IETF Logo Mail Archive

Re: [tcpm] Roman Danyliw's Discuss on draft-ietf-tcpm-yang-tcp-07: (with DISCUSS and COMMENT)

"Scharf, Michael" <Michael.Scharf@hs-esslingen.de> Sun, 10 July 2022 16:40 UTC

Return-Path: <Michael.Scharf@hs-esslingen.de>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EC15C14CF0F; Sun, 10 Jul 2022 09:40:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hs-esslingen.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nab71mb1cxSm; Sun, 10 Jul 2022 09:40:30 -0700 (PDT)
Received: from mail.hs-esslingen.de (mail.hs-esslingen.de [134.108.32.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1AE00C157B42; Sun, 10 Jul 2022 09:40:28 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by mail.hs-esslingen.de (Postfix) with ESMTP id 8161C25A20; Sun, 10 Jul 2022 18:40:25 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hs-esslingen.de; s=mail; t=1657471225; bh=Y4UW8wHKsNWitMsyMX04aPo5qrY4NsdI/2hDm0h2kFM=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=VBng2KtJ+GaVzdPMfJTrWbM1NpvzHwAEQMXwkMgOIXHMwVefFEJiJoal4lirxMIO6 ROsaNQJJyGK3ZpolZB5dgsrAQybyUE30iicZwhrsBB3lnC/mSm/ZsqKISicg2LtpPp 59wrlJdH9j08F1md0pKg0ya/2BQiy9/b70po/J2o=
X-Virus-Scanned: by amavisd-new-2.7.1 (20120429) (Debian) at hs-esslingen.de
Received: from mail.hs-esslingen.de ([127.0.0.1]) by localhost (hs-esslingen.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bk3lHbjeQw_z; Sun, 10 Jul 2022 18:40:24 +0200 (CEST)
Received: from rznt8202.rznt.rzdir.fht-esslingen.de (rznt8202.hs-esslingen.de [134.108.48.165]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.hs-esslingen.de (Postfix) with ESMTPS; Sun, 10 Jul 2022 18:40:24 +0200 (CEST)
Received: from rznt8202.rznt.rzdir.fht-esslingen.de (134.108.48.165) by rznt8202.rznt.rzdir.fht-esslingen.de (134.108.48.165) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.28; Sun, 10 Jul 2022 18:40:24 +0200
Received: from rznt8202.rznt.rzdir.fht-esslingen.de ([fe80::aca4:171a:3ee1:57e0]) by rznt8202.rznt.rzdir.fht-esslingen.de ([fe80::aca4:171a:3ee1:57e0%3]) with mapi id 15.01.2375.028; Sun, 10 Jul 2022 18:40:24 +0200
From: "Scharf, Michael" <Michael.Scharf@hs-esslingen.de>
To: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>
CC: "draft-ietf-tcpm-yang-tcp@ietf.org" <draft-ietf-tcpm-yang-tcp@ietf.org>, "tcpm-chairs@ietf.org" <tcpm-chairs@ietf.org>, "tcpm@ietf.org" <tcpm@ietf.org>, "nsd.ietf@gmail.com" <nsd.ietf@gmail.com>
Thread-Topic: Roman Danyliw's Discuss on draft-ietf-tcpm-yang-tcp-07: (with DISCUSS and COMMENT)
Thread-Index: AQHYi8yWqpYxf/XurU6JgauzF7fgY6133JtQ
Date: Sun, 10 Jul 2022 16:40:23 +0000
Message-ID: <9eea7ee54f3d49218cc230d495b8a0fc@hs-esslingen.de>
References: <165651637903.27765.15214938683310593938@ietfa.amsl.com>
In-Reply-To: <165651637903.27765.15214938683310593938@ietfa.amsl.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [134.108.140.249]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/H0UNpd1Fh-uI6rblHh1895-7iT4>
Subject: Re: [tcpm] Roman Danyliw's Discuss on draft-ietf-tcpm-yang-tcp-07: (with DISCUSS and COMMENT)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Jul 2022 16:40:35 -0000

Hi Roman,

The authors will get back to all feedback (in particular the various DISCUSS). We still work on that.

For the time being, one specific question regarding your comment:

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Thank you to Hilarie Orman for the SECDIR review.
> 
> I concur with the SECDIR observation that “there are no statistics kept for
> authentication failures.  If a shared key falls out of synch, the statistics
> might help detect that.”  I appreciate the response
> (https://mailarchive.ietf.org/arch/msg/secdir/BnjVJ7_IgN7mSNaGi3H2ujVYv
> n0/)
> which recommends that this should be generically modeled.  I disagree that
> this
> should be deferred. There is a very specific TCP-level primitive being
> described here and it makes sense to me to provide a corresponding logging
> primitive.

The document uses the RFC 8177 keychain with some (relatively minor) additions. Can you please better explain what would - in your view - be different between a TCP-AO authentication failure and an authentication failure by any other use of RFC 8177? Why would generic statistics for all RFC 8177 users not be possible at all?

Or, in other words, what would be different between a counter that sums up TCP-AO authentication failures and a corresponding counter for authentication failures for some other use of RFC 8177?

Thanks

Michael

v2.23.0 | Report a Bug | By Email