Re: [tcpm] tcp-auth-opt issue: support for NATs

"Adam Langley" <agl@imperialviolet.org> Thu, 07 August 2008 18:10 UTC

Message-ID: <396556a20808071110o5d45221fq4bea1ed4247f70ff@mail.gmail.com>
Date: Thu, 07 Aug 2008 11:10:38 -0700
From: Adam Langley <agl@imperialviolet.org>
To: Eric Rescorla <ekr@networkresonance.com>
In-Reply-To: <20080807180512.77604529E4D@kilo.rtfm.com>
References: <4890F4BE.6060302@isi.edu> <4890FBE8.1020203@isi.edu> <396556a20807311700w1eda50b0o5da7ae52e6c1691a@mail.gmail.com> <48935FFD.4090805@isi.edu> <396556a20808051826w1a839577q956f379f56db1165@mail.gmail.com> <20080806020257.D1C69525D8F@kilo.rtfm.com> <396556a20808061742y19f8f5fh78fe66bfe4d415be@mail.gmail.com> <20080807011812.DDC8050846@romeo.rtfm.com> <396556a20808071047q5bda8acbje7a8fc9f9bf2e597@mail.gmail.com> <20080807180512.77604529E4D@kilo.rtfm.com>
Cc: tcpm@ietf.org, Joe Touch <touch@isi.edu>
Subject: Re: [tcpm] tcp-auth-opt issue: support for NATs

On Thu, Aug 7, 2008 at 11:05 AM, Eric Rescorla <ekr@networkresonance.com> wrote:
> Because the side doing the passive open doesn't know which client
> is connecting and it may have multiple instances of the same key-id?
> I don't understand the purpose of the time. Just do trial verifications
> with each key.

I don't believe that there should be multiple instances of the same
keyid. This is for the situation where there is a shared key between
the server and all valid clients. If we wished, we could fix that to
be keyid 0, sign the packets and be done with it.

But since the SEQ/ACK space isn't that large, and a replayed SYN could
still be used to SYN flood a system, I sketched that system to rotate
the keys based on time to limit the scope of replays.


AGL

-- 
Adam Langley agl@imperialviolet.org http://www.imperialviolet.org
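A constructed illustration of the two ideas in this exchange (a single shared keyid whose key rotates with time, and a passive opener that trial-verifies against each currently live key), added here as example code; it is not part of the thread, of Adam's sketch, or of the tcp-auth-opt draft. The rotation interval, the per-slot key derivation, the fields covered by the MAC, and the 12-byte truncation are all assumptions made for the example:

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed parameters: a rotation interval and one long-term secret shared by
# the server and every valid client (the single keyid the message describes).
SLOT_SECONDS = 60
SHARED_KEY = b"example-shared-secret-not-a-real-key"


def slot_of(unix_time: int) -> int:
    """Map a wall-clock time to the key-rotation slot it falls in."""
    return unix_time // SLOT_SECONDS


def slot_key(master_key: bytes, slot: int) -> bytes:
    """Derive the per-slot key from the long-term secret.

    Constructed derivation (HMAC over the slot number); the draft's own
    traffic-key derivation is not modelled here.
    """
    return hmac.new(master_key, b"slot" + struct.pack(">Q", slot),
                    hashlib.sha256).digest()


def syn_mac(master_key: bytes, slot: int, src: bytes, dst: bytes, seq: int) -> bytes:
    """MAC over a constructed pseudo-header (addresses and initial SEQ) with the slot key.

    The covered fields and the 12-byte truncation are assumptions for
    illustration, not the option's actual coverage.
    """
    covered = struct.pack(">4s4sI", src, dst, seq)
    return hmac.new(slot_key(master_key, slot), covered, hashlib.sha256).digest()[:12]


def verify_syn(master_key: bytes, now: int, src: bytes, dst: bytes, seq: int,
               mac: bytes, skew_slots: int = 1) -> Optional[int]:
    """Trial-verify the SYN against every currently acceptable slot key.

    The passive opener does not know which slot the sender used, so it tries
    the current slot plus/minus skew_slots neighbours (tolerating clock skew):
    the "trial verification with each key" approach from the reply. Returns
    the matching slot, or None when the MAC matches no live key, which is how
    a SYN replayed from an expired slot is rejected.
    """
    current = slot_of(now)
    for slot in range(current - skew_slots, current + skew_slots + 1):
        if hmac.compare_digest(syn_mac(master_key, slot, src, dst, seq), mac):
            return slot
    return None


def replay_window_demo() -> dict:
    """Constructed walkthrough: a SYN signed at t=6000 (slot 100) is accepted
    shortly after, and rejected once the key has rotated past the skew window."""
    src, dst, seq = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 0x12345678
    signed_at = 6000
    mac = syn_mac(SHARED_KEY, slot_of(signed_at), src, dst, seq)
    return {
        "fresh":       verify_syn(SHARED_KEY, signed_at + 5,   src, dst, seq, mac),
        "next_slot":   verify_syn(SHARED_KEY, signed_at + 90,  src, dst, seq, mac),
        "late_replay": verify_syn(SHARED_KEY, signed_at + 300, src, dst, seq, mac),
        "wrong_seq":   verify_syn(SHARED_KEY, signed_at + 5,   src, dst, seq + 1, mac),
    }


if __name__ == "__main__":
    print(replay_window_demo())
```

With these assumed parameters a captured SYN stays verifiable for at most 2*skew_slots+1 slots (three minutes here), after which every trial verification fails. Within that window the replay still verifies, so rotation bounds the replay scope rather than removing it, which is the distinction the message draws; the verifier's cost is one HMAC per candidate key, small as long as the skew tolerance stays small.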
_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm