IETF Logo Mail Archive

[TLS] ticket_lifetime and generic network layer

"Mark Dunn" <mark.dunn@objectiveintegration.uk> Thu, 09 February 2017 12:39 UTC

Return-Path: <mark.dunn@objectiveintegration.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86CA31299D6 for <tls@ietfa.amsl.com>; Thu, 9 Feb 2017 04:39:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fJ5FMKGH5V10 for <tls@ietfa.amsl.com>; Thu, 9 Feb 2017 04:39:15 -0800 (PST)
Received: from mail.objectiveintegration.uk (objectiveintegration.uk [134.213.135.47]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E905B1299C8 for <tls@ietf.org>; Thu, 9 Feb 2017 04:39:14 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.objectiveintegration.uk (Postfix) with ESMTP id 946DD1A02E40 for <tls@ietf.org>; Thu, 9 Feb 2017 12:39:13 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at objectiveintegration.uk
Received: from mail.objectiveintegration.uk ([127.0.0.1]) by localhost (mail.objectiveintegration.uk [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rhymPVnZS-eP for <tls@ietf.org>; Thu, 9 Feb 2017 12:38:50 +0000 (UTC)
Received: from gamma (host86-157-188-235.range86-157.btcentralplus.com [86.157.188.235]) by mail.objectiveintegration.uk (Postfix) with ESMTPA id D4F171A01A96 for <tls@ietf.org>; Thu, 9 Feb 2017 12:38:50 +0000 (UTC)
From: Mark Dunn <mark.dunn@objectiveintegration.uk>
To: tls@ietf.org
Date: Thu, 09 Feb 2017 12:38:50 -0000
Message-ID: <000001d282d1$7769bdc0$663d3940$@objectiveintegration.uk>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0001_01D282D1.776E78B0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AdKCz+xcEVNI4lxORaa5rhflb37RVQ==
Content-Language: en-gb
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/aJpKkHHz08bCx8SGbZbQhld-bbU>
X-Mailman-Approved-At: Thu, 09 Feb 2017 04:59:44 -0800
Subject: [TLS] ticket_lifetime and generic network layer
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2017 12:49:51 -0000

I am reading your TLS 3.1 Standard and the mailing list.

It looks great. 

I am particularly interested in using the 0-RTT feature for IoT timestamped
data, which would seem immune from replay attacks

 

I have a couple of questions

 

1) The maximum ticket lifetime is set to 7 days. Is this based on hard
science or arbitrary?

If it is arbitrary then 8 days for weekly intervals or 32 for days for
monthly intervals would  make better commercial sense

               (allowing for variability in wake-up times for constrained
devices)

2) Have you considered using TLS for a generic network layer?

               I am thinking along the lines of a protocol like geneve
(https://datatracker.ietf.org/doc/draft-ietf-nvo3-geneve/ )

 

Use cases would be

               Insert TLS 1.3 between the physical layer and the MAC (data
link) layer

               For WAN and WWAN devices

 

               Insert TLS 1.3 between the MAC layer and IP layer or
IP/TLS/VXLAN/IP

               Use any of your favourite virtualisation protocols here.

               For securing virtual networks

 

               Insert TLS 1.3 between IP layer and UDP/TCP layers 

For securing  legacy network applications (SIP, RTP and RTCP for example)

 

It looks, from my point of view, that a small addition  could transform this
protocol from an application oriented

security mechanism, into a general internet workhorse. Providing a simpler
solution for both the IoT and Cloud

Other protocols call this 

               Protocol (IPv4)

               Next Header (IPv6)

               Ethertype (Ethernet)

And then you would also need to register this generic TLS 1.3 protocol with
Iana to register your own protocol Id

v2.23.0 | Report a Bug | By Email