Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt
Joe Touch <touch@ISI.EDU> Thu, 28 August 2008 21:05 UTC
Message-ID: <48B7129E.2030409@isi.edu>
Date: Thu, 28 Aug 2008 14:03:26 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.16 (Windows/20080708)
MIME-Version: 1.0
To: David Borman <david.borman@windriver.com>
References: <FE34F27F-8DDF-4C94-BC6E-E2ABF6000309@windriver.com> <B5A5E01F9387F4409E67604C0257C71E409513@NDJSEVS25A.ndc.nasa.gov> <24D2F5D3-93E7-4B64-BA96-2086F3E5754E@windriver.com>
In-Reply-To: <24D2F5D3-93E7-4B64-BA96-2086F3E5754E@windriver.com>
Cc: rrs@cisco.com, tcpm@ietf.org, "Anantha Ramaiah (ananth)" <ananth@cisco.com>, mdalal@cisco.com
Subject: Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt
Hi, all,

Some final suggestions:

---

I believe this document should include an informational reference to IPsec and TCP-AO in the applicability statement:

    ...Examples of such TCP connections are the ones that tend to be
    long-lived and where the connection end points can be determined, in
    cases where no auxiliary anti-spoofing protection mechanisms like
    TCP MD5 [RFC2385] can be deployed.
                     ^TCP-AO [I-D...], or IPsec [RFC4301]

---

Concerns with changing TCP behavior should be noted in the applicability statement, in particular:

    These mitigations MAY be implemented in other cases.
    , with consideration for the potential implications noted in Section 10.

---

RFC4953 should be cited as a detailed explanation:

    "The feasibility of this methodology (without mitigations) was first shown in [SITW]."
    , and is explained in detail in [RFC4953].

(retain the subsequent reference to 4953's discussion of probabilities)

---

Section 1.3 can be omitted, as 4953 covers this issue in detail already, as explained already in section 1.2.

If retained, then add TCP-AO and IPsec to TCP MD5 as providing protection in:

    For applications that can use the TCP MD5 option [RFC2385], such as BGP, that option makes the attacks described in this specification effectively impossible.

If retained, please omit "draft" from the following:

    For further details regarding the attacks and the existing techniques, please refer to draft [RFC4953]

---

Section 10 should similarly refer to TCP-MD5 and TCP-AO where it refers to IPsec as providing complete protection:

    The only way to fully protect a TCP connection from both on and off path attacks is by using either IPSEC-AH [RFC4302] or IPSEC-ESP [RFC4303].

IMO, it would be useful to be consistent here, and thus say:

    IPsec [RFC4301], TCP MD5 [RFC...], or TCP-AO [I-D...]

---

Section 6 should include the context of the recommendation level of the whole document, e.g.:

    As described in the above sections, recommendation levels for RST, SYN and Data are tagged as SHOULD, SHOULD and MAY respectively.
    All of the mitigations are subject to the overall recommendations as indicated in the applicability statement in section Z, notably SHOULD use where TCP is vulnerable to off-path attacks and is not otherwise protected, and MAY elsewhere.

Joe

David Borman wrote:
>
> Wes and I would like to start the WG Last Call for:
>
>     Title           : Improving TCP's Robustness to Blind In-Window Attacks
>     Author(s)       : A. Ramaiah, R. Stewart & M. Dalal
>     Filename        : draft-ietf-tcpm-tcpsecure-10.txt
>     Pages           : 27
>     Date            : July 9, 2008
>     Intended Status : Proposed Standard
>
> http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-10.txt
>
> It is our understanding that all the feedback has been incorporated into
> this latest version and that there are no known outstanding issues with
> this document.
>
> Please send feedback to the list, even if it is just a "yes, go ahead
> and publish".
>
> The WGLC will end on Friday, September 5, 2009.
>
>
> David Borman & Wes Eddy, TCPM WG co-chairs
>
>
> _______________________________________________
> tcpm mailing list
> tcpm@ietf.org
> https://www.ietf.org/mailman/listinfo/tcpm
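The thread refers to the RST, SYN and Data mitigations only by their recommendation levels and to RFC 4953's probability discussion. The following Python model is an added illustration of the RST case and is not code from the draft, its authors, or anyone in this thread. It encodes the RST rule as published in RFC 5961 section 3.2 (the RFC this draft became): an RST exactly at RCV.NXT aborts, an RST elsewhere in the window gets a challenge ACK, anything outside the window is dropped. The receiver state, the window sizes and the exhaustive sweep are constructed for the example, and the off-path attacker is assumed to already know the connection's 4-tuple so that only the sequence number is being guessed.

```python
"""Constructed model of a blind in-window RST attack against a TCP
receiver, comparing the RFC 793 acceptance rule with the tcpsecure /
RFC 5961 section 3.2 rule. Example code, not from the draft or thread."""
from dataclasses import dataclass

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 test RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, done modulo
    2^32 so a window that straddles the wrap point is handled correctly."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


@dataclass
class Receiver:
    rcv_nxt: int  # next sequence number expected
    rcv_wnd: int  # advertised receive window (assumed value)

    def rst_legacy(self, seg_seq: int) -> str:
        """Pre-mitigation behaviour: any RST whose sequence number falls
        anywhere inside the receive window tears the connection down."""
        if seq_in_window(seg_seq, self.rcv_nxt, self.rcv_wnd):
            return "abort"
        return "drop"

    def rst_mitigated(self, seg_seq: int) -> str:
        """RFC 5961 section 3.2 behaviour: only an RST that lands exactly
        on RCV.NXT aborts. An in-window RST elsewhere provokes a challenge
        ACK; a genuine peer that really reset will answer with a correctly
        sequenced RST, while a blind attacker cannot. Out-of-window: drop."""
        if seg_seq == self.rcv_nxt:
            return "abort"
        if seq_in_window(seg_seq, self.rcv_nxt, self.rcv_wnd):
            return "challenge-ack"
        return "drop"


def blind_rst_cost(rcv_wnd: int, mitigated: bool) -> int:
    """Spoofed RSTs an attacker who knows the 4-tuple needs to be certain
    of a hit. Legacy: one probe per window-sized slice of the 2^32 space.
    Mitigated: the probe must equal RCV.NXT, so every value is a guess."""
    if mitigated:
        return SEQ_SPACE
    return -(-SEQ_SPACE // rcv_wnd)  # ceiling division


def sweep(receiver: Receiver, mitigated: bool) -> dict:
    """Exhaustive sweep with one RST at the start of each window-sized
    slice (the attack a legacy stack is vulnerable to). Returns how the
    receiver classified every probe."""
    counts = {"abort": 0, "challenge-ack": 0, "drop": 0}
    handler = receiver.rst_mitigated if mitigated else receiver.rst_legacy
    for seq in range(0, SEQ_SPACE, receiver.rcv_wnd):
        counts[handler(seq)] += 1
    return counts


if __name__ == "__main__":
    # Constructed receiver state: 64 KiB window, RCV.NXT chosen arbitrarily.
    rx = Receiver(rcv_nxt=1_000_000, rcv_wnd=65536)
    for mitigated in (False, True):
        label = "RFC 5961" if mitigated else "RFC 793"
        print(label, "probes needed:", blind_rst_cost(rx.rcv_wnd, mitigated),
              "sweep result:", sweep(rx, mitigated))
```

With a 64 KiB window the legacy rule is defeated by 65536 probes (one of which aborts the connection), while under the mitigated rule the same sweep yields a single challenge ACK and no abort; the attacker is pushed from a per-window guess to a per-sequence-number guess, which is the reduction in attack probability the draft's RFC 4953 citation is about. The model deliberately omits the extra cost of guessing the client port, which RFC 4953 also discusses.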
- [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt David Borman
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Joe Touch
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Fernando Gont
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Joe Touch
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Anantha Ramaiah (ananth)
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Fernando Gont
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Joe Touch
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Fernando Gont
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Anantha Ramaiah (ananth)
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Ted Faber
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt David Borman
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Joe Touch
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt David Borman
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Eddy, Wesley M. (GRC-RCN0)[VZ]
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Joe Touch
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt David Borman
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Joe Touch
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt David Borman
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Joe Touch
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt David Borman
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Anantha Ramaiah (ananth)
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt David Borman
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Joe Touch
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Ted Faber
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Joe Touch
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Ted Faber
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Anantha Ramaiah (ananth)
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Ted Faber
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Joe Touch
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Joe Touch
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Anantha Ramaiah (ananth)
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Joe Touch
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Ted Faber
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Joe Touch
- Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt Ted Faber