Re: [tcpm] TCP-AO review comments.
Joe Touch <touch@ISI.EDU> Mon, 11 August 2008 01:50 UTC
Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 492C83A6B28; Sun, 10 Aug 2008 18:50:19 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E51A73A6B22 for <tcpm@core3.amsl.com>; Sun, 10 Aug 2008 18:50:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id utv7PIcaapbi for <tcpm@core3.amsl.com>; Sun, 10 Aug 2008 18:50:16 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id D542A3A6B16 for <tcpm@ietf.org>; Sun, 10 Aug 2008 18:50:16 -0700 (PDT)
Received: from [75.211.31.157] (157.sub-75-211-31.myvzw.com [75.211.31.157]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id m7B1nn4S019516 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sun, 10 Aug 2008 18:49:56 -0700 (PDT)
Message-ID: <489F9A94.9080205@isi.edu>
Date: Sun, 10 Aug 2008 18:49:08 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.16 (Windows/20080708)
MIME-Version: 1.0
To: Stefanos Harhalakis <v13@v13.gr>
References: <0C53DCFB700D144284A584F54711EC58058C2FD4@xmb-sjc-21c.amer.cisco.com> <200808101237.46574.v13@v13.gr> <489ECCD2.9010608@isi.edu> <200808101507.35830.v13@v13.gr>
In-Reply-To: <200808101507.35830.v13@v13.gr>
X-Enigmail-Version: 0.95.6
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tcpm@ietf.org, "Anantha Ramaiah (ananth)" <ananth@cisco.com>
Subject: Re: [tcpm] TCP-AO review comments.
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 <indiv hat on> Stefanos Harhalakis wrote: | On Sunday 10 August 2008, Joe Touch wrote: |> Stefanos Harhalakis wrote: |> | Also, is there any good in including a (1-byte - or smaller with some |> | unused |> | bits) version field in TCP-AO? This will help similar future |> | extensions/replacements and will also allow for easier authentication |> | option |> | handshaking by falling back to the highest commonly supported method. |> |> <indiv hat on> |> Options don't typically have version numbers; they're implicit in the |> option KIND itself. IMO, that's why TCP-AO is requesting a new KIND value. | | Agreed, but since this is a 'group of options' that exclude each other, a kind | of initial handshake is inevitable. Handshakes in this case aren't meaningful. | As far as I see it, even with just | TCP-MD5 and TCP-AO there is an initial handshake problem for deciding which | one of them both ends support (no?). Once a packet contains a TCP MD5 header, it MUST be authenticated using that option, regardless of other options - thus it is irrelevant to have alternative options present. That rule basically prevents negotiation of the TCP MD5 option, or 'escalating' it into TCP-AO. | Practically this makes the transition | from MD5 to AO a hard issue. TCP MD5 made this impossible. TCP-AO permits 'optional' use, i.e., that the option can be present or ignored on an individual connection, which may enable future negotiation among a variety of authentication alternatives. ... | Of course a new KIND is required for TCP-AO but I believe that this should be | the last one for the "series" of TCP authentication options. TCP-AO is intended to be sufficiently general - e.g., by the use of a MAC field which is defined on a per connection basis - that future updates should not be needed for a long time. That said, there are plenty of KIND values left if we consume one every 10 years for this purpose... | In fact, this | may not be considered as a different 'KIND' of options, unless the SYN-senter | negotiations all authentication options and the SYN-receiver selects the best | that it supports. Since this isn't possible with limited TCP options space | and SYN-cookies issues, something different is required (versioning). | | Do you see another (better) long-term solution? Overall, since they keys and parameters need to be configured on a per-endpoint-pair basis anyway, IMO this sort of handshake ought to occur in the KMS, not in TCP. TCP's SYN option space is insufficient to contain multiple authentication fields, AFAICT, in addition to the other fields currently commonly in use. Joe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkifmoIACgkQE5f5cImnZrsH2gCg0tmFJkBO7pkeFJsjvXctAwrD eAYAniIRWYRX8S30PghaBIn40GGV2K5z =Z5Ky -----END PGP SIGNATURE----- _______________________________________________ tcpm mailing list tcpm@ietf.org https://www.ietf.org/mailman/listinfo/tcpm
- Re: [tcpm] TCP-AO review comments. Joe Touch
- [tcpm] TCP-AO review comments. Anantha Ramaiah (ananth)
- Re: [tcpm] TCP-AO review comments. Joe Touch
- Re: [tcpm] TCP-AO review comments. Anantha Ramaiah (ananth)
- Re: [tcpm] TCP-AO review comments. Joe Touch
- Re: [tcpm] TCP-AO review comments. Eddy, Wesley M. (GRC-RCN0)[VZ]
- Re: [tcpm] TCP-AO review comments. Adam Langley
- Re: [tcpm] TCP-AO review comments. Chandrashekhar Appanna
- Re: [tcpm] TCP-AO review comments. Lars Eggert
- Re: [tcpm] TCP-AO review comments. Caitlin Bestler
- Re: [tcpm] TCP-AO review comments. Eric Rescorla
- Re: [tcpm] TCP-AO review comments. Joe Touch
- Re: [tcpm] TCP-AO review comments. Ron Bonica
- Re: [tcpm] TCP-AO review comments. Stefanos Harhalakis
- Re: [tcpm] TCP-AO review comments. Joe Touch
- Re: [tcpm] TCP-AO review comments. Joe Touch
- Re: [tcpm] TCP-AO review comments. Stefanos Harhalakis
- Re: [tcpm] TCP-AO review comments. Joe Touch
- Re: [tcpm] TCP-AO review comments. Stefanos Harhalakis