Re: [tcpm] Secdir last call review of draft-ietf-tcpm-rfc793bis-24
Kyle Rose <krose@krose.org> Sun, 05 September 2021 16:13 UTC
Return-Path: <krose@krose.org>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5CC13A03FE for <tcpm@ietfa.amsl.com>; Sun, 5 Sep 2021 09:13:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=krose.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rathHJTMszO0 for <tcpm@ietfa.amsl.com>; Sun, 5 Sep 2021 09:13:16 -0700 (PDT)
Received: from mail-wm1-x32a.google.com (mail-wm1-x32a.google.com [IPv6:2a00:1450:4864:20::32a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EAF8B3A03F3 for <tcpm@ietf.org>; Sun, 5 Sep 2021 09:13:15 -0700 (PDT)
Received: by mail-wm1-x32a.google.com with SMTP id k5-20020a05600c1c8500b002f76c42214bso3195515wms.3 for <tcpm@ietf.org>; Sun, 05 Sep 2021 09:13:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=krose.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3FbNDl93jc7EzrLSz/9pI6S6Wd+W9LMo/7xOVDNL98w=; b=lb9LpBe1R/8PWTbldeTuUbHMBy2LFxEqrthHm9RzY/ELbWieR1sFpzDgcG425nxE9c LxDZG0Z+Jp7kgPb4OlaXxGSndsnLyZxL3kMD2oDyxU8zQXsPyWBgHR2PptLbqEfLI5l4 WPSUsJoIOdrS884xwBiFagDsZk70OouAkZMjE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3FbNDl93jc7EzrLSz/9pI6S6Wd+W9LMo/7xOVDNL98w=; b=t7mjOhaPqfSRytGc8yvOLHYw9lrLCLdSHPfiBVg6jtXkjlogKrUgtphCeDrLJ+Y6MX GYcEjmoeaSd816x3T/YN/983dfDYjRvLSvpqfAdXWMG+umeBXf4w+Nlybb9Qx1s+twnP Kl0R9HtlNUcB8qJdA7L0I7vqIDN0UDmulEhjjMKn8R8QmHbPnHDuyFOPt97yC5nEP/UP HnBsVtGrHu6qh+g/Om2rtf8+pL/B5Otcij8/oSmMNnkmgUb8pVvbWINQjoHPtmBoIfms AvSbGKMsP69pIAJ2Ct2P9kx2+nANwzVBiRRUFC6wMiQU1uHd11NZdVsHJEg/r5cO6Xxo RIqw==
X-Gm-Message-State: AOAM5330BpqP/ajWKLEru5oG1dS6irZooaCBakPbI+6JPPwjU0X+UEoo 165xIpeZ0+7+ekTGYeFkfxwVmMxgW0VpBPMy2F3jn3+XD2SKVxuv
X-Google-Smtp-Source: ABdhPJy3p+9pRkFkB0KPRnmO+3iWxuBk1wPr303ghOG9U/PEz4SC5pgPYNTMCuKH5JkNmtjtGBEx6DGyAdC321gcqLs=
X-Received: by 2002:a05:600c:3554:: with SMTP id i20mr7412225wmq.164.1630858393408; Sun, 05 Sep 2021 09:13:13 -0700 (PDT)
MIME-Version: 1.0
References: <162767735763.27351.5673596060247016004@ietfa.amsl.com> <cd7d3085-7602-b6f9-471b-4c7fed99e158@mti-systems.com> <CAJU8_nXjH=i-cZDOLy3piA8a65=pe4YQEZSsNF27bGCtxjVmLg@mail.gmail.com> <290f7fc9-7a05-5474-ca8f-17d63d9f7b36@mti-systems.com>
In-Reply-To: <290f7fc9-7a05-5474-ca8f-17d63d9f7b36@mti-systems.com>
From: Kyle Rose <krose@krose.org>
Date: Sun, 05 Sep 2021 12:13:02 -0400
Message-ID: <CAJU8_nUTBm-6mF=FLvqvZyFAHJknsQMyAXuNYr+hK6fXBTC2eA@mail.gmail.com>
To: Wesley Eddy <wes@mti-systems.com>
Cc: tcpm IETF list <tcpm@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000037f2b805cb41cfdd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/1BUdTHQO_l3uoQjR9OBURtqJ5Ro>
Subject: Re: [tcpm] Secdir last call review of draft-ietf-tcpm-rfc793bis-24
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Sep 2021 16:13:22 -0000
On Fri, Sep 3, 2021 at 3:54 PM Wesley Eddy <wes@mti-systems.com> wrote: > > > The one item I see missing from this section is a mention of lessons > > learned > > > and subsequently applied to the design of QUIC. I think it is worth > > mentioning, > > > for instance, that TCP's large surface area of cleartext metadata > > exposes more > > > information to the path than required to successfully route packets > > to their > > > destination, including to on-path adversaries that may be able to > > use this > > > metadata to bolster targeted or pervasive surveillance. > > It looks like this is covered pretty well in RFC 8546, which you mention > below, so I think it might suffice for 793bis to just add a sentence > noting pretty much exactly what you said above and referring interested > readers to RFC 8546. > Agreed, this sounds good. > > There is one more omission, adjacent to (but not explicitly about) > > security, > > > that I think warrants some text in this document: that is around > > ossification. .... > > I don't really want to add a whole section for this, since we aren't > going to actually change anything, however, I think it makes sense to > add the above-mentioned reference to 8546, plus a little bit more > expansion that references RFC 8558 as having additional recommendations > that could be applied with regard to future TCP extensions. > The IAB's use-it-or-lose-it draft ( https://datatracker.ietf.org/doc/html/draft-iab-use-it-or-lose-it) might be the best reference for this particular problem. This is what 8546 refers to when discussing this problem. But some brief text describing how the problem applies to TCP extensibility might be worthwhile, though I'm not sure where to put it into this document. Something like: q[ While TCP was designed from the start with extensibility in mind, practically speaking standards-compliant extensions have faced numerous obstacles to deployment as a result of constraints imposed by on-path elements with assumptions about valid TCP traffic that they then impose on flows. With respect to the option mechanism, for instance, on-path elements collectively dubbed "middleboxes" [RFC 3234] often filter or otherwise modify TCP packets to strip unknown options or otherwise render them unusable; similarly, middleboxes often re-segment TCP traffic, precluding the introduction of extensions that presume end-to-end preservation of stream segmentation, such as in early revisions of tcpcrypt [RFC 8548]. Such protocol ossification beyond the constraints implied by the standard described herein effectively limits TCP extensibility for use cases requiring transit over the public Internet. (This effect has subsequently motivated protocol design patterns that hide data from path elements (for example, by encrypting as much header information as possible) and that exercise cleartext or otherwise predictable elements of the wire image ([USE-IT]) to preserve the intended degree of future extensibility.) ] Kyle
- [tcpm] Secdir last call review of draft-ietf-tcpm… Kyle Rose via Datatracker
- Re: [tcpm] Secdir last call review of draft-ietf-… Wesley Eddy
- Re: [tcpm] Secdir last call review of draft-ietf-… Kyle Rose
- Re: [tcpm] Secdir last call review of draft-ietf-… Gorry Fairhurst
- Re: [tcpm] Secdir last call review of draft-ietf-… Kyle Rose
- Re: [tcpm] Secdir last call review of draft-ietf-… Gorry Fairhurst
- Re: [tcpm] Secdir last call review of draft-ietf-… Wesley Eddy
- Re: [tcpm] Secdir last call review of draft-ietf-… Kyle Rose
- Re: [tcpm] Secdir last call review of draft-ietf-… Gorry Fairhurst
- Re: [tcpm] Secdir last call review of draft-ietf-… Kyle Rose
- Re: [tcpm] Secdir last call review of draft-ietf-… Martin Duke