RE: [tcpm] tcpsecure: how strong to recommend?

"Anantha Ramaiah (ananth)" <ananth@cisco.com> Tue, 02 October 2007 16:45 UTC

Message-ID: <0C53DCFB700D144284A584F54711EC58040A0474@xmb-sjc-21c.amer.cisco.com>
In-Reply-To: <47026DD7.6000009@isi.edu>
From: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
To: Joe Touch <touch@ISI.EDU>
Cc: tcpm@ietf.org, "Edward A. Gardner" <eag@ophidian.com>, "Mitesh Dalal (mdalal)" <mdalal@cisco.com>

> As a way forward, the following captures the 
> SHOULD/SHOULD/MAY which was
>  most supported in Chicago:
> 
> ---------------------------------------------------------------------------
> 
> tcpsecure SHOULD be implemented in TCP stacks supporting router.
> Notable exceptions include deployments where routers are known to use
> other antispoofing protection, e.g., IPsec, TCP/MD5 and its 
> successors.
> 
> tcpsecure MAY be implemented in other TCP stacks.
> 
> ----
> within tcpsecure:
> 
> RST protection MUST be supported
> 
> SYN protection MUST be supported
> 
> data segment (i.e., non-RST, non-SYN) protection MAY be supported
> 
> -------------------------------------------

I think you got it wrong.

Most supported in Chicago was about [SHOULD/SHOULD/MAY] WITHOUT the
applicability statement in place. It was a "STANDALONE" question raised by
the chairs for which the consensus seemed to be in favour of S/S/M. Now
WITH the applicability statement in place, it completely changes the
entire equation. To quote Mark's email:

BEGIN QUOTE
> It seems to me that this discussion is really divergent because there
> is no applicability statement in the document, per Lars' comment. I
> wonder if you guys could go off and generate such a statement and
> then we could re-visit this question. I think that would factor things
> into a question of "where" this is applicable and then how strongly we
> want to advocate these mitigations within that context. Is that
> reasonable?
END QUOTE

So, the game plan moving forward is to generate the AS and revisit the
mitigation strengths. Also, just in case you missed it, some of the responses
in this list have indicated no issues with "MUST'ing" all the
mitigations provided there is a proper applicability statement in place.

-Anantha


_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm