Re: [tcpm] DISCUSS: draft-ietf-tcpm-tcpsecure
Joe Touch <touch@ISI.EDU> Mon, 11 January 2010 19:07 UTC
Return-Path: <touch@ISI.EDU>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E05E73A6863 for <tcpm@core3.amsl.com>; Mon, 11 Jan 2010 11:07:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xAhv-Lbl-2YU for <tcpm@core3.amsl.com>; Mon, 11 Jan 2010 11:07:32 -0800 (PST)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 9C4A53A683A for <tcpm@ietf.org>; Mon, 11 Jan 2010 11:07:32 -0800 (PST)
Received: from [75.213.76.118] (118.sub-75-213-76.myvzw.com [75.213.76.118]) (authenticated bits=0) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id o0BJ4BWf011191 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 11 Jan 2010 11:04:14 -0800 (PST)
Message-ID: <4B4B762A.7070902@isi.edu>
Date: Mon, 11 Jan 2010 11:04:10 -0800
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
References: <20091008003703.885C93A684E@core3.amsl.com> <0C53DCFB700D144284A584F54711EC58082480D6@xmb-sjc-21c.amer.cisco.com> <A0CF1A5C-5693-4FDC-87DD-CCD711AFEB38@cisco.com> <F74F9F56-42C5-4FB5-A512-4FC680206187@cisco.com> <0C53DCFB700D144284A584F54711EC5808AA86F6@xmb-sjc-21c.amer.cisco.com>
In-Reply-To: <0C53DCFB700D144284A584F54711EC5808AA86F6@xmb-sjc-21c.amer.cisco.com>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: "Cullen Jennings (fluffy)" <fluffy@cisco.com>, tcpm-chairs@tools.ietf.org, tcpm@ietf.org, draft-ietf-tcpm-tcpsecure@tools.ietf.org
Subject: Re: [tcpm] DISCUSS: draft-ietf-tcpm-tcpsecure
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jan 2010 19:07:34 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Anantha Ramaiah (ananth) wrote: > > Hi, > > I am forwarding [sorry about the long delay] these comments received > during IESG review ( as suggested by Lars) to get some feedback from > TCPM. The suggestion below from Cullen is to add more text to the > middle-box section and also add some notes to the AS. [ Pl refer below] > > My comments here are : [ you can find them inside the email responses > below, but listed here in brief ] > > - We have alreaady have mentioned the challenges that middle-boxes pose, > this is not just limited to the current RFC, RFC TCP-MD5 or TCP-AO has > issues and list can go on. I think the difference is that people expect NATs and other devices that modify TCP packets to affect any authentication mechanism (MD5, AO), but that they wouldn't expect it to affect this mechanism. I'm not sure how it would, though - what is the case they're thinking of here that would cause this to fail with a middlebox? (transparent rewriting maybe?) > - Regarding the case of a server opening closing connections at a rapid > rate implies "short-lived" connections. The document currently says that > these mitigations can be very useful in case of long lived connections, > short-lived connections may or may not want to implement this. So my > thinking is that the current text gives more flexibility for > implementers to chose what they want to do, they can have a socket > option to turn these mitigations to select ports etc., In case of where > the connections are made/broken at a rapid rate, there are other > problems that come into play : for example the port collisions happening > because the TCB in the server is stuck in the TIMEWAIT state and that > causes denying the incoming connection. The orthogonal and somewhat > important point is that to note is that typically cleanup involves a > client sending an FIN and not RST, sending RST has many other issues and > should be used with caution and that typically happens today in > implementations. So, I am not really sure about adding a text that says > "a server should not be doing that" The point of the comment focuses on the increased load due to packet exchange, not just the lack of benefit. For high-rate servers, there are thus not only reasons they might not benefit, but reasons they might want to deliberately avoid this mechanism. Yes, there are other challenges to building a high-rate server, but it's worth noting that this mechanism might complicate that situation more than it helps. I think that's worth stating, though should take only a sentence or two. Joe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) iEYEARECAAYFAktLdioACgkQE5f5cImnZrs+fACgicnAFT5xYOujMnJVbwRmWv5K u1UAn0wjGOSvA6IkiEoogJx/Nn0QHBFu =7F/U -----END PGP SIGNATURE-----
- Re: [tcpm] DISCUSS: draft-ietf-tcpm-tcpsecure Anantha Ramaiah (ananth)
- Re: [tcpm] DISCUSS: draft-ietf-tcpm-tcpsecure Joe Touch