IETF Logo Mail Archive

Re: [Tcpcrypt] v3 of the charter

Joe Touch <touch@isi.edu> Wed, 30 April 2014 21:28 UTC

Return-Path: <touch@isi.edu>
X-Original-To: tcpcrypt@ietfa.amsl.com
Delivered-To: tcpcrypt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 021C31A0948 for <tcpcrypt@ietfa.amsl.com>; Wed, 30 Apr 2014 14:28:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.851
X-Spam-Level:
X-Spam-Status: No, score=-4.851 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yu-UOOc3URNv for <tcpcrypt@ietfa.amsl.com>; Wed, 30 Apr 2014 14:28:25 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by ietfa.amsl.com (Postfix) with ESMTP id 28C301A09BC for <tcpcrypt@ietf.org>; Wed, 30 Apr 2014 14:28:19 -0700 (PDT)
Received: from [128.9.160.166] (abc.isi.edu [128.9.160.166]) (authenticated bits=0) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id s3ULRmsQ027403 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 30 Apr 2014 14:27:49 -0700 (PDT)
Message-ID: <53616AD4.6010309@isi.edu>
Date: Wed, 30 Apr 2014 14:27:48 -0700
From: Joe Touch <touch@isi.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, "Eggert, Lars" <lars@netapp.com>, Marcelo Bagnulo <marcelo@it.uc3m.es>
References: <536099A0.30900@it.uc3m.es> <23862F2E-9D56-4651-9202-FC676D15720B@netapp.com> <07C2D017-9342-4742-990C-7D3BC795049F@netapp.com> <536157E1.2060202@fifthhorseman.net> <53615A40.9050903@isi.edu> <536165C6.20909@fifthhorseman.net> <536167CC.8010703@isi.edu> <536168FA.2010800@fifthhorseman.net>
In-Reply-To: <536168FA.2010800@fifthhorseman.net>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpcrypt/ypzsC40KWn0fProumqg34l0LVls
Cc: "tcpcrypt@ietf.org" <tcpcrypt@ietf.org>
Subject: Re: [Tcpcrypt] v3 of the charter
X-BeenThere: tcpcrypt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpcrypt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpcrypt/>
List-Post: <mailto:tcpcrypt@ietf.org>
List-Help: <mailto:tcpcrypt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Apr 2014 21:28:27 -0000

On 4/30/2014 2:19 PM, Daniel Kahn Gillmor wrote:
...
>> They're also both clients because they issue the initial (non-ACK) SYN.
>> So they're both - which is why most TCP protocol specification docs tend
>> not to use the term client/server.
>
> I know they're both clients in this sense; we're discussing
> fingerprinting.  the charter text makes it clear that we want to be able
> to avoid fingerprinting for the client, but not the server, since the
> server presumably has some form of persistent identity, or else the
> client wouldn't be able to connect to it in the first place.
>
> That's the context in which i think we need to see TCP simultaneous open
> as a server -- i don't think we need to worry about protecting
> fingerprinting by the peer for either simultaneous open peer, since each
> peer already has some information about the other.

It'd be optimal if this wasn't useful for fingerprinting either client 
or server. Even if you know the server's IP and port, that's all you 
ought to know, and all that needs to persist during the lifetime of a 
particular connection.

So why not just require anti-fingerprinting in general, and not focus on 
who initiated the connection?

>
> 	--dkg
>
> (that said, i'm not sure how simultaneous open will work in whatever
> spec we work out; maybe it turns out we have to be willing to sacrifice
> simultaneous open in order to use tcp inc?)

It should revert to conventional TCP and thus support simultaneous open 
in that case.

Joe

v2.23.0 | Report a Bug | By Email