Re: [tcpm] Feedback request on draft-ietf-tcpm-tcp-security

Fernando Gont <fernando@gont.com.ar> Fri, 05 March 2010 16:33 UTC

Return-Path: <fernando@gont.com.ar>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 15F163A8965 for <tcpm@core3.amsl.com>; Fri, 5 Mar 2010 08:33:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.501
X-Spam-Level:
X-Spam-Status: No, score=-3.501 tagged_above=-999 required=5 tests=[AWL=0.098, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H7s7bKhUClRG for <tcpm@core3.amsl.com>; Fri, 5 Mar 2010 08:33:49 -0800 (PST)
Received: from smtp1.xmundo.net (smtp1.xmundo.net [201.216.232.80]) by core3.amsl.com (Postfix) with ESMTP id 80E383A8B31 for <tcpm@ietf.org>; Fri, 5 Mar 2010 08:33:47 -0800 (PST)
Received: from venus.xmundo.net (venus.xmundo.net [201.216.232.56]) by smtp1.xmundo.net (Postfix) with ESMTP id DA65B6B6C17; Fri, 5 Mar 2010 13:33:50 -0300 (ART)
Received: from [192.168.0.100] (129-130-17-190.fibertel.com.ar [190.17.130.129]) (authenticated bits=0) by venus.xmundo.net (8.13.8/8.13.8) with ESMTP id o25GXYLe012800; Fri, 5 Mar 2010 13:33:45 -0300
Message-ID: <4B913260.8060207@gont.com.ar>
Date: Fri, 05 Mar 2010 13:33:36 -0300
From: Fernando Gont <fernando@gont.com.ar>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: "Eddy, Wesley M. (GRC-MS00)[ASRC AEROSPACE CORP]" <wesley.m.eddy@nasa.gov>
References: <4B7F2881.7000700@gont.com.ar> <C304DB494AC0C04C87C6A6E2FF5603DB47DE76AE73@NDJSSCC01.ndc.nasa.gov> <4B8F050C.9070003@gont.com.ar> <C304DB494AC0C04C87C6A6E2FF5603DB47DE9A7498@NDJSSCC01.ndc.nasa.gov>
In-Reply-To: <C304DB494AC0C04C87C6A6E2FF5603DB47DE9A7498@NDJSSCC01.ndc.nasa.gov>
X-Enigmail-Version: 0.96.0
OpenPGP: id=D076FFF1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by milter-greylist-3.0 (venus.xmundo.net [201.216.232.56]); Fri, 05 Mar 2010 13:33:50 -0300 (ART)
Cc: "tcpm@ietf.org" <tcpm@ietf.org>
Subject: Re: [tcpm] Feedback request on draft-ietf-tcpm-tcp-security
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Mar 2010 16:33:50 -0000

Hi, Wes,

> It doesn't really matter to my; my only concern was
> that they each have a unique identifier to reference
> against more easily than using the full sentence.

That makes perfect sense.


> In order to not cause massive renumberings when
> adding or removing, one system would be to name them
> something like "R.0302001" for the first requirement
> in section 3.2 and "R.1100012" for the twelfth one in
> section 11 (with no subsections).  There may be a
> more elegant way, I don't really care what the ID
> looks like as long as there is one :).

Ok, I'll use your proposal... unless somebody can quickly come up with
something that is clearly better (I can't).

FWIW, the behave folks use "REQ-n"... however, their documents usually
have no more than a dozen requirements... and thus such a "flat" naming
scheme is managable. In our case, we'll probably end-up with more than a
hundred requirements, so such a "flat" scheme would not work that well
here. A more hierarchical one such as the one you describe would work
better.



> If it's too much trouble or nobody else in the WG
> cares, I don't think it's absolutely necessary, I
> just would find it really helpful in my work.

It's not too much trouble (I can add the "numbers" in an incremental
way... as I edit the I-D)... and it is clearly useful. So I will be
adding the req-numbers in the next rev.

(Worst case, if people don't like it, we could eventually remove the
numbers (I guess the only argument against it is that things like
"R.XXXXXX" look like cryptic, but that's it :-) )).



>>> a fingerprinting attempt, then we need to explain that,
>> Agreed. The rationale for that response was "responsiveness" -- i.e.,
>> rather than letting the connection-establishment time-out, you send an
>> RST.
>>
>> But please let me give this one another thought....
> 
> I agree that the port can't and shouldn't be used,
> but if we're starting with the assumption that it's
> never legitimately used, then why would we worry
> about making a timely response to incoming packets
> on that port? I think it's easier to just ignore
> them.  It's like sending responses to spam otherwise.

Makes sense to me.

(I guess at the time I decided that an RST might make sense as it would
signal a "hard error" condition... but in retrospective, I agree with
what you say. For instance, some systems already do this (ignore TCP
segments that use port 0)).



>>> Regarding the requirement:
>>> """
>>>    Middle-boxes such as packet filters MUST NOT assume that clients
>> use
>>>    port numbers from only the Dynamic or Registered port ranges.
>>> """
>>> It's not clear to me how this improves security.
>> Disclaimer: I must say I wasn't sure about including this one as a
>> "requirement" (as this req does not aim at end-systems).
>>
>> That said, while this does not improve the security of end-systems, it
>> provides advice on how to set policies correctly, so that communication
>> is not blocked mistakenly. (i.e., a middle-box must not assume that
>> clients only use port numbers in that range as the source port).
> 
> Ok; but implementing this requirement doesn't at all
> improve the security of TCP implementations, so I
> believe it's out of scope.  

Yes, I agree. As I said before, I wasn't sure whether to include it as a
req. But did so so that we'd discuss it.



> It seems like something
> that would be included in BEHAVE's work (and maybe
> it already is?), but I've not been active in that
> so I could be wrong.

And maybe not even behave... this has more to do with firewalls...

Thanks!

Kind regards,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1