Re: [TLS] [EXTERNAL] Re: Use-case for non-AEAD ciphers in network monitoring

Andrei Popov <Andrei.Popov@microsoft.com> Mon, 17 May 2021 21:12 UTC

From: Andrei Popov <Andrei.Popov@microsoft.com>
To: "dpp.standards@gmail.com" <dpp.standards@gmail.com>, "stephen.farrell@cs.tcd.ie" <stephen.farrell@cs.tcd.ie>
CC: "tls@ietf.org" <tls@ietf.org>
Date: Mon, 17 May 2021 21:11:59 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/USDFVWTxCldsiB8Gx9IDbWse7_w>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

This NIST workshop <https://www.nccoe.nist.gov/events/virtual-workshop-challenges-compliance-operations-and-security-tls-13> is investigating the exact problem discussed on this thread. Several types of solutions have been proposed there.

Cheers,

Andrei

From: TLS <tls-bounces@ietf.org> On Behalf Of Darin Pettis
Sent: Monday, May 17, 2021 2:04 PM
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: tls@ietf.org
Subject: [EXTERNAL] Re: [TLS] Use-case for non-AEAD ciphers in network monitoring

Hi Stephen,
Thanks for the quick reply as I know it is getting late in Ireland.

I’m sure you do remember the conversation as you spent a lot of time at the microphone around it.  :-)

It is certainly not an easy question to answer but this group comprises the smartest people that I know!!  Surely someone must be up for the challenge as fully half of the people in that London hall voiced the need for it.  Furthermore, when the day comes that TLS 1.2 can’t be used anymore, for whatever the reason, this need is going to come racing down the tracks…

So, while everyone is breathing easy right now, it would be great to address the need proactively.

Respectfully,
Darin

On Mon, May 17, 2021 at 3:48 PM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:

Hiya,

On 17/05/2021 21:33, Darin Pettis wrote:
> TLS 1.3 did a great job regarding safety of data on the Internet. For the
> next version, let’s focus on how to best meet this use case

I think we had this discussion a few years ago. There is
no sensible boundary at which TLS can apply different
cryptographic treatment.

There were also many many other points raised at that
time that I don't think we'll benefit from repeating.

Cheers,
S.