Re: [TLS] EXTERNAL: Re: integrity only ciphersuites
Ted Lemon <mellon@fugue.com> Mon, 20 August 2018 22:47 UTC
In-Reply-To: <DM5PR2201MB1433AABB629D610944E470D899320@DM5PR2201MB1433.namprd22.prod.outlook.com>
References: <E29465D4-E4C5-466F-9E3F-240E258DC7C2@cisco.com> <CABcZeBNpgnfBerkutLB0jKA4vF_FrpXNHnEeKQhAOFm-y=xJsA@mail.gmail.com> <DM5PR2201MB1433AABB629D610944E470D899320@DM5PR2201MB1433.namprd22.prod.outlook.com>
From: Ted Lemon <mellon@fugue.com>
Date: Mon, 20 Aug 2018 18:47:15 -0400
Message-ID: <CAPt1N1my2Jv_ErJidY-hYnYPi4czPkM2gabYR_rjcidr5474xA@mail.gmail.com>
To: Jack Visoky <jmvisoky@ra.rockwell.com>
Cc: Eric Rescorla <ekr@rtfm.com>, "Nancy Cam-Winget (ncamwing)" <ncamwing=40cisco.com@dmarc.ietf.org>, "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/5mPNdrKgDvnHQB4BTUFwhWFce2I>
On Mon, Aug 20, 2018 at 5:36 PM, Jack Visoky <jmvisoky@ra.rockwell.com> wrote:

> 2. In some cases the code size is quite important. It’s not uncommon for
> hardware to be in the field in Industrial Automation for 15 or more years,
> so in some cases the hardware is already stretched pretty thin and might
> not be able to handle the demands of encryption. At the same time it is
> hugely beneficial to take advantage of the security of TLS for many of
> these installations.

Given that you work for Rockwell, I'm assuming that you have specific devices in mind, that these devices are already in the field, and that you intend to upgrade their firmware to support CORE or something like that. Is this the use case you're talking about?

> 3. Another use case for these NULL encryption suites is around inspection
> of data. I think this has been discussed in this forum already, but these
> cipher suites could support that as well.

I would really encourage you to take a look at MUD (Manufacturer Usage Description) <https://datatracker.ietf.org/doc/draft-ietf-opsawg-mud/> as a way to configure these devices. I presume that the use case here is that you have a device that could be pwned, and you want to be able to see what it is sending. But really it shouldn't even be having the conversation, right? MUD lets you configure your firewall automatically, preventing the device, if it's pwned, from talking to the controlling botnet.
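The MUD point in the message above, as an added example that is not part of the thread and not the code of any project: a small Python script that reads a MUD document, flattens its from-device and to-device policies into rules, answers "is this flow allowed?" with default deny, and renders nftables-style lines for the enforcement point. The MUD document is constructed for the example and follows the RFC 8520 JSON layout (the `ietf-mud` and `ietf-access-control-list` models); the controller hostname `controller.example`, the device address `192.0.2.10`, the resolved controller address and the port numbers are placeholders, and the `render_nft` output is an illustrative sketch of rule lines, not a complete ruleset.

```python
"""Turn a MUD file into a default-deny allow list for one device.

Added example for the MUD discussion; not part of the IETF thread and not
any project's code. The MUD document below is constructed for this example
and follows the RFC 8520 JSON layout; hostnames, addresses and ports are
placeholders.
"""
import json
from collections import namedtuple

# Constructed MUD document: the device may open TCP/443 to its controller
# and the controller may open TCP/443 to the device. Nothing else is listed,
# so anything else (e.g. a botnet C2) is simply absent from the allow list.
MUD_JSON = """
{
  "ietf-mud:mud": {
    "mud-version": 1,
    "mud-url": "https://vendor.example/example-plc.json",
    "last-update": "2018-08-20T22:47:15+00:00",
    "cache-validity": 48,
    "is-supported": true,
    "systeminfo": "Example PLC (constructed)",
    "from-device-policy": {"access-lists": {"access-list": [{"name": "plc-from"}]}},
    "to-device-policy":   {"access-lists": {"access-list": [{"name": "plc-to"}]}}
  },
  "ietf-access-control-list:acls": {
    "acl": [
      {"name": "plc-from", "type": "ipv4-acl-type", "aces": {"ace": [
        {"name": "to-controller",
         "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "controller.example", "protocol": 6},
                     "tcp": {"ietf-mud:direction-initiated": "from-device",
                             "destination-port": {"operator": "eq", "port": 443}}},
         "actions": {"forwarding": "accept"}}]}},
      {"name": "plc-to", "type": "ipv4-acl-type", "aces": {"ace": [
        {"name": "from-controller",
         "matches": {"ipv4": {"ietf-acldns:src-dnsname": "controller.example", "protocol": 6},
                     "tcp": {"ietf-mud:direction-initiated": "to-device",
                             "destination-port": {"operator": "eq", "port": 443}}},
         "actions": {"forwarding": "accept"}}]}}
    ]
  }
}
"""

Rule = namedtuple("Rule", "direction peer proto port action")


def extract_rules(mud_doc):
    """Walk both policies of a parsed MUD document and flatten every ACE into a Rule."""
    mud = mud_doc["ietf-mud:mud"]
    acls = {a["name"]: a for a in mud_doc["ietf-access-control-list:acls"]["acl"]}
    rules = []
    for policy, direction in (("from-device-policy", "from-device"),
                              ("to-device-policy", "to-device")):
        for ref in mud[policy]["access-lists"]["access-list"]:
            for ace in acls[ref["name"]]["aces"]["ace"]:
                m = ace["matches"]
                ip = m.get("ipv4") or m.get("ipv6") or {}
                # The peer is the destination for from-device traffic and the
                # source for to-device traffic; the MUD manager resolves the name.
                peer = ip.get("ietf-acldns:dst-dnsname") or ip.get("ietf-acldns:src-dnsname")
                l4 = m.get("tcp") or m.get("udp") or {}
                port = (l4.get("destination-port") or l4.get("source-port") or {}).get("port")
                rules.append(Rule(direction, peer, ip.get("protocol"), port,
                                  ace["actions"]["forwarding"]))
    return rules


def load_rules(text=MUD_JSON):
    """Parse the JSON text and return its flattened rules."""
    return extract_rules(json.loads(text))


def is_flow_allowed(rules, direction, peer, proto, port):
    """Default deny: only an explicit accept rule lets a flow through."""
    for r in rules:
        if (r.direction, r.peer, r.proto, r.port) == (direction, peer, proto, port):
            return r.action == "accept"
    return False


def render_nft(rules, device_ip, resolved):
    """Emit nftables-style rule lines (illustrative sketch) for one device.

    `resolved` maps MUD hostnames to addresses, standing in for the DNS
    resolution the MUD manager performs.
    """
    proto_names = {6: "tcp", 17: "udp"}
    lines = []
    for r in rules:
        p = proto_names.get(r.proto, "ip")
        peer_ip = resolved[r.peer]
        if r.direction == "from-device":
            lines.append(f"ip saddr {device_ip} ip daddr {peer_ip} {p} dport {r.port} {r.action}")
        else:
            lines.append(f"ip saddr {peer_ip} ip daddr {device_ip} {p} dport {r.port} {r.action}")
    # Everything not explicitly listed above is dropped in both directions.
    lines.append(f"ip saddr {device_ip} drop")
    lines.append(f"ip daddr {device_ip} drop")
    return lines


if __name__ == "__main__":
    rules = load_rules()
    for line in render_nft(rules, "192.0.2.10", {"controller.example": "192.0.2.1"}):
        print(line)
```

The point of the example is the last two lines of the rendered ruleset: because the MUD file only names the controller, a device that starts talking to anything else is blocked regardless of whether its TLS session is encrypted or integrity-only, which is the position the message takes.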