Re: [tcpm] tcp-auth-opt issue: support for NATs

"Adam Langley" <> Fri, 01 August 2008 00:00 UTC

Return-Path: <>
Received: from [] (localhost []) by (Postfix) with ESMTP id C3CE328C334; Thu, 31 Jul 2008 17:00:12 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3CB0628C334 for <>; Thu, 31 Jul 2008 17:00:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zDjk3vov4GeA for <>; Thu, 31 Jul 2008 17:00:09 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 5574028C235 for <>; Thu, 31 Jul 2008 17:00:08 -0700 (PDT)
Received: by with SMTP id b25so707533rvf.49 for <>; Thu, 31 Jul 2008 17:00:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=domainkey-signature:received:received:message-id:date:from:sender :to:subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references :x-google-sender-auth; bh=4mWETs5X2TjGEBCUS5h/M3H7y52m5cT+wDIU9iF6TPI=; b=F4CyckHR7Y73K7xmHI5hP3jUiZpXLVMfjFl0/RR3vUedPvE574F9ReoN+7tqCLtlem HSA1XTKhs/jSb1GROFx0E3QpGmv+PmVp/qdJA9Ho78i3WgIicVCFuKba0Y5aZWmXpvk6 QYv1R/rV82Ixlb1oYan2EciO5OCDEVz2EZv14=
DomainKey-Signature: a=rsa-sha1; c=nofws;; s=gamma; h=message-id:date:from:sender:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references:x-google-sender-auth; b=W7O396Dpkc8w11+D6G7vFIT0Ma+p0Kej/8uwYhLi3Gfh56DgDOrs/WX5yl9SwWO5lU Jf1wWU4j9M1B6Q3smvVZLkYoI7h9fM9R9Ap5gSWXxTpNwfn8txFbjmjrTMHUJdknsacc BXDhom4/sC7h2XsOzZiZejCPvkd8zOHCzenso=
Received: by with SMTP id e8mr5615374rvo.19.1217548809614; Thu, 31 Jul 2008 17:00:09 -0700 (PDT)
Received: by with HTTP; Thu, 31 Jul 2008 17:00:09 -0700 (PDT)
Message-ID: <>
Date: Thu, 31 Jul 2008 17:00:09 -0700
From: Adam Langley <>
To: Joe Touch <>
In-Reply-To: <>
MIME-Version: 1.0
Content-Disposition: inline
References: <> <> <>
X-Google-Sender-Auth: 1d226f7a818a444d
Subject: Re: [tcpm] tcp-auth-opt issue: support for NATs
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

On Wed, Jul 30, 2008 at 4:40 PM, Joe Touch <> wrote:
> The current TSAD supports only a wildcard source port, which is
> instantiated for the first connection received that matches. It expects
> that the KMS installs additional keys as needed.

I was assuming that the TSAD would support wildcards for source IPs
and ports. I would also suggest that it's not a bad idea, although if
it didn't happen, that's no problem.

> The above appears to require that the KMS deploy the same key for all
> potentially overlapping NAT'd connections. This adds a requirement to
> the KMS, but suggests that the pseudoheader is included or excluded for
> all connections to a host from a given IP address. Is that what is
> intended, or can you clarify? If that is what is intended, how can the
> KMS enforce this?

Indeed, something would have to arrange for the pseudoheader to be
excluded from the MAC input when a packet matches a wildcard source IP
rule. Also, the same key would indeed be used by many connections.
Thus the key should rotate based on the time (once a minute would be


Adam Langley
tcpm mailing list