Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt

Joe Touch <touch@ISI.EDU> Thu, 28 August 2008 21:05 UTC

Message-ID: <48B7129E.2030409@isi.edu>
Date: Thu, 28 Aug 2008 14:03:26 -0700
From: Joe Touch <touch@ISI.EDU>
To: David Borman <david.borman@windriver.com>
References: <FE34F27F-8DDF-4C94-BC6E-E2ABF6000309@windriver.com> <B5A5E01F9387F4409E67604C0257C71E409513@NDJSEVS25A.ndc.nasa.gov> <24D2F5D3-93E7-4B64-BA96-2086F3E5754E@windriver.com>
In-Reply-To: <24D2F5D3-93E7-4B64-BA96-2086F3E5754E@windriver.com>
Cc: rrs@cisco.com, tcpm@ietf.org, "Anantha Ramaiah \(ananth\)" <ananth@cisco.com>, mdalal@cisco.com
Subject: Re: [tcpm] WGLC: draft-ietf-tcpm-tcpsecure-10.txt


Hi, all,

Some final suggestions:

--- I believe this document should include an informational reference to
IPsec and TCP-AO in the applicability statement:

   ...Examples of such TCP connections are the ones that
   tend to be long-lived and where the connection end points can be
   determined, in cases where no auxiliary anti-spoofing protection
   mechanisms like TCP MD5 [RFC2385] can be deployed.
                                    ^TCP-AO [I-D...], or IPsec [RFC4301]

--- concerns with changing TCP behavior should be noted in the
applicability statement, in particular:

   These mitigations
   MAY be implemented in other cases.

, with consideration for the potential implications noted in Section 10.

--- RFC4953 should be cited as a detailed explanation

"The feasibility of
 this methodology (without mitigations) was first shown in [SITW]."
, and is explained in detail in [RFC4953].

(retain the subsequent reference to 4953's discussion of probabilities)

---- section 1.3 can be omitted, as 4953 covers this issue in detail
already, as explained already in section 1.2

If retained, then add TCP-AO and IPsec to TCP MD5 as providing
protection in:

   For applications that can use the TCP MD5 option [RFC2385], such as
   BGP, that option makes the attacks described in this specification
   effectively impossible.

If retained, please omit "draft" from the following:

   For further details regarding the attacks and
   the existing techniques, please refer to draft [RFC4953]

-- section 10 should similarly refer to TCP-MD5 and TCP-AO where it
refers to IPsec as providing complete protection,

   The only way to fully protect a TCP connection from both on and off
   path attacks is by using either IPSEC-AH [RFC4302] or IPSEC-ESP
   [RFC4303].

IMO, it would be useful to be consistent here, and thus say:
	IPsec [RFC4301], TCP MD5 [RFC...], or TCP-AO [I-D...]

--- Section 6 should include the context of the recommendation level of
the whole document, e.g.:

   As described in the above sections, recommendation levels for RST,
   SYN and Data are tagged as SHOULD, SHOULD and MAY respectively.

All of the mitigations are subject to the overall recommendations as
indicated in the applicability statement in section Z, notably SHOULD
use where TCP is vulnerable to off-path attacks and is not otherwise
protected, and MAY elsewhere.

Joe

David Borman wrote:
> 
> Wes and I would like to start the WG Last Call for:
> 
>  Title           : Improving TCP's Robustness to Blind In-Window Attacks
>  Author(s)       : A. Ramaiah, R. Stewart & M. Dalal
>  Filename        : draft-ietf-tcpm-tcpsecure-10.txt
>  Pages           : 27
>  Date            : July 9, 2008
>  Intended Status : Proposed Standard
> 
> http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-10.txt
> 
> It is our understanding that all the feedback has been incorporated into
> this latest version and that there are no known outstanding issues with
> this document.
> 
> Please send feedback to the list, even if it is just a "yes, go ahead
> and publish".
> 
> The WGLC will end on Friday, September 5, 2009.
> 
> 
>         David Borman & Wes Eddy, TCPM WG co-chairs
> 
> 
_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm
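The RST, SYN and data mitigations whose recommendation levels the review discusses are modelled below as a receiver-side decision function. This is constructed example code added here, not code from the draft, its authors or any TCP stack; it follows the checks as published in RFC 5961 (the later form of draft-ietf-tcpm-tcpsecure), and the segment field names, the TCB dictionary and its values are assumptions.

```python
MOD = 1 << 32  # TCP sequence numbers wrap modulo 2^32

def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [RCV.NXT, RCV.NXT + RCV.WND), modulo 2^32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd

def ack_acceptable(ack, snd_una, snd_nxt, max_snd_wnd):
    """Data/ACK mitigation: SND.UNA - MAX.SND.WND <= SEG.ACK <= SND.NXT, modulo 2^32."""
    lo = (snd_una - max_snd_wnd) % MOD
    return (ack - lo) % MOD <= (snd_nxt - lo) % MOD

def segment(seq, ack=0, rst=False, syn=False):
    """Constructed segment header fields (only those the checks need)."""
    return {"seq": seq, "ack": ack, "rst": rst, "syn": syn}

def challenge_ack(tcb):
    """The ACK a receiver sends instead of acting: SEG.SEQ=SND.NXT, SEG.ACK=RCV.NXT.
    RFC 5961 also asks implementations to rate-limit these."""
    return segment(tcb["snd_nxt"], ack=tcb["rcv_nxt"])

def classify(seg, tcb):
    """Action for an incoming segment on a synchronized (ESTABLISHED) connection:
    'reset', 'challenge_ack', 'drop', 'drop_and_ack' or 'accept'."""
    if seg["rst"]:
        if not in_window(seg["seq"], tcb["rcv_nxt"], tcb["rcv_wnd"]):
            return "drop"            # outside the window: silently discard
        if seg["seq"] == tcb["rcv_nxt"]:
            return "reset"           # exact match: the peer really did reset
        return "challenge_ack"       # in-window but inexact: make the peer confirm
    if seg["syn"]:
        return "challenge_ack"       # a SYN never tears down an established connection
    if not ack_acceptable(seg["ack"], tcb["snd_una"], tcb["snd_nxt"], tcb["max_snd_wnd"]):
        return "drop_and_ack"        # ACK outside the plausible range: discard, send ACK
    if not in_window(seg["seq"], tcb["rcv_nxt"], tcb["rcv_wnd"]):
        return "drop_and_ack"        # ordinary RFC 793 sequence check (segment length ignored)
    return "accept"

# Constructed connection state: receiving at 1000, sending with 5000 still unacknowledged.
TCB = {"rcv_nxt": 1000, "rcv_wnd": 65535,
       "snd_una": 5000, "snd_nxt": 6000, "max_snd_wnd": 65535}

if __name__ == "__main__":
    for s in (segment(1000, rst=True), segment(2000, rst=True), segment(100, rst=True),
              segment(1000, syn=True), segment(1000, ack=5500), segment(1000, ack=7000)):
        print(s, "->", classify(s, TCB))
```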