IETF Logo Mail Archive

Re: [TLS] EXTERNAL: Re: integrity only ciphersuites

Ted Lemon <mellon@fugue.com> Mon, 20 August 2018 22:47 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4246130E32 for <tls@ietfa.amsl.com>; Mon, 20 Aug 2018 15:47:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M7FHpfe6GP-f for <tls@ietfa.amsl.com>; Mon, 20 Aug 2018 15:47:56 -0700 (PDT)
Received: from mail-it0-x234.google.com (mail-it0-x234.google.com [IPv6:2607:f8b0:4001:c0b::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89A49130E22 for <tls@ietf.org>; Mon, 20 Aug 2018 15:47:56 -0700 (PDT)
Received: by mail-it0-x234.google.com with SMTP id h20-v6so1665387itf.2 for <tls@ietf.org>; Mon, 20 Aug 2018 15:47:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=tgXuicAZAyGIpvPFbr+8xUAPzohTFhXQkYLf8X107Mo=; b=Kqi2/MRB73w2pzuCasjljNc1yfloyMrUfA/gIvOtqxnRSy/ukJ4w5EAKZjNMh9o7oJ F0eJFH4bs0o2ccPqGkw0qEeXSAnn6vs5zX3cpmTks1ePSnKfSqCrf7TKuJDOV5mkRM7l BqGK7qLvUK9Y1WwchmPL66KQhN6ExeTnX5Qh3GUSi1SuFq3U4V6LvzxSqojE4UOm1K0i C5LFbN+5FWj2ZYT5CYtJx0NoKeOZwA4ND8wq3VEu4VBlcacqXUaLegdRQXH+hqjJljAG iBPARuosapIrW/7zJzbWQQxNqqLqI+qzzQDIRSAu4Qo9nYnI9v/oHMXbrhttCsLkW4Jx TEJQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=tgXuicAZAyGIpvPFbr+8xUAPzohTFhXQkYLf8X107Mo=; b=afKr8V9gPCKCBHpaPbGqW/ZD5C/u662wdNE5zxE6B7KkKUh4tVDA3daYOOKBBDs26G llacJWuXbdFr7hdjMlmzzb+aqOlmYCfjackRNvI9jPoLWJMTiZl2BBvVzFUN7uojO2Ly 4FWJQwOnFh5HvSKBkjsJMYjb8o4qi2z0LKUqPBK3ShaHe0IB+yeDqwxibU/+ywKFgbc9 /5Oqjq0tXC33CLDHeWF2i3OnvmsHCZYT0C+bji7xME5UXYU0uJ8SajbJ/kXLLsVTp7L3 Jp6ZXTLK76VLOp5HvkkvwXUhTdBYZJDn26RSHUjlr1MENup4A8/4uGWX05jqRQKcJRAg W3Mg==
X-Gm-Message-State: AOUpUlHLMonDkdCORsnEBVx3IV3kUBEUaTuLfgBMRoxOHKu9t5J1zNCQ CTT/Id0pu0UtEXOabAKtdtcNqb/HmywkT3VUVjp/eQ==
X-Google-Smtp-Source: AA+uWPzz4yTl5i1Ny97Hc1As2NmGUTG2vXt4b9a51Zu2+ca1quSB2qRGQU5kKjDuOqRA6bUGJX2r8YxMjZEm+jWipi0=
X-Received: by 2002:a24:374d:: with SMTP id r74-v6mr35415578itr.57.1534805275794; Mon, 20 Aug 2018 15:47:55 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a4f:a009:0:0:0:0:0 with HTTP; Mon, 20 Aug 2018 15:47:15 -0700 (PDT)
In-Reply-To: <DM5PR2201MB1433AABB629D610944E470D899320@DM5PR2201MB1433.namprd22.prod.outlook.com>
References: <E29465D4-E4C5-466F-9E3F-240E258DC7C2@cisco.com> <CABcZeBNpgnfBerkutLB0jKA4vF_FrpXNHnEeKQhAOFm-y=xJsA@mail.gmail.com> <DM5PR2201MB1433AABB629D610944E470D899320@DM5PR2201MB1433.namprd22.prod.outlook.com>
From: Ted Lemon <mellon@fugue.com>
Date: Mon, 20 Aug 2018 18:47:15 -0400
Message-ID: <CAPt1N1my2Jv_ErJidY-hYnYPi4czPkM2gabYR_rjcidr5474xA@mail.gmail.com>
To: Jack Visoky <jmvisoky@ra.rockwell.com>
Cc: Eric Rescorla <ekr@rtfm.com>, "Nancy Cam-Winget (ncamwing)" <ncamwing=40cisco.com@dmarc.ietf.org>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000043ac680573e5b3a0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/5mPNdrKgDvnHQB4BTUFwhWFce2I>
Subject: Re: [TLS] EXTERNAL: Re: integrity only ciphersuites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Aug 2018 22:48:00 -0000

On Mon, Aug 20, 2018 at 5:36 PM, Jack Visoky <jmvisoky@ra.rockwell.com>
wrote:

> 2. In some cases the code size is quite important.  It’s not uncommon for
> hardware to be in the field in Industrial Automation for 15 or more years,
> so in some cases the hardware is already stretched pretty thin and might
> not be able to handle the demands of encryption.  At the same time it is
> hugely beneficial to take advantage of the security of TLS for many of
> these installations.
>

Given that you work for Rockwell, I'm assuming that you have specific
devices in mind, that these devices are already in the field, and that you
intend to upgrade their firmware to support CORE or something like that.
 Is this the use case you're talking about?


> 3. Another use case for these NULL encryption suites is around inspection
> of data.  I think this has been discussed in this forum already, but these
> cipher suites could support that as well.
>

I would really encourage you to take a look at MUD (Manufacturer Usage
Description) <https://datatracker.ietf.org/doc/draft-ietf-opsawg-mud/> as a
way to configure these devices.   I presume that the use case here is that
you have a device that could be pwned, and you want to be able to see what
it is sending.   But really it shouldn't even be having the conversation,
right?   MUD lets you configure your firewall automatically, preventing the
device, if it's pwned, from talking to the controlling botnet.

v2.23.0 | Report a Bug | By Email