IETF Logo Mail Archive

Re: [tcpm] [Technical Errata Reported] RFC5925 (7135)

"touch@strayalpha.com" <touch@strayalpha.com> Mon, 19 September 2022 14:48 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69746C14F723 for <tcpm@ietfa.amsl.com>; Mon, 19 Sep 2022 07:48:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.325
X-Spam-Level:
X-Spam-Status: No, score=-1.325 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RtHVD8wuM7jg for <tcpm@ietfa.amsl.com>; Mon, 19 Sep 2022 07:47:58 -0700 (PDT)
Received: from server217-2.web-hosting.com (server217-2.web-hosting.com [198.54.115.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C62FC1524C2 for <tcpm@ietf.org>; Mon, 19 Sep 2022 07:47:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=bzj36UvrCeDxr3dH/e07sqlKY+ofCE3eiTGltEj0Sec=; b=vcqmk/RQ481om8+mNt1ch35miQ H1tXSByk0NEhP+0D/bedkCp5AHbTxiMcQb3B2K6/qqONYS/l0TFwXpajQ11plCZkXQy9q3HH4Us3t yALS4bVmbeHhO8SMOql6NktgwYiUU9AYHZyt4m0GY9ulv4HWg5gTllMdANibP8SvBC2Js3XhNEA+n ih5yHxaJeaD9/Pcx1T5LITnuhm/MTfPX/nwqQCUoNan0+IyyC7f/71WNn9sqMXClISMVA0tEP5Kmj hk8WDALq4dpE3c6rHyrUMCLFFjTEUNxzMJdsN0vixkqtKgtat2cHCOSnhDLjl1LZCnBHEBbqOhAlP 600zCfBA==;
Received: from cpe-172-114-237-88.socal.res.rr.com ([172.114.237.88]:61137 helo=smtpclient.apple) by server217.web-hosting.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from <touch@strayalpha.com>) id 1oaI31-00G8vR-Ls; Mon, 19 Sep 2022 10:47:05 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_439B469C-0C50-4E1C-BA86-043092207DE7"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: "touch@strayalpha.com" <touch@strayalpha.com>
In-Reply-To: <DS7PR84MB30619F7CDA62FE31826DA5BEF74A9@DS7PR84MB3061.NAMPRD84.PROD.OUTLOOK.COM>
Date: Mon, 19 Sep 2022 07:46:55 -0700
Cc: RFC Errata System <rfc-editor@rfc-editor.org>, Allison Mankin <mankin@psg.com>, Ron Bonica <rbonica@juniper.net>, Martin Duke <martin.h.duke@gmail.com>, Zaheduzzaman Sarker <Zaheduzzaman.Sarker@ericsson.com>, Yoshifumi Nishida <nsd.ietf@gmail.com>, Michael Tuexen <tuexen@fh-muenster.de>, "ianswett@google.com" <ianswett@google.com>, "tcpm@ietf.org" <tcpm@ietf.org>
Message-Id: <0F10A456-7CF5-4817-9E0F-C90F24B38E22@strayalpha.com>
References: <20220916083132.1A971AB20C@rfcpa.amsl.com> <7EC1AAE9-D8A1-492A-936B-FDD503EEE6B0@strayalpha.com> <DS7PR84MB306111FCED3D5EA480D803E3F74A9@DS7PR84MB3061.NAMPRD84.PROD.OUTLOOK.COM> <36306D78-2224-42AA-A522-360DAC7867DF@strayalpha.com> <DS7PR84MB30619F7CDA62FE31826DA5BEF74A9@DS7PR84MB3061.NAMPRD84.PROD.OUTLOOK.COM>
To: "Natarajan, Venkatesh (HP-Networking)" <venkatesh.natarajan@hpe.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/8Z8MV3OwuALKv6Q_KivKGKqzzSg>
X-Mailman-Approved-At: Mon, 19 Sep 2022 11:33:34 -0700
Subject: Re: [tcpm] [Technical Errata Reported] RFC5925 (7135)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Sep 2022 14:48:02 -0000

Hi, Venkatesh,

TCP-AO knows whether to protect a connection at all by the presence of a match MKT. That’s what the existing text explains. It says nothing about the key check.

In a protected connection, TCP-AO knows what to do based on whether the key matches. If an MKT matches but the key fails, the segment will be dropped and the connection won’t be established. That’s already explained elsewhere in the doc.

In case 3 below, the MKT check will accept the segment but the key check will fail in later steps of the processing.

In case 4 below, which side accepts the connection is explained by the existing text. 

In the first sentence, the added  “not matching an MKT” text is not needed because is that is already what happens when no MKT is available (a match cannot occur to an item that doesn’t exist). That doesn’t need over explanation.

The sentence added is incorrect: “In this mode of operation, both the endpoints will not perform TCP-AO validation.”  Each endpoint makes this decision only for incoming connection establishment; return packets of connections they initiate with TCP-AO will fail (due to lack of TCP-AO). There is no clarification of this point needed.

Joe
—
Dr. Joe Touch, temporal epistemologist
www.strayalpha.com

> On Sep 19, 2022, at 5:40 AM, Natarajan, Venkatesh (HP-Networking) <venkatesh.natarajan@hpe.com> wrote:
> 
> Hi Joe,
>  
> Sorry I am still not following. I think there is a condition that is missed. I have captured the permutation/combination in a table  where both Peer-1 and Peer-2 are TCP-AO capable and implemented in s/w.
>  
> +-----+-------------------------+-------------------------+--------------------------------+--------------------------------------+
> |     | Peer-1                  | Peer-2                  | Expected Behavior              | Comments                             |
> +=====+=========================+=========================+================================+======================================+
> |     |                         |                         |                                |                                      |
> | 1   | No-TCP-AO configured    | No TCP-AO Configured    | Vanilla TCP Session            | No TCP-AO but connection establishes |
> +-----+-------------------------+-------------------------+--------------------------------+--------------------------------------+
> |     | TCP-AO Configured with  | TCP-AO Configured with  | TCP-AO session                 | TCP-AO and connection establishes.   |
> | 2   | Key1                    | Key1                    |                                |                                      |
> +-----+-------------------------+-------------------------+--------------------------------+--------------------------------------+
> |     | TCP-AO configured with  | TCP-AO configured with  | Peer-2 will accept connection  | The segments will be accepted by     |
> |     | valid Key-1             | valid Key-2             | from Peer-1 by default for     | default even if there is a mismatch  |
> |     | (send-id=recv-id=1)     | (send-id=recv-id=2)     | mis-match of key               | on both-ends.                        |
> |     |                         |                         |                                | Agreed, if the default behaviour at  |
> |     |                         |                         | Peer-1 will accept connection  | either peer is changed, the          |
> |     |                         |                         | from Peer-1 by default for     | connection will not be established.  |
> |     |                         |                         | mismatch of key.               |                                      |
> | 3   |                         |                         |                                | RFC does explain this point.         |
> +-----+-------------------------+-------------------------+--------------------------------+--------------------------------------+
> |     | TCP-AO configured with  | No TCP-AO configured    | Peer-2 will accept segments    | The point I have made is for this    |
> |     | a valid Key-1           |                         | if it ignores TCP-AO option.   | condition                            |
> |     |                         |                         | Peer-1 will reject segments    |                                      |
> | 4   |                         |                         | from Peer-2 (No TCP-AO option) |                                      |
> +-----+-------------------------+-------------------------+--------------------------------+--------------------------------------+
>  
>  
> If (3) is allowed why not (4). They both have similar  security exposure if not the same.
>  
> -Venkatesh
>  
> From: touch@strayalpha.com <mailto:touch@strayalpha.com> <touch@strayalpha.com <mailto:touch@strayalpha.com>>
> Date: Sunday, 18 September 2022 at 11:23 PM
> To: Natarajan, Venkatesh (HP-Networking) <venkatesh.natarajan@hpe.com <mailto:venkatesh.natarajan@hpe.com>>
> Cc: RFC Errata System <rfc-editor@rfc-editor.org <mailto:rfc-editor@rfc-editor.org>>, Allison Mankin <mankin@psg.com <mailto:mankin@psg.com>>, Ron Bonica <rbonica@juniper.net <mailto:rbonica@juniper.net>>, Martin Duke <martin.h.duke@gmail.com <mailto:martin.h.duke@gmail.com>>, Zaheduzzaman Sarker <Zaheduzzaman.Sarker@ericsson.com <mailto:Zaheduzzaman.Sarker@ericsson.com>>, Yoshifumi Nishida <nsd.ietf@gmail.com <mailto:nsd.ietf@gmail.com>>, Michael Tuexen <tuexen@fh-muenster.de <mailto:tuexen@fh-muenster.de>>, ianswett@google.com <mailto:ianswett@google.com> <ianswett@google.com <mailto:ianswett@google.com>>, tcpm@ietf.org <mailto:tcpm@ietf.org> <tcpm@ietf.org <mailto:tcpm@ietf.org>>
> Subject: Re: [tcpm] [Technical Errata Reported] RFC5925 (7135)
> 
> Hi, Venkatesh,
>  
> TCP-AO is designed so that it requires a MKT to operate - even to discard traffic that lacks TCP-AO headers. 
>  
> That means that TCP’s behavior doesn’t change UNLESS there’s an MKT. So anything that matches no MKT is allowed, by default - even if TCP-AO is in the header.
>  
> That’s intentional - it’s “opt-in” on both sides. Let’s look at the 4 cases, where “client” implies the party initiation the connection. Assume both sides implement TCP-AO:
> - client and server do not have MKTs at all
> neither side will match their MKTs, TCP-AO is not used and the connection proceeds as usual
> - client has an MKT that matches, but not the server
> Client sends TCP-AO, but server doesn’t check and sends a SYN-ACK without TCP-AO
> Client will now discard any returning packets because they won’t have TCP-AO
> The connection will fail
> - client lacks an MKT but server has an MKT that matches
> Client sends without TCP-AO, but SYN matches an MKT
> Server will drop the SYN because it matches an MKT but fails the TCP-AO check (it has to - it has no TCP-AO option)
> connection will fail
> - both sides have MTS that match
> everything works
>  
> So we don’t need to change the text to handle the case where the endpoints differ in whether they want to use TCP-AO on a connection.
>  
> The “default accept” is per side, but the total effect is “default deny unless both sides use it and have the right keys”.
>  
> Joe
>  
> —
> Dr. Joe Touch, temporal epistemologist
> www.strayalpha.com <http://www.strayalpha.com/>
> 
> 
> On Sep 18, 2022, at 5:31 AM, Natarajan, Venkatesh (HP-Networking) <venkatesh.natarajan@hpe.com <mailto:venkatesh.natarajan@hpe.com>> wrote:
>  
> Hi Joe,
>  
> Thank you for reviewing the Errata submission.
>  
> The whole point of having a default-accept for a MKT mismatch is to allow a mismatch-key-TCP-AO connection establishment even if the TCP-AO was the intended use.  If only one endpoint between the two is configured for TCP-AO , then also it is the same condition where there is no authentication. I do not understand the differentiation that is being brought out by the 7.3 section in the RFC for allowing a mismatch-key tcp-ao and when the tcp-ao option itself is not present. How is one different from the other in term of security. Both are offering unsecured/unprotected connection.
>  
> What do you think is the reason for a unsecure connection be allowed by default?  I can reason to some extent that such a behavior be implemented iff there is a transition period for  Non-TCP-AO to TCP-AO and say the server has migrated to TCP-AO but some of the clients are yet to be upgraded/migrated to use TCP-AO. Its in this mode that the acceptance of a connection from a non-tcp-ao client (segment having no-tcp-oa option) even makes sense.
>  
> -Venkatesh
>  
> From: touch@strayalpha.com <mailto:touch@strayalpha.com> <touch@strayalpha.com <mailto:touch@strayalpha.com>>
> Date: Sunday, 18 September 2022 at 5:33 AM
> To: RFC Errata System <rfc-editor@rfc-editor.org <mailto:rfc-editor@rfc-editor.org>>
> Cc: Dr. Joe Touch <touch@isi.edu <mailto:touch@isi.edu>>, Allison Mankin <mankin@psg.com <mailto:mankin@psg.com>>, Ron Bonica <rbonica@juniper.net <mailto:rbonica@juniper.net>>, Martin Duke <martin.h.duke@gmail.com <mailto:martin.h.duke@gmail.com>>, Zaheduzzaman Sarker <Zaheduzzaman.Sarker@ericsson.com <mailto:Zaheduzzaman.Sarker@ericsson.com>>, Yoshifumi Nishida <nsd.ietf@gmail.com <mailto:nsd.ietf@gmail.com>>, Michael Tuexen <tuexen@fh-muenster.de <mailto:tuexen@fh-muenster.de>>, ianswett@google.com <mailto:ianswett@google.com> <ianswett@google.com <mailto:ianswett@google.com>>, Natarajan, Venkatesh (HP-Networking) <venkatesh.natarajan@hpe.com <mailto:venkatesh.natarajan@hpe.com>>, tcpm@ietf.org <mailto:tcpm@ietf.org> <tcpm@ietf.org <mailto:tcpm@ietf.org>>
> Subject: Re: [tcpm] [Technical Errata Reported] RFC5925 (7135)
> 
> Hi, all,
>  
> I disagree with this errata.
>  
> The decision is based on whether the segments match an MKT. If TCP-AO is required, an MKT would have been configured; packets with the option would match the MKT and proceed. Packets without the option would not match the MKT - because an MKT requires info in the option.
>  
> Recommend reject.
>  
> Joe
>  
> —
> Dr. Joe Touch, temporal epistemologist
> www.strayalpha.com <http://www.strayalpha.com/>
> 
> 
> 
> On Sep 16, 2022, at 1:31 AM, RFC Errata System <rfc-editor@rfc-editor.org <mailto:rfc-editor@rfc-editor.org>> wrote:
>  
> The following errata report has been submitted for RFC5925,
> "The TCP Authentication Option".
> 
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid7135 <https://www.rfc-editor.org/errata/eid7135>
> 
> --------------------------------------
> Type: Technical
> Reported by: Venkatesh Natarajan <venkatesh.natarajan@hpe.com <mailto:venkatesh.natarajan@hpe.com>>
> 
> Section: 7.3
> 
> Original Text
> -------------
> 
> 
> A TCP-AO implementation MUST allow for configuration of the
>   behavior of segments with TCP-AO but that do not match an MKT.  The
>   initial default of this configuration SHOULD be to silently accept
>   such connections.  If this is not the desired case, an MKT can be
>   included to match such connections, or the connection can indicate
>   that TCP-AO is required.  Alternately, the configuration can be
>   changed to discard segments with the AO option not matching an MKT.
> 
> Corrected Text
> --------------
> 
> 
> A TCP-AO implementation MUST allow for configuration of the
>   behavior of segments with TCP-AO but that do not match any MKT or 
>   no MKT is available. The initial default of this configuration 
>   SHOULD be to silently accept such connections. In this mode of 
>   operation, both the endpoints will not perform TCP-AO validation.
>   If this is not the desired case, an MKT can be included to match such 
>   connections, or the connection can indicate that TCP-AO is required. 
>   Alternately, the configuration can be changed to discard segments
>   with the AO option not matching an MKT.
> 
> Notes
> -----
> The RFC does not clearly draw out the distinction between treatment of segments with TCP-AO and without TCP-AO option.
> Note that in the case of MKT mismatch as per existing RFC text, if either endpoint does TCP-AO validation, the session would not get established.
> 
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party  
> can log in to change the status and edit the report, if necessary. 
> 
> --------------------------------------
> RFC5925 (draft-ietf-tcpm-tcp-auth-opt-11)
> --------------------------------------
> Title               : The TCP Authentication Option
> Publication Date    : June 2010
> Author(s)           : J. Touch, A. Mankin, R. Bonica
> Category            : PROPOSED STANDARD
> Source              : TCP Maintenance and Minor Extensions
> Area                : Transport
> Stream              : IETF
> Verifying Party     : IESG
> 
> _______________________________________________
> tcpm mailing list
> tcpm@ietf.org <mailto:tcpm@ietf.org>
> https://www.ietf.org/mailman/listinfo/tcpm <https://www.ietf.org/mailman/listinfo/tcpm>

v2.23.0 | Report a Bug | By Email