Re: [secdir] draft-ietf-tcpm-tcpsecure

Sandra Murphy <sandy@sparta.com> Mon, 14 September 2009 15:22 UTC

On Sun, 13 Sep 2009, Anantha Ramaiah (ananth) wrote:

>
> I figured out the reply to this email didn't make it (I was editing
> the draft based on the feedback received)

That happens to you, too, huh?  Believe me, with my record of failed 
obligations lately, I'm really happy to have a chance to say "oh, that's 
OK" to someone.

The synopsis of this is:

How much rigor is needed in expressing the changes?

The cases (1) and (2) in section 3.2 have a typo.

What does the "it" in "it is ignored" mean?  As written, it looks like the 
ACK is ignored, but what I thought I saw in implementation was that the 
*segment* is ignored/dropped.  That makes a difference in comparing the 
new technique to the existing code.

How much does an application need to know about the TCP stack (and vice 
versa) for this to work (or work well)?

--Sandy

>
>> -----Original Message-----
>> From: Sandra Murphy [mailto:sandy@sparta.com]
>> Sent: Monday, June 08, 2009 6:59 AM
>> To: Anantha Ramaiah (ananth); Mitesh Dalal (mdalal)
>> Cc: iesg@ietf.org; secdir@ietf.org
>> Subject: draft-ietf-tcpm-tcpsecure
>>
>> I've been on the road, so this is just a quick note to say
>> that I still have questions, with a promise of more full
>> answer when I get back to the office tomorrow.  All the
>> following done really from memory from a re-review yesterday.
>>  Just  so you know I haven't forgotten you.
>>
>> About quoting text:
>>
>> The example you point to of what each mitigation says is a good case.
>> (what is "rg"?)
>>
>> You posit a case 1 and case 2.  This is a summary of what 793
>> says, not a quote.  793 spreads the discussion over 2 pages.
>> Your case 1 is represented in a parenthetical remark in an
>> "otherwise" clause - hard to find.  And you have a typo in
>> the inequality.  And the case 2 in 793 is broken out over
>> three different groupings of states.  Do you mean the new ACK
>> to be generated in all three state groups?
>
> Are you talking about RST/SYN mitigations? If so, the current text is
> clear. The challenge ACK will be generated; please note that the document
> quotes the processing rules of the incoming segment and says what mods
> are suggested.
>
>>
>> About the stringency.
>>
>> If UNA is 1000, Max.snd.wnd is 50, and the ack is 975, then
>> in 793, the ack is < UNA and so "it is ignored", in your
>> draft the ack is > UNA-max.snd.wnd so it is acceptable.
>
> Ok, I have added more text to clarify this point. "Ignored"
> means the ACK value is ignored and the segment is processed as per the
> other rules, hence ignored implies "accepted" and not dropped.
>
>>
>> So your draft accepts more ACKs than 793.
>>
>> Have I lost my ability to tell > from <?  Do you regard
>> accepting more ACKS as "more stringent"?
>
> No, I think it is a mis-interpretation of "ignored".
>
>>
>> About the guidance to implementors.
>>
>> It still looks to me like this guidance is only useful to
>> implementors who are implementing both the OS TCP stack *AND*
>> the application.  I.e., FreeBSD won't know whether to
>> follow the guidance or not, but Cisco/Juniper/etc. will.
>
> Not sure why such an inference is made.
>
>>
>> What is the "AS"?
> Applicability statement (but I couldn't find the AS reference in the
> draft, it is spelled out in full)
> ?
>
> -Anantha
>>
>> About grammar checks:
>>
>> And you did not miss email, I lost my marked up copy, so I've
>> gone through for the grammar check again (don't think I
>> found all that many nits) and will send to you.
>>
>> --Sandy
>>
>>
>>
>
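An added illustration of the comparison Sandy works through above (example code written for this archive page, not from the draft or from either correspondent): it encodes the RFC 793 fifth check and the draft's windowed ACK check side by side, using her numbers. SND.NXT = 1100 is a constructed value the thread does not give, and the outcome for an ACK below the window is taken from the published RFC 5961, Section 5.2, rather than from this thread; sequence-number wrap-around is ignored for clarity.

```python
# Added example, not part of the original e-mail thread or the draft.
from dataclasses import dataclass


@dataclass
class SendState:
    snd_una: int      # oldest unacknowledged sequence number
    snd_nxt: int      # next sequence number to be sent
    max_snd_wnd: int  # largest send window the peer has advertised


def rfc793_ack_check(st: SendState, seg_ack: int) -> str:
    """RFC 793 fifth check (ESTABLISHED) on a segment's ACK field.

    'ignored' means the ACK *value* is ignored and processing of the
    segment continues (the reading Anantha gives in the thread); it does
    not mean the segment is dropped.  Wrap-around is not modelled.
    """
    if seg_ack > st.snd_nxt:
        return "send ACK, drop segment"   # acks data not yet sent
    if seg_ack > st.snd_una:
        return "acceptable"               # advances SND.UNA
    return "ignored"                      # duplicate ACK (SEG.ACK <= SND.UNA)


def tcpsecure_ack_check(st: SendState, seg_ack: int) -> str:
    """The draft's windowed check: accept if
    SND.UNA - MAX.SND.WND <= SEG.ACK <= SND.NXT.

    The out-of-window outcome (discard the segment and send an ACK) is
    taken from the published RFC 5961, Section 5.2, not from this thread.
    """
    if st.snd_una - st.max_snd_wnd <= seg_ack <= st.snd_nxt:
        return "acceptable"
    return "send ACK, drop segment"


def compare(st: SendState, seg_ack: int) -> dict:
    """Outcome of both rules for one ACK value."""
    return {"rfc793": rfc793_ack_check(st, seg_ack),
            "tcpsecure": tcpsecure_ack_check(st, seg_ack)}


# Sandy's numbers: SND.UNA = 1000, MAX.SND.WND = 50, SEG.ACK = 975.
# SND.NXT = 1100 is a constructed value not given in the thread.
STATE = SendState(snd_una=1000, snd_nxt=1100, max_snd_wnd=50)

if __name__ == "__main__":
    for ack in (975, 950, 940, 1050, 1200):
        print(ack, compare(STATE, ack))
```

With SEG.ACK = 975 the 793 rule reports "ignored" while the draft's window check reports "acceptable", which is the point both sides of the thread are arguing about; only an ACK below SND.UNA - MAX.SND.WND (e.g. 940) is discarded under the new rule.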