[TLS] ticket_lifetime and generic network layer
"Mark Dunn" <mark.dunn@objectiveintegration.uk> Thu, 09 February 2017 12:39 UTC
Return-Path: <mark.dunn@objectiveintegration.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86CA31299D6 for <tls@ietfa.amsl.com>; Thu, 9 Feb 2017 04:39:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fJ5FMKGH5V10 for <tls@ietfa.amsl.com>; Thu, 9 Feb 2017 04:39:15 -0800 (PST)
Received: from mail.objectiveintegration.uk (objectiveintegration.uk [134.213.135.47]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E905B1299C8 for <tls@ietf.org>; Thu, 9 Feb 2017 04:39:14 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.objectiveintegration.uk (Postfix) with ESMTP id 946DD1A02E40 for <tls@ietf.org>; Thu, 9 Feb 2017 12:39:13 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at objectiveintegration.uk
Received: from mail.objectiveintegration.uk ([127.0.0.1]) by localhost (mail.objectiveintegration.uk [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rhymPVnZS-eP for <tls@ietf.org>; Thu, 9 Feb 2017 12:38:50 +0000 (UTC)
Received: from gamma (host86-157-188-235.range86-157.btcentralplus.com [86.157.188.235]) by mail.objectiveintegration.uk (Postfix) with ESMTPA id D4F171A01A96 for <tls@ietf.org>; Thu, 9 Feb 2017 12:38:50 +0000 (UTC)
From: Mark Dunn <mark.dunn@objectiveintegration.uk>
To: tls@ietf.org
Date: Thu, 09 Feb 2017 12:38:50 -0000
Message-ID: <000001d282d1$7769bdc0$663d3940$@objectiveintegration.uk>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0001_01D282D1.776E78B0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AdKCz+xcEVNI4lxORaa5rhflb37RVQ==
Content-Language: en-gb
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/aJpKkHHz08bCx8SGbZbQhld-bbU>
X-Mailman-Approved-At: Thu, 09 Feb 2017 04:59:44 -0800
Subject: [TLS] ticket_lifetime and generic network layer
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2017 12:49:51 -0000
I am reading your TLS 3.1 Standard and the mailing list. It looks great. I am particularly interested in using the 0-RTT feature for IoT timestamped data, which would seem immune from replay attacks I have a couple of questions 1) The maximum ticket lifetime is set to 7 days. Is this based on hard science or arbitrary? If it is arbitrary then 8 days for weekly intervals or 32 for days for monthly intervals would make better commercial sense (allowing for variability in wake-up times for constrained devices) 2) Have you considered using TLS for a generic network layer? I am thinking along the lines of a protocol like geneve (https://datatracker.ietf.org/doc/draft-ietf-nvo3-geneve/ ) Use cases would be Insert TLS 1.3 between the physical layer and the MAC (data link) layer For WAN and WWAN devices Insert TLS 1.3 between the MAC layer and IP layer or IP/TLS/VXLAN/IP Use any of your favourite virtualisation protocols here. For securing virtual networks Insert TLS 1.3 between IP layer and UDP/TCP layers For securing legacy network applications (SIP, RTP and RTCP for example) It looks, from my point of view, that a small addition could transform this protocol from an application oriented security mechanism, into a general internet workhorse. Providing a simpler solution for both the IoT and Cloud Other protocols call this Protocol (IPv4) Next Header (IPv6) Ethertype (Ethernet) And then you would also need to register this generic TLS 1.3 protocol with Iana to register your own protocol Id
- [TLS] ticket_lifetime and generic network layer Mark Dunn
- Re: [TLS] ticket_lifetime and generic network lay… Ilari Liusvaara
- Re: [TLS] ticket_lifetime and generic network lay… Mark Dunn