Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt-01

At Tue, 29 Jul 2008 07:10:19 -0700,
Joe Touch wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi, Eric,
> 
> Eric Rescorla wrote:
> | At Tue, 29 Jul 2008 06:40:48 -0700,
> | Joe Touch wrote:
> |> -----BEGIN PGP SIGNED MESSAGE-----
> |> Hash: SHA1
> ...
> |> | So, if we are going down that route, then I would argue it may be
> |> | worthwhile to debate "how much" to include in general, i.e, is it
> |> | worthwhile to include selective portions OR part of the data portion of
> |> | the TCP data in the MAC computation instead of he entire data.?
> |>
> |> Absolutely; that can be implemented inside the MAC algorithm, opaquely
> |> to TCP-AO, though. I.e., I can create a MAC that hashes only the odd
> |> blocks, only the first half of the blocks, etc.
> ...
> | Well, it's true that one *could* do this, but I think it's a really
> | bad idea. MACs should provide a uniform interface and set of semantics.
> | If you want to have partial coverage, this should be handled at the
> | TCP-AO level.
> 
> First, I'm not sure this overall function is useful; since apps can't
> align data to the TCP segments, IMO the data is "all or none". I don't
> see a reason to omit the data entirely from a MAC (excepting performance
> for statistical benefit).
> 
> Overall, this doesn't seem to fit the spirit of "TCP-AO should be simple".
> 
> | I appreciate that you're trying to isolate the crypto from the TCP-AO
> | service, but I don't think you can isolate it to this extent.
> 
> It would be useful to explain the reason you see a need for coupling
> here (provided this is even needed, as noted above).

(1) I don't think it's needed.
(2) The semantics of partial protection are only meaningful at the TCP
    layer. The MAC just operates on chunks of bits.

-Ekr
_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm