Re: [tcpm] tcpsecure recommendations
"Tom Petch" <nwnetworks@dial.pipex.com> Mon, 18 February 2008 18:44 UTC
Message-ID: <01bd01c87255$83c0dae0$0601a8c0@pc6>
From: Tom Petch <nwnetworks@dial.pipex.com>
To: tcpm@ietf.org, Mark Allman <mallman@icir.org>
References: <20080206174017.6977C36516E@lawyers.icir.org>
Date: Mon, 18 Feb 2008 18:32:00 +0100
(2)

my views are the same as last time.

Tom Petch

----- Original Message -----
From: "Mark Allman" <mallman@icir.org>
To: <tcpm@ietf.org>
Sent: Wednesday, February 06, 2008 6:40 PM
Subject: [tcpm] tcpsecure recommendations

> It'd be good to get some opinions on the new tcpsecure version and get
> it finished. The sticking point on this document is how strongly to
> recommend TCP stacks implement / use the three mitigations in the draft
> (to spoofed RSTs, SYNs and data segments). We had a discussion about
> this in Chicago and also on the list. Since it seemed that we were not
> converging because there was not WG-wide agreement on the scope of the
> document we asked the authors to generate an applicability statement.
> They did that, per a previous email from Anantha. The AS reads:
>
>     The mitigations presented in this document talks about some known
>     in-window attacks and the solutions to the same. The mitigations
>     suggested in this draft SHOULD (RECOMMENDED) be implemented in
>     devices where the TCP connections are most vulnerable to the attacks
>     described in this document. Some examples of such TCP connections
>     are the ones that tend to be long-lived where the connection end
>     points can be determined, in cases where no auxiliary anti-spoofing
>     protection mechanisms like TCP MD5 can be deployed. TCP secure MAY
>     (OPTIONAL) be implemented in other cases.
>
> We can recommend each of the mitigations with a MAY, SHOULD or MUST. In
> Chicago we winnowed the proposals to three:
>
>   (1) RST spoofing mitigation: MAY
>       SYN spoofing mitigation: MAY
>       data injection mitigation: MAY
>
>   (2) RST spoofing mitigation: SHOULD
>       SYN spoofing mitigation: SHOULD
>       data injection mitigation: SHOULD
>
>   (3) RST spoofing mitigation: SHOULD
>       SYN spoofing mitigation: SHOULD
>       data injection mitigation: MAY
>
> Nobody has advocated for other permutations of recommendations
> (although, clearly if people like some different combination they should
> advocate away!).
>
> Can folks please weigh in on their feeling about how strongly we should
> recommend these mitigations given the AS above? It'd be great to get
> this document moving and we're sort of stuck here.
>
> Thanks,
> allman