TCP Increased Security (tcpinc) Internet Drafts


      
 TCP-ENO: Encryption Negotiation Option
 
 draft-ietf-tcpinc-tcpeno-19.txt
 Date: 29/06/2018
 Authors: Andrea Bittau, Daniel Giffin, Mark Handley, David Mazieres, Eric Smith
 Working Group: TCP Increased Security (tcpinc)
 Formats: xml txt
Despite growing adoption of TLS, a significant fraction of TCP traffic on the Internet remains unencrypted. The persistence of unencrypted traffic can be attributed to at least two factors. First, some legacy protocols lack a signaling mechanism (such as a "STARTTLS" command) by which to convey support for encryption, making incremental deployment impossible. Second, legacy applications themselves cannot always be upgraded, requiring a way to implement encryption transparently entirely within the transport layer. The TCP Encryption Negotiation Option (TCP-ENO) addresses both of these problems through a new TCP option-kind providing out-of-band, fully backward-compatible negotiation of encryption.
 Cryptographic protection of TCP Streams (tcpcrypt)
 
 draft-ietf-tcpinc-tcpcrypt-15.txt
 Date: 11/12/2018
 Authors: Andrea Bittau, Daniel Giffin, Mark Handley, David Mazieres, Quinn Slack, Eric Smith
 Working Group: TCP Increased Security (tcpinc)
 Formats: txt xml
This document specifies tcpcrypt, a TCP encryption protocol designed for use in conjunction with the TCP Encryption Negotiation Option (TCP-ENO). Tcpcrypt coexists with middleboxes by tolerating resegmentation, NATs, and other manipulations of the TCP header. The protocol is self-contained and specifically tailored to TCP implementations, which often reside in kernels or other environments in which large external software dependencies can be undesirable. Because the size of TCP options is limited, the protocol requires one additional one-way message latency to perform key exchange before application data can be transmitted. However, the extra latency can be avoided between two hosts that have recently established a previous tcpcrypt connection.


TCP Increased Security (tcpinc)

WG Name TCP Increased Security
Acronym tcpinc
Area Transport Area (tsv)
State Active
Charter charter-ietf-tcpinc-01 Approved
Status Update Show update (last changed 2017-03-08)
Dependencies Document dependency graph (SVG)
Additional URLs
- Wiki
- Issue tracker
Personnel Chairs David Black
Kyle Rose
Area Director Mirja Kühlewind
Tech Advisor Stephen Farrell
Mailing list Address tcpinc@ietf.org
To subscribe https://www.ietf.org/mailman/listinfo/tcpinc
Archive https://mailarchive.ietf.org/arch/browse/tcpinc/
Jabber chat Room address xmpp:tcpinc@jabber.ietf.org?join
Logs https://jabber.ietf.org/logs/tcpinc/

Charter for Working Group

The TCPINC WG will develop the TCP extensions to provide unauthenticated
encryption and integrity protection of TCP streams. The WG will define
an unauthenticated key exchange mechanism. In addition, the WG will
define the TCP extensions to utilize unauthenticated keys, resulting in
encryption and integrity protection without authentication. This is
better than plain-text because it thwarts passive eavesdropping, but is
weaker than using authenticated keys, because it is vulnerable to man-
in-the-middle attacks during the initial unauthenticated key exchange.
This work is part of the IETF effort to evolve the Internet architecture
given the latest events of pervasive monitoring (see BCP 188).

The goal of this WG is to provide an additional security tool that
complements existing protocols at other layers in the stack. The WG will
be looking for the designs that find the right tradeoff spot between
conflicting requirements: to provide reasonable security for the
majority of connections. This work will deal with unprotected
connections, and therefore will focus more on improvements from a
baseline of no security than on achieving the high standard of security
that is already available to users of authenticated TLS.

Providing unauthenticated encryption and integrity protection at the TCP
layer will provide a set of features that cannot be achieved with
existing tools.
Those features include:
- encryption and integrity protection without modifications to the upper
layers (no API changes),
- encryption and integrity protection with forward secrecy with a per-
connection granularity,
- simple NAT and firewall traversal capabilities,
- key rollover without significant impact to the TCP connection,
- lower overhead compared to solutions relying in stacking multiple
protocols to achieve different features,
- no manual configuration required.

A more detailed description of the motivations for TCP-based solutions
can be found in draft-bellovin-tcpsec-01 and in RFC5925.

The working group will produce documents specifying the required TCP
extensions and additional documents needed.

The high-level requirements for the protocol for providing TCP
unauthenticated encryption and integrity protection are:
- It should work over the vast majority of paths that unmodified TCP
works over, in particular it must be compatible with NATs (at the very
minimum with the NATs that comply with BEHAVE requirements as
documented in RFC4787, RFC5382 and RFC5508).

- The protocol must be usable by unmodified applications. This effort
is complementary to other security protocols developed in the IETF
(such as TLS) as it protects those applications and protocols that are
difficult to change or may even not be able to be changed in a
backward compatible way. It also provides some protection in
scenarios where application developers are unwilling to change their
applications (e.g., by configuring encryption) solely for the sake of
improving security.

- The protocol must provide cryptographic algorithm agility.

- The protocol must gracefully fall-back to TCP if the remote peer does
not support the proposed extensions.

- When encryption is enabled, it must at least provide protection
against passive eavesdropping by default,

- Any required TCP option should use a minimum amount of TCP option
space, especially in SYN segments.

- The protocol must not require any authentication or configuration from
applications or users. However, hooks for external authentication
must be made available. The WG will not work on new authentication
mechanisms.

- The protocol must have acceptable performance, including acceptable
latency and processing overheads. For example, the protocol may try
to re-use existing cryptographic material for future communication
between the same endpoints to avoid expensive public key operations on
connection set up.

When encryption is enabled, then the protocol:

- must always provide forward secrecy.

- must always provide integrity protection of the payload data (it is
open for discussion for the WG if the TCP header should or should not
be protected).

- must always provide payload encryption.

- must not provide extra linkability: when encryption is enabled, the
TCP traffic should not give a third party observer any extra way to
associate those packets with the specific peers beyond information
that would have been present in a cleartext session.

- must allow the initiator of the connection to avoid being
fingerprinted as a result of using the protocol: some initiators may
want to avoid appearing as the same endpoint when connecting to a
remote peer on subsequent occasions. This should either be the default
or some mechanism should be available for initiators to drop or ignore
shared state to avoid being fingerprintable any more than would be
the case for a cleartext session.

Security features at the TCP-level can benefit other TCP extensions.
For example, both Multipath TCP and TCP Fast Open require proof that
some connections are related. Session resumption and Message
Authentication Codes (MACs) can provide this evidence. The working
group should identify synergies and design the security protocol in such
a way that other TCP efforts can benefit from it. Of course, TCP
extensions that break must be identified too, and kept to a minimum.

The working group will produce the following documents:

- A framework for unauthenticated encryption and integrity protection of
TCP connections. This document will describe basic design
considerations, including the motivation and the applicability of the
proposed mechanism, the interaction with other security mechanisms in
different layers of the stack, the interaction with external
authentication mechanisms, the expected protection, privacy
considerations and residual threats.

- Definition of the unauthenticated key exchange mechanism and the
extensions to current TCP to utilize unauthenticated key to provide
encryption and integrity protection. This covers all the protocol
changes required. This will be an experimental document.

- An extended API describing how applications can obtain further
benefits of the proposed extensions. In particular, the hooks for
supporting external authentication will be defined in this document.
This will be an informational document.

Milestones

Date Milestone
Jan 2017 Submit extended API to IESG as Informational
Done Submit unauthenticated key exchange mechanism and extensions to current TCP to IESG for publication as Experimental
draft-ietf-tcpinc-tcpcrypt
draft-ietf-tcpinc-tcpeno
Done Adpot first WG document on extended API
draft-ietf-tcpinc-api
Done Adopt first WG document on unauthenticated key exchange mechanism and extensions to current TCP
draft-ietf-tcpinc-tcpcrypt
draft-ietf-tcpinc-tcpeno
draft-ietf-tcpinc-use-tls