Re: [tcpm] [OPSEC] draft-gont-tcp-security

Fernando Gont <fernando@gont.com.ar> Mon, 13 April 2009 21:02 UTC

Sender: Fernando Gont <fernando.gont.netbook.win@gmail.com>
Message-ID: <49E3A88F.9060301@gont.com.ar>
Date: Mon, 13 Apr 2009 18:03:11 -0300
From: Fernando Gont <fernando@gont.com.ar>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: "Smith, Donald" <Donald.Smith@qwest.com>
References: <C304DB494AC0C04C87C6A6E2FF5603DB221318F5E8@NDJSSCC01.ndc.nasa.gov> <49E36AB9.40507@isi.edu> <49E384E9.1050106@gont.com.ar> <49E3878C.9080200@isi.edu> <49E39119.1060902@gont.com.ar> <B01905DA0C7CDC478F42870679DF0F1004BC4176D0@qtdenexmbm24.AD.QINTRA.COM>
In-Reply-To: <B01905DA0C7CDC478F42870679DF0F1004BC4176D0@qtdenexmbm24.AD.QINTRA.COM>
X-Enigmail-Version: 0.95.7
OpenPGP: id=D076FFF1
Cc: "'tcpm@ietf.org'" <tcpm@ietf.org>, "'ietf@ietf.org'" <ietf@ietf.org>, 'Joe Touch' <touch@ISI.EDU>, 'Joe Abley' <jabley@ca.afilias.info>, "'opsec@ietf.org'" <opsec@ietf.org>
Subject: Re: [tcpm] [OPSEC] draft-gont-tcp-security

Smith, Donald wrote:

>>>> Please talk to vendors. I don't want to reproduce here
>> what seems to
>>>> be the consensus among vendors with respect to the current
>>>> state of affairs in terms of how up-to-date our specs are.
> I talk to vendors a lot. I don't think there is a consensus on the
> "how up-to-date our specs are".

The consensus seems to be that the current state of affairs is something
like: "a mess". Even if you do care to produce a resilient
implementation, that task is going to be much harder than necessary. You
don't know the amount of cycles we spent in producing
draft-gont-tcp-security.... let alone the time it would take to move the
advice into an actual implementation.
> I can't even get a straight answer on how they addressed the
> icmp-blind resets or the tcp-blind resets from several years ago.
> There were several possible mitigations with some trade offs on each
> of them. Yet finding out how your favorite vendor addressed those is
> likely to be difficult.

In many cases the lack of a straight answer may have to do with us being
unable to reach consensus and get something published in a timely
fashion. e.g., the last round on ICMP attacks against TCP was circa
2004. At that point an I-D was published on the subject (now
draft-ietf-tcpm-icmp-attacks). Yet we're still nitpicking on it, when
everybody did something about it five years ago.

It becomes harder to get a straight answer when it's impossible for a
vendor to point to a counter-measure that is supposed to be the result
of a thorough review process, in a *timely* fashion.

I'm aware there's an effort in the vendor community to improve the
resiliency of TCP based on the document published by UK CPNI. Yet we're
still debating whether to ignore it or not.... maybe so that we can
publish an RFC in the future tagging those implementations as
non-compliant... or maybe to allow TCP vulnerabilities to be
"rediscovered" every few years.

Thanks!

Kind regards,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1