Re: [tcpm] tcpsecure: how strong to recommend?

Joe Touch <touch@ISI.EDU> Wed, 26 September 2007 19:28 UTC

Message-ID: <46FAB2B9.60006@isi.edu>
Date: Wed, 26 Sep 2007 12:27:53 -0700
From: Joe Touch <touch@ISI.EDU>
To: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
Subject: Re: [tcpm] tcpsecure: how strong to recommend?
References: <0C53DCFB700D144284A584F54711EC5804052246@xmb-sjc-21c.amer.cisco.com>
In-Reply-To: <0C53DCFB700D144284A584F54711EC5804052246@xmb-sjc-21c.amer.cisco.com>
Cc: tcpm@ietf.org, Tim Shepard <shep@alum.mit.edu>


Anantha Ramaiah (ananth) wrote:
>> Anantha Ramaiah (ananth) wrote:
>> ...
>>> If we have to fix multiple layers, let's fix it, I have no problems.
>>> You can do all at once or piecemeal, as simple as that. It doesn't
>>> matter whether spoofing is standalone or not, it is about how well you
>>> can make your TCP stack respond to such malicious attacks, if you care
>>> to do so.
>>
>> TCP is not a secure protocol. It's not intended for 
>> protection from malicious attacks per se; 'fixing' it is to 
>> assert your solution on everyone, as below.
> 
> I see what you are saying except the "asserting your solution part". 
...
> Anyways, I don't want to side-track this discussion from its original
> intent viz., "strength of mitigations"

OK, so let's get back to that. If you believe that it's appropriate to
let people decide what mitigations they want to deploy, then why isn't
tcpsecure a MAY?

I.e., you MAY deploy it if you want the mitigations.

There's no MUST in that logic, any more than 'you MUST deploy
IPsec/BTNS/TCP-MD5++'.

I think we're all agreeing that "let the user decide" is appropriate.
What we disagree upon appears to be what that implies.

Joe
