IETF Logo Mail Archive

Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt

Tim Shepard <shep@alum.mit.edu> Fri, 23 April 2004 23:48 UTC

Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA23041 for <tcpm-archive@odin.ietf.org>; Fri, 23 Apr 2004 19:48:25 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BHANy-0003lD-3o for tcpm-archive@odin.ietf.org; Fri, 23 Apr 2004 19:47:10 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i3NNl9Rm014451 for tcpm-archive@odin.ietf.org; Fri, 23 Apr 2004 19:47:10 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BHAIC-0002Nx-6V for tcpm-web-archive@optimus.ietf.org; Fri, 23 Apr 2004 19:41:12 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA22620 for <tcpm-web-archive@ietf.org>; Fri, 23 Apr 2004 19:41:10 -0400 (EDT)
Received: from ietf-mx.ietf.org ([132.151.6.1] helo=ietf-mx) by ietf-mx with esmtp (Exim 4.32) id 1BHAIA-00037S-Gz for tcpm-web-archive@ietf.org; Fri, 23 Apr 2004 19:41:10 -0400
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1BHAH6-0002lv-00 for tcpm-web-archive@ietf.org; Fri, 23 Apr 2004 19:40:05 -0400
Received: from optimus.ietf.org ([132.151.1.19]) by ietf-mx with esmtp (Exim 4.12) id 1BHAEm-0002Sg-00 for tcpm-web-archive@ietf.org; Fri, 23 Apr 2004 19:37:40 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BHACE-0008Hb-Mq; Fri, 23 Apr 2004 19:35:02 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BH9z9-0004KB-KB for tcpm@optimus.ietf.org; Fri, 23 Apr 2004 19:21:31 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA21669 for <tcpm@ietf.org>; Fri, 23 Apr 2004 19:21:29 -0400 (EDT)
Received: from ietf-mx.ietf.org ([132.151.6.1] helo=ietf-mx) by ietf-mx with esmtp (Exim 4.32) id 1BH9z8-00067r-0p for tcpm@ietf.org; Fri, 23 Apr 2004 19:21:30 -0400
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1BH9yW-0005rq-00 for tcpm@ietf.org; Fri, 23 Apr 2004 19:20:53 -0400
Received: from dsl092-066-146.bos1.dsl.speakeasy.net ([66.92.66.146] helo=alva.home) by ietf-mx with esmtp (Exim 4.12) id 1BH9xS-0005Ms-00 for tcpm@ietf.org; Fri, 23 Apr 2004 19:19:46 -0400
Received: from shep (helo=alva.home) by alva.home with local-esmtp (Exim 3.36 #1 (Debian)) id 1BH9wo-0005j0-00 for <tcpm@ietf.org>; Fri, 23 Apr 2004 19:19:06 -0400
From: Tim Shepard <shep@alum.mit.edu>
To: tcpm@ietf.org
Subject: Re: [tcpm] draft-ietf-tcpm-tcpsecure-00.txt
In-reply-to: Your message of Fri, 23 Apr 2004 23:25:11 +0100. <Pine.GSO.4.50.0404232249570.5889-100000@argos.ee.surrey.ac.uk>
Date: Fri, 23 Apr 2004 19:19:06 -0400
Message-Id: <E1BH9wo-0005j0-00@alva.home>
Sender: tcpm-admin@ietf.org
Errors-To: tcpm-admin@ietf.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no version=2.60

> This first sequence number information can be used to form part of the
> challenge-response; if the sender has sent an RST packet whose
> sequence number lies in the window, but it is not the next expected
> packet, the ack sent back by the receiver can be an indicator for the
> RST sender to pass the first sequence number in a subsequent packet
> (also containing a confirming RST flag. 'I told you to close. I'm
> telling you to close again. And here's a reminder of when we first
> spoke and agreed to open. It's a random number we both know.'.)

If I'm sending you a RST because I rebooted and lost all state and
don't have any state for the TCP connection that you apparently have
becasue you are sending me packets, how am I supposed to remember what
the initial sequence number was?




Here's an idea (just thinkint out loud here) for solving the BGP problem:

Ignore RSTs and just let keep alive failures and timers take care of
tearing down old connections.

(and continuing to think out loud here....)

Joe Touch recently suggested that IPsec/ESP with Null encryption and
authentication would effectively put in place a cookie mechanism (the
SPI being the cookie) which would be sufficient to solve these
probelms.  But that just pushes the problem of handling a TCP RST to
figuring out how to "RST" a IPsec SA.  And my understanding of that
problem (which is based on recent discussion in HIP WG) is that when a
packet shows up with an unknown SPI, that you might have a mechanism
that sends back an advisory "unknown SPI" notification, but that when
you receive an "unknown SPI" notification, there's not much you can do
with it because it could be someone spoofing you.

So it seems just hacking your TCP implementation to ignore RSTs
might give you the same robustness that you'd get from
null-encryption, null-authentication IPsec ESP.

			-Tim Shepard
			 shep@alum.mit.edu

_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm

v2.40.4 | Report a Bug | By Email | System Status