IETF Logo Mail Archive

Re: [Tls-reg-review] [IANA #1132414] Re: Request to register TLS integrity only cipher suites for TLS 1.3

"Salz, Rich" <rsalz@akamai.com> Thu, 10 December 2020 02:54 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: tls-reg-review@ietfa.amsl.com
Delivered-To: tls-reg-review@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39BDC3A0800 for <tls-reg-review@ietfa.amsl.com>; Wed, 9 Dec 2020 18:54:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.091
X-Spam-Level:
X-Spam-Status: No, score=-2.091 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, T_SPF_HELO_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FU7DR_DPfJ-J for <tls-reg-review@ietfa.amsl.com>; Wed, 9 Dec 2020 18:54:32 -0800 (PST)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 916D93A07F5 for <tls-reg-review@ietf.org>; Wed, 9 Dec 2020 18:54:32 -0800 (PST)
Received: from pps.filterd (m0050095.ppops.net [127.0.0.1]) by m0050095.ppops.net-00190b01. (8.16.0.43/8.16.0.43) with SMTP id 0BA2YjCF020639; Thu, 10 Dec 2020 02:54:10 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=jan2016.eng; bh=pe8zV9mzHfaIBi/dt1SYB4967ScOFga5XfLoZIafSDA=; b=Gz7oxbo3DF6Ty/TasLczOg03nEA/Yqqis+SWWg+yMS/AXoXJtOSUTT+9HOvqBxgdZG1q HRf9pg8f2KfMsiLUP07xOIkkhCs5JZwxZK1oTBWq3bNKGtpkhrwUpCwypwranUDwuo3V qNsxw5+a6yXIHDlTmthuvDUCKZhL3GCVvHqiAIbRLOFhZLzZLUuJq5U5HpscB2E2Qj93 O27hnngkarLR4oVTWF1S/oiSjAYPScdwNrX5S/Vi+XDbDZoqoINh5RyEViAB9y/7cow4 Gn0nyKzrIKpbyEhZZv+g9SuFfZlWb8pVbX2B/TzOy42wlbq+TPIOX5SmONWFlphnpyRS xg==
Received: from prod-mail-ppoint7 (a72-247-45-33.deploy.static.akamaitechnologies.com [72.247.45.33] (may be forged)) by m0050095.ppops.net-00190b01. with ESMTP id 3583nf2j16-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 10 Dec 2020 02:54:10 +0000
Received: from pps.filterd (prod-mail-ppoint7.akamai.com [127.0.0.1]) by prod-mail-ppoint7.akamai.com (8.16.0.42/8.16.0.42) with SMTP id 0BA2Z3UA001739; Wed, 9 Dec 2020 21:54:09 -0500
Received: from email.msg.corp.akamai.com ([172.27.123.32]) by prod-mail-ppoint7.akamai.com with ESMTP id 3586e3a8n5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 09 Dec 2020 21:54:09 -0500
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb3.msg.corp.akamai.com (172.27.123.103) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 9 Dec 2020 21:54:08 -0500
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1497.008; Wed, 9 Dec 2020 21:54:08 -0500
From: "Salz, Rich" <rsalz@akamai.com>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: "iana-prot-param@iana.org" <iana-prot-param@iana.org>, "ncamwing@cisco.com" <ncamwing@cisco.com>, "tls-reg-review@ietf.org" <tls-reg-review@ietf.org>, "jmvisoky@ra.rockwell.com" <jmvisoky@ra.rockwell.com>
Thread-Topic: [Tls-reg-review] [IANA #1132414] Re: Request to register TLS integrity only cipher suites for TLS 1.3
Thread-Index: AQHWzo2sFT79G0nplkqnyYpnX7fdf6nvolIA
Date: Thu, 10 Dec 2020 02:54:07 +0000
Message-ID: <96E22077-B954-4C3C-82AC-E311594D71A3@akamai.com>
References: <RT-Ticket-1132414@icann.org> <CFEF8F6B-9136-4B4C-B6DE-0E635786A240@akamai.com> <rt-4.4.3-21493-1544578196-1273.1132414-37-0@icann.org> <B8FCF390-4B0A-46BC-B3AB-E92A7C7D4FCF@akamai.com> <rt-4.4.3-23334-1544633480-1124.1132414-37-0@icann.org> <rt-4.4.3-4154-1544656355-1253.1132414-37-0@icann.org> <6D19FB88-FBA8-4F50-A004-067AE6218344@akamai.com> <20201210004439.GB64351@kduck.mit.edu>
In-Reply-To: <20201210004439.GB64351@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.44.20120703
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.27.164.43]
Content-Type: text/plain; charset="utf-8"
Content-ID: <3F0149739AB65E45A13D5B778E2DCBBA@akamai.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.343, 18.0.737 definitions=2020-12-09_19:2020-12-09, 2020-12-09 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 adultscore=0 mlxscore=0 phishscore=0 bulkscore=0 mlxlogscore=999 spamscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2012100018
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.343, 18.0.737 definitions=2020-12-09_19:2020-12-09, 2020-12-09 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 lowpriorityscore=0 clxscore=1011 impostorscore=0 mlxscore=0 malwarescore=0 adultscore=0 suspectscore=0 mlxlogscore=999 spamscore=0 phishscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2012100018
X-Agari-Authentication-Results: mx.akamai.com; spf=${SPFResult} (sender IP is 72.247.45.33) smtp.mailfrom=rsalz@akamai.com smtp.helo=prod-mail-ppoint7
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls-reg-review/fjefzmKBG2RIXpk6CUWUr_pDgMQ>
Subject: Re: [Tls-reg-review] [IANA #1132414] Re: Request to register TLS integrity only cipher suites for TLS 1.3
X-BeenThere: tls-reg-review@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TLS REVIEW <tls-reg-review.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls-reg-review>, <mailto:tls-reg-review-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls-reg-review/>
List-Post: <mailto:tls-reg-review@ietf.org>
List-Help: <mailto:tls-reg-review-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls-reg-review>, <mailto:tls-reg-review-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2020 02:54:37 -0000

Not sure what "these ciphers" means, but in retrospect it was ambiguous to say DTLS-OK because that doesn't have version info and DTLS 1.3 was still a draft.

On 12/9/20, 7:44 PM, "Benjamin Kaduk" <kaduk@mit.edu> wrote:

    Digging up this old thread since we may have to revisit the DTLS-OK
    value...
    My AD review of draft-ietf-tls-dtls13 notes that the mechanism for sequence
    number encryption makes some assumptions on the underlying cipher of the
    AEAD construction.  One proposal for changing the draft to make different
    assumptions that are more future-proof may involve setting DTLS-OK to 'N'
    for these ciphers (https://urldefense.com/v3/__https://github.com/tlswg/dtls13-spec/pull/166/files__;!!GjvTz_vk!Cgmij5Wt0oMzNbDoeK1U8AEo73neLzwjrH9H6QeltjN1eUHWkywBF_-zfT79$ ).
    Regardless, the authors of this draft might do well to provide some
    indication of the expected sequence number (non-)protection mechanism.

    -Ben

    On Thu, Dec 13, 2018 at 03:55:03AM +0000, Salz, Rich wrote:
    > DLTS-OK is Y
    > 
    > On 12/12/18, 6:12 PM, "Sabrina Tanamal via RT" <iana-prot-param@iana.org> wrote:
    > 
    >     Hi Rich, all, 
    >     
    >     Sorry we have one more question. Can you let us know how to fill in the "DTLS-OK" column in the TLS Cipher Suites registry?
    >     
    >     Thanks,
    >     
    >     Sabrina Tanamal (filling in for Amanda)
    >     Senior IANA Services Specialist
    >     
    >     On Wed Dec 12 16:51:20 2018, rsalz@akamai.com wrote:
    >     > To avoid creating new holes, how about right after dragonfly:
    >     > 0xC0,0xB3       TLS_ECCPWD_WITH_AES_256_CCM_SHA384      Y       N
    >     > [RFC-harkins-tls-dragonfly-03]
    >     > 0xC0,0xB4-FF    Unassigned
    >     > 
    >     > On 12/11/18, 8:29 PM, "Amanda Baber via RT" <iana-prot-
    >     > param@iana.org> wrote:
    >     > 
    >     > Hi Rich,
    >     > 
    >     > Which values should we assign? There are a number of ranges available,
    >     > and I haven't been able to find any text in RFC 8447 or RFC 8446 that
    >     > identifies which section is for "Not Recommended" assignments:
    >     > 
    >     > https://urldefense.com/v3/__https://www.iana.org/assignments/tls-parameters/tls-__;!!GjvTz_vk!Cgmij5Wt0oMzNbDoeK1U8AEo73neLzwjrH9H6QeltjN1eUHWkywBF5GSbsmF$ 
    >     > parameters.xhtml#tls-parameters-4
    >     > 
    >     > Thanks for your patience,
    >     > 
    >     > Amanda Baber
    >     > Lead IANA Services Specialist
    >     > 
    >     > On Tue Dec 11 20:34:22 2018, rsalz@akamai.com wrote:
    >     > > We discussed this and approve.  Please assign two numbers in the "not
    >     > > recommended" space.
    >     > >
    >     > > Thanks!
    >     > >
    >     > > On 12/5/18, 2:54 PM, "Nancy Cam-Winget (ncamwing)"
    >     > > <ncamwing@cisco.com> wrote:
    >     > >
    >     > > > Contact Name:
    >     > > > Nancy Cam-Winget
    >     > > >
    >     > > > Contact Email:
    >     > > > ncamwing@cisco.com
    >     > > >
    >     > > > Type of Assignment:
    >     > > > "Not Recommended" TLS Cipher suite assignment
    >     > > >
    >     > > > Registry:
    >     > > > TLS 1.3 cipher suite
    >     > > >
    >     > > > Description:
    >     > > > At least two IoT (ODVA and IEC) forums are requesting the need for
    >     > > > enabling TLS 1.3 with integrity only protection in the data plane.
    >     > > > Under security considerations, we are not recommending this cipher
    >     > > > suite to be widely used and note that no privacy is provided when
    >     > > > this
    >     > > > cipher suite is used and several use cases have been noted where
    >     > > > privacy is not required.
    >     > > >
    >     > > > Additional Info:
    >     > > > We have noted the use cases and security (and privacy)
    >     > > > considerations
    >     > > > in https://urldefense.com/v3/__https://tools.ietf.org/html/draft-camwinget-tls-ts13-__;!!GjvTz_vk!Cgmij5Wt0oMzNbDoeK1U8AEo73neLzwjrH9H6QeltjN1eUHWkywBF7v813C7$ 
    >     > > > macciphersuites-01 as well as how the cipher suite would be used
    >     > > > with
    >     > > > TLS 1.3
    >     > >
    >     > >
    >     > >
    >     > > _______________________________________________
    >     > > tls-reg-review mailing list
    >     > > tls-reg-review@ietf.org
    >     > > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/tls-reg-review__;!!GjvTz_vk!Cgmij5Wt0oMzNbDoeK1U8AEo73neLzwjrH9H6QeltjN1eUHWkywBF_vbCWlv$ 
    >     > >
    >     > >
    >     > 
    >     > 
    >     > 
    >     
    >     _______________________________________________
    >     tls-reg-review mailing list
    >     tls-reg-review@ietf.org
    >     https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/tls-reg-review__;!!GjvTz_vk!Cgmij5Wt0oMzNbDoeK1U8AEo73neLzwjrH9H6QeltjN1eUHWkywBF_vbCWlv$ 
    >     
    > 
    > _______________________________________________
    > tls-reg-review mailing list
    > tls-reg-review@ietf.org
    > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/tls-reg-review__;!!GjvTz_vk!Cgmij5Wt0oMzNbDoeK1U8AEo73neLzwjrH9H6QeltjN1eUHWkywBF_vbCWlv$

v2.23.0 | Report a Bug | By Email