IETF Logo Mail Archive

Re: [tcpm] status of TCP-MD5 after TCP-AO publication

"Chaks Chigurupati (chaks)" <chaks@cisco.com> Tue, 04 August 2009 16:49 UTC

Return-Path: <chaks@cisco.com>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 506273A68BE; Tue, 4 Aug 2009 09:49:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WHfTQOxupQiv; Tue, 4 Aug 2009 09:49:39 -0700 (PDT)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id 4D86728C375; Tue, 4 Aug 2009 09:49:08 -0700 (PDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApoEAB8DeEqrR7O6/2dsb2JhbAC9D4gpj3gFhBg
X-IronPort-AV: E=Sophos;i="4.43,322,1246838400"; d="scan'208";a="360210973"
Received: from sj-dkim-2.cisco.com ([171.71.179.186]) by sj-iport-6.cisco.com with ESMTP; 04 Aug 2009 16:48:44 +0000
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id n74GmiZZ010561; Tue, 4 Aug 2009 09:48:44 -0700
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-5.cisco.com (8.13.8/8.14.3) with ESMTP id n74GmhBk028333; Tue, 4 Aug 2009 16:48:44 GMT
Received: from xmb-sjc-214.amer.cisco.com ([171.70.151.145]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 4 Aug 2009 09:48:43 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 04 Aug 2009 09:48:42 -0700
Message-ID: <3C50EF6BFB256E448286057DABC00CBE0834DB40@xmb-sjc-214.amer.cisco.com>
In-Reply-To: <B01905DA0C7CDC478F42870679DF0F100599C37D03@qtdenexmbm24.AD.QINTRA.COM>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [tcpm] status of TCP-MD5 after TCP-AO publication
Thread-Index: AcoVHCcZ8JwlPIP3Qw6VTNwcE8WB5AAAMtNQAAFy8wA=
References: <6BB76CFA-4134-4D3E-BE20-3A90A5111CBD@nokia.com><FB33B8FD-308B-4867-902E-131382969C35@muada.com><4A777220.3070507@juniper.net><75E968CA-1D9A-40BD-9C3E-534518B13BCF@muada.com> <B01905DA0C7CDC478F42870679DF0F100599C37D03@qtdenexmbm24.AD.QINTRA.COM>
From: "Chaks Chigurupati (chaks)" <chaks@cisco.com>
To: "Smith, Donald" <Donald.Smith@qwest.com>, Iljitsch van Beijnum <iljitsch@muada.com>, Ron Bonica <rbonica@juniper.net>
X-OriginalArrivalTime: 04 Aug 2009 16:48:43.0642 (UTC) FILETIME=[6D5E5DA0:01CA1523]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=3588; t=1249404524; x=1250268524; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=chaks@cisco.com; z=From:=20=22Chaks=20Chigurupati=20(chaks)=22=20<chaks@cisco .com> |Subject:=20RE=3A=20[tcpm]=20status=20of=20TCP-MD5=20after= 20TCP-AO=20publication |Sender:=20; bh=ZYPonULPIQKDv2KYHSHqMqGxZHANcvN2Jcc1qUuk6QI=; b=OWfNMd46lsqbwE/0RO7FInh0morVH/snPGfWupztRfpvjjsQHmt93zOTy/ 0WkPh+wW38nnvfc7TLOaYR8TS+SGsIBWt8vgyN6k0xFaQdHyXQhauWAbylAU 7rnzErFaA+;
Authentication-Results: sj-dkim-2; header.From=chaks@cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
Cc: tcpm@ietf.org, iesg@ietf.org
Subject: Re: [tcpm] status of TCP-MD5 after TCP-AO publication
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Aug 2009 16:49:40 -0000

One minor comment - Please see inline for [Chaks]

> -----Original Message-----
> From: tcpm-bounces@ietf.org [mailto:tcpm-bounces@ietf.org] On 
> Behalf Of Smith, Donald
> Sent: Tuesday, August 04, 2009 9:27 AM
> To: 'Iljitsch van Beijnum'; 'Ron Bonica'
> Cc: 'tcpm@ietf.org'; 'iesg@ietf.org IESG'
> Subject: Re: [tcpm] status of TCP-MD5 after TCP-AO publication
> 
> I believe the rfc2385 should be modified.
> 
> http://www.ietf.org/rfc/rfc2385.txt
> 4.1
>    A connectionless reset will be ignored by the receiver of 
> the reset,
>    since the originator of that reset does not know the key, and so
>    cannot generate the proper signature for the segment.  This means,
>    for example, that connection attempts by a TCP which is generating
>    signatures to a port with no listener will time out 
> instead of being
>    refused.  Similarly, resets generated by a TCP in response to
>    segments sent on a stale connection will also be ignored.
>    Operationally this can be a problem since resets help BGP recover
>    quickly from peer crashes.
> 
> 
> 
> An authenticationless reset MUST be ignored by the receiver 
> of the reset.
> The originator of that reset knows the key associated with 
> their bgp neighbor and SHOULD use the key to generate an 
> authenticated reset if that session has been terminated for 
> some reason.
> This means, for example, that connection attempts by a TCP 
> which is generating signatures to a port with no listener 
> could be refused with a authenticated reset instead of being 
> timed out.

[Chaks] If the listener is not around, it is very likely that the
listener has withdrawn from TCP the knowledge about the 
various keys associcated with the neighbors. OR, TCP itself might have
purged that info as such info is usually "attached" to the listen
socket. So, it may not be possible for TCP to generate an authenticated
reset in the absence of a listener.

Chaks

> Operationally this would be an improvement over the current 
> standard since resets help BGP recover quickly from peer crashes.
> 
> 
> 
> The current rfc compliant behavior doesn't make authenticated 
> reset work, it makes ALL RESETS fail.
> We could just as well have a flag that says ignore resets for 
> bgp. It would have the same value as today's rfc compliant 
> router implementations.
> 
> (coffee != sleep) & (!coffee == sleep)
> Donald.Smith@qwest.com gcia   
> 
> > -----Original Message-----
> > From: tcpm-bounces@ietf.org [mailto:tcpm-bounces@ietf.org] On 
> > Behalf Of Iljitsch van Beijnum
> > Sent: Tuesday, August 04, 2009 9:56 AM
> > To: Ron Bonica
> > Cc: tcpm@ietf.org; iesg@ietf.org IESG
> > Subject: Re: [tcpm] status of TCP-MD5 after TCP-AO publication
> > 
> > On 4 aug 2009, at 1:26, Ron Bonica wrote:
> > 
> > > The HISTORIC nomenclature doesn't mean that there is no longer an
> > > installed base. It just means that something more recent is 
> > available.
> > 
> > I still think it's premature to change the status of RFC 2385 
> > before a  
> > replacement is widely available operationally.
> > 
> > And yes, that can take a decade, see 32-bit AS numbers.
> > 
> > Iljitsch
> > _______________________________________________
> > tcpm mailing list
> > tcpm@ietf.org
> > https://www.ietf.org/mailman/listinfo/tcpm
> > 
> _______________________________________________
> tcpm mailing list
> tcpm@ietf.org
> https://www.ietf.org/mailman/listinfo/tcpm
>

v2.31.3 | Report a Bug | By Email | System Status