Re: [tcpm] Q&C regarding tcpsecure-09 recommendations
Joe Touch <touch@ISI.EDU> Tue, 03 June 2008 03:20 UTC
Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 520563A6AC8; Mon, 2 Jun 2008 20:20:28 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3298B3A6A33 for <tcpm@core3.amsl.com>; Mon, 2 Jun 2008 20:20:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nAYquMvhXAQe for <tcpm@core3.amsl.com>; Mon, 2 Jun 2008 20:20:25 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 02E7C3A6B63 for <tcpm@ietf.org>; Mon, 2 Jun 2008 20:18:23 -0700 (PDT)
Received: from [127.0.0.1] (pool-71-106-109-69.lsanca.dsl-w.verizon.net [71.106.109.69]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id m533IEgO007547 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 2 Jun 2008 20:18:16 -0700 (PDT)
Message-ID: <4844B7F5.9030800@isi.edu>
Date: Mon, 02 Jun 2008 20:18:13 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.14 (Windows/20080421)
MIME-Version: 1.0
To: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
References: <48432005.2070201@freebsd.org> <48449321.5000609@isi.edu> <0C53DCFB700D144284A584F54711EC5805449498@xmb-sjc-21c.amer.cisco.com>
In-Reply-To: <0C53DCFB700D144284A584F54711EC5805449498@xmb-sjc-21c.amer.cisco.com>
X-Enigmail-Version: 0.95.6
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tcpm@ietf.org
Subject: Re: [tcpm] Q&C regarding tcpsecure-09 recommendations
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============2057998244=="
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org
Anantha Ramaiah (ananth) wrote: ... >> - with source port randomization, the mitigations are not needed >> (port randomization provides a 2^15 strength amplification), >> even presuming source IP addresses are known > > Source port randomization is one way of adding robustness and does not > every situation. Also you can't assume everyone is doing src port > randomization. No, you cannot. The responsibility for protecting the session then falls to the side that initiates it (fair territory, IMO), rather than the side that receives the RST (which is arbitrary). > Even then having these mitigations would make the attacks > described in the document harder to accomplish. Agreed that it makes the attacks still harder, but if they're already hard enough, then the mitigations aren't needed. >> - if source IP addresses are not known, the mitigations are not >> needed > > I think this is very obvious in the document. Right from the intro which > talks about the attack vectors, and what is needed to accomplish the > attack. > >> - the mitigations may increase the time needed to respond to >> a legitimate RST, incurring extra RTTs or retransmissions >> vs. an unmodified system > > Yes, this is obvious too due to the challenge ACK being sent. > >> - the mitigations are not a substitute for network or >> transport authentication, either of which obviate the need >> for the mitigations (yes, this is noted in the security >> considerations, but it's buried w.r.t. applicability) > > Oh, the way I read the draft the above fact is mentioned all over the > draft.. I can point out all the places if you want, but we have been > thru this before and I have incorporated the feedback received from you > but I am surprised that you are bringing this one up now. I noted below why I am raising it now (the FreeBSD note). >> - the mitigations protect only off-path attacks; on-path >> attacks, such as ISPs shutting connections down deliberately, >> are not prevented by this mitigation (yes, also noted >> in security considerations, but again worth noting in >> applicability, and worth adding the ISP example, IMO) > > Well, I would think that we generally don't want to repeat the same text > all over the document again and again, but if the work group believes in > this redundancy as you semm to do, I am more than willing to add it. I don't think it's huge; it is just a summary of - as you note - information noted elsewhere. Joe
_______________________________________________ tcpm mailing list tcpm@ietf.org https://www.ietf.org/mailman/listinfo/tcpm
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Anantha Ramaiah (ananth)
- [tcpm] Q&C regarding tcpsecure-09 recommendations Andre Oppermann
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Joe Touch
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Anantha Ramaiah (ananth)
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Joe Touch
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Lars Eggert
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Andre Oppermann
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Joe Touch
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Andre Oppermann
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Joe Touch
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Joe Touch
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Andre Oppermann
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Andre Oppermann
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Joe Touch
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Joe Touch
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Anantha Ramaiah (ananth)