Re: [tcpm] Minimum nonce length in draft-touch-tcpm-experimental-options
Joe Touch <touch@isi.edu> Wed, 29 February 2012 21:15 UTC
Return-Path: <touch@isi.edu>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09E0121F87B7 for <tcpm@ietfa.amsl.com>; Wed, 29 Feb 2012 13:15:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.959
X-Spam-Level:
X-Spam-Status: No, score=-102.959 tagged_above=-999 required=5 tests=[AWL=-0.360, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8I-Y65veP2A8 for <tcpm@ietfa.amsl.com>; Wed, 29 Feb 2012 13:15:35 -0800 (PST)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by ietfa.amsl.com (Postfix) with ESMTP id 89F0E21F87B3 for <tcpm@ietf.org>; Wed, 29 Feb 2012 13:15:35 -0800 (PST)
Received: from [128.9.160.166] (abc.isi.edu [128.9.160.166]) (authenticated bits=0) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id q1TLF67k007880 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 29 Feb 2012 13:15:06 -0800 (PST)
Message-ID: <4F4E955A.9040405@isi.edu>
Date: Wed, 29 Feb 2012 13:15:06 -0800
From: Joe Touch <touch@isi.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: "SCHARF, Michael" <Michael.Scharf@alcatel-lucent.com>
References: <133D9897FB9C5E4E9DF2779DC91E947C06C80E75@SLFSNX.rcs.alcatel-research.de> <11225_1330460112_4F4D35D0_11225_4274_1_CAO249ycxh75VETJ6jYScpw-ChCi9As6x6x35RnXHKWY1TVEkYw@mail.gmail.com> <7CC5FA62-2223-4003-BE21-F9E2F6120D96@iki.fi> <133D9897FB9C5E4E9DF2779DC91E947C06E03465@SLFSNX.rcs.alcatel-research.de>
In-Reply-To: <133D9897FB9C5E4E9DF2779DC91E947C06E03465@SLFSNX.rcs.alcatel-research.de>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tcpm@ietf.org
Subject: Re: [tcpm] Minimum nonce length in draft-touch-tcpm-experimental-options
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Feb 2012 21:15:36 -0000
On 2/29/2012 12:29 PM, SCHARF, Michael wrote: >>>> Does that statement intend to say something like "MUST NOT >> be shorter >>>> than 16 bits long"? Or shall even a nonce of length 0 be allowed, >>>> provided that there are additional security mechanism such as >>>> checksums or digital signatures? In the latter case, >> existing use of >>>> the codepoints without nonce could be compliant to the >>>> recommendation, provided that there are other means to >> detect false positives. >>> >>> I don't have strong opinion on this yet, but I personally think we >>> don't have to mention minimum length specifically in the draft. >>> However, I might prefer to put a little bit more stress in >> this regards, like, >>> o It's implementor's responsibility to find good balance >> between the >>> overhead of magic number and the overhead to handle false positive. >>> o the draft doesn't guarantee anything even if an implementor >>> chooses longer magic number >> >> I agree. Given the scarcity of TCP option space, you do not >> want to use any more space for the magic number than >> necessary. Maybe one possible option could be to use a 32-bit >> magic number in the SYN handshake, to declare that for the >> rest of that connection option types 253 and 254 are used >> without magic number for feature X (or perhaps with a shorter >> magic number, to allow simultaneous experimental features). >> This could be useful when the option space is expected to get tight. > > Option space is particularly scarce in SYNs. Afterwards one could try to > piggyback a long option to an empty ACK instead. Thus, this only helps > if a rather long option must indeed be present in a data segment, right? > > Michael There could be multiple instances of option 253 or 254, and the only way to know they're distinct is the magic number. Otherwise, any shortcut you use could conflict with someone else's. So there's no shortcut here; as you note, this isn't helping the more critical location (SYNs) anyway. Joe
- [tcpm] Minimum nonce length in draft-touch-tcpm-e… SCHARF, Michael
- Re: [tcpm] Minimum nonce length in draft-touch-tc… Yoshifumi Nishida
- Re: [tcpm] Minimum nonce length in draft-touch-tc… Pasi Sarolahti
- Re: [tcpm] Minimum nonce length in draft-touch-tc… SCHARF, Michael
- Re: [tcpm] Minimum nonce length in draft-touch-tc… Joe Touch