Re: [TICTOC] IPsec security for packet based synchronization

Cui Yang <cuiyang@huawei.com> Wed, 07 March 2012 11:45 UTC

Date: Wed, 07 Mar 2012 11:44:45 +0000
From: Cui Yang <cuiyang@huawei.com>
In-reply-to: <4EF7E5BF.9050609@ntp.org>
To: Danny Mayer <mayer@ntp.org>, "tictoc@ietf.org" <tictoc@ietf.org>
Message-id: <8CC0CB0BCAE52F46882E17828A9AE2161A032C33@SZXEML508-MBS.china.huawei.com>
References: <4EF7E5BF.9050609@ntp.org>
Subject: Re: [TICTOC] IPsec security for packet based synchronization

Hi, Danny,

Sorry for the very late response! m(_ _)m
I tried to include this correspondence in the updated/new draft.

The answer is in the following:
1. 3GPP Technical Specification TS 33.320
http://www.3gpp.org/ftp/specs/html-info/33320.htm
- 4.3.1 Backhaul link
- 4.4.5 Requirements on Backhaul Link
- 7.4 IPsec Tunnel Establishment
In these sections, the mandatory implementation of an IPsec ESP tunnel is described; in other words, it "SHALL be provided".

2. In the Taipei meeting, I disagreed with the opinion that identified timing packets weaken the synchronization protocol against the packet hijacking attack,
because a normal synchronization protocol is insecure against the underlying attack in the first place, whether or not an identifier is employed.
More discussion is also provided in a new draft, Section 3.2:
http://datatracker.ietf.org/doc/draft-cui-tictoc-encrypted-synchronization

The drafts are still being revised; any comments are highly appreciated.

Thanks,
Yang
==================
 Yang Cui,  Ph.D.
 Huawei Technologies
 cuiyang@huawei.com


> -----Original Message-----
> From: tictoc-bounces@ietf.org [mailto:tictoc-bounces@ietf.org] On Behalf Of
> Danny Mayer
> Sent: 26 December 2011 11:11
> To: tictoc@ietf.org
> Subject: [TICTOC] IPsec security for packet based synchronization
> 
> The minutes of the Taipei meeting state this:
> > 6.   IPsec security for packet based synchronization
> > Yang Cui on behalf of the author, Yixian Xu, presented
> > draft-xu-tictoc-ipsec-security-for-synchronization-02.  This draft has had a
> > large volume of discussion on the list.  There have been two basic questions that
> > have been brought up on the list: Do we need to encrypt timing packets?  Do
> > we need to identify and decrypt timing packets right away (before decrypting
> > all traffic)?  Yang indicated that the answer to question 1 is yes for 3GPP
> > Femtocell and that the draft provided the only efficient mechanism for
> > carrying out a solution to the second question.  It had been brought up on the
> > list that if timing packets were easily identified then they were more susceptible
> > to attackers, with which Yang disagreed.   The authors are preparing a new version of
> > the draft which addresses the points discussed on the list.
> 
> If the answer to question 1 is yes for 3GPP Femtocell then there needs
> to be an explicit answer to why and what this is with a reference to
> supporting documents and the section of the documents.
> 
> Also Yang disagreed about the vulnerability of identified timing packets
> so he should state exactly why he disagrees along with any supporting
> documents and sections of those documents.
> 
> Danny