Re: [tcpinc] WGLC for draft-ietf-tcpinc-tcpcrypt - draft header

"Black, David" <David.Black@dell.com> Thu, 16 February 2017 00:37 UTC

From: "Black, David" <David.Black@dell.com>
To: "Black, David" <David.Black@dell.com>, tcpinc <tcpinc@ietf.org>
Date: Thu, 16 Feb 2017 00:37:16 +0000
Message-ID: <CE03DB3D7B45C245BCA0D243277949362F870E05@MX307CL04.corp.emc.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/2hIRBeKbvjI2aRunhS9HR3TxgIA>
Subject: Re: [tcpinc] WGLC for draft-ietf-tcpinc-tcpcrypt - draft header
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Feb 2017 00:37:36 -0000

The tcpcrypt draft is going to be an Experimental RFC, as indicated by our charter and the datatracker. However, the draft header says “Intended status: Standards Track” (oops). This oversight is a must-fix item before we can send the draft to the IESG with an RFC publication request ...

Thanks, --David

From: Tcpinc [mailto:tcpinc-bounces@ietf.org] On Behalf Of Black, David
Sent: Wednesday, February 15, 2017 7:30 PM
To: tcpinc
Subject: Re: [tcpinc] WGLC for draft-ietf-tcpinc-tcpcrypt

I focused on the changes since the -03 version, and found this sentence in Section 3.7:

   When the TCP FIN flag differs
   from "FINp", a receiving host MUST either ignore the segment
   altogether or abort the connection and raise an error condition
   distinct from the end-of-file condition.

I believe that this is ok, although I suggest adding a short explanation of why this is not a new denial-of-service exposure to the Security Considerations section.  In essence, this check blocks off-path injection of FIN, as the off-path attacker cannot generate valid tcpcrypt content, so the packet should be dropped before getting to this header flag processing, and the situation for an on-path attacker is no worse, as in tcpcrypt’s absence, the injected FIN would close the connection.

Thanks, --David
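An added model of the Section 3.7 receiver check discussed above (example code, not from the draft or any tcpcrypt implementation): the authenticated FINp bit is compared against the cleartext TCP FIN flag only after the frame authenticates, so an unauthenticated segment is dropped before flag processing, and a mismatch is never treated as end-of-file. HMAC-SHA256 stands in for tcpcrypt's AEAD framing and the Segment layout, FINP bit and the "ignore"/"abort" policy names are constructed for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass, replace

# Constructed model of tcpcrypt framing: the FINp bit travels inside the
# authenticated frame, while the TCP FIN flag sits in the cleartext header.
# HMAC-SHA256 stands in for the real AEAD; layouts here are not the draft's.
FINP = 0x01

@dataclass
class Segment:
    tcp_fin: bool    # FIN bit from the cleartext TCP header (not authenticated)
    flags: int       # tcpcrypt frame flags carrying FINp (authenticated)
    payload: bytes   # application data (authenticated)
    tag: bytes       # authentication tag over flags || payload

def _tag(key: bytes, flags: int, payload: bytes) -> bytes:
    return hmac.new(key, bytes([flags]) + payload, hashlib.sha256).digest()

def protect(key: bytes, fin: bool, payload: bytes) -> Segment:
    """Sender side: FINp mirrors the FIN flag and is covered by the tag."""
    flags = FINP if fin else 0
    return Segment(tcp_fin=fin, flags=flags, payload=payload,
                   tag=_tag(key, flags, payload))

def receive(key: bytes, seg: Segment, policy: str = "ignore") -> tuple:
    """Receiver side. Returns (action, detail) where action is one of
    'deliver', 'eof', 'drop' or 'abort'."""
    # Step 1: authenticate first. A segment built without the session key
    # (off-path injection) fails here and never reaches flag processing.
    if not hmac.compare_digest(_tag(key, seg.flags, seg.payload), seg.tag):
        return ("drop", "authentication failed")
    finp = bool(seg.flags & FINP)
    # Step 2: Section 3.7 check. A header FIN that disagrees with the
    # authenticated FINp is never treated as end-of-file; the receiver either
    # ignores the segment or aborts with an error distinct from EOF.
    if seg.tcp_fin != finp:
        action = "abort" if policy == "abort" else "drop"
        return (action, "FIN/FINp mismatch")
    return ("eof" if finp else "deliver", seg.payload)

def header_fin_flipped(seg: Segment) -> Segment:
    """Test fixture: same authenticated frame, cleartext FIN bit altered."""
    return replace(seg, tcp_fin=not seg.tcp_fin)
```

The last fixture models the on-path case in the message above: the frame still authenticates, so the mismatch is caught by the FIN/FINp comparison rather than by the tag check.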

From: Tcpinc [mailto:tcpinc-bounces@ietf.org] On Behalf Of Kyle Rose
Sent: Monday, January 23, 2017 6:16 PM
To: tcpinc
Subject: [tcpinc] WGLC for draft-ietf-tcpinc-tcpcrypt

This is a working group last call for the "Cryptographic protection of TCP Streams (tcpcrypt)" draft available at https://datatracker.ietf.org/doc/draft-ietf-tcpinc-tcpcrypt/. Please review the document and send your comments to the list by 2017-February-15.
- Kyle and David