Re: [OPSEC] OT: TCP session lifetime - Re: [Tsv-art] game over, EH [Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06]

Nico Williams <nico@cryptonector.com> Fri, 07 December 2018 23:03 UTC

Date: Fri, 07 Dec 2018 17:03:03 -0600
From: Nico Williams <nico@cryptonector.com>
To: Jared Mauch <jared@puck.nether.net>
Cc: Christopher Morrow <morrowc.lists@gmail.com>, ietf <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org, heard@pobox.com, opsec wg mailing list <opsec@ietf.org>, tsv-art@ietf.org, Gert Doering <gert@space.net>
Message-ID: <20181207230302.GA15561@localhost>
References: <74d89efc-bfba-6e54-ebb2-d688e45b139f@gmail.com> <20181206125726.GG1543@Space.Net> <d078ea0f-3c2c-f782-4c1a-b54c463b48ce@gmail.com> <CAKKJt-eNCeV4hS=v99NGAYFkkmLdSO5Cp9gk2ojdbZ5vrU7img@mail.gmail.com> <90130407-2B6E-491A-AB9B-BEBB45604D50@puck.nether.net> <CABcZeBNB3scdEm0aF99KeD3F=JvqCU1yaxL1cepFhnE+dg=0Wg@mail.gmail.com> <CAL9jLaYiMbMfyLK8b97TEqNcJVaQzfyC=HZvo4F01b3KZaYdVg@mail.gmail.com> <B60C8071-9577-4935-A260-FAE0EF80AFCF@puck.nether.net> <20181207224445.GZ15561@localhost> <F6F9C969-021E-46A5-9E97-F5DBF703F7C3@puck.nether.net>
In-Reply-To: <F6F9C969-021E-46A5-9E97-F5DBF703F7C3@puck.nether.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/ybAxfaIueJ1gt5COoPP2KTMmkZE>

On Fri, Dec 07, 2018 at 05:48:40PM -0500, Jared Mauch wrote:
> > On Dec 7, 2018, at 5:44 PM, Nico Williams <nico@cryptonector.com> wrote:
> > On Fri, Dec 07, 2018 at 03:46:15PM -0500, Jared Mauch wrote:
> >> 1) We have long-lived TCP sessions, measured in years.  (Implied: many
> >> of the transport people really prefer stable routes without
> >> flapping/jitter/reordering from us)
> > 
> > <rhetorical>
> > I've long wondered why BGP has to be this way and why it still is after
> > so many years.
> > </rhetorical>
> 
> I have seen BGP sessions up for over 7 years on some routers. One can
> argue if this is a good thing or bad.  It’s quite an interesting thing
> to see and go “wow, someone forgot about this one …”

What I meant is that I don't understand why resetting a connection
should still cause routes to flap.  Instead I'd expect session
management negotiation to determine whether the thing that failed (e.g.,
a BGP daemon) implies that the routes are gone or not.  Then RST
injection would not be a problem.  You'd still need integrity
protection, but then that could always have been done with TLS.

Basically, it feels like BGP is stuck in the stone age.

I'm not asking the routing area to fix it.  I'm not saying that we
should not cater to their needs.  My point truly was rhetorical.  I do
hope the routing area does improve session management in BGP some day.

Nico
--