[tcpm] Comments for draft-scharf-tcpm-yang-tcp-06

Juhamatti Kuusisaari <juhamatk@gmail.com> Fri, 18 September 2020 08:53 UTC

From: Juhamatti Kuusisaari <juhamatk@gmail.com>
Date: Fri, 18 Sep 2020 11:53:08 +0300
Message-ID: <CACS3ZpBJOfctZjW0qUD+2p1vw63p9KeJ+ie15SHE=k_fk6suTw@mail.gmail.com>
To: tcpm IETF list <tcpm@ietf.org>, "Scharf, Michael" <Michael.Scharf@hs-esslingen.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/Ns62POXqfqq88mUQVLMEEGiNnvo>

Hello,

I read through draft-scharf-tcpm-yang-tcp-06 and overall it looks fine to me.

Nevertheless, there are a couple of items that may need
clarifications/improvements.

(1) I believe "leaf include-tcp-options" should be "leaf
ignore-tcp-options" with a false default as the options are included
by default in the RFC 5925. In my opinion, this would better emphasize
the fact that options really should be included by default and not
including them should be a special case. Change suggestion in detail
below:

      leaf include-tcp-options {
        type boolean;
        must "../enable-ao = 'true'";
        description
          "Include TCP options in HMAC calculation.";
      }
=>
      leaf ignore-tcp-options {
        type boolean;
        default "false";
        must "../enable-ao = 'true'";
        description
          "Ignore TCP options in MAC calculation.";
      }

Please also note the "HMAC"->"MAC" change suggestion. And yes, I do
realize that a default could be added to the original "include" leaf.
After pondering this, I do think an "ignore" leaf would be a better
end result for the reasons I mentioned above.

(2) There is now a leaf that says:

      leaf accept-ao-mismatch {
        type boolean;
        must "../enable-ao = 'true'";
        description
          "Accept packets with HMAC mismatch.";
      }

It is true that RFC 5925 allows non-existing MKT connections that
should be accepted. Then again, the above configuration and its
description look to me as if any mismatch would be accepted. So, maybe
a configuration setting better reflecting RFC 5925 would be something
along the lines of

      leaf accept-key-mismatch {
        type boolean;
        must "../enable-ao = 'true'";
        description
          "Accept TCP segments with a Master Key Tuple (MKT) that is
           not configured.";
      }

As this configuration option does not have such a strong default as
the former one, I do not see a need to change its logic otherwise nor
add a default. I would assume that most security aware users would
have "false" there as a setting - especially those users that would
use a YANG model to do the configuration.

Best regards,
--
 Juhamatti
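The following is an added example, not part of the message above, the draft, or RFC 5925 itself. It models, as a small Python simulation, the receive-side effect of the two leaves the message proposes, `ignore-tcp-options` and `accept-key-mismatch`: a segment whose KeyID matches no configured MKT is governed by `accept-key-mismatch`, whereas a segment with a known MKT and a wrong MAC is always dropped, regardless of that setting. Assumptions are labelled in the code: the traffic key is the master key used directly (RFC 5925's KDF step is skipped), the MAC is HMAC-SHA-1 truncated to 96 bits as in RFC 5926, and the covered byte layout is simplified (non-AO options are zeroed in place when ignored). The `Mkt`, `AoConfig`, `Segment`, `receive` and `demo` names are constructed for this illustration.

```python
"""Simplified model of the proposed TCP-AO leaves 'ignore-tcp-options'
and 'accept-key-mismatch'. Added example; not from the draft or RFC 5925."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAC_LEN = 12          # HMAC-SHA-1-96 (RFC 5926) truncates to 96 bits
TCP_AO_KIND = 29      # TCP-AO option kind (RFC 5925)


@dataclass(frozen=True)
class Mkt:
    """Master Key Tuple, looked up by the KeyID carried in the TCP-AO option."""
    key_id: int
    master_key: bytes                  # used directly as the traffic key (simplification)
    ignore_tcp_options: bool = False   # proposed leaf; 'false' matches RFC 5925's default


@dataclass
class AoConfig:
    enable_ao: bool = True
    accept_key_mismatch: bool = False  # proposed leaf: accept segments whose MKT is unknown
    mkts: Dict[int, Mkt] = field(default_factory=dict)


@dataclass
class Segment:
    pseudo_header: bytes                   # addresses, protocol, length (constructed)
    tcp_header: bytes                      # fixed 20-byte header, checksum zeroed
    options: List[Tuple[int, bytes]]       # (kind, data) for non-AO options
    payload: bytes
    key_id: int
    mac: bytes = b""


def covered_bytes(seg: Segment, ignore_tcp_options: bool) -> bytes:
    """Bytes fed to the MAC. Non-AO options are zeroed in place when ignored,
    so a same-length rewrite by a middlebox does not affect the MAC; the
    TCP-AO option is always covered with its MAC field zeroed."""
    ao_option = bytes([TCP_AO_KIND, 4 + MAC_LEN, seg.key_id, 0]) + b"\x00" * MAC_LEN
    buf = seg.pseudo_header + seg.tcp_header
    for kind, data in seg.options:
        tlv = bytes([kind, 2 + len(data)]) + data
        buf += b"\x00" * len(tlv) if ignore_tcp_options else tlv
    return buf + ao_option + seg.payload


def compute_mac(mkt: Mkt, seg: Segment) -> bytes:
    digest = hmac.new(mkt.master_key, covered_bytes(seg, mkt.ignore_tcp_options), hashlib.sha1)
    return digest.digest()[:MAC_LEN]


def sign(mkt: Mkt, seg: Segment) -> Segment:
    seg.mac = compute_mac(mkt, seg)
    return seg


def receive(cfg: AoConfig, seg: Segment) -> str:
    """Receive-side decision. Only the 'no MKT configured' case is affected by
    accept-key-mismatch; a MAC mismatch against a known MKT is always dropped."""
    if not cfg.enable_ao:
        return "accepted-ao-disabled"
    mkt = cfg.mkts.get(seg.key_id)
    if mkt is None:
        return "accepted-no-mkt" if cfg.accept_key_mismatch else "dropped-no-mkt"
    if hmac.compare_digest(compute_mac(mkt, seg), seg.mac):
        return "accepted-authenticated"
    return "dropped-mac-mismatch"


def demo() -> Dict[str, str]:
    """Run the constructed scenarios and return each outcome by name."""
    key = b"constructed-master-key"
    base = dict(pseudo_header=bytes.fromhex("0a0000010a000002" "0006" "0030"),
                tcp_header=bytes(20), payload=b"hello")
    mss = [(2, b"\x05\xb4")]           # MSS 1460 option
    mss_rewritten = [(2, b"\x02\x18")]  # same length, MSS clamped to 536 by a middlebox

    results: Dict[str, str] = {}

    # Options covered by the MAC (ignore-tcp-options = false, the proposed default).
    mkt_cover = Mkt(1, key, ignore_tcp_options=False)
    cfg = AoConfig(mkts={1: mkt_cover})
    signed = sign(mkt_cover, Segment(options=mss, key_id=1, **base))
    results["valid"] = receive(cfg, signed)
    results["option-changed-covered"] = receive(
        cfg, Segment(options=mss_rewritten, key_id=1, mac=signed.mac, **base))

    # Options ignored (ignore-tcp-options = true): the rewrite goes unnoticed.
    mkt_ignore = Mkt(2, key, ignore_tcp_options=True)
    signed2 = sign(mkt_ignore, Segment(options=mss, key_id=2, **base))
    results["option-changed-ignored"] = receive(
        AoConfig(mkts={2: mkt_ignore}),
        Segment(options=mss_rewritten, key_id=2, mac=signed2.mac, **base))

    # KeyID with no configured MKT: governed by accept-key-mismatch.
    unknown = Segment(options=mss, key_id=9, mac=signed.mac, **base)
    results["unknown-mkt-default"] = receive(cfg, unknown)
    results["unknown-mkt-accept"] = receive(
        AoConfig(accept_key_mismatch=True, mkts={1: mkt_cover}), unknown)

    # Known MKT, wrong MAC: dropped even when accept-key-mismatch is true.
    bad_mac = Segment(options=mss, key_id=1, mac=bytes(MAC_LEN), **base)
    results["bad-mac-accept-key-mismatch"] = receive(
        AoConfig(accept_key_mismatch=True, mkts={1: mkt_cover}), bad_mac)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:32s} {outcome}")
```

The last two scenarios are the distinction the message draws: `accept-key-mismatch` as modelled here relaxes only the lookup failure, while a verifiable MAC that fails verification is still rejected, which is what a leaf named `accept-ao-mismatch` would not make obvious.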