Re: [secdir] draft-ietf-tcpm-tcpsecure

Nicolas Williams <Nicolas.Williams@sun.com> Fri, 14 August 2009 22:30 UTC

Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F3D2F3A68B0; Fri, 14 Aug 2009 15:30:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.583
X-Spam-Level:
X-Spam-Status: No, score=-5.583 tagged_above=-999 required=5 tests=[AWL=-0.137, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ojnXQ-msBA1T; Fri, 14 Aug 2009 15:30:33 -0700 (PDT)
Received: from sca-ea-mail-4.sun.com (sca-ea-mail-4.Sun.COM [192.18.43.22]) by core3.amsl.com (Postfix) with ESMTP id 448173A6872; Fri, 14 Aug 2009 15:30:33 -0700 (PDT)
Received: from dm-central-02.central.sun.com ([129.147.62.5]) by sca-ea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id n7EMUXrN003295; Fri, 14 Aug 2009 22:30:33 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id n7EMUXwi055482; Fri, 14 Aug 2009 16:30:33 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id n7EMCNx9001795; Fri, 14 Aug 2009 17:12:23 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id n7EMCMq4001794; Fri, 14 Aug 2009 17:12:22 -0500 (CDT)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Fri, 14 Aug 2009 17:12:22 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Sandra Murphy <sandy@sparta.com>
Message-ID: <20090814221222.GH1043@Sun.COM>
References: <Pine.WNT.4.64.0906080948290.6048@SANDYM-LT.columbia.ads.sparta.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <Pine.WNT.4.64.0906080948290.6048@SANDYM-LT.columbia.ads.sparta.com>
User-Agent: Mutt/1.5.7i
Cc: mdalal@cisco.com, ananth@cisco.com, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] draft-ietf-tcpm-tcpsecure
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Aug 2009 22:30:34 -0000

The mitigations in this I-D are made SHOULD, SHOULD, and MAY (see
section 6, page 15).  But that means that a TCP implementation could
claim conformance while not implementing any of these mitigations.
Therefore they should be, IMO, MUST, MUST and MAY (or SHOULD).

Also, ISTM that the corner case described in section 4.2 can be avoided
by noting the retransmitted SYN and then sending a SYN+ACK to that, and
if an acknowledgement comes back then reset the old connection (and if
there's no listener to accept the new one, then reset it too).

Nico
--
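The handling Nico sketches for the section 4.2 corner case (note the retransmitted SYN, answer it with a SYN+ACK, and reset the old connection only if that SYN+ACK is acknowledged) can be modelled as a small receiver-side state machine. The following is an added illustration, not code from the thread, the draft, or any TCP stack: segments carry only the header fields the model inspects, sequence numbers and window sizes are constructed values, the action names are invented for readability, and 32-bit sequence wraparound is ignored. It contrasts the pre-mitigation behaviour (an in-window SYN resets the connection outright) with the proposed behaviour, and shows that the old connection is torn down only when a host that actually received the SYN+ACK completes the handshake.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Segment:
    """Only the TCP header fields this toy model looks at."""
    seq: int
    ack_num: int = 0
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass
class Connection:
    """Receiver-side view of one ESTABLISHED connection (constructed values)."""
    rcv_nxt: int                         # next sequence number expected from the peer
    rcv_wnd: int                         # advertised receive window
    state: str = "ESTABLISHED"
    challenge_isn: Optional[int] = None  # ISN we put in an outstanding SYN+ACK


def in_window(conn: Connection, seq: int) -> bool:
    # Simplified acceptability test; real TCP must handle 32-bit wraparound.
    return conn.rcv_nxt <= seq < conn.rcv_nxt + conn.rcv_wnd


def legacy_on_syn(conn: Connection, seg: Segment) -> List[str]:
    """Pre-mitigation behaviour: an in-window SYN on an ESTABLISHED connection
    is taken as proof that the peer restarted, and the connection is reset."""
    if seg.syn and conn.state == "ESTABLISHED" and in_window(conn, seg.seq):
        conn.state = "CLOSED"
        return ["reset-connection"]
    return ["drop"]


def mitigated_on_segment(conn: Connection, seg: Segment, next_isn: int,
                         listener: bool) -> Tuple[List[str], Optional[Segment]]:
    """The handling sketched in the mail: note the SYN and answer it as a new
    handshake; tear the old connection down only once the SYN+ACK is acknowledged.
    `next_isn` is the ISN the stack would choose for the new connection and
    `listener` says whether a socket is listening to accept it (both assumed)."""
    if seg.syn and not seg.ack and conn.state == "ESTABLISHED":
        conn.challenge_isn = next_isn
        reply = Segment(seq=next_isn, ack_num=seg.seq + 1, syn=True, ack=True)
        return ["note-syn", "send-syn-ack"], reply
    if (seg.ack and conn.challenge_isn is not None
            and seg.ack_num == conn.challenge_isn + 1):
        # Only a host that actually received the SYN+ACK knows challenge_isn,
        # so the peer really wants a new connection: reset the old one, and
        # reset the new one too if nothing is listening for it.
        conn.state = "CLOSED"
        conn.challenge_isn = None
        actions = ["reset-old-connection"]
        actions.append("accept-new-connection" if listener else "reset-new-connection")
        return actions, None
    return ["drop"], None


def scenario_legacy_forged_syn() -> str:
    """A single SYN whose sequence number lands in the window closes the connection."""
    conn = Connection(rcv_nxt=1000, rcv_wnd=65535)
    legacy_on_syn(conn, Segment(seq=1500, syn=True))
    return conn.state  # "CLOSED"


def scenario_mitigated_forged_syn() -> str:
    """Same segment under the proposed handling: a SYN+ACK goes to the genuine peer
    address, and a sender that is not that peer never learns challenge_isn, so no
    confirming ACK arrives.  (The genuine peer's reaction to the stray SYN+ACK is
    outside this model.)"""
    conn = Connection(rcv_nxt=1000, rcv_wnd=65535)
    mitigated_on_segment(conn, Segment(seq=1500, syn=True), next_isn=42_000, listener=True)
    return conn.state  # "ESTABLISHED"


def scenario_wrong_ack() -> str:
    """An ACK that does not match the outstanding SYN+ACK changes nothing."""
    conn = Connection(rcv_nxt=1000, rcv_wnd=65535)
    mitigated_on_segment(conn, Segment(seq=1500, syn=True), next_isn=42_000, listener=True)
    mitigated_on_segment(conn, Segment(seq=1501, ack_num=7, ack=True), next_isn=0, listener=True)
    return conn.state  # "ESTABLISHED"


def scenario_peer_restart(listener: bool) -> Tuple[str, List[str]]:
    """The peer really rebooted: it receives the SYN+ACK and completes the handshake."""
    conn = Connection(rcv_nxt=1000, rcv_wnd=65535)
    _, synack = mitigated_on_segment(conn, Segment(seq=1500, syn=True),
                                     next_isn=42_000, listener=listener)
    peer_ack = Segment(seq=synack.ack_num, ack_num=synack.seq + 1, ack=True)
    actions, _ = mitigated_on_segment(conn, peer_ack, next_isn=0, listener=listener)
    return conn.state, actions


if __name__ == "__main__":
    print("legacy, forged SYN:   ", scenario_legacy_forged_syn())
    print("mitigated, forged SYN:", scenario_mitigated_forged_syn())
    print("mitigated, wrong ACK: ", scenario_wrong_ack())
    print("peer restart:         ", scenario_peer_restart(listener=False))
```

The point the scenarios make is the one in the mail: the extra round trip costs a genuine restart nothing (it is just the handshake it was going to perform anyway), while a segment from a sender that cannot see the reply never gets past the "note the SYN" step.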