Re: [tcpm] [OPSEC] draft-gont-tcp-security
Fernando Gont <fernando@gont.com.ar> Mon, 13 April 2009 21:02 UTC
Message-ID: <49E3A88F.9060301@gont.com.ar>
Date: Mon, 13 Apr 2009 18:03:11 -0300
From: Fernando Gont <fernando@gont.com.ar>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: "Smith, Donald" <Donald.Smith@qwest.com>
References: <C304DB494AC0C04C87C6A6E2FF5603DB221318F5E8@NDJSSCC01.ndc.nasa.gov> <49E36AB9.40507@isi.edu> <49E384E9.1050106@gont.com.ar> <49E3878C.9080200@isi.edu> <49E39119.1060902@gont.com.ar> <B01905DA0C7CDC478F42870679DF0F1004BC4176D0@qtdenexmbm24.AD.QINTRA.COM>
In-Reply-To: <B01905DA0C7CDC478F42870679DF0F1004BC4176D0@qtdenexmbm24.AD.QINTRA.COM>
X-Enigmail-Version: 0.95.7
OpenPGP: id=D076FFF1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "'tcpm@ietf.org'" <tcpm@ietf.org>, "'ietf@ietf.org'" <ietf@ietf.org>, 'Joe Touch' <touch@ISI.EDU>, 'Joe Abley' <jabley@ca.afilias.info>, "'opsec@ietf.org'" <opsec@ietf.org>
Subject: Re: [tcpm] [OPSEC] draft-gont-tcp-security
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
Smith, Donald wrote:
>>>> Please talk to vendors. I don't want to reproduce here what seems to
>>>> be the consensus among vendors with respect to the current
>>>> state of affairs in terms of how up-to-date our specs are.
>
> I talk to vendors a lot. I don't think there is a consensus on the
> "how up-to-date our specs are".

The consensus seems to be that the current state of affairs is something
like: "a mess". Even if you do care to produce a resilient implementation,
that task is going to be much harder than necessary. You don't know the
amount of cycles we spent in producing draft-gont-tcp-security.... let
alone the time it would take to move the advice into an actual
implementation.

> I can't even get a straight answer on how they addressed the
> icmp-blind resets or the tcp-blind resets from several years ago.
> There were several possible mitigations with some trade-offs on each
> of them. Yet finding out how your favorite vendor addressed those is
> likely to be difficult.

In many cases the lack of a straight answer may have to do with us being
unable to get to consensus and get something published in a timely
fashion. e.g., the last round on ICMP attacks against TCP was circa 2004.
At that point an I-D was published on the subject (now
draft-ietf-tcpm-icmp-attacks). Yet we're still nitpicking on it, when
everybody did something about it five years ago.

It becomes harder to get a straight answer when it's impossible for a
vendor to point to a counter-measure that is supposed to be the result of
a thorough review process, in a *timely* fashion.

I'm aware there's an effort in the vendor community to improve the
resiliency of TCP based on the document published by UK CPNI. Yet we're
still debating whether to ignore it or not.... maybe so that we can
publish an RFC in the future tagging those implementations as
non-compliant... or maybe to allow TCP vulnerabilities to be
"rediscovered" every few years.

Thanks!

Kind regards,
--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
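The two mitigations the thread refers to in passing (for ICMP-based blind attacks, the sequence-number check on the TCP header quoted inside the ICMP error, plus treating "hard" errors as soft errors on established connections, as described in draft-ietf-tcpm-icmp-attacks; for blind RSTs, the exact-RCV.NXT check with a challenge ACK for in-window RSTs from the tcpsecure work, later RFC 5961) are small enough to show in full. The following is an added illustration for this archive page, not code from the draft, from UK CPNI's document or from any vendor's stack. The connection state, the function names and the hand-built ICMP messages are constructed for the example; ICMP checksums are not verified here (the IP layer is assumed to have done that), and only the first 8 bytes of the quoted TCP header are used, which is all RFC 792 guarantees an ICMP error carries.

```python
"""Sequence-number validation of ICMP errors and RST segments against a TCP
connection.  Added example; models draft-ietf-tcpm-icmp-attacks (ICMP) and
the tcpsecure / RFC 5961 RST check.  All names and packets are constructed."""
import struct
from dataclasses import dataclass
from socket import inet_aton, inet_ntoa

MASK = 0xFFFFFFFF
IPPROTO_TCP = 6
ICMP_DEST_UNREACH = 3
# RFC 1122 4.2.3.9: Destination Unreachable codes 2-4 are "hard" errors.
HARD_ERROR_CODES = {2, 3, 4}


@dataclass
class TcpConn:
    """Minimal TCB: the fields these checks need (assumed layout)."""
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    snd_una: int   # oldest unacknowledged sequence number
    snd_nxt: int   # next sequence number to be sent
    rcv_nxt: int   # next sequence number expected from the peer
    rcv_wnd: int   # receive window we advertised
    state: str = "ESTABLISHED"


@dataclass
class EmbeddedTcp:
    icmp_type: int
    code: int
    proto: int
    src: str
    dst: str
    sport: int
    dport: int
    seq: int


def seq_in_range(seq: int, lo: int, hi: int) -> bool:
    """True iff lo <= seq < hi in 32-bit modular sequence space."""
    return ((seq - lo) & MASK) < ((hi - lo) & MASK)


def parse_icmp_error(pkt: bytes) -> EmbeddedTcp:
    """Pull the quoted IPv4 header and first 8 TCP bytes out of an ICMP error."""
    if len(pkt) < 8 + 20 + 8:
        raise ValueError("ICMP error too short to quote ports and SEQ")
    icmp_type, code = pkt[0], pkt[1]
    inner = pkt[8:]
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("quoted IP header truncated")
    proto = inner[9]
    src, dst = inet_ntoa(inner[12:16]), inet_ntoa(inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return EmbeddedTcp(icmp_type, code, proto, src, dst, sport, dport, seq)


def icmp_error_disposition(conn: TcpConn, pkt: bytes) -> str:
    """Decide what TCP should do with an ICMP error for this connection."""
    e = parse_icmp_error(pkt)
    if e.proto != IPPROTO_TCP:
        return "DROP:not-tcp"
    # The quoted packet is one we sent: its source is our end of the 4-tuple.
    if (e.src, e.sport, e.dst, e.dport) != (conn.local_addr, conn.local_port,
                                            conn.remote_addr, conn.remote_port):
        return "DROP:no-connection"
    # Core check: the quoted SEQ must belong to data we have in flight.
    # An off-path attacker has to guess it, as with blind RST/data injection.
    if not seq_in_range(e.seq, conn.snd_una, conn.snd_nxt):
        return "DROP:seq-out-of-window"
    if e.icmp_type == ICMP_DEST_UNREACH and e.code in HARD_ERROR_CODES:
        # Draft recommendation: once synchronized, do not abort on a hard
        # error; record it and let retransmission timers decide the fate.
        return "SOFT-ERROR" if conn.state == "ESTABLISHED" else "ABORT"
    return "SOFT-ERROR"


def rst_disposition(conn: TcpConn, seg_seq: int) -> str:
    """tcpsecure / RFC 5961 RST handling for a synchronized connection."""
    if seg_seq == conn.rcv_nxt:
        return "ACCEPT"
    if seq_in_range(seg_seq, conn.rcv_nxt, (conn.rcv_nxt + conn.rcv_wnd) & MASK):
        return "CHALLENGE-ACK"   # in window but not exact: ask the peer to prove it
    return "DROP"


def build_icmp_error(code: int, src: str, dst: str, sport: int, dport: int,
                     seq: int) -> bytes:
    """Constructed ICMP Destination Unreachable quoting an IPv4+TCP prefix."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64,
                           IPPROTO_TCP, 0, inet_aton(src), inet_aton(dst))
    inner_tcp8 = struct.pack("!HHI", sport, dport, seq)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + inner_ip + inner_tcp8
```

Run against a connection with SND.UNA=1000 and SND.NXT=1500, a port-unreachable quoting SEQ 1200 is downgraded to a soft error while the same message quoting SEQ 999 or 1500 is dropped; for RSTs, only SEQ equal to RCV.NXT is accepted outright, anything else inside the window draws a challenge ACK, and anything outside it is discarded. The `seq_in_range` helper is the piece most often got wrong in practice: both comparisons must be done modulo 2^32 or a window that wraps past zero rejects legitimate traffic.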