Re: [IPsec] [Last-Call] Secdir last call review of draft-ietf-ipsecme-rfc8229bis-06

"touch@strayalpha.com" <touch@strayalpha.com> Mon, 30 May 2022 19:56 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/kWCfo6F2JAsD5V2xplbVh0yIgoc>

On May 30, 2022, at 12:25 PM, Tero Kivinen <kivinen@iki.fi> wrote:
> 
> I think we need to add text explaining how to detect when the TCP
> length framing gets messed up by attacks, and how to recover (i.e.,
> close down the TCP channel and recreate the TCP channel). 

The impact of RSTs can be limited for this purpose by recommending RFC5961 for these connections.

But if even data injection has the same impact, it’d be much better to see if there’s a way to recover “sync” in the byte stream rather than expecting a new connection.

Joe
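An added example, not part of the thread or of any implementation it discusses: a defensive consumer for the RFC 8229 TCP stream that flags a framing desync (an impossible length prefix, an IKE header whose own Length disagrees with the frame, or an ESP SPI that was never negotiated on this connection) so the endpoint can fall back to the close-and-reconnect recovery described above. The framing layout and the check against a set of known SPIs are assumptions of this example.

```python
import struct

# Assumed RFC 8229 framing (not stated in the thread): each message on the TCP
# stream is a 16-bit big-endian Length that counts itself, followed by either a
# 4-byte all-zero non-ESP marker plus an IKE message, or an ESP packet whose
# first 4 bytes are the SPI.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
IKE_HEADER_LEN = 28          # IKEv2 fixed header; its Length field sits at offset 24
MIN_FRAME = 2 + 4            # length field plus a marker or an SPI

def frame(payload: bytes) -> bytes:
    """Encapsulate one IKE/ESP payload for the TCP stream (used to build constructed input)."""
    return struct.pack("!H", 2 + len(payload)) + payload

def classify(payload: bytes, known_spis: set):
    """Return 'ike' or 'esp' if the payload is plausible, else None (framing desync)."""
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return None
        # The IKE header carries its own Length; it must agree with the TCP frame.
        if struct.unpack("!I", ike[24:28])[0] != len(ike):
            return None
        return "ike"
    # ESP: the SPI must be one this endpoint actually negotiated over this connection.
    return "esp" if payload[:4] in known_spis else None

def consume(buf: bytes, known_spis: set):
    """Split buffered TCP bytes into frames.

    Returns (frames, remaining_bytes, error). error is None while the stream is
    in sync; once a frame fails the sanity checks, every later length prefix is
    untrustworthy, so the caller should close the TCP connection and open a new
    one instead of continuing to parse.
    """
    frames = []
    while len(buf) >= 2:
        length = struct.unpack("!H", buf[:2])[0]
        if length < MIN_FRAME:
            return frames, buf, f"impossible frame length {length}"
        if len(buf) < length:
            break                               # wait for more data
        payload = buf[2:length]
        kind = classify(payload, known_spis)
        if kind is None:
            return frames, buf, "payload is neither IKE nor a known ESP SPI"
        frames.append((kind, payload))
        buf = buf[length:]
    return frames, buf, None
```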