IETF Logo Mail Archive

Re: [tcpm] [Technical Errata Reported] RFC5925 (7135)

Leonard Crestez <cdleonard@gmail.com> Sat, 24 September 2022 13:37 UTC

Return-Path: <cdleonard@gmail.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DB24C1522AF for <tcpm@ietfa.amsl.com>; Sat, 24 Sep 2022 06:37:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GMqZ1e8K251L for <tcpm@ietfa.amsl.com>; Sat, 24 Sep 2022 06:37:23 -0700 (PDT)
Received: from mail-ej1-x631.google.com (mail-ej1-x631.google.com [IPv6:2a00:1450:4864:20::631]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FFF8C1524B1 for <tcpm@ietf.org>; Sat, 24 Sep 2022 06:37:23 -0700 (PDT)
Received: by mail-ej1-x631.google.com with SMTP id a26so5809347ejc.4 for <tcpm@ietf.org>; Sat, 24 Sep 2022 06:37:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date; bh=TpiXgpF6/QSrOH4XW8GtQk51U4bGAFZvpX/bF84EB3k=; b=X6gPRI2QcT5IzHt5fo2sbFWcYe9z0PoCPLHe3CDdI4Ha2cI6Zk+u5nhH5oZOXJ9HlN pVqDsLxV4PL2u6M3baFnTRD8XZs8aJnpbhBr5GiujX77ZQ7PlKwAeWtxGiirQD0PflGB vRkzlzcmNwgq/jM51zJa+UwJbrpMjU5wpbULa/LLbrX/NWI50F9I1LXY1rR3GudsyPlb UYPaWXHI+6TNVD8gqNUUTqdBA350lv5QdefA7j2y8G8QCAK+bZER5nPnE0im8n/tIGeN 0TdeorSe268W3TFo9+hqvbPSxS3ttBb6Uh0+FwwqqFRWj1bCZoMWVrgafty5FiO9GAAR kdoA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date; bh=TpiXgpF6/QSrOH4XW8GtQk51U4bGAFZvpX/bF84EB3k=; b=HxJOjYF/AuC9WH3exik9ix0EWaYPbsuEg1xJlJKCrGHbI7hQ8IAM5+84PNKkvNJQ6s QsED0WYw3aT9AJjCcEpTb+irLNDtwg0NvYgmTBBskEQPi7TR2L1zX0wteRu5FsLQ7MSP EGcTIAdhsTMo4AekMqGBFfebK6o9tpFXqr2OmqyXmowNo7gOuCBJfCAQ6w4h8de769zP AteUkbaTfJr+kpoAbGVb/WMh6XXD4QC+i1sM+Rjjr9HxVNi6vLU+P9jxTGB/1EIA6hg/ YrwKCxUuadEMUsbRx1m235eHzaT6URjKEaxAbTdOqeE5GbJMveBGN6jV1g/MEtGxKBQ3 mHgw==
X-Gm-Message-State: ACrzQf0EzosI2j/XPqGZ1aXVj5QmXfpZv9Tv/T7SS8g2vOvBwwn6Df4Y jMRqt4fnsGE8ikNnJOz6dEo=
X-Google-Smtp-Source: AMsMyM7h/2kpt5TvSYa9e/tpozMnobrPL3CoH4EURjry0XKcXuou2JCT10bHmFQ/Bcw9FYGnPNVh0A==
X-Received: by 2002:a17:906:a4a:b0:782:686d:a1b6 with SMTP id x10-20020a1709060a4a00b00782686da1b6mr9939312ejf.232.1664026640823; Sat, 24 Sep 2022 06:37:20 -0700 (PDT)
Received: from ?IPV6:2a04:241e:502:a09c:7a72:eb3e:90d0:b446? ([2a04:241e:502:a09c:7a72:eb3e:90d0:b446]) by smtp.gmail.com with ESMTPSA id p16-20020a1709060e9000b007707ec25071sm5404985ejf.220.2022.09.24.06.37.19 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 24 Sep 2022 06:37:20 -0700 (PDT)
Message-ID: <5c4b3a52-259d-08bd-8db8-59a49c6d9504@gmail.com>
Date: Sat, 24 Sep 2022 16:37:18 +0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
Content-Language: en-US
To: Joe Touch <touch@strayalpha.com>, "Natarajan, Venkatesh (HP-Networking)" <venkatesh.natarajan@hpe.com>
Cc: RFC Errata System <rfc-editor@rfc-editor.org>, Allison Mankin <mankin@psg.com>, Ron Bonica <rbonica@juniper.net>, Martin Duke <martin.h.duke@gmail.com>, Zaheduzzaman Sarker <zaheduzzaman.sarker@ericsson.com>, Yoshifumi Nishida <nsd.ietf@gmail.com>, Michael Tuexen <tuexen@fh-muenster.de>, ianswett@google.com, tcpm@ietf.org, Dmitry Safonov <dima@arista.com>, Salam Noureddine <noureddine@arista.com>, Francesco Ruggeri <fruggeri@arista.com>, Philip Paeps <philip@trouble.is>
References: <DS7PR84MB3061E20930DCEF5E5C867483F74C9@DS7PR84MB3061.NAMPRD84.PROD.OUTLOOK.COM> <7C3A53C8-7D86-410A-BBC5-737546127E14@strayalpha.com>
From: Leonard Crestez <cdleonard@gmail.com>
In-Reply-To: <7C3A53C8-7D86-410A-BBC5-737546127E14@strayalpha.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/RA60F7KGUX3v5j6MOcEPLSxJnfU>
X-Mailman-Approved-At: Sat, 24 Sep 2022 08:58:18 -0700
Subject: Re: [tcpm] [Technical Errata Reported] RFC5925 (7135)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Sep 2022 13:37:28 -0000

Hello,

These questions were raised partially in the context of my 
implementation for TCP-AO for Linux, which you can find here:

https://lore.kernel.org/netdev/cover.1662361354.git.cdleonard@gmail.com/

I was contacted by the Aruba folks privately regarding my 
implementations and it makes sense to also respond publicly.

My implementation will accept unexpected AO signatures by default (as 
required by the RFC) and supports an TCP_AUTHOPT_FLAG_REJECT_UNEXPECTED 
to reject everything. It aligns with the expected behavior described by 
Joe Touch earlier.

My opinion after studying and implementing this RFC is that this 
particular quirk of the RFC can't actually be used for anything useful - 
at most you go from "Signed SYN / Drop" to "Signed SYN / Unsigned 
SYN-ACK / DROP". I don't understand the rationale.

Documentation from cisco describe additional flags, which I believe 
Aruba is trying to implement:

* accept-ao-mismatch-connections - "option to accept the connection as 
non-TCP AO connection when receives a connection from peer without TCP 
AO option".

This behavior is not described by RFC and seems to completely defeat the 
security provided by TCP-AO by accepting all unsigned packets. There 
does not appear to be any usefulness outside of debugging

* accept-ao-mismatch - "This flag indicates whether the receiver should 
accept segments for which the MAC in the incoming TCP AO does not match 
the MAC generated on the receiver"

This again seems to be a debug flag which "accepts everything".

My implementation linux does not support these features and I don't 
actually see any valid usecase beyond debugging.

I also added some folks from Arista who have a different competing 
implementation so that they are aware of this discussion.

--
Regards,
Leonard

On 9/20/22 12:08, Joe Touch wrote:
> Every RFC could have *some* additional discussion that could benefit 
> *someone*. There’s no mechanism for that, other than this list, which is 
> archived already.
> 
> Joe
> 
>> On Sep 19, 2022, at 9:49 PM, Natarajan, Venkatesh (HP-Networking) 
>> <venkatesh.natarajan@hpe.com> wrote:
>>
>> 
>>
>> Thanks Joe for your explanation. My only request at this point would 
>> be that while we don’t have the errata published, I think this 
>> discussion will benefit others in some way when they try to implement 
>> this RFC. Can some excerpt or a summary of this discussion be kept in 
>> some form so that this is clear to others as well?
>>
>> -Venkatesh
>>
>> *From: *Joe Touch <touch@strayalpha.com>
>> *Date: *Tuesday, 20 September 2022 at 2:44 AM
>> *To: *Natarajan, Venkatesh (HP-Networking) <venkatesh.natarajan@hpe.com>
>> *Cc: *RFC Errata System <rfc-editor@rfc-editor.org>, Allison Mankin 
>> <mankin@psg.com>, Ron Bonica <rbonica@juniper.net>, Martin Duke 
>> <martin.h.duke@gmail.com>, Zaheduzzaman Sarker 
>> <zaheduzzaman.sarker@ericsson.com>, Yoshifumi Nishida 
>> <nsd.ietf@gmail.com>, Michael Tuexen <tuexen@fh-muenster.de>, 
>> ianswett@google.com <ianswett@google.com>, tcpm@ietf.org <tcpm@ietf.org>
>> *Subject: *Re: [tcpm] [Technical Errata Reported] RFC5925 (7135)
>>
>> Yes, the connection proceeds past the MKT match step but not the MAC 
>> validation step.
>>
>> Joe
>>
>>
>>
>>     On Sep 19, 2022, at 11:34 AM, Natarajan, Venkatesh (HP-Networking)
>>     <venkatesh.natarajan@hpe.com> wrote:
>>
>>     
>>
>>     Ok, I think I get what you are saying..
>>
>>     Just to close this with your confirmation,
>>
>>     >>>In case 3 below, the MKT check will accept the segment but the key check will fail in later steps of the processing.
>>
>>     Though the connection will succeed the session will fail beyond
>>     the point of connection establishment as the tcp-ao hash check
>>     will fail??
>>
>>     -Venkatesh
>>
>>     *From: *touch@strayalpha.com <touch@strayalpha.com>
>>     *Date: *Monday, 19 September 2022 at 8:18 PM
>>     *To: *Natarajan, Venkatesh (HP-Networking)
>>     <venkatesh.natarajan@hpe.com>
>>     *Cc: *RFC Errata System <rfc-editor@rfc-editor.org>, Allison
>>     Mankin <mankin@psg.com>, Ron Bonica <rbonica@juniper.net>, Martin
>>     Duke <martin.h.duke@gmail.com>, Zaheduzzaman Sarker
>>     <Zaheduzzaman.Sarker@ericsson.com>, Yoshifumi Nishida
>>     <nsd.ietf@gmail.com>, Michael Tuexen <tuexen@fh-muenster.de>,
>>     ianswett@google.com <ianswett@google.com>, tcpm@ietf.org
>>     <tcpm@ietf.org>
>>     *Subject: *Re: [tcpm] [Technical Errata Reported] RFC5925 (7135)
>>
>>     Hi, Venkatesh,
>>
>>     TCP-AO knows whether to protect a connection at all by the
>>     presence of a match MKT. That’s what the existing text explains.
>>     It says nothing about the key check.
>>
>>     In a protected connection, TCP-AO knows what to do based on
>>     whether the key matches. If an MKT matches but the key fails, the
>>     segment will be dropped and the connection won’t be established.
>>     That’s already explained elsewhere in the doc.
>>
>>     In case 3 below, the MKT check will accept the segment but the key
>>     check will fail in later steps of the processing.
>>
>>     In case 4 below, which side accepts the connection is explained by
>>     the existing text.
>>
>>     In the first sentence, the added  “not matching an MKT” text is
>>     not needed because is that is already what happens when no MKT is
>>     available (a match cannot occur to an item that doesn’t exist).
>>     That doesn’t need over explanation.
>>
>>     The sentence added is incorrect: “In this mode ofoperation, both
>>     the endpoints will not perform TCP-AO validation.”  Each endpoint
>>     makes this decision only for incoming connection establishment;
>>     return packets of connections they initiate with TCP-AO will fail
>>     (due to lack of TCP-AO). There is no clarification of this point
>>     needed.
>>
>>     Joe
>>
>>     —
>>
>>     Dr. Joe Touch, temporal epistemologist
>>
>>     www.strayalpha.com <http://www.strayalpha.com>
>>
>>
>>
>>
>>         On Sep 19, 2022, at 5:40 AM, Natarajan, Venkatesh
>>         (HP-Networking) <venkatesh.natarajan@hpe.com
>>         <mailto:venkatesh.natarajan@hpe.com>> wrote:
>>
>>         Hi Joe,
>>
>>         Sorry I am still not following. I think there is a condition
>>         that is missed. I have captured the permutation/combination in
>>         a table  where both Peer-1 and Peer-2 are TCP-AO capable and
>>         implemented in s/w.
>>
>>         |+-----+-------------------------+-------------------------+--------------------------------+--------------------------------------+|
>>
>>         ||     | Peer-1                  | Peer-2                  |
>>         Expected Behavior              |
>>         Comments                             ||
>>
>>         |+=====+=========================+=========================+================================+======================================+|
>>
>>         ||     |                         |                        
>>         |                               
>>         |                                      ||
>>
>>         || 1   | No-TCP-AO configured    | No TCP-AO Configured    |
>>         Vanilla TCP Session            | No TCP-AO but connection
>>         establishes ||
>>
>>         |+-----+-------------------------+-------------------------+--------------------------------+--------------------------------------+|
>>
>>         ||     | TCP-AO Configured with  | TCP-AO Configured with  |
>>         TCP-AO session                 | TCP-AO and connection
>>         establishes.   ||
>>
>>         || 2   | Key1                    | Key1                   
>>         |                               
>>         |                                      ||
>>
>>         |+-----+-------------------------+-------------------------+--------------------------------+--------------------------------------+|
>>
>>         ||     | TCP-AO configured with  | TCP-AO configured with  |
>>         Peer-2 will accept connection  | The segments will be accepted
>>         by     ||
>>
>>         ||     | valid Key-1             | valid Key-2             |
>>         from Peer-1 by default for     | default even if there is a
>>         mismatch  ||
>>
>>         ||     | (send-id=recv-id=1)     | (send-id=recv-id=2)     |
>>         mis-match of key               | on
>>         both-ends.                        ||
>>
>>         ||     |                         |                        
>>         |                                | Agreed, if the default
>>         behaviour at  ||
>>
>>         ||     |                         |                         |
>>         Peer-1 will accept connection  | either peer is changed,
>>         the          ||
>>
>>         ||     |                         |                         |
>>         from Peer-1 by default for     | connection will not be
>>         established.  ||
>>
>>         ||     |                         |                         |
>>         mismatch of key.              
>>         |                                      ||
>>
>>         || 3   |                         |                         |
>>                                        | RFC does explain this
>>         point.         ||
>>
>>         |+-----+-------------------------+-------------------------+--------------------------------+--------------------------------------+|
>>
>>         ||     | TCP-AO configured with  | No TCP-AO configured    |
>>         Peer-2 will accept segments    | The point I have made is for
>>         this    ||
>>
>>         ||     | a valid Key-1           |                         |
>>         if it ignores TCP-AO option.   |
>>         condition                            ||
>>
>>         ||     |                         |                         |
>>         Peer-1 will reject segments   
>>         |                                      ||
>>
>>         || 4   |                         |                         |
>>         from Peer-2 (No TCP-AO option)
>>         |                                      ||
>>
>>         |+-----+-------------------------+-------------------------+--------------------------------+--------------------------------------+|
>>
>>         If (3) is allowed why not (4). They both have similar
>>          security exposure if not the same.
>>
>>         -Venkatesh
>>
>>         *From:*touch@strayalpha.com
>>         <mailto:touch@strayalpha.com><touch@strayalpha.com
>>         <mailto:touch@strayalpha.com>>
>>         *Date:*Sunday, 18 September 2022 at 11:23 PM
>>         *To:*Natarajan, Venkatesh (HP-Networking)
>>         <venkatesh.natarajan@hpe.com <mailto:venkatesh.natarajan@hpe.com>>
>>         *Cc:*RFC Errata System <rfc-editor@rfc-editor.org
>>         <mailto:rfc-editor@rfc-editor.org>>, Allison Mankin
>>         <mankin@psg.com <mailto:mankin@psg.com>>, Ron Bonica
>>         <rbonica@juniper.net <mailto:rbonica@juniper.net>>, Martin
>>         Duke <martin.h.duke@gmail.com
>>         <mailto:martin.h.duke@gmail.com>>, Zaheduzzaman Sarker
>>         <Zaheduzzaman.Sarker@ericsson.com
>>         <mailto:Zaheduzzaman.Sarker@ericsson.com>>, Yoshifumi Nishida
>>         <nsd.ietf@gmail.com <mailto:nsd.ietf@gmail.com>>, Michael
>>         Tuexen <tuexen@fh-muenster.de
>>         <mailto:tuexen@fh-muenster.de>>,ianswett@google.com
>>         <mailto:ianswett@google.com><ianswett@google.com
>>         <mailto:ianswett@google.com>>,tcpm@ietf.org
>>         <mailto:tcpm@ietf.org><tcpm@ietf.org <mailto:tcpm@ietf.org>>
>>         *Subject:*Re: [tcpm] [Technical Errata Reported] RFC5925 (7135)
>>
>>         Hi, Venkatesh,
>>
>>         TCP-AO is designed so that it requires a MKT to operate - even
>>         to discard traffic that lacks TCP-AO headers.
>>
>>         That means that TCP’s behavior doesn’t change UNLESS there’s
>>         an MKT. So anything that matches no MKT is allowed, by default
>>         - even if TCP-AO is in the header.
>>
>>         That’s intentional - it’s “opt-in” on both sides. Let’s look
>>         at the 4 cases, where “client” implies the party initiation
>>         the connection. Assume both sides implement TCP-AO:
>>
>>         - client and server do not have MKTs at all
>>
>>         neither side will match their MKTs, TCP-AO is not used and the
>>         connection proceeds as usual
>>
>>         - client has an MKT that matches, but not the server
>>
>>         Client sends TCP-AO, but server doesn’t check and sends a
>>         SYN-ACK without TCP-AO
>>
>>         Client will now discard any returning packets because they
>>         won’t have TCP-AO
>>
>>         The connection will fail
>>
>>         - client lacks an MKT but server has an MKT that matches
>>
>>         Client sends without TCP-AO, but SYN matches an MKT
>>
>>         Server will drop the SYN because it matches an MKT but fails
>>         the TCP-AO check (it has to - it has no TCP-AO option)
>>
>>         connection will fail
>>
>>         - both sides have MTS that match
>>
>>         everything works
>>
>>         So we don’t need to change the text to handle the case where
>>         the endpoints differ in whether they want to use TCP-AO on a
>>         connection.
>>
>>         The “default accept” is per side, but the total effect is
>>         “default deny unless both sides use it and have the right keys”.
>>
>>         Joe
>>
>>         —
>>
>>         Dr. Joe Touch, temporal epistemologist
>>
>>         www.strayalpha.com <http://www.strayalpha.com/>
>>
>>
>>
>>
>>
>>             On Sep 18, 2022, at 5:31 AM, Natarajan, Venkatesh
>>             (HP-Networking) <venkatesh.natarajan@hpe.com
>>             <mailto:venkatesh.natarajan@hpe.com>> wrote:
>>
>>             Hi Joe,
>>
>>             Thank you for reviewing the Errata submission.
>>
>>             The whole point of having a default-accept for a MKT
>>             mismatch is to allow a mismatch-key-TCP-AO connection
>>             establishment even if the TCP-AO was the intended use.  If
>>             only one endpoint between the two is configured for TCP-AO
>>             , then also it is the same condition where there is no
>>             authentication. I do not understand the differentiation
>>             that is being brought out by the 7.3 section in the RFC
>>             for allowing a mismatch-key tcp-ao and when the tcp-ao
>>             option itself is not present. How is one different from
>>             the other in term of security. Both are offering
>>             unsecured/unprotected connection.
>>
>>             What do you think is the reason for a unsecure connection
>>             be allowed by default?  I can reason to some extent that
>>             such a behavior be implemented iff there is a transition
>>             period for  Non-TCP-AO to TCP-AO and say the server has
>>             migrated to TCP-AO but some of the clients are yet to be
>>             upgraded/migrated to use TCP-AO. Its in this mode that the
>>             acceptance of a connection from a non-tcp-ao client
>>             (segment having no-tcp-oa option) even makes sense.
>>
>>             -Venkatesh
>>
>>             *From:*touch@strayalpha.com
>>             <mailto:touch@strayalpha.com><touch@strayalpha.com
>>             <mailto:touch@strayalpha.com>>
>>             *Date:*Sunday, 18 September 2022 at 5:33 AM
>>             *To:*RFC Errata System <rfc-editor@rfc-editor.org
>>             <mailto:rfc-editor@rfc-editor.org>>
>>             *Cc:*Dr. Joe Touch <touch@isi.edu <mailto:touch@isi.edu>>,
>>             Allison Mankin <mankin@psg.com <mailto:mankin@psg.com>>,
>>             Ron Bonica <rbonica@juniper.net
>>             <mailto:rbonica@juniper.net>>, Martin Duke
>>             <martin.h.duke@gmail.com
>>             <mailto:martin.h.duke@gmail.com>>, Zaheduzzaman Sarker
>>             <Zaheduzzaman.Sarker@ericsson.com
>>             <mailto:Zaheduzzaman.Sarker@ericsson.com>>, Yoshifumi
>>             Nishida <nsd.ietf@gmail.com <mailto:nsd.ietf@gmail.com>>,
>>             Michael Tuexen <tuexen@fh-muenster.de
>>             <mailto:tuexen@fh-muenster.de>>,ianswett@google.com
>>             <mailto:ianswett@google.com><ianswett@google.com
>>             <mailto:ianswett@google.com>>, Natarajan, Venkatesh
>>             (HP-Networking) <venkatesh.natarajan@hpe.com
>>             <mailto:venkatesh.natarajan@hpe.com>>,tcpm@ietf.org
>>             <mailto:tcpm@ietf.org><tcpm@ietf.org <mailto:tcpm@ietf.org>>
>>             *Subject:*Re: [tcpm] [Technical Errata Reported] RFC5925
>>             (7135)
>>
>>             Hi, all,
>>
>>             I disagree with this errata.
>>
>>             The decision is based on whether the segments match an
>>             MKT. If TCP-AO is required, an MKT would have been
>>             configured; packets with the option would match the MKT
>>             and proceed. Packets without the option would not match
>>             the MKT - because an MKT requires info in the option.
>>
>>             Recommend reject.
>>
>>             Joe
>>
>>             —
>>
>>             Dr. Joe Touch, temporal epistemologist
>>
>>             www.strayalpha.com <http://www.strayalpha.com/>
>>
>>
>>
>>
>>                 On Sep 16, 2022, at 1:31 AM, RFC Errata System
>>                 <rfc-editor@rfc-editor.org
>>                 <mailto:rfc-editor@rfc-editor.org>> wrote:
>>
>>                 The following errata report has been submitted for
>>                 RFC5925,
>>                 "The TCP Authentication Option".
>>
>>                 --------------------------------------
>>                 You may review the report below and at:
>>                 https://www.rfc-editor.org/errata/eid7135
>>                 <https://www.rfc-editor.org/errata/eid7135>
>>
>>                 --------------------------------------
>>                 Type: Technical
>>                 Reported by: Venkatesh Natarajan
>>                 <venkatesh.natarajan@hpe.com
>>                 <mailto:venkatesh.natarajan@hpe.com>>
>>
>>                 Section: 7.3
>>
>>                 Original Text
>>                 -------------
>>
>>
>>                         A TCP-AO implementation MUST allow for
>>                         configuration of the
>>
>>                   behavior of segments with TCP-AO but that do not
>>                 match an MKT.  The
>>                   initial default of this configuration SHOULD be to
>>                 silently accept
>>                   such connections.  If this is not the desired case,
>>                 an MKT can be
>>                   included to match such connections, or the
>>                 connection can indicate
>>                   that TCP-AO is required.  Alternately, the
>>                 configuration can be
>>                   changed to discard segments with the AO option not
>>                 matching an MKT.
>>
>>                 Corrected Text
>>                 --------------
>>
>>
>>                         A TCP-AO implementation MUST allow for
>>                         configuration of the
>>
>>                   behavior of segments with TCP-AO but that do not
>>                 match any MKT or
>>                   no MKT is available. The initial default of this
>>                 configuration
>>                   SHOULD be to silently accept such connections. In
>>                 this mode of
>>                   operation, both the endpoints will not perform
>>                 TCP-AO validation.
>>                   If this is not the desired case, an MKT can be
>>                 included to match such
>>                   connections, or the connection can indicate that
>>                 TCP-AO is required.
>>                   Alternately, the configuration can be changed to
>>                 discard segments
>>                   with the AO option not matching an MKT.
>>
>>                 Notes
>>                 -----
>>                 The RFC does not clearly draw out the distinction
>>                 between treatment of segments with TCP-AO and without
>>                 TCP-AO option.
>>                 Note that in the case of MKT mismatch as per existing
>>                 RFC text, if either endpoint does TCP-AO validation,
>>                 the session would not get established.
>>
>>                 Instructions:
>>                 -------------
>>                 This erratum is currently posted as "Reported". If
>>                 necessary, please
>>                 use "Reply All" to discuss whether it should be
>>                 verified or
>>                 rejected. When a decision is reached, the verifying party
>>                 can log in to change the status and edit the report,
>>                 if necessary.
>>
>>                 --------------------------------------
>>                 RFC5925 (draft-ietf-tcpm-tcp-auth-opt-11)
>>                 --------------------------------------
>>                 Title               : The TCP Authentication Option
>>                 Publication Date    : June 2010
>>                 Author(s)           : J. Touch, A. Mankin, R. Bonica
>>                 Category            : PROPOSED STANDARD
>>                 Source              : TCP Maintenance and Minor Extensions
>>                 Area                : Transport
>>                 Stream              : IETF
>>                 Verifying Party     : IESG
>>
>>                 _______________________________________________
>>                 tcpm mailing list
>>                 tcpm@ietf.org <mailto:tcpm@ietf.org>
>>                 https://www.ietf.org/mailman/listinfo/tcpm
>>                 <https://www.ietf.org/mailman/listinfo/tcpm>
>>

v2.23.0 | Report a Bug | By Email