Re: [tcpm] tcpsecure: how strong to recommend?

Joe Touch <touch@ISI.EDU> Tue, 02 October 2007 20:30 UTC

Return-path: <tcpm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IcoNn-0008MF-7x; Tue, 02 Oct 2007 16:30:19 -0400
Received: from tcpm by megatron.ietf.org with local (Exim 4.43) id 1IcoNl-0008LB-Od for tcpm-confirm+ok@megatron.ietf.org; Tue, 02 Oct 2007 16:30:17 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IcoNk-0008Fc-PP for tcpm@ietf.org; Tue, 02 Oct 2007 16:30:17 -0400
Received: from vapor.isi.edu ([128.9.64.64]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IcoNe-0005Cf-72 for tcpm@ietf.org; Tue, 02 Oct 2007 16:30:16 -0400
Received: from [70.213.158.20] (20.sub-70-213-158.myvzw.com [70.213.158.20]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id l92KTOQ6015611; Tue, 2 Oct 2007 13:29:28 -0700 (PDT)
Message-ID: <4702AA12.2000301@isi.edu>
Date: Tue, 02 Oct 2007 13:29:06 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
Subject: Re: [tcpm] tcpsecure: how strong to recommend?
References: <0C53DCFB700D144284A584F54711EC58040A0474@xmb-sjc-21c.amer.cisco.com>
In-Reply-To: <0C53DCFB700D144284A584F54711EC58040A0474@xmb-sjc-21c.amer.cisco.com>
X-Enigmail-Version: 0.95.3
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
X-Spam-Score: 0.0 (/)
X-Scan-Signature: b5d20af10c334b36874c0264b10f59f1
Cc: tcpm@ietf.org, "Edward A. Gardner" <eag@ophidian.com>, "Mitesh Dalal \(mdalal\)" <mdalal@cisco.com>
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0942033839=="
Errors-To: tcpm-bounces@ietf.org

Notes below....

Anantha Ramaiah (ananth) wrote:
>> As a way forward, the following captures the 
>> SHOULD/SHOULD/MAY which was
>>  most supported in Chicago:
>>
>> --------------------------------------------------------------
>> -------------
>>
>> tcpsecure SHOULD be implemented in TCP stacks supporting router.
>> Notable exceptions include deployments where routers are known to use
>> other antispoofing protection, e.g., IPsec, TCP/MD5 and its 
>> successors.
>>
>> tcpsecure MAY be implemented in other TCP stacks.
>>
>> ----
> 
> 
>> within tcpsecure:
>>
>> RST protection MUST be supported
>>
>> SYN protection MUST be supported
>>
>> data segment (i.e., non-RST, non-SYN) protection MAY be supported
>>
>> -------------------------------------------
> 
> I think you got it wrong. 
> 
> Most supported in Chicago was about [SHOULD/SHOULD/MAY] WITHOUT the
> applicability statement in place.

Agreed. I was trying to capture Chicago in the bottom portion.

> It was "STANDALONE" question raised by
> the chairs for which the consensus seemed to be in favour of S/S/M.  Now
> WITH the applicability statement in place, it completely changes the
> entire equation. 

I don't think it does. Even with a qualified SHOULD on the overall set,
data segment protection is still a MAY. What it changes is the SHOULDs
on the RST and SYN to MUSTs, to say that you shouldn't implement one or
the other as desired *if* you decide to implement the set.

...
> So, the game plan moving forward is, to generate the AS and revisit the
> mitigation strengths. 

I tried to do that above.

> Also, just in case you missed, some of responses
> in this list have indicated no issues with "MUST'ing" all the
> mitigations provided there is a proper applicability statement in place.

I know - that was one of the set discussed. OK, so here's what I'm
specifically asking:

1) is the AS above reasonable?

2) regarding the RST/SYN/data components:
	- are the MUST/MUST/MAY above reasonable?
	- Or should they be SHOULD/SHOULD/MAY?
	- or something else

Joe

_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm