Re: [tcpm] tcp-auth-opt issue: support for NATs
Joe Touch <touch@ISI.EDU> Wed, 30 July 2008 23:41 UTC
Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 361FB3A6A46; Wed, 30 Jul 2008 16:41:32 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0A3573A6A46 for <tcpm@core3.amsl.com>; Wed, 30 Jul 2008 16:41:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NI97vD8e82TP for <tcpm@core3.amsl.com>; Wed, 30 Jul 2008 16:41:30 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 077453A69FD for <tcpm@ietf.org>; Wed, 30 Jul 2008 16:41:30 -0700 (PDT)
Received: from [128.9.176.37] (c1-vpn7.isi.edu [128.9.176.37]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id m6UNex8g003062 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 30 Jul 2008 16:41:02 -0700 (PDT)
Message-ID: <4890FBE8.1020203@isi.edu>
Date: Wed, 30 Jul 2008 16:40:24 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.16 (Windows/20080708)
MIME-Version: 1.0
To: Adam Langley <agl@imperialviolet.org>
References: <4890F4BE.6060302@isi.edu> <396556a20807301622l4cb33deuff73cd13d7a75ba1@mail.gmail.com>
In-Reply-To: <396556a20807301622l4cb33deuff73cd13d7a75ba1@mail.gmail.com>
X-Enigmail-Version: 0.95.6
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tcpm@ietf.org
Subject: Re: [tcpm] tcp-auth-opt issue: support for NATs
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Adam Langley wrote: | On Wed, Jul 30, 2008 at 4:09 PM, Joe Touch <touch@isi.edu> wrote: |> Should the document: |> |> a) require the socket pair info always be included in the MAC, i.e., be |> protected |> |> b) allow a TSAD entry to indicate that the socket pair is excluded from |> the MAC? |> |> Finally, does (b) help, given the current keying requirements? | | My assumption was that the TSAD could return the same keyset for all | addresses and source ports going to a given destination/port pair. As | an example, a listening socket could be configured such that one could | only connect to it if one knew a key. (Standard proviso's here: the AO | key itself should be a time rotating, secure derived key from the | master secret). If one didn't have the key, not even a SYNACK would be | sent in reply. Once a connection has been established, then the keys | for that connection's 4-tuple can change independent of the wildcard | keys. | | If that's a use case that the spec wishes to support, then having an | option to exclude the pseudo-header and TCP port numbers from MAC | protection would allow these connections to traverse NATs. The current TSAD supports only a wildcard source port, which is instantiated for the first connection received that matches. It expects that the KMS installs additional keys as needed. The above appears to require that the KMS deploy the same key for all potentially overlapping NAT'd connections. This adds a requirement to the KMS, but suggests that the pseudoheader is included or excluded for all connections to a host from a given IP address. Is that what is intended, or can you clarify? If that is what is intended, how can the KMS enforce this? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkiQ++gACgkQE5f5cImnZrseZACfSvxBHZt/PXSWLlvL7n06N77n d7gAoO7h9NByaqSzUKewHlXV6io7OsaL =dov+ -----END PGP SIGNATURE----- _______________________________________________ tcpm mailing list tcpm@ietf.org https://www.ietf.org/mailman/listinfo/tcpm
- [tcpm] tcp-auth-opt issue: support for NATs Joe Touch
- Re: [tcpm] tcp-auth-opt issue: support for NATs Adam Langley
- Re: [tcpm] tcp-auth-opt issue: support for NATs Joe Touch
- Re: [tcpm] tcp-auth-opt issue: support for NATs Adam Langley
- Re: [tcpm] tcp-auth-opt issue: support for NATs Joe Touch
- Re: [tcpm] tcp-auth-opt issue: support for NATs Adam Langley
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Adam Langley
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Adam Langley
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Adam Langley
- Re: [tcpm] tcp-auth-opt issue: support for NATs Joe Touch
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Joe Touch
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Joe Touch
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Joe Touch
- Re: [tcpm] tcp-auth-opt issue: support for NATs Adam Langley
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Anantha Ramaiah (ananth)
- Re: [tcpm] tcp-auth-opt issue: support for NATs Dan Wing
- Re: [tcpm] tcp-auth-opt issue: support for NATs Dan Wing
- Re: [tcpm] tcp-auth-opt issue: support for NATs Ron Bonica
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Dan Wing
- Re: [tcpm] tcp-auth-opt issue: support for NATs Ted Faber
- Re: [tcpm] tcp-auth-opt issue: support for NATs Dan Wing
- Re: [tcpm] tcp-auth-opt issue: support for NATs Joe Touch