Re: [TLS] EXTERNAL: Re: integrity only ciphersuites

Jack Visoky <jmvisoky@ra.rockwell.com> Tue, 21 August 2018 18:08 UTC

From: Jack Visoky <jmvisoky@ra.rockwell.com>
To: Ted Lemon <mellon@fugue.com>
CC: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, "Fries, Steffen" <steffen.fries@siemens.com>, "ncamwing=40cisco.com@dmarc.ietf.org" <ncamwing=40cisco.com@dmarc.ietf.org>, "tls@ietf.org" <tls@ietf.org>
Date: Tue, 21 Aug 2018 18:08:25 +0000
Message-ID: <DM5PR2201MB1433E09B441548D8E482EDD599310@DM5PR2201MB1433.namprd22.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/f2_aAHqdxv7M8UEvJpdoSdGl9qg>

Could you please clarify what you mean by bandwidth? Are you talking about if a device has a 100 Mb connection or 10 Mb connection, or something else? Also, processor speed and device capability are often a limiting factor so I’m not sure how relevant bandwidth is, but I might just not be following your train of thought.

IPsec was something that was looked at in detail, and tried in some installations. It certainly has a place but we’ve found it’s not as generally applicable as TLS. Reasons have to do with the complexity of configuration as well as difficulty setting up the network. Another way to put this is that the market was not receptive to IPsec as a general solution.

In general we have a lot of respect for what was done with TLS and its wide adoption. We’ve adopted it in a number of protocols under TLS 1.2 and would like to do the same with TLS 1.3.

Thanks and Best Regards,

--Jack

From: Ted Lemon [mailto:mellon@fugue.com]
Sent: Tuesday, August 21, 2018 1:56 PM
To: Jack Visoky <jmvisoky@ra.rockwell.com>
Cc: Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>; Fries, Steffen <steffen.fries@siemens.com>; ncamwing=40cisco.com@dmarc.ietf.org; tls@ietf.org
Subject: Re: [TLS] EXTERNAL: Re: integrity only ciphersuites

What kind of bandwidth are we talking about here?   Also, could you answer my question about IPsec?

On Tue, Aug 21, 2018 at 1:53 PM, Jack Visoky <jmvisoky@ra.rockwell.com> wrote:
Hi Ted,

A few points:


1. Don’t assume there is any browser involved. There is often no browser.

2. Even if there is a browser (and see point 1 before assuming), any HTTP communication would be at a much, much slower rate than machine to machine I/O.

Hope that clears it up.

Thanks and Best Regards,

--Jack

From: Ted Lemon [mailto:mellon@fugue.com]
Sent: Tuesday, August 21, 2018 1:39 PM
To: Jack Visoky <jmvisoky@ra.rockwell.com>
Cc: Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>; Fries, Steffen <steffen.fries@siemens.com>; ncamwing=40cisco.com@dmarc.ietf.org; tls@ietf.org
Subject: Re: [TLS] EXTERNAL: Re: integrity only ciphersuites

If the device implements the cipher so as to talk to the browser, it's clearly capable of implementing the cipher...

On Tue, Aug 21, 2018 at 1:34 PM, Jack Visoky <jmvisoky@ra.rockwell.com> wrote:
Hi Rich,

I’m not sure if I’m following the question, but what was meant was that these ciphers are generally NOT used for browser access.  Machine to machine communication usually does not involve a browser.  Apologies if I’ve misunderstood the question.

Thanks and Best Regards,

--Jack

From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Salz, Rich
Sent: Tuesday, August 21, 2018 1:12 PM
To: Fries, Steffen <steffen.fries@siemens.com>
Cc: ncamwing=40cisco.com@dmarc.ietf.org; tls@ietf.org
Subject: EXTERNAL: Re: [TLS] integrity only ciphersuites


Now I think I am as confused as Stephen and others.

One justification was “small footprint.”  But now you’re saying that for debugging encryption (standard?) ciphers are used for browser access?

