Re: [tcpm] [OPSEC] draft-gont-tcp-security

Fernando Gont <fernando@gont.com.ar> Tue, 09 June 2009 19:36 UTC

Sender: Fernando Gont <fernando.gont.netbook.win@gmail.com>
Message-ID: <4A2EB9B7.80907@gont.com.ar>
Date: Tue, 09 Jun 2009 16:36:23 -0300
From: Fernando Gont <fernando@gont.com.ar>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: Joe Touch <touch@ISI.EDU>
References: <C304DB494AC0C04C87C6A6E2FF5603DB221318F5E8@NDJSSCC01.ndc.nasa.gov> <49E36AB9.40507@isi.edu> <49E384E9.1050106@gont.com.ar> <49E3878C.9080200@isi.edu> <49E39119.1060902@gont.com.ar> <B01905DA0C7CDC478F42870679DF0F1004BC4176D0@qtdenexmbm24.AD.QINTRA.COM> <49E3A88F.9060301@gont.com.ar> <49E3ABC0.1050601@isi.edu> <49E3B9BF.1060901@gont.com.ar> <49E3BED9.1030701@isi.edu> <C9E987CC-0213-4C67-BA0A-11C736772EE7@nokia.com> <49E4D257.40504@gont.com.ar> <49E4E233.9040609@earthlink.net> <EC5F7E6A-0393-41CC-B4DF-BCD134FF4EF5@nokia.com> <49E5F36D.7020808@earthlink.net> <A9D3331F-FDE6-4500-8650-3F94B0A78C2E@nokia.com> <49EE1873.1090907@gont.com.ar> <88ACD16A-1137-4E55-871F-8F0C992D7A63@nokia.com> <4A24626E.90805@gont.com.ar> <4A26E173.6040802@bogus.com> <4A2E1008.4060303@gont.com.ar> <4A2E66C3.6040701@isi.edu>
In-Reply-To: <4A2E66C3.6040701@isi.edu>
Cc: Joel Jaeggli <joelja@bogus.com>, opsec@ietf.org, tcpm@ietf.org
Subject: Re: [tcpm] [OPSEC] draft-gont-tcp-security

Joe Touch wrote:

>>> 	The diligent blacksmith knows that hardening a tool also
>>> 	makes it more brittle...
>> This is a nice quote, but... I'd like examples. e.g., start discussing
>> about which specific hardening proposal makes TCP more brittle.
> 
> 1) any security mechanism that increases complexity - of actions, state,
> or message exchanges - any of which increases the potential for
> implementation error

Agreed.



> 2) any security mechanism that has false positives, i.e., that discards
> messages deemed a security threat when they were sent for legitimate reasons

Why would this make e.g., TCP more brittle?

In any case, the actual response to such packets may vary (e.g., in the
case of ICMP hard errors, discard vs. process as soft errors). I believe
that no matter what the recommended response is, it is important to
discuss these issues, and try to get consensus on what's the right thing
to do in each case.


> #1 includes basically everything, from TCP MD5 (and TCP-AO) to tcpsecure
> and ICMP filtering

ICMP filtering actually decreases complexity.



> I.e., AFAICT, *everything* that makes TCP more secure also makes it
> brittle, by definition (ditto for metal hardening, FWIW). The key issue
> is "when/where is the benefit worth the cost".

As I said before, I'd like to have concrete examples from the tcp
security i-d that are deemed to make TCP more brittle.

Thanks!

Kind regards,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1