IETF Logo Mail Archive

Re: [tcpm] [Technical Errata Reported] RFC5925 (7135)

"touch@strayalpha.com" <touch@strayalpha.com> Sun, 18 September 2022 17:52 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A81C4C1522A4 for <tcpm@ietfa.amsl.com>; Sun, 18 Sep 2022 10:52:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.326
X-Spam-Level:
X-Spam-Status: No, score=-1.326 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Me8q2E9W7Fxk for <tcpm@ietfa.amsl.com>; Sun, 18 Sep 2022 10:52:39 -0700 (PDT)
Received: from server217-2.web-hosting.com (server217-2.web-hosting.com [198.54.115.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4440EC14CE3A for <tcpm@ietf.org>; Sun, 18 Sep 2022 10:52:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=TV2r3Jff1UYCfzUh5pv0ltEVg/i575Ngstn21RQkJFc=; b=XQVdMHRAqFX1v5RqN33iRC3TKH 2AmcAuornF/dyKa+k/QbA11S2mUYNlxpLICYf0voSRYFh8rwtNwIRWsH51oD1H2AB6fP4SusFkZMq 6Oz6rzoIGtA2t1MjEKLM4Q80p24AR0UxiQfs12V+9TNtUdo+O/0GaFSHJLW/GGT9iuYxWQsaReIU7 nFKIA9xgxriGb/7nAu/zTdaXBYXxWL9W0+P8KVMFKbfGjtxDddkJTaBg8LzRShZnCM1AKQ1ZuiGTw EEihFCvwmksmDDYMcg7K2nSDI5SGwvJlAVliPFpqQeEq1KG7jNpka20xkAbFHzxXNY/MtSep+crHe CwOQy2Mg==;
Received: from cpe-172-114-237-88.socal.res.rr.com ([172.114.237.88]:55345 helo=smtpclient.apple) by server217.web-hosting.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from <touch@strayalpha.com>) id 1oZySN-006kA7-2G; Sun, 18 Sep 2022 13:51:56 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_BE5BBED0-F810-4567-BD24-EAA06F5B5F5A"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: "touch@strayalpha.com" <touch@strayalpha.com>
In-Reply-To: <DS7PR84MB306111FCED3D5EA480D803E3F74A9@DS7PR84MB3061.NAMPRD84.PROD.OUTLOOK.COM>
Date: Sun, 18 Sep 2022 10:51:48 -0700
Cc: RFC Errata System <rfc-editor@rfc-editor.org>, Allison Mankin <mankin@psg.com>, Ron Bonica <rbonica@juniper.net>, Martin Duke <martin.h.duke@gmail.com>, Zaheduzzaman Sarker <Zaheduzzaman.Sarker@ericsson.com>, Yoshifumi Nishida <nsd.ietf@gmail.com>, Michael Tuexen <tuexen@fh-muenster.de>, "ianswett@google.com" <ianswett@google.com>, "tcpm@ietf.org" <tcpm@ietf.org>
Message-Id: <36306D78-2224-42AA-A522-360DAC7867DF@strayalpha.com>
References: <20220916083132.1A971AB20C@rfcpa.amsl.com> <7EC1AAE9-D8A1-492A-936B-FDD503EEE6B0@strayalpha.com> <DS7PR84MB306111FCED3D5EA480D803E3F74A9@DS7PR84MB3061.NAMPRD84.PROD.OUTLOOK.COM>
To: "Natarajan, Venkatesh (HP-Networking)" <venkatesh.natarajan@hpe.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/2M2gAamkAo9qqTqPRoPqgzmbbQ4>
X-Mailman-Approved-At: Mon, 19 Sep 2022 11:33:34 -0700
Subject: Re: [tcpm] [Technical Errata Reported] RFC5925 (7135)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Sep 2022 17:52:43 -0000

Hi, Venkatesh,

TCP-AO is designed so that it requires a MKT to operate - even to discard traffic that lacks TCP-AO headers. 

That means that TCP’s behavior doesn’t change UNLESS there’s an MKT. So anything that matches no MKT is allowed, by default - even if TCP-AO is in the header.

That’s intentional - it’s “opt-in” on both sides. Let’s look at the 4 cases, where “client” implies the party initiation the connection. Assume both sides implement TCP-AO:
	- client and server do not have MKTs at all
		neither side will match their MKTs, TCP-AO is not used and the connection proceeds as usual
	- client has an MKT that matches, but not the server
		Client sends TCP-AO, but server doesn’t check and sends a SYN-ACK without TCP-AO
		Client will now discard any returning packets because they won’t have TCP-AO
		The connection will fail
	- client lacks an MKT but server has an MKT that matches
		Client sends without TCP-AO, but SYN matches an MKT
		Server will drop the SYN because it matches an MKT but fails the TCP-AO check (it has to - it has no TCP-AO option)
		connection will fail
	- both sides have MTS that match
		everything works

So we don’t need to change the text to handle the case where the endpoints differ in whether they want to use TCP-AO on a connection.

The “default accept” is per side, but the total effect is “default deny unless both sides use it and have the right keys”.

Joe

—
Dr. Joe Touch, temporal epistemologist
www.strayalpha.com

> On Sep 18, 2022, at 5:31 AM, Natarajan, Venkatesh (HP-Networking) <venkatesh.natarajan@hpe.com> wrote:
> 
> Hi Joe,
>  
> Thank you for reviewing the Errata submission.
>  
> The whole point of having a default-accept for a MKT mismatch is to allow a mismatch-key-TCP-AO connection establishment even if the TCP-AO was the intended use.  If only one endpoint between the two is configured for TCP-AO , then also it is the same condition where there is no authentication. I do not understand the differentiation that is being brought out by the 7.3 section in the RFC for allowing a mismatch-key tcp-ao and when the tcp-ao option itself is not present. How is one different from the other in term of security. Both are offering unsecured/unprotected connection.
>  
> What do you think is the reason for a unsecure connection be allowed by default?  I can reason to some extent that such a behavior be implemented iff there is a transition period for  Non-TCP-AO to TCP-AO and say the server has migrated to TCP-AO but some of the clients are yet to be upgraded/migrated to use TCP-AO. Its in this mode that the acceptance of a connection from a non-tcp-ao client (segment having no-tcp-oa option) even makes sense.
>  
> -Venkatesh
>  
> From: touch@strayalpha.com <mailto:touch@strayalpha.com> <touch@strayalpha.com <mailto:touch@strayalpha.com>>
> Date: Sunday, 18 September 2022 at 5:33 AM
> To: RFC Errata System <rfc-editor@rfc-editor.org <mailto:rfc-editor@rfc-editor.org>>
> Cc: Dr. Joe Touch <touch@isi.edu <mailto:touch@isi.edu>>, Allison Mankin <mankin@psg.com <mailto:mankin@psg.com>>, Ron Bonica <rbonica@juniper.net <mailto:rbonica@juniper.net>>, Martin Duke <martin.h.duke@gmail.com <mailto:martin.h.duke@gmail.com>>, Zaheduzzaman Sarker <Zaheduzzaman.Sarker@ericsson.com <mailto:Zaheduzzaman.Sarker@ericsson.com>>, Yoshifumi Nishida <nsd.ietf@gmail.com <mailto:nsd.ietf@gmail.com>>, Michael Tuexen <tuexen@fh-muenster.de <mailto:tuexen@fh-muenster.de>>, ianswett@google.com <mailto:ianswett@google.com> <ianswett@google.com <mailto:ianswett@google.com>>, Natarajan, Venkatesh (HP-Networking) <venkatesh.natarajan@hpe.com <mailto:venkatesh.natarajan@hpe.com>>, tcpm@ietf.org <mailto:tcpm@ietf.org> <tcpm@ietf.org <mailto:tcpm@ietf.org>>
> Subject: Re: [tcpm] [Technical Errata Reported] RFC5925 (7135)
> 
> Hi, all,
>  
> I disagree with this errata.
>  
> The decision is based on whether the segments match an MKT. If TCP-AO is required, an MKT would have been configured; packets with the option would match the MKT and proceed. Packets without the option would not match the MKT - because an MKT requires info in the option.
>  
> Recommend reject.
>  
> Joe
>  
> —
> Dr. Joe Touch, temporal epistemologist
> www.strayalpha.com <http://www.strayalpha.com/>
> 
> 
> On Sep 16, 2022, at 1:31 AM, RFC Errata System <rfc-editor@rfc-editor.org <mailto:rfc-editor@rfc-editor.org>> wrote:
>  
> The following errata report has been submitted for RFC5925,
> "The TCP Authentication Option".
> 
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid7135 <https://www.rfc-editor.org/errata/eid7135>
> 
> --------------------------------------
> Type: Technical
> Reported by: Venkatesh Natarajan <venkatesh.natarajan@hpe.com <mailto:venkatesh.natarajan@hpe.com>>
> 
> Section: 7.3
> 
> Original Text
> -------------
> 
> A TCP-AO implementation MUST allow for configuration of the
>   behavior of segments with TCP-AO but that do not match an MKT.  The
>   initial default of this configuration SHOULD be to silently accept
>   such connections.  If this is not the desired case, an MKT can be
>   included to match such connections, or the connection can indicate
>   that TCP-AO is required.  Alternately, the configuration can be
>   changed to discard segments with the AO option not matching an MKT.
> 
> Corrected Text
> --------------
> 
> A TCP-AO implementation MUST allow for configuration of the
>   behavior of segments with TCP-AO but that do not match any MKT or 
>   no MKT is available. The initial default of this configuration 
>   SHOULD be to silently accept such connections. In this mode of 
>   operation, both the endpoints will not perform TCP-AO validation.
>   If this is not the desired case, an MKT can be included to match such 
>   connections, or the connection can indicate that TCP-AO is required. 
>   Alternately, the configuration can be changed to discard segments
>   with the AO option not matching an MKT.
> 
> Notes
> -----
> The RFC does not clearly draw out the distinction between treatment of segments with TCP-AO and without TCP-AO option.
> Note that in the case of MKT mismatch as per existing RFC text, if either endpoint does TCP-AO validation, the session would not get established.
> 
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party  
> can log in to change the status and edit the report, if necessary. 
> 
> --------------------------------------
> RFC5925 (draft-ietf-tcpm-tcp-auth-opt-11)
> --------------------------------------
> Title               : The TCP Authentication Option
> Publication Date    : June 2010
> Author(s)           : J. Touch, A. Mankin, R. Bonica
> Category            : PROPOSED STANDARD
> Source              : TCP Maintenance and Minor Extensions
> Area                : Transport
> Stream              : IETF
> Verifying Party     : IESG
> 
> _______________________________________________
> tcpm mailing list
> tcpm@ietf.org <mailto:tcpm@ietf.org>
> https://www.ietf.org/mailman/listinfo/tcpm <https://www.ietf.org/mailman/listinfo/tcpm>

v2.23.0 | Report a Bug | By Email