Re: [tcpm] Comments on TCP-AO Draft
"Gregory M. Lebovitz" <gregory.ietf@gmail.com> Tue, 18 November 2008 01:33 UTC
Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2FE7F3A6922; Mon, 17 Nov 2008 17:33:54 -0800 (PST)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BDB9D3A6922 for <tcpm@core3.amsl.com>; Mon, 17 Nov 2008 17:33:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_42=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bAqW4sgluXV4 for <tcpm@core3.amsl.com>; Mon, 17 Nov 2008 17:33:51 -0800 (PST)
Received: from rv-out-0506.google.com (rv-out-0506.google.com [209.85.198.236]) by core3.amsl.com (Postfix) with ESMTP id 9B3323A67E1 for <tcpm@ietf.org>; Mon, 17 Nov 2008 17:33:51 -0800 (PST)
Received: by rv-out-0506.google.com with SMTP id b25so2665629rvf.49 for <tcpm@ietf.org>; Mon, 17 Nov 2008 17:33:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:x-mailer:date:to:from:subject :in-reply-to:references:mime-version:content-type:message-id; bh=G63zKzr/jUMwTNlgFM9qcBGiMa5+2/q7+xzILEffcmM=; b=vW7Ud7tMO62s07/ayXF8sU58zbnYNk8iH2qwSrZqSab4n0mAUjsRc3+pgh3KEWvJZg +FH5qTMgVFawgAV0Xjw8WVojlPP2tj0S0b5ZbMVa0PAf+fevY8n8Xkvo+ctgpxt87zsm Jnh48IT4C35VpU9YuFTy2Ai1NpSwFIC3jgZYQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=x-mailer:date:to:from:subject:in-reply-to:references:mime-version :content-type:message-id; b=MGT5lENvhmE4ZgV6asc94ZXkg6Sg0NKBmrdJMd6VLNgodO9H80zLGr9FEqXQvIT+LQ 33+FR1NrnKiRtoOVCobmkWCR6i1YjPq0QHNo4QE6sK0q3idzIl0zno0dE7hfE4RngFNG wn37LXU+SobZlo4ztn1juAWDvIdxzzuyWTeyU=
Received: by 10.140.174.11 with SMTP id w11mr73635rve.280.1226972031121; Mon, 17 Nov 2008 17:33:51 -0800 (PST)
Received: from Gregory-T60.gmail.com ([130.129.95.186]) by mx.google.com with ESMTPS id l31sm11281033rvb.2.2008.11.17.17.33.47 (version=SSLv3 cipher=RC4-MD5); Mon, 17 Nov 2008 17:33:49 -0800 (PST)
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Mon, 17 Nov 2008 17:33:43 -0800
To: "Eddy, Wesley M. (GRC-RCN0)[VZ]" <Wesley.M.Eddy@nasa.gov>, LANGE Andrew <Andrew.Lange@alcatel-lucent.com>, tcpm@ietf.org
From: "Gregory M. Lebovitz" <gregory.ietf@gmail.com>
In-Reply-To: <7.1.0.9.2.20081117170325.05214da8@gmail.com>
References: <66F9363AB70F764C96547BD8A0A3679E154CB4@USDALSMBS05.ad3.ad.alcatel.com> <B5A5E01F9387F4409E67604C0257C71E7A3296@NDJSEVS25A.ndc.nasa.gov> <7.1.0.9.2.20081117170325.05214da8@gmail.com>
Mime-Version: 1.0
Message-ID: <49221b7d.1f588c0a.477a.580b@mx.google.com>
Subject: Re: [tcpm] Comments on TCP-AO Draft
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1995258273=="
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org
inline again... At 05:28 PM 11/17/2008, Gregory M. Lebovitz wrote: >inline... > >At 12:06 PM 11/17/2008, Eddy, Wesley M. (GRC-RCN0)[VZ] wrote: >> >-----Original Message----- >> >From: tcpm-bounces@ietf.org [mailto:tcpm-bounces@ietf.org] On >> >Behalf Of LANGE Andrew >> >Sent: Monday, November 17, 2008 1:51 PM >> >To: tcpm@ietf.org >> >Subject: [tcpm] Comments on TCP-AO Draft >> > >> > >> >> >>There are a lot of good comments here that will strengthen >>the document. One of them that concerns the wire-format rather >>than text additions, clarifications, and changes that are >>needed, which we should address quickly is: >> >> >> >1.4.1: " IETF-72 topic" sections "No current consensus was >> >reached on this topic, so no change was made." This is a real >> >problem -- the logic is deeply flawed. Allow me to restate: >> >One author of this document has appointed themselves the >> >arbiter of consensus. This author disagrees with other >> >people, and therefore no "consensus" can ever be reached, so >> >the default case this author has chosen is to keep things they >> >way they like it. >> > >> > ... >> > >> >"..omit an explicit algorithm ID..." -- I've said this before, >> >this is a BAD IDEA^tm. The protocol utility of doing this is >> >minimal (1-bit increase in search space), and the operational >> >complexity goes up. Not to mention, it makes it operationally >> >incompatible with existing implementations. BTW, in the reference above, in the newly posted <http://tools.ietf.org/html/./draft-ietf-tcp-auth-opt-02>draft-ietf-tcp-auth-opt-02 this comment regards section 1.3.1, not 1.4.1. Hope it helps, Gregory. >>There was logic given to support each side of the argument. My >>understanding of the summary for each position is: >> >>(position 1 - "include") Including information like algorithm ID >>and k-bit is BAD because it aids in debugging of implementations >>and of configurations. > >Wes, did you mean to say "GOOD" instead of "BAD" in this paragraph? >I'll assume yes. > > >>(position 2 - "don't include") Including this information is BAD >>because it can expose information about the security parameters. >>It doesn't aid in debugging of configuration because operators still >>have to call each other in order to read off and verify keys. >> >>There seemed to be more people around position 2 than position 1, >>but we should flag this and ask during the meeting, as well as >>open this up on the mailing list to see what people prefer. We >>need to pick one and move on. > >I concur with your recollection about the two positions above. I >also concur with your recollection that there was more people (not >100% consensus, but more) around Position 2 than 1. The argument I >made went something like this, and was based on lots of years of >debugging interop issues in both IKEv1/ESP and IKEv2/ESP: > - there is only the case where the connection will be discussed > out of band by system admins before a first connection is made. At > that point, there will be some agreement about config choices. > - if the connection doesn't work, you double check your config > matches your agreement of config choices. > - if the config matches the agreement, then you can try the other > algo, just in case you misheard that part. > - if it doesn't work, then you have to pick up the phone and call > the other guy to double check config parameters. > Conclusion: having the bits on the wire about the config elements > doesn't help practically, and contradicts the basic security > principle of hiding as much about the SA as possible. > >So I am also support Position 2. > >Gregory. > > >>As an individual, and not a co-chair, I'm in the position 2 "don't >>include" camp. >> >> >>_______________________________________________ >>tcpm mailing list >>tcpm@ietf.org >>https://www.ietf.org/mailman/listinfo/tcpm
_______________________________________________ tcpm mailing list tcpm@ietf.org https://www.ietf.org/mailman/listinfo/tcpm
- [tcpm] Comments on TCP-AO Draft LANGE Andrew
- Re: [tcpm] Comments on TCP-AO Draft Eddy, Wesley M. (GRC-RCN0)[VZ]
- Re: [tcpm] Comments on TCP-AO Draft Joe Touch
- Re: [tcpm] Comments on TCP-AO Draft Gregory M. Lebovitz
- Re: [tcpm] Comments on TCP-AO Draft Gregory M. Lebovitz
- Re: [tcpm] Comments on TCP-AO Draft Eddy, Wesley M. (GRC-RCN0)[VZ]
- Re: [tcpm] Comments on TCP-AO Draft LANGE Andrew
- Re: [tcpm] Comments on TCP-AO Draft Eric Rescorla