Re: [tcpm] [OPSEC] draft-gont-tcp-security

Lars Eggert <lars.eggert@nokia.com> Wed, 15 April 2009 07:16 UTC

From: Lars Eggert <lars.eggert@nokia.com>
To: Todd Glassey <tglassey@earthlink.net>
Date: Wed, 15 Apr 2009 10:17:19 +0300
Cc: "'tcpm@ietf.org'" <tcpm@ietf.org>, "'ietf@ietf.org'" <ietf@ietf.org>, Joe Touch <touch@ISI.EDU>, "Smith, Donald" <Donald.Smith@qwest.com>, 'Joe Abley' <jabley@ca.afilias.info>, "'opsec@ietf.org'" <opsec@ietf.org>, Fernando Gont <fernando@gont.com.ar>
Subject: Re: [tcpm] [OPSEC] draft-gont-tcp-security

Hi, Todd,

On 2009-4-14, at 22:21, Todd Glassey wrote:
> Fernando Gont wrote:
>> Lars Eggert wrote:
>>> I agree with Joe that some of the hardening techniques that vendors are
>>> implementing come with consequences (make TCP more brittle). To me, this
>>> is a *reason* this document should be published via the IETF (i.e.,
>>> TCPM) - we are probably in the best position to correctly evaluate and
>>> classify the impact of various hardening techniques. Stack vendors have
>>> been putting these mechanisms into their stacks without clear
>>> specifications and discussions of the potential upsides and downsides
>>> that would let them make an educated decision. It seems clear to me that
>>> the vendor community is looking for guidance here, and I do believe the
>>> IETF should give it.
>>>
>>
>> This is the reason for which the output of the CPNI project was
>> submitted as an IETF I-D.
>>
> Yeah - so then this would be tested across all of the local TCP
> implementations including the MS, AT&T (i.e. Lachman Associates Inc)
> and possibly Mentat's fast system?

Nothing would be "tested", the IETF isn't in the business of auditing
TCP stacks. What we're talking about is describing attack vectors,
potential countermeasures and the impact (downsides) those
countermeasures might come with. Implementors will need to decide for
themselves if and how to apply any of these techniques to their stacks.

Lars