On 23/07/2015 15:32 pm, Watson Ladd wrote:
> I'm surprised more weight isn't being given to kernel developers who
> don't feel that TLS implementations are of sufficient quality to go
> into the kernel. The fact that tcpcrypt is substantially simpler
> matters considerably.

I am also surprised that people think bolting TLS into the kernel will be received without comment.

I haven't touched a kernel in decades, and my knowledge of TLS is rusty at best. But if I was a kernel dev, I'd simply say no. Handoff to outside the kernel? A non-starter. Pulling any code base with the rep of OpenSSL into the kernel? Are you crazy? You want to write a new TLS code base that is good this time? Come back when you've done it :D

The only thing that would make any sense is a small, tight protocol that did precisely what is required, and no more. If it lacks a feature, tough. You get what you get. Want more? Get some TLS at the application level.

And even that is a tough ask - getting that tight protocol into the kernels is going to require some serious work & consensus & TLC with the *BSD and Linux crowd. Before we've even considered MS, Apple, Android, etc. Then there are the router guys. IoT. National standards/anticrypto groups.

In this environment, only "simple" will survive. Otherwise it's another ipv6 or IPSec "kitchen sink" approach which will face so much downstream resistance it will bog down somewhere or other.


> The whole point of tcp encryption is that application authors do not
> have to opt-in. They have had years to do so and haven't. We need a
> kernel layer solution that everyone can deploy and integrate.


Yep. If they wanted to opt in, there's always TLS. Nobody's taking that away from them.

The only good reason to put TLS in is crypto experience. "Re-use." But that's a theoretical reason. This is not a theoretical project, it's an intensely practical one. It won't make or break in an IETF WG. It will make or break in *BSD / Linux kernels. It is their consensus that matters, not the consensus here.
All, IMNSHO.
iang

_______________________________________________
Tcpinc mailing list
Tcpinc@ietf.org
https://www.ietf.org/mailman/listinfo/tcpinc