Re: [tcpm] tcp-auth-opt issue: support for NATs

Joe Touch <touch@ISI.EDU> Wed, 30 July 2008 23:41 UTC

Return-Path: <>
Received: from [] (localhost []) by (Postfix) with ESMTP id 361FB3A6A46; Wed, 30 Jul 2008 16:41:32 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0A3573A6A46 for <>; Wed, 30 Jul 2008 16:41:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NI97vD8e82TP for <>; Wed, 30 Jul 2008 16:41:30 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 077453A69FD for <>; Wed, 30 Jul 2008 16:41:30 -0700 (PDT)
Received: from [] ( []) by (8.13.8/8.13.8) with ESMTP id m6UNex8g003062 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 30 Jul 2008 16:41:02 -0700 (PDT)
Message-ID: <>
Date: Wed, 30 Jul 2008 16:40:24 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird (Windows/20080708)
MIME-Version: 1.0
To: Adam Langley <>
References: <> <>
In-Reply-To: <>
X-Enigmail-Version: 0.95.6
X-ISI-4-43-8-MailScanner: Found to be clean
Subject: Re: [tcpm] tcp-auth-opt issue: support for NATs
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"

Hash: SHA1

Adam Langley wrote:
| On Wed, Jul 30, 2008 at 4:09 PM, Joe Touch <> wrote:
|> Should the document:
|> a) require the socket pair info always be included in the MAC, i.e., be
|> protected
|> b) allow a TSAD entry to indicate that the socket pair is excluded from
|> the MAC?
|> Finally, does (b) help, given the current keying requirements?
| My assumption was that the TSAD could return the same keyset for all
| addresses and source ports going to a given destination/port pair. As
| an example, a listening socket could be configured such that one could
| only connect to it if one knew a key. (Standard proviso's here: the AO
| key itself should be a time rotating, secure derived key from the
| master secret). If one didn't have the key, not even a SYNACK would be
| sent in reply. Once a connection has been established, then the keys
| for that connection's 4-tuple can change independent of the wildcard
| keys.
| If that's a use case that the spec wishes to support, then having an
| option to exclude the pseudo-header and TCP port numbers from MAC
| protection would allow these connections to traverse NATs.

The current TSAD supports only a wildcard source port, which is
instantiated for the first connection received that matches. It expects
that the KMS installs additional keys as needed.

The above appears to require that the KMS deploy the same key for all
potentially overlapping NAT'd connections. This adds a requirement to
the KMS, but suggests that the pseudoheader is included or excluded for
all connections to a host from a given IP address. Is that what is
intended, or can you clarify? If that is what is intended, how can the
KMS enforce this?

Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla -

tcpm mailing list