IETF Logo Mail Archive

Re: [tcpm] tcp-auth-opt issue: support for NATs

"Adam Langley" <agl@imperialviolet.org> Fri, 01 August 2008 00:00 UTC

Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C3CE328C334; Thu, 31 Jul 2008 17:00:12 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3CB0628C334 for <tcpm@core3.amsl.com>; Thu, 31 Jul 2008 17:00:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zDjk3vov4GeA for <tcpm@core3.amsl.com>; Thu, 31 Jul 2008 17:00:09 -0700 (PDT)
Received: from rv-out-0506.google.com (rv-out-0506.google.com [209.85.198.229]) by core3.amsl.com (Postfix) with ESMTP id 5574028C235 for <tcpm@ietf.org>; Thu, 31 Jul 2008 17:00:08 -0700 (PDT)
Received: by rv-out-0506.google.com with SMTP id b25so707533rvf.49 for <tcpm@ietf.org>; Thu, 31 Jul 2008 17:00:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:sender :to:subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references :x-google-sender-auth; bh=4mWETs5X2TjGEBCUS5h/M3H7y52m5cT+wDIU9iF6TPI=; b=F4CyckHR7Y73K7xmHI5hP3jUiZpXLVMfjFl0/RR3vUedPvE574F9ReoN+7tqCLtlem HSA1XTKhs/jSb1GROFx0E3QpGmv+PmVp/qdJA9Ho78i3WgIicVCFuKba0Y5aZWmXpvk6 QYv1R/rV82Ixlb1oYan2EciO5OCDEVz2EZv14=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:sender:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references:x-google-sender-auth; b=W7O396Dpkc8w11+D6G7vFIT0Ma+p0Kej/8uwYhLi3Gfh56DgDOrs/WX5yl9SwWO5lU Jf1wWU4j9M1B6Q3smvVZLkYoI7h9fM9R9Ap5gSWXxTpNwfn8txFbjmjrTMHUJdknsacc BXDhom4/sC7h2XsOzZiZejCPvkd8zOHCzenso=
Received: by 10.141.152.8 with SMTP id e8mr5615374rvo.19.1217548809614; Thu, 31 Jul 2008 17:00:09 -0700 (PDT)
Received: by 10.141.186.3 with HTTP; Thu, 31 Jul 2008 17:00:09 -0700 (PDT)
Message-ID: <396556a20807311700w1eda50b0o5da7ae52e6c1691a@mail.gmail.com>
Date: Thu, 31 Jul 2008 17:00:09 -0700
From: Adam Langley <agl@imperialviolet.org>
To: Joe Touch <touch@isi.edu>
In-Reply-To: <4890FBE8.1020203@isi.edu>
MIME-Version: 1.0
Content-Disposition: inline
References: <4890F4BE.6060302@isi.edu> <396556a20807301622l4cb33deuff73cd13d7a75ba1@mail.gmail.com> <4890FBE8.1020203@isi.edu>
X-Google-Sender-Auth: 1d226f7a818a444d
Cc: tcpm@ietf.org
Subject: Re: [tcpm] tcp-auth-opt issue: support for NATs
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org

On Wed, Jul 30, 2008 at 4:40 PM, Joe Touch <touch@isi.edu> wrote:
> The current TSAD supports only a wildcard source port, which is
> instantiated for the first connection received that matches. It expects
> that the KMS installs additional keys as needed.

I was assuming that the TSAD would support wildcards for source IPs
and ports. I would also suggest that it's not a bad idea, although if
it didn't happen, that's no problem.

> The above appears to require that the KMS deploy the same key for all
> potentially overlapping NAT'd connections. This adds a requirement to
> the KMS, but suggests that the pseudoheader is included or excluded for
> all connections to a host from a given IP address. Is that what is
> intended, or can you clarify? If that is what is intended, how can the
> KMS enforce this?

Indeed, something would have to arrange for the pseudoheader to be
excluded from the MAC input when a packet matches a wildcard source IP
rule. Also, the same key would indeed be used by many connections.
Thus the key should rotate based on the time (once a minute would be
reasonable.)


AGL

-- 
Adam Langley agl@imperialviolet.org http://www.imperialviolet.org
_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email