[perpass] TCP Stealth (Was: I-D Action: draft-kirsch-ietf-tcp-stealth-00.txt

Stephane Bortzmeyer <bortzmeyer@nic.fr> Mon, 18 August 2014 13:15 UTC

Date: Mon, 18 Aug 2014 15:15:12 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: draft-kirsch-ietf-tcp-stealth@tools.ietf.org
Archived-At: http://mailarchive.ietf.org/arch/msg/perpass/D4th-cjIdhVr2gFhuCe0FEIIgN4
Cc: perpass@ietf.org

[The I-D does not indicate, apparently, a mailing list for discussion
of the idea. Trying on perpass. Suggestions of a better venue are
welcome.]

On Thu, Aug 14, 2014 at 11:41:06PM -0700,
 internet-drafts@ietf.org <internet-drafts@ietf.org> wrote 
 a message of 49 lines which said:

>         Title           : TCP Stealth
>         Authors         : Julian Kirsch
>                           Christian Grothoff
>                           Jacob Appelbaum
>                           Holger Kenn
>         Filename        : draft-kirsch-ietf-tcp-stealth-00.txt

IMHO, very good idea for an important problem. I would like this
work to move forward (an independent RFC with status Experimental,
maybe?)

A few suggestions/remarks:

* Maybe a remark about the fact that it is intended for small groups
(the use of a shared secret limits the scalability).

* "If the token is incorrect, the operating system pretends that the
port is closed." If the port is closed, the server will reply with a
RST. Not very stealthy. You meant "If the token is incorrect, the
operating system won't reply at all"?

* Maybe a security analysis comparing it to port knocking? If I'm
correct, TCP Stealth provides min(32, N) bits of secret (32 being the
size of the ISN and N the number of bits in the shared secret) while
port knocking provides 16*N bits (N being the number of ports to
knock).

* Maybe a mention of SPA <http://www.cipherdyne.org/fwknop/>, which
is closer to TCP Stealth than port knocking? (The biggest difference
is that SPA is not stealthy, Eve knows you're using SPA.)

* Why MD5? I assume that TCP Stealth has no cryptographic agility
since there is no room to indicate the crypto algorithm (while staying
stealth) but why MD5, despite RFC 6151?

* "6. Integraton with Applications" should be Integration