IETF Logo Mail Archive

Re: [Tsv-art] TSV Triage team: Review of IETF LC documents as of 10/11

"Black, David" <David.Black@dell.com> Thu, 12 October 2017 14:20 UTC

Return-Path: <David.Black@dell.com>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9474134316 for <tsv-art@ietfa.amsl.com>; Thu, 12 Oct 2017 07:20:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5
X-Spam-Level:
X-Spam-Status: No, score=-5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-2.8, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dell.com header.b=Hw7uh021; dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=emc.com header.b=fQH/Zeds
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ucf8Ujxu51IB for <tsv-art@ietfa.amsl.com>; Thu, 12 Oct 2017 07:20:25 -0700 (PDT)
Received: from esa1.dell-outbound.iphmx.com (esa1.dell-outbound.iphmx.com [68.232.153.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 207CF132D4E for <tsv-art@ietf.org>; Thu, 12 Oct 2017 07:20:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dell.com; i=@dell.com; q=dns/txt; s=smtpout; t=1507817451; x=1539353451; h=from:cc:to:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=+ocWcYKYzrlTqvgZiuSpBxyn8MqFmF6IzPNZnmhpquc=; b=Hw7uh0212uD1eAMOuaDTYv7TQShtWvtIJn8itbllJI4432ycNofaZYSO dNUE8KmmRXd7yKhsH3/vsVRysasF2E9xExS2yuRkLYcc21M2md/1XrOpc +Lf7BspTTkVBHrPqEQExXL03goT6xo9a5RLV/khEEkSGVTllbxjmLZlpG M=;
Received: from esa2.dell-outbound2.iphmx.com ([68.232.153.202]) by esa1.dell-outbound.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 12 Oct 2017 09:10:51 -0500
From: "Black, David" <David.Black@dell.com>
Cc: "tsv-art@ietf.org" <tsv-art@ietf.org>, "Black, David" <David.Black@dell.com>
Received: from mailuogwhop.emc.com ([168.159.213.141]) by esa2.dell-outbound2.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 12 Oct 2017 20:10:56 +0600
Received: from maildlpprd01.lss.emc.com (maildlpprd01.lss.emc.com [10.253.24.33]) by mailuogwprd02.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id v9CEKLXu026696 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 12 Oct 2017 10:20:22 -0400
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd02.lss.emc.com v9CEKLXu026696
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=emc.com; s=jan2013; t=1507818023; bh=dCkDmDNWSHbNdeb4gfLTbL8OnMk=; h=From:To:CC:Subject:Date:Message-ID:References:In-Reply-To: Content-Type:Content-Transfer-Encoding:MIME-Version; b=fQH/ZedsvGM6lmeWvN+/I9wJrE1G5FQIJjlU7o0OZmcAKkiuaTSVuq6FUcZBCMREG 7S/ML8se7IdLnvJ8MNHsI6oj0ORjr1Kjxsg4tmxC6y/p7GWBHbKjpOj7DAI7792D3M w5ITg/g11nwboU8W188m5iEqP52iSThP/47SQmm4=
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd02.lss.emc.com v9CEKLXu026696
Received: from mailusrhubprd01.lss.emc.com (mailusrhubprd01.lss.emc.com [10.253.24.19]) by maildlpprd01.lss.emc.com (RSA Interceptor); Thu, 12 Oct 2017 10:19:55 -0400
Received: from MXHUB310.corp.emc.com (MXHUB310.corp.emc.com [10.146.3.36]) by mailusrhubprd01.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id v9CEK98S027525 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=FAIL); Thu, 12 Oct 2017 10:20:10 -0400
Received: from MX307CL04.corp.emc.com ([fe80::849f:5da2:11b:4385]) by MXHUB310.corp.emc.com ([10.146.3.36]) with mapi id 14.03.0352.000; Thu, 12 Oct 2017 10:20:09 -0400
To: Mirja Kühlewind <ietf@kuehlewind.net>, Joe Touch <touch@strayalpha.com>, Martin Stiemerling <mls.ietf@gmail.com>
Thread-Topic: [Tsv-art] TSV Triage team: Review of IETF LC documents as of 10/11
Thread-Index: AQHTQxGk8xXgZt9A8UWC0+Ef5as41qLgJs+AgABRRYCAAASUAP//vaUg
Date: Thu, 12 Oct 2017 14:20:09 +0000
Message-ID: <CE03DB3D7B45C245BCA0D243277949362FCD9823@MX307CL04.corp.emc.com>
References: <641815bd-11d4-3742-a2f4-a1b63e239b36@gmail.com> <07958751-5EC5-4B59-86BD-A5D40201EEAE@strayalpha.com> <bd0bfa57-99da-2f42-7f92-11b116a056b6@kuehlewind.net> <f9adb386-71ff-6c4f-d81b-66a3dfa82515@strayalpha.com> <7d3e886c-2d79-3472-b357-7628de93dee3@kuehlewind.net>
In-Reply-To: <7d3e886c-2d79-3472-b357-7628de93dee3@kuehlewind.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.238.44.138]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Sentrion-Hostname: mailusrhubprd01.lss.emc.com
X-RSA-Classifications: public
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/67_TSGv9BUy9xteBJwyOTePwW5k>
Subject: Re: [Tsv-art] TSV Triage team: Review of IETF LC documents as of 10/11
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Oct 2017 14:20:28 -0000

Writing as a TCPINC WG chair ...

> > I remain unclear on what problem they’re
> > trying to solve, other than to integrate TLS into the TCP 3WHS 

First sentence of charter:

	The TCPINC WG will develop the TCP extensions to provide unauthenticated encryption and integrity protection of TCP streams.

The key word here is "unauthenticated" - in practice TLS needs to be authenticated, usually with a certificate.  A second important distinguishing aspect is that this is layered functionality that is intended to provide communication security to applications that don't have TLS or similar security functionality.

> > (an
> > alternate, more direct approach along those lines by Eric R ?? was
> > rejected, FWIW).

the "was rejected" statement is not correct ...

> > I disagree; what I saw were "votes" to pick *a* solution, not multiple
> > ones. In particular, working on multiple solutions was deemed to
> > undermine the goal of "we have one that everyone will use".

As Mirja explained, the ADs noticed that unproductive activity and made some changes because the "beauty contest" to choose one crypto approach a priori was consuming time without making any forward progress.  The result in the latter part of 2015 was WG adoption of drafts for a common negotiation option and both crypto approaches.   Based on the level of WG participant interest and ability to work on the drafts, the tcpcrypt crypto work has been completed, and work on the TLS-based crypto work could be resumed if there is sufficient interest in doing so.

> > It doesn’t protect the TCP layer at all.

That's mostly correct, but not 100%.   The underlying situation is that the WG decided not to do anything that would break middlebox resegmentation (send gag reflex responses to /dev/null, please), which makes it impossible to do much in the way of protecting TCP headers.  OTOH, there is some modest TCP protection provided, e.g., this blocks injected FINs.

> > I don't know if ENO will support anything other than TCPCRYPT; it may be
> > intended that way, but the jury is out exactly because nobody else is
> > using it.
> 
> ENO explicitly was designed to support other approaches, especially TLS.
> There was even a registration for the TLS in the ENO draft. I told the
> authors to remove that because that registration should be done by the TLS
> draft itself (if it every gets finished).

While both Joe and Mirja are correct, I concur with Joe's view of the likely future - the TLS-based crypto approach seems unlikely to be completed.

> > I was giving my impression as context, but basically encouraging someone
> > else from TRIAGE to volunteer to give these docs a pass. If that's not
> > useful, perhaps you should let Martin know he didn't need to ask for that.
> Sorry again, I missed that. I personally think we don't need further tsv
> reviews at this stage. But of course any additional review can help.
> 
> @Martin: David is the chair of the tcpinc group and shepherd of one of the
> drafts, so he has certainly reviewed it already :-)

Indeed I have reviewed, but more reviewer eyes never hurt ...

Thanks, --David

> -----Original Message-----
> From: Tsv-art [mailto:tsv-art-bounces@ietf.org] On Behalf Of Mirja
> Kühlewind
> Sent: Thursday, October 12, 2017 9:42 AM
> To: Joe Touch <touch@strayalpha.com>; Martin Stiemerling
> <mls.ietf@gmail.com>
> Cc: tsv-art@ietf.org
> Subject: Re: [Tsv-art] TSV Triage team: Review of IETF LC documents as of
> 10/11
> 
> Hi Joe,
> 
> On 12.10.2017 15:25, Joe Touch wrote:
> >
> >
> > On 10/12/2017 1:34 AM, Mirja Kühlewind wrote:
> >> Hi Joe,
> >>
> >> not sure, what your actual request is to the triage team but they
> >> usually don't assign tsv document for tsv-art review.
> > I was responding to Martin's request, not making one of my own.Sorry I
> missed that request.
> 
> >
> >> Also your concern seems to be quite fundamentally about the approach
> >> taken by the working group and it seems simply too late to change
> >> anything about this now as the document(s) are in IETF last call.
> > Any review - at any stage, for any reason - can bring up issues with the
> > need for an approach and the utility of the approach provided.
> Sure, you can bring up new issues but issues regarding the selection of this
> approach have been discussed before and I don't think it will be use useful
> to revisit that argument at this stage.
> 
> >
> >> However, let me provide you some more input as responsible AD and
> >> previous chair. The TLS-based proposal was not rejected at all. There
> >> was, however, not enough energy in the group to follow on with that
> >> approach now,
> > I disagree; what I saw were "votes" to pick *a* solution, not multiple
> > ones. In particular, working on multiple solutions was deemed to
> > undermine the goal of "we have one that everyone will use".
> 
> This was before I took over the group as chair. These (kind of weird) votes
> didn't lead to any conclusion. When I took over the group we adopted both
> proposals but the author of the TLS one later explained that he would not
> have the time commitment to follow on, so the group concentrated on
> finalizing the tcpcrypt approach.
> 
> >
> >> so the only option to finish up any time soon was to go with tcpcrypt.
> >> However, the reason why there is tcpeno, is that this mechanism can
> >> still be used to negotiate the use of TLS and the hope it that this
> >> proposal will still be finished at some point of time. I personally
> >> think that just having a negotiation mechanism in TCP for TLS could
> >> provide a stronger incentive for adoption but as far as I can tell
> >> there is currently anyway not a huge interest in deploying tcpinc
> >> (probably also because QUIC could provide a alternative if you want an
> >> encrypted transport).
> > QUIC is basically TLS for UDP: https://www.chromium.org/quic
> > In fact, the project claims to want to adopt TLS 1.3 in place of its
> > interim approach.
> 
> QUIC as standardized in the IETF currently is using TLS1.1 (as explicitly
> stated in the charter I believe).
> >
> > I don't know if ENO will support anything other than TCPCRYPT; it may be
> > intended that way, but the jury is out exactly because nobody else is
> > using it.
> 
> ENO explicitly was designed to to support other approaches, especially TLS.
> There was even a registration for the TLS in the ENO draft. I told the
> authors to remove that because that registration should be done by the TLS
> draft itself (if it every gets finished).
> 
> >
> >> I hope that addresses your concerns at least a bit.
> > It doesn't.
> >
> > I was giving my impression as context, but basically encouraging someone
> > else from TRIAGE to volunteer to give these docs a pass. If that's not
> > useful, perhaps you should let Martin know he didn't need to ask for that.
> Sorry again, I missed that. I personally think we don't need further tsv
> reviews at this stage. But of course any additional review can help.
> 
> @Martin: David is the chair of the tcpinc group and shepherd of one of the
> drafts, so he has certainly reviewed it already :-)
> 
> Mirja
> 
> 
> >
> > Joe
> >
> >> Thanks for your feedback though! I really appreciate your (and some
> >> others) efforts to have an eye on what's going on! Honestly thanks!
> >>
> >> Mirja
> >>
> >>
> >>
> >> On 12.10.2017 06:21, Joe Touch wrote:
> >>> Hi Martin (et al.),
> >>>
> >>> I’ve (unfortunately) tracked TCPCRYPT and ENO since their
> >>> introduction to the IETF. I remain unclear on what problem they’re
> >>> trying to solve, other than to integrate TLS into the TCP 3WHS (an
> >>> alternate, more direct approach along those lines by Eric R ?? was
> >>> rejected, FWIW). It doesn’t protect the TCP layer at all.
> >>>
> >>> IMO, both would benefit from at least a cursory pass by fresh eyes,
> >>> though. Besides, at this point I doubt anything I have to say hasn’t
> >>> been said (and largely ignored) before.
> >>>
> >>> Joe
> >>>
> >>>> On Oct 11, 2017, at 1:07 AM, Martin Stiemerling <mls.ietf@gmail.com>
> >>>> wrote:
> >>>>
> >>>> Dear TSVers,
> >>>>
> >>>> I did work through all documents that are in IETF LC, IESG
> >>>> processing or being requested for publication as of 10/11, 10:00 am
> >>>> CEST.
> >>>>
> >>>> Please find below all documents checked and what to do with these
> >>>> documents.
> >>>>
> >>>> There are a two documents out of TCPINC that are important and
> >>>> probably should be reviewed by the TSVART, if not somebody has
> >>>> already reviewed those as part of the regular TCPINC WG review:
> >>>> draft-ietf-tcpinc-tcpeno-10
> >>>> draft-ietf-tcpinc-tcpcrypt-07
> >>>>
> >>>> Any volunteers or did someone out of the TSVART (David probably?)
> >>>> any read it?
> >>>>
> >>>>
> >>>> Documents that require TSV attention:
> >>>> draft-ietf-i2nsf-framework-08 -- Martin
> >>>> draft-ietf-dhc-relay-port-06 -- Jörg (changed, was assigned to Colin)
> >>>> draft-ietf-sunset4-ipv6-ietf-01 -- Michael Tuexen
> >>>> draft-ietf-nvo3-mcast-framework-10 -- Colin, as he did review -09
> >>>> draft-ietf-mboned-interdomain-peering-bcp-11 -- Yoshifum (AD
> request
> >>>> by Mirja)
> >>>>
> >>>>
> >>>> Documents that do not require TSV attention:
> >>>> draft-ietf-netconf-rfc6536bis-06
> >>>> draft-ietf-lime-yang-connectionless-oam-methods-09
> >>>> draft-ietf-lime-yang-connectionless-oam-11
> >>>> draft-ietf-acme-acme-07
> >>>> draft-schaad-curdle-oid-registry-02
> >>>> draft-ietf-rmcat-scream-cc-11 -- TSV owned
> >>>> draft-ietf-sidrops-bgpsec-rollover-02
> >>>> draft-ietf-uta-email-deep-09
> >>>> draft-ietf-ospf-segment-routing-extensions-19
> >>>> draft-ietf-dnssd-hybrid-07
> >>>> draft-ietf-anima-voucher-05
> >>>> draft-ietf-anima-prefix-management-05
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> Thanks,
> >>>>
> >>>>    Martin
> >>>>
> >>>> _______________________________________________
> >>>> Tsv-art mailing list
> >>>> Tsv-art@ietf.org
> >>>> https://www.ietf.org/mailman/listinfo/tsv-art
> >>>
> >>> _______________________________________________
> >>> Tsv-art mailing list
> >>> Tsv-art@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/tsv-art
> >>>
> >
> > _______________________________________________
> > Tsv-art mailing list
> > Tsv-art@ietf.org
> > https://www.ietf.org/mailman/listinfo/tsv-art
> >
> 
> _______________________________________________
> Tsv-art mailing list
> Tsv-art@ietf.org
> https://www.ietf.org/mailman/listinfo/tsv-art

v2.23.0 | Report a Bug | By Email