Re: [secdir] draft-ietf-tcpm-tcpsecure

"Anantha Ramaiah (ananth)" <ananth@cisco.com> Mon, 14 September 2009 15:37 UTC

Return-Path: <ananth@cisco.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2D94F3A68DE; Mon, 14 Sep 2009 08:37:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.499
X-Spam-Level:
X-Spam-Status: No, score=-6.499 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H9qJUEaYSh2l; Mon, 14 Sep 2009 08:37:38 -0700 (PDT)
Received: from sj-iport-2.cisco.com (sj-iport-2.cisco.com [171.71.176.71]) by core3.amsl.com (Postfix) with ESMTP id 024513A680B; Mon, 14 Sep 2009 08:37:38 -0700 (PDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApoEAPv/rUqrR7PE/2dsb2JhbADFdohMAY5FBYQY
X-IronPort-AV: E=Sophos;i="4.44,384,1249257600"; d="scan'208";a="204362817"
Received: from sj-dkim-4.cisco.com ([171.71.179.196]) by sj-iport-2.cisco.com with ESMTP; 14 Sep 2009 15:38:22 +0000
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-4.cisco.com (8.12.11/8.12.11) with ESMTP id n8EFcMhf021268; Mon, 14 Sep 2009 08:38:22 -0700
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-5.cisco.com (8.13.8/8.14.3) with ESMTP id n8EFcMsq014988; Mon, 14 Sep 2009 15:38:22 GMT
Received: from xmb-sjc-21c.amer.cisco.com ([171.70.151.176]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 14 Sep 2009 08:38:22 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 14 Sep 2009 08:38:21 -0700
Message-ID: <0C53DCFB700D144284A584F54711EC5807FF03B3@xmb-sjc-21c.amer.cisco.com>
In-Reply-To: <Pine.WNT.4.64.0909140726580.2228@SANDYM-LT.columbia.ads.sparta.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: draft-ietf-tcpm-tcpsecure
Thread-Index: Aco1T1HneiZWSkL7SIW96Cp4o1j9pgAAGZvw
References: <Pine.WNT.4.64.0906080948290.6048@SANDYM-LT.columbia.ads.sparta.com> <0C53DCFB700D144284A584F54711EC5807FF0261@xmb-sjc-21c.amer.cisco.com> <Pine.WNT.4.64.0909140726580.2228@SANDYM-LT.columbia.ads.sparta.com>
From: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
To: "Sandra Murphy" <sandy@sparta.com>
X-OriginalArrivalTime: 14 Sep 2009 15:38:22.0600 (UTC) FILETIME=[645E3880:01CA3551]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=5321; t=1252942702; x=1253806702; c=relaxed/simple; s=sjdkim4002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=ananth@cisco.com; z=From:=20=22Anantha=20Ramaiah=20(ananth)=22=20<ananth@cisco .com> |Subject:=20RE=3A=20draft-ietf-tcpm-tcpsecure |Sender:=20; bh=k2v6OlP5UDkIBTHmRSl7+BGR5rCEWF3hivxh5Rn45SI=; b=tCivzREVB4wQtIYLRSHx8NlBFfwvP2JHxy4TW8L0lq4x3Wo1MMSmbx/d0r DQXxQ4h7saXy6uM64Nkbkv0Pa2VqXra7gLo3Oizk3YYcsaRdaDNKVpEVTbfM wIOzlu9FQn;
Authentication-Results: sj-dkim-4; header.From=ananth@cisco.com; dkim=pass ( sig from cisco.com/sjdkim4002 verified; );
Cc: "Mitesh Dalal \(mdalal\)" <mdalal@cisco.com>, iesg@ietf.org, Lars Eggert <lars.eggert@nokia.com>, secdir@ietf.org
Subject: Re: [secdir] draft-ietf-tcpm-tcpsecure
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Sep 2009 15:37:39 -0000

 

> -----Original Message-----
> From: Sandra Murphy [mailto:sandy@sparta.com] 
> Sent: Monday, September 14, 2009 8:23 AM
> To: Anantha Ramaiah (ananth)
> Cc: Mitesh Dalal (mdalal); iesg@ietf.org; secdir@ietf.org; Lars Eggert
> Subject: RE: draft-ietf-tcpm-tcpsecure
> 
> 
> 
> On Sun, 13 Sep 2009, Anantha Ramaiah (ananth) wrote:
> 
> >
> > I figured out the reply to this email doidn't make it ( I 
> was editing 
> > the draft based on the feedback received)
> 
> That happens to you, too, huh?  Believe me, with my record of 
> failed obligations lately, I'm really happy to have a chance 
> to say "oh, that's OK" to someone.

I was waiting for your other comments and wanted to reply all together.
Anyways, I have incorporated your comments along with all the other last
call comments received and posted the new version.

> 
> The synopsis of this is:
> 
> How much rigor is needed in expressing the changes?
> 
> The cases (1) and (2) in section 3.2 have a typo.

The text is quoted as per RFC 793. Which line is that are you referring
to ?

> 
> What does the "it" in "it is ignored" mean?  As written, it 
> looks like the ACK is ignored, but what I thought I saw in 
> implementation was that the
> *segment* is ignored/dropped.  That makes a difference in 
> comparing the new technique to the existing code.

Hmm.. Which implementation are you talking about?. ACK ignored != ACK
dropped. (I have clarfied that in the new version) As mentioned in 793,
the segment is continued for processing, all implementations do the same
today.

> 
> How much does an application need to know about the TCP stack 
> (and vice
> versa) for this to work (or work well)?

It is a generic enhancement, although some applications sporting long
lived TCP connections tend to benefit when compared to short lived
applications (relatively speaking)

Well, if needed application can control this using knobs (socket options
etc.,) since these mitigations tend to look like being optional. These
are general purpose TCP mitigations and anyone can chose to turn these
on by default in their TCP stacks. 

Thanks for your review.

-Anantha
> 
> --Sandy
> 
> >
> >> -----Original Message-----
> >> From: Sandra Murphy [mailto:sandy@sparta.com]
> >> Sent: Monday, June 08, 2009 6:59 AM
> >> To: Anantha Ramaiah (ananth); Mitesh Dalal (mdalal)
> >> Cc: iesg@ietf.org; secdir@ietf.org
> >> Subject: draft-ietf-tcpm-tcpsecure
> >>
> >> I've been on the road, so this is just a quick note to say that I 
> >> still have questions, with a promise of more full answer 
> when I get 
> >> back to the office tomorrow.  All the following done really from 
> >> memory from a re-review yesterday.
> >>  Just  so you know I haven't forgotten you.
> >>
> >> About quoting text:
> >>
> >> The example you point to of what each mitigation says is a 
> good case.
> >> (what is "rg"?)
> >>
> >> You posit a case 1 and case 2.  This is a summary of what 
> 793 says, 
> >> not a quote.  793 spreads the discussion over 2 pages.
> >> your case 1 is represented in a parenthetical remark in an 
> >> "otherwise" clause - hard to find.  And you have a typo in the 
> >> inequality.  And the case 2 in 793 is broken out over 
> three different 
> >> groupings of states.  Do you mean the new ACK to be 
> generated in all 
> >> three state groups?
> >
> > Are you talking about RST/SYN mitigations ? If so the 
> current text is 
> > clear. The challenge ACK will be generated, pl note that 
> the document 
> > quotes the processing rules of the incoming segment and talks what 
> > mods are suggested.
> >
> >>
> >> About the stingency.
> >>
> >> If UNA is 1000, Max.snd.wnd is 50, and the ack is 975, 
> then in 793, 
> >> the ack is < UNA and so "it is ignored", in your draft the 
> ack is > 
> >> UNA-max.snd.wnd so it is acceptable.
> >
> > Ok, I have added more text to clarify this point. "Ignored"
> > means the ACK value is ignored and the segment is processed 
> as per the 
> > other rules, hence ignored implies "accepted" and not dropped.
> >
> >>
> >> So your draft accepts more ACKs that 793.
> >>
> >> Have I lost my ability to tell > from <?  Do you regard accepting 
> >> more ACKS as "more stringent"?
> >
> > No, I think it is a mis-interpreation of ignored.
> >
> >>
> >> About the guidance to implementors.
> >>
> >> It still looks to me like this guidance is only useful to 
> >> implementors who are implementing both the OS TCP stack *AND* the 
> >> application.  I.E., freebsd won't know whether this to follow the 
> >> guidance or not but cisco/juniper/etc will.
> >
> > Not sure why such an inference is made.
> >
> >>
> >> What is the "AS"?
> > Applicability statement (but I couldn't find the AS 
> reference in the 
> > draft, it is spelled out in full) ?
> >
> > -Anantha
> >>
> >> About grammar checks:
> >>
> >> And you did not miss email, I lost my marked up copy, so 
> I've  gone 
> >> through for the grammar check again (don't think I found all that 
> >> many
> >> nits) and will send to you.
> >>
> >> --Sandy
> >>
> >>
> >>
> >
>