IETF Logo Mail Archive

Re: [tcpm] status of TCP-MD5 after TCP-AO publication

"Smith, Donald" <Donald.Smith@qwest.com> Tue, 04 August 2009 16:26 UTC

Return-Path: <Donald.Smith@qwest.com>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B1D4F3A6CDC; Tue, 4 Aug 2009 09:26:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gqUzZEuZEbQZ; Tue, 4 Aug 2009 09:26:51 -0700 (PDT)
Received: from sudnp799.qwest.com (sudnp799.qwest.com [155.70.32.99]) by core3.amsl.com (Postfix) with ESMTP id B34F13A6A9F; Tue, 4 Aug 2009 09:26:51 -0700 (PDT)
Received: from suomp61i.qintra.com (suomp61i.qintra.com [151.117.69.28]) by sudnp799.qwest.com (8.14.0/8.14.0) with ESMTP id n74GQrhS009868; Tue, 4 Aug 2009 10:26:53 -0600 (MDT)
Received: from qtdenexhtm21.AD.QINTRA.COM (localhost [127.0.0.1]) by suomp61i.qintra.com (8.14.0/8.14.0) with ESMTP id n74GQkJH026698; Tue, 4 Aug 2009 11:26:48 -0500 (CDT)
Received: from qtdenexmbm24.AD.QINTRA.COM ([151.119.91.226]) by qtdenexhtm21.AD.QINTRA.COM ([151.119.91.230]) with mapi; Tue, 4 Aug 2009 10:26:46 -0600
From: "Smith, Donald" <Donald.Smith@qwest.com>
To: 'Iljitsch van Beijnum' <iljitsch@muada.com>, 'Ron Bonica' <rbonica@juniper.net>
Date: Tue, 04 Aug 2009 10:26:45 -0600
Thread-Topic: [tcpm] status of TCP-MD5 after TCP-AO publication
Thread-Index: AcoVHCcZ8JwlPIP3Qw6VTNwcE8WB5AAAMtNQ
Message-ID: <B01905DA0C7CDC478F42870679DF0F100599C37D03@qtdenexmbm24.AD.QINTRA.COM>
References: <6BB76CFA-4134-4D3E-BE20-3A90A5111CBD@nokia.com><FB33B8FD-308B-4 867-902E-131382969C35@muada.com><4A777220.3070507@juniper.net> <75E968CA-1D9A-40BD-9C3E-534518B13BCF@muada.com>
In-Reply-To: <75E968CA-1D9A-40BD-9C3E-534518B13BCF@muada.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "'tcpm@ietf.org'" <tcpm@ietf.org>, "'iesg@ietf.org IESG'" <iesg@ietf.org>
Subject: Re: [tcpm] status of TCP-MD5 after TCP-AO publication
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Aug 2009 16:26:52 -0000

I believe the rfc2385 should be modified.

http://www.ietf.org/rfc/rfc2385.txt
4.1
   A connectionless reset will be ignored by the receiver of the reset,
   since the originator of that reset does not know the key, and so
   cannot generate the proper signature for the segment.  This means,
   for example, that connection attempts by a TCP which is generating
   signatures to a port with no listener will time out instead of being
   refused.  Similarly, resets generated by a TCP in response to
   segments sent on a stale connection will also be ignored.
   Operationally this can be a problem since resets help BGP recover
   quickly from peer crashes.



An authenticationless reset MUST be ignored by the receiver of the reset.
The originator of that reset knows the key associated with their bgp neighbor and SHOULD use the key to generate 
an authenticated reset if that session has been terminated for some reason.
This means, for example, that connection attempts by a TCP which is generating
signatures to a port with no listener could be refused with a authenticated reset instead of being timed out.
Operationally this would be an improvement over the current standard since resets help BGP recover
quickly from peer crashes.



The current rfc compliant behavior doesn't make authenticated reset work, it makes ALL RESETS fail.
We could just as well have a flag that says ignore resets for bgp. It would have the same value as today's rfc compliant router implementations.

(coffee != sleep) & (!coffee == sleep)
Donald.Smith@qwest.com gcia   

> -----Original Message-----
> From: tcpm-bounces@ietf.org [mailto:tcpm-bounces@ietf.org] On 
> Behalf Of Iljitsch van Beijnum
> Sent: Tuesday, August 04, 2009 9:56 AM
> To: Ron Bonica
> Cc: tcpm@ietf.org; iesg@ietf.org IESG
> Subject: Re: [tcpm] status of TCP-MD5 after TCP-AO publication
> 
> On 4 aug 2009, at 1:26, Ron Bonica wrote:
> 
> > The HISTORIC nomenclature doesn't mean that there is no longer an
> > installed base. It just means that something more recent is 
> available.
> 
> I still think it's premature to change the status of RFC 2385 
> before a  
> replacement is widely available operationally.
> 
> And yes, that can take a decade, see 32-bit AS numbers.
> 
> Iljitsch
> _______________________________________________
> tcpm mailing list
> tcpm@ietf.org
> https://www.ietf.org/mailman/listinfo/tcpm
>

v2.23.0 | Report a Bug | By Email