IETF Logo Mail Archive

Re: [secdir] draft-ietf-tcpm-tcpsecure

Lars Eggert <lars.eggert@nokia.com> Sun, 16 August 2009 07:54 UTC

Return-Path: <lars.eggert@nokia.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B985E3A693B for <secdir@core3.amsl.com>; Sun, 16 Aug 2009 00:54:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.455
X-Spam-Level:
X-Spam-Status: No, score=-2.455 tagged_above=-999 required=5 tests=[AWL=0.144, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TqgV8+Vp4x+o for <secdir@core3.amsl.com>; Sun, 16 Aug 2009 00:54:50 -0700 (PDT)
Received: from mail.fit.nokia.com (mail.fit.nokia.com [195.148.124.195]) by core3.amsl.com (Postfix) with ESMTP id 4E81C3A6925 for <secdir@ietf.org>; Sun, 16 Aug 2009 00:54:50 -0700 (PDT)
Received: from [10.0.1.5] (cs95024.pp.htv.fi [212.90.95.24]) (authenticated bits=0) by mail.fit.nokia.com (8.14.3/8.14.3) with ESMTP id n7G7scN7058056 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Sun, 16 Aug 2009 10:54:38 +0300 (EEST) (envelope-from lars.eggert@nokia.com)
Message-Id: <2EC33DD4-D1D8-47C8-9C8C-96A6E7CBB381@nokia.com>
From: Lars Eggert <lars.eggert@nokia.com>
To: Anantha Ramaiah <ananth@cisco.com>
In-Reply-To: <0C53DCFB700D144284A584F54711EC5807D5548E@xmb-sjc-21c.amer.cisco.com>
Content-Type: multipart/signed; boundary="Apple-Mail-21--628345202"; micalg="sha1"; protocol="application/pkcs7-signature"
Mime-Version: 1.0 (Apple Message framework v936)
Date: Sun, 16 Aug 2009 10:54:37 +0300
References: <Pine.WNT.4.64.0906080948290.6048@SANDYM-LT.columbia.ads.sparta.com> <20090814221222.GH1043@Sun.COM> <0C53DCFB700D144284A584F54711EC5807D55441@xmb-sjc-21c.amer.cisco.com> <20090815004234.GN1043@Sun.COM> <0C53DCFB700D144284A584F54711EC5807D5548E@xmb-sjc-21c.amer.cisco.com>
X-Mailer: Apple Mail (2.936)
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.2 (mail.fit.nokia.com [195.148.124.194]); Sun, 16 Aug 2009 10:54:40 +0300 (EEST)
Cc: tcpm-chairs@tools.ietf.org, Nicolas Williams <Nicolas.Williams@sun.com>, secdir@ietf.org, The IESG <iesg@ietf.org>, "Mitesh Dalal (mdalal)" <mdalal@cisco.com>
Subject: Re: [secdir] draft-ietf-tcpm-tcpsecure
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Aug 2009 07:54:50 -0000

Hi,

as Anantha said, the process by which the WG arrived on what's in the  
current document was slightly painful for all involved.

If there are changes proposed, please discuss them on the WG list.  
Because this specific issue was so controversial, any change here  
needs to be vetted by the WG consensus process.

Lars

On 2009-8-15, at 19:36, Anantha Ramaiah (ananth) wrote:

>
>
>>
>>
>>> secure is mostly useful only for long lived connections (like BGP),
>>> then it may not be applicable to hosts and only applicable
>> to routers.
>>> I
>>
>> So what?  Implementors who don't care for this feature
>> wouldn't be bound to implement it just because this RFC says
>> it's a MUST.  Implementors who don't implement it would just
>> not be compliant with this RFC, but nothing says they have to be.
>
> Well, we did argue this point before.
>
>>
>>> didn't (so as many others) didn't buy this argument, but
>> since it was
>>> not going anywhere Lars stepped up with the suggestion of
>>> applicability statement to be added to this draft (I
>> haven't seen any
>>> other TCP related RFC which has an AS in it, FWIW) and the rest is
>>> history. I seriously doubt whether the chairs/Lars/WG would like to
>>> fallback to MUST/MUST/SHOULD.
>>
>> I'd like to hear from them.
>
> Sure, but if you can also suggest some text (either in the AS  
> section or
> in section 6) which can probably make the implementers more  
> comfortable
> and also can make look the compliance story healhier we can consider
> adding such a text and take care of this issue. As an FYI, I want to
> stress that the draft has been around for a long time before reaching
> last call and I would prefer not to move backwards. That said, if the
> consensus turns out to be changing the mitigation stengths as per your
> suggestion, I am fine with that too!
>
>>
>>> As far as the SYN corner case workaround we chose not to talk about
>>> the fix for the same in the draft since the corner case
>> exists in RFC
>>> 793 and nothing to do with the current SYN mitigation.
>>
>> OK.  Maybe this should be stated in the I-D.
>
> The draft already covers it in section 4.2. "This corner case is a
> result of the [RFC0793] specification and is
> not introduced by these new requirements."
>
> Do you see the need for more clarification?, if so pl feel free to  
> send
> some text.
>
> -Anantha
>>
>> Nico
>> -- 
>>

v2.23.0 | Report a Bug | By Email