Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt-04 [This time for sure]

"Eddy, Wesley M. (GRC-RCN0)[Verizon]" <wesley.m.eddy@nasa.gov> Mon, 23 March 2009 14:56 UTC

Return-Path: <wesley.m.eddy@nasa.gov>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BAA233A6835 for <tcpm@core3.amsl.com>; Mon, 23 Mar 2009 07:56:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.384
X-Spam-Level:
X-Spam-Status: No, score=-6.384 tagged_above=-999 required=5 tests=[AWL=0.215, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jeaRQGEiyb8h for <tcpm@core3.amsl.com>; Mon, 23 Mar 2009 07:56:15 -0700 (PDT)
Received: from ndjsnpf02.ndc.nasa.gov (ndjsnpf02.ndc.nasa.gov [198.117.1.122]) by core3.amsl.com (Postfix) with ESMTP id D4A643A6857 for <tcpm@ietf.org>; Mon, 23 Mar 2009 07:56:14 -0700 (PDT)
Received: from ndjsppt02.ndc.nasa.gov (ndjsppt02.ndc.nasa.gov [198.117.1.101]) by ndjsnpf02.ndc.nasa.gov (Postfix) with ESMTP id D6E71A80CD; Mon, 23 Mar 2009 09:57:04 -0500 (CDT)
Received: from ndjshub05.ndc.nasa.gov (ndjshub05.ndc.nasa.gov [198.117.4.164] (may be forged)) by ndjsppt02.ndc.nasa.gov (8.14.1/8.14.1) with ESMTP id n2NEv99k020191; Mon, 23 Mar 2009 09:57:09 -0500
Received: from NDJSSCC01.ndc.nasa.gov ([198.117.4.166]) by ndjshub05.ndc.nasa.gov ([198.117.4.164]) with mapi; Mon, 23 Mar 2009 09:57:04 -0500
From: "Eddy, Wesley M. (GRC-RCN0)[Verizon]" <wesley.m.eddy@nasa.gov>
To: Joe Touch <touch@ISI.EDU>, Eric Rescorla <ekr@rtfm.com>
Date: Mon, 23 Mar 2009 09:57:03 -0500
Thread-Topic: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt-04 [This time for sure]
Thread-Index: AcmrxR8VeDUBz+PvRP2NuB8UukhA4gAAd2uA
Message-ID: <C304DB494AC0C04C87C6A6E2FF5603DB220CD56901@NDJSSCC01.ndc.nasa.gov>
References: <d3aa5d00903230443s6d57cef4t4e30ef2aa68216e@mail.gmail.com> <49C79ECF.2010501@isi.edu>
In-Reply-To: <49C79ECF.2010501@isi.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "tcpm@ietf.org" <tcpm@ietf.org>
Subject: Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt-04 [This time for sure]
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2009 14:56:15 -0000

>-----Original Message-----
>From: tcpm-bounces@ietf.org [mailto:tcpm-bounces@ietf.org] On 
>Behalf Of Joe Touch
>Sent: Monday, March 23, 2009 10:38 AM
>
> ...
>
>>>
>>> Whenever the keyID appears in a segment (sent or received), 
>that tuple
>>> is used to validate the contents. As per the most recent 
>coordination,
>>> keyIDs are bidirectional, so there is no send or receive difference.
>> 
>> It was not my understanding that we agreed that key-ids were 
>bidirectional.
>> Rather, I believe we agreed that MKTs were bidirectional and that
>> there was a separate key-id in each direction, to address Russ's
>> concern.
>
>Russ can clarify. First, let's clarify some terms:
>
>key-id = a digit in [0..255] that, together with a connection's socket
>pair (as per RFC793, i.e., srcIP, dstIP, srcport, dstport) indicates a
>single MKT.
>
>key-id field = the value in the TCP-AO option
>
>key-id fields are unidirectional - they indicate the key-id used to
>authenticate that TCP segment
>
>key-ids are bidirectional - they indicate (with the socket pair) a MKT
>that can be used in either direction
>
>However, there is no utility in referring to the same MKT with 
>different
>key-id values for the different directions of a single connection.
>


This set of definitions makes sense to me, and I think it clarifies
what we mean by bidirectional versus unidirectional, which was what
seemed to be a major point of disconnect in conversation.  Eric or
Russ, do you agree?


---------------------------
Wes Eddy
Network & Systems Architect
Verizon FNS / NASA GRC
Office: (216) 433-6682
---------------------------