Re: [Spud] on trust and lying
Bob Briscoe <bob.briscoe@bt.com> Wed, 25 March 2015 21:29 UTC
Return-Path: <bob.briscoe@bt.com>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 376371A87BE
for <spud@ietfa.amsl.com>; Wed, 25 Mar 2015 14:29:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.611
X-Spam-Level:
X-Spam-Status: No, score=-2.611 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001,
T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 4TMszc7-VchL for <spud@ietfa.amsl.com>;
Wed, 25 Mar 2015 14:29:04 -0700 (PDT)
Received: from hubrelay-rd.bt.com (hubrelay-rd.bt.com [62.239.224.99])
(using TLSv1 with cipher AES128-SHA (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id B6E291A039A
for <spud@ietf.org>; Wed, 25 Mar 2015 14:29:03 -0700 (PDT)
Received: from EVMHR02-UKBR.domain1.systemhost.net (193.113.108.41) by
EVMHR67-UKRD.bt.com (10.187.101.22) with Microsoft SMTP Server (TLS) id
8.3.348.2; Wed, 25 Mar 2015 21:29:02 +0000
Received: from EPHR02-UKIP.domain1.systemhost.net (147.149.100.81) by
EVMHR02-UKBR.domain1.systemhost.net (193.113.108.41) with Microsoft SMTP
Server (TLS) id 8.3.348.2; Wed, 25 Mar 2015 21:29:01 +0000
Received: from bagheera.jungle.bt.co.uk (132.146.168.158) by
EPHR02-UKIP.domain1.systemhost.net (147.149.100.81) with Microsoft SMTP
Server id 14.3.181.6; Wed, 25 Mar 2015 21:29:00 +0000
Received: from BTP075694.jungle.bt.co.uk ([10.111.176.200]) by
bagheera.jungle.bt.co.uk (8.13.5/8.12.8) with ESMTP id t2PLSvGt003818; Wed,
25 Mar 2015 21:28:58 GMT
Message-ID: <201503252128.t2PLSvGt003818@bagheera.jungle.bt.co.uk>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Wed, 25 Mar 2015 21:28:57 +0000
To: Eliot Lear <lear@cisco.com>
From: Bob Briscoe <bob.briscoe@bt.com>
In-Reply-To: <551304ED.7080601@cisco.com>
References: <551304ED.7080601@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Scanned-By: MIMEDefang 2.56 on 132.146.168.158
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/vQSfl8DKYscRuGBKuhOtA7Vb8HU>
Cc: spud@ietf.org
Subject: Re: [Spud] on trust and lying
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>,
<mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>,
<mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Mar 2015 21:29:06 -0000
Eliot, At 18:56 25/03/2015, Eliot Lear wrote: >A comment was made at the microphone that middle boxes will lie to end >hosts and end hosts will lie to middle boxes. That is not strictly >true, and we have an existence proof of when it is not: that is TCP. We cannot naively rely on TCP experience though, because part of the security that firewalls attribute to TCP's connection life-cycle controls (SYN, SYN/ACK, FIN, RST etc) derives from being able to assume their universal support on all hosts. SPUD doesn't have that luxury. For instance, any TCP host will always discard a data segment that was not preceded by a SYN. But UDP hosts out there today without a firewall in their stack will accept a UDP datagram whether or not it is preceded by a SPUD open command (because they don't recognise SPUD commands). So if a perimeter firewall today is blocking all UDP from red-side (to protect such unprotected hosts), it is not going to allow through UDP datagrams to any green-side host, just because the datagram says "SPUD-open". At best the firewall will be reprogrammed to allow SPUD-open through to green-side hosts that have previously registered that they support SPUD. The firewall policy might be more restrictive, e.g. it might allow SPUD-open from only specific red-side hosts to certain green-side SPUD hosts. That's why I said, at the mic today, that the SPUD-ack-open command is the significant one in security terms. You can think of that as either of two dual functions: i) the command that a green-side host uses to register its SPUD support to the firewall within a long-term security context. ii) Or you can think of it as equivalent to a "SYN/ACK preceding a SYN" for the short-term security context of a tube. It should be possible for one command to support either type of context. I am not disagreeing with your general point that TCP is an exsistence proof of a protocol that has sufficient hooks to be able to mitigate the effects of lying. I'm just saying we have to think about SPUD security from scratch, not just rely on mimicking TCP, because SPUD has the additional dimension of incremental deployment. Bob ________________________________________________________________ Bob Briscoe, BT
- [Spud] on trust and lying Eliot Lear
- Re: [Spud] on trust and lying Salvatore Loreto
- Re: [Spud] on trust and lying Roland Bless
- Re: [Spud] on trust and lying Bob Briscoe