Re: [tcpm] tcp-security: More feedback requested for the document outline

Joe Touch <touch@ISI.EDU> Wed, 09 September 2009 06:18 UTC

Fernando Gont wrote:
> Folks,
> The original deadline for commenting on the document outline is over.
> These are the comments so far:
> * Joe: wants to change the outline from the current outline (which
> basically analyzes TCP on a "per-protocol-field",
> "per-protocol-mechanism" basis, etc.) to an outline that basically
> analyzes TCP on a "per-attack" basis (his proposal is available at:

The outline I proposed breaks things down into groups based on:
	control plane in-band
	control plane out-of-band
	data plane

This is (loosely) based on how TCP is specified (order notwithstanding).

Although I did suggest talking about attacks first, then talking about
mitigations (to separate the two, because a single attack can have
multiple mitigations, and a single mitigation can inhibit multiple
attacks), the overall structure is not per-attack as much as it is based on
breaking the protocol down into its component parts.

---

It also distinguishes between protocol weaknesses (places where the
protocol creates a vulnerability, regardless of implementation - e.g.,
ICMP attacks), implementation choice issues (places where a choice left
to implementers can cause problems if poorly chosen - e.g., how some
SHOULDs turn into "don't do this in a secure implementation"), and
implementation vulnerabilities (implementation issues not related to
choices in the spec that create problems - e.g., searching the TIME-WAIT
list linearly).

Regardless of how we proceed, I believe that this latter issue should be
considered in the presentation of solutions.

> * Wesley: would like to change the outline as proposed by Joe, but could
> live without doing that.
> * Alfred: wants to leave the outline as is
> * Fernando: wants to leave the outline as is
> * Toby: wants to change the outline as proposed by Joe
> I don't personally see clear consensus for changing the outline (even
> less if we consider that many more people had agreed to accept the
> document "as is").
> However, as there have not been that many opinions about the outline, I
> think it would be a good idea if wg participants that have not yet
> voiced their opinion regarding the document outline have another chance
> to do it.
> So let's set a new deadline for this second round of comments: if you
> have any comments regarding the document outline, please voice your
> opinion till September 16th (Wednesday), 2009.
> Thanks!
> Kind regards,