Hello Juliusz.
This is about your contributions to the Babel and Homenet IETF working groups.
Given the apparent flood of Babel security related messages you are sending to
the Babel WG mailing list, I find it necessary to try putting it into proper
context. I tried to attack the problem rather than the person, it is up to you
to tell whether I managed to do that or not. In either case, I tried to leave
you room to defend yourself and to correct me if I am wrong.
A fact is, the Babel WG charter among other things has been saying: "Address
security needs for BABEL. This may include using the techniques in RFC 7298, or
other alternatives."
Another fact is, in early 2016 you were promoting the pre-IETF Babel work
before and at the Babel BoF and claimed that besides the HMAC (then RFC 7298)
approach to Babel security there was another viable alternative, namely,
"Stenberg-style security". You were promoting the idea that the Babel WG should
evaluate both mechanisms and choose the best.
* Q1: Do you acknowledge these two facts and do you agree they are directly
related? (yes/no, please explain if "no")
The specification of "Stenberg-style security" for Babel was never published.
It is June 2018 and I have never seen it, although I asked to.
* Q2: In 2016 did you know "Stenberg-style security" for Babel did not exist as
a workable WG item in the first place? (yes/no)
* Q3: Why were you promoting a WG option that either you didn't verify exists
in the first place (if "no" above) or you definitely knew does not exist (if
"yes" above)? Please explain.
At some point between 2016 and 2017 you stopped mentioning "Stenberg-style
security" and began to promote DTLS for Babel security. The first "running
code" prototypes (not implementations) of Babel DTLS began to be discussed
between late 2017 and early 2018 (as far as I could see in the mailing list
archive). It is June 2018 and I have never seen the DTLS Babel security
specification, although I have asked to.
* Q4: In 2016-2018 did you know a specification for the "DTLS" Babel security
did not exist as a workable WG item? (yes/no)
* Q5: same as Q3
Whichever the name of it, mentions of the "alternative" Babel security have
consistently been in your regular IETF slides, talks and status updates in the
Babel and Homenet WGs, and occasionally elsewhere at IETF. This statement is as
factual as the IETF meeting materials and witness of IETF participants
including myself.
* Q6: Do you agree your long-time presenting effort had created and maintained
an impression that the "alternative" security option was viable and workable by
the Babel WG, regardless of its actual status at the time? (yes/no, please
explain if "no")
* Q7: If "yes" to Q6, was this impression what you intentionally were trying to
achieve? (yes/no, please explain if "no")
* Q8: If "yes" to Q6, do you agree this impression has been influencing
decision making in both Babel and Homenet WGs? (yes/no, please explain if "no")
* Q9: Do you agree the end effect was that the work on HMAC Babel security was
held back in the Babel WG? (yes/no, please explain if "no")
In May 2018 the Babel WG had reached the decision not to adopt the HMAC I-D
(7298bis) as a working group document. The adoption call lasted for more than
60 days, so every participant had a chance to comment. You supported the
adoption at first and later withdrew your opinion in the course of the call.
* Q10: After the WG decision about HMAC (which was in line with your latest
position at the time) are you still maintaining that choosing between HMAC and
DTLS would benefit the Babel WG? (yes/no, please explain if "yes")
* Q11: If "no", could you explain why did not you denounce the idea on the
mailing list with appropriate comments?
Up to this point I could state I understand certain things even if I do not
like them. Such as, for example, effectively saying "security is not my
problem" in the Homenet Babel profile, or the need to consider DTLS for Babel
security, or the decision not to use HMAC. But I kept getting out of the path,
as that's what I expect from other people when I am working on something.
Now there is something that I cannot understand in the first place: after the
Babel WG decision you started to post HMAC-related messages to the mailing list.
* Q12: Do you agree, in the sense of your own long time "DTLS or HMAC" idea and
the claimed viability of DTLS, that the most consistent next step would be to
work towards the adoption of a DTLS Babel security mechanism document? (yes/no,
please explain if "no")
* Q13: If "yes", could you explain in detail why you started to draw so much
attention to HMAC after the WG decision and do not bring up DTLS anymore?
I have tried to find (in the first few dozens of your messages) the supposed
technical problem you are trying to solve. I could not see a sound technical
point not already addressed in RFC 7298, 7298bis I-D or the mailing list
discussion before and during the adoption call of 7298bis (including the replay
attack you had described and I had addressed). This impression may be wrong,
but I believe I have studied those messages well enough to make this statement.
* Q14: Could you clarify in proper technical terms what exact technical problem
you suddenly started to solve and why?
I am sorry if this message upsets you, but please note it concerns only your
voluntary activity within IETF. Its purpose is not to block progress, but
rather to avoid another couple years of talking/walking in circles.
I have a few more pending comments to make on your older messages, including
outstanding non-security technical issues in the Babel WG documents. I hope to
send them separately later.
Thank you.
--
Denis Ovsienko
_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
