"
B->A: SYN-ACK "Great, let's use TLS"
B->A: ACK "Ok, let's use TLS"