Re: [IPsec] Charter review

2014-11-07 Thread Yaron Sheffer

hats off

Regarding formal security proofs, I strongly disagree.

The current wording is extremely mild. It does not require an actual 
security proof (which would not be realistic), but says The solution 
should be in line with current best practices, including ... possible 
formal protocol security proofs.

This to me means that people have looked at the modified protocol and 
can say that the new stuff does not inhibit such a security proof in the 
future, and that we formally understand the security properties that are 
supposed to be provided by the protocol.


We are making a major change to IKE, and as much as I care about its 
goals, we should try to do it right. Relying on the security afforded 
by DH is not easy when in the real world, both peers might be reusing 
exponents and/or using too short DH groups.


Thanks,
Yaron

On 11/07/2014 01:36 AM, Dan Harkins wrote:


> On Tue, November 4, 2014 7:21 pm, Brian Weis wrote:
>
>> On Oct 31, 2014, at 4:05 PM, Kathleen Moriarty
>> kathleen.moriarty.i...@gmail.com wrote:
>>
>>> Hi,
>>>
>>> The chairs provided text for an updated charter in line with the newly
>>> adopted working group items.  The recharter text has been posted and
>>> I'd like to give the WG a little time to comment prior to adding this
>>> to a telechat for review.
>>
>> I support the work item looking at defending against DDoS, and have no
>> objection to the opportunistic work item (after omitting the wording on
>> channel binding).
>
>    +1
>
>    How about we also get rid of the mention of a formal security proof
> of opportunistic encryption? The security is just that afforded by D-H.
>
>    Dan.
>
>> Brian
>>
>>> Here is a link:
>>>
>>> http://datatracker.ietf.org/doc/charter-ietf-ipsecme/
>>>
>>> Thanks.
>>>
>>> --
>>>
>>> Best regards,
>>> Kathleen
>>>
>>> ___
>>> IPsec mailing list
>>> IPsec@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ipsec
>>
>> --
>> Brian Weis
>> Security, Enterprise Networking Group, Cisco Systems
>> Telephone: +1 408 526 4796
>> Email: b...@cisco.com



Re: [IPsec] Charter review

2014-11-07 Thread Dan Harkins


On Fri, November 7, 2014 12:03 am, Yaron Sheffer wrote:
> hats off
>
> Regarding formal security proofs, I strongly disagree.
>
> The current wording is extremely mild. It does not require an actual
> security proof (which would not be realistic), but says The solution
> should be in line with current best practices, including ... possible
> formal protocol security proofs.
>
> This to me means that people have looked at the modified protocol and
> can say that the new stuff does not inhibit such a security proof in the
> future, and that we formally understand the security properties that are
> supposed to be provided by the protocol.
>
> We are making a major change to IKE, and as much as I care about its
> goals, we should try to do it right. Relying on the security afforded
> by DH is not easy when in the real world, both peers might be reusing
> exponents and/or using too short DH groups.

  This major change is to remove authentication. Peers reusing
exponents is already entirely permissible in IKE. Authenticating a
reused exponent does not change the problem caused by reusing
an exponent. I don't even know what too short DH groups are but
if you can do it in IKE with authentication then what's the issue that
is introduced when you take away authentication?

  I welcome the new interest in formal security proofs in the IETF but
I don't think this particular charter change compels one.

  regards,

  Dan.


