Re: [tcpm] tcpsecure recommendations

"Tom Petch" <nwnetworks@dial.pipex.com> Mon, 18 February 2008 18:44 UTC

Message-ID: <01bd01c87255$83c0dae0$0601a8c0@pc6>
From: "Tom Petch" <nwnetworks@dial.pipex.com>
To: <tcpm@ietf.org>, "Mark Allman" <mallman@icir.org>
References: <20080206174017.6977C36516E@lawyers.icir.org>
Date: Mon, 18 Feb 2008 18:32:00 +0100

(2) my views are the same as last time.

Tom Petch


----- Original Message ----- 
From: "Mark Allman" <mallman@icir.org>
To: <tcpm@ietf.org>
Sent: Wednesday, February 06, 2008 6:40 PM
Subject: [tcpm] tcpsecure recommendations


> It'd be good to get some opinions on the new tcpsecure version and get
> it finished.  The sticking point on this document is how strongly to
> recommend TCP stacks implement / use the three mitigations in the draft
> (to spoofed RSTs, SYNs and data segments).  We had a discussion about
> this in Chicago and also on the list.  Since it seemed that we were not
> converging because there was not WG-wide agreement on the scope of the
> document we asked the authors to generate an applicability statement.
> They did that, per a previous email from Anantha.  The AS reads:
> 
>     The mitigations presented in this document talk about some known
>     in-window attacks and the solutions to the same. The mitigations
>     suggested in this draft SHOULD (RECOMMENDED) be implemented in
>     devices where the TCP connections are most vulnerable to the attacks
>     described in this document.  Some examples of such TCP connections
>     are the ones that tend to be long-lived where the connection end
>     points can be determined, in cases where no auxiliary anti-spoofing
>     protection mechanisms like TCP MD5 can be deployed. TCP secure MAY
>     (OPTIONAL) be implemented in other cases.
> 
> We can recommend each of the mitigations with a MAY, SHOULD or MUST.  In
> Chicago we winnowed the proposals to three:
> 
>     (1) RST spoofing mitigation: MAY
>         SYN spoofing mitigation: MAY
>         data injection mitigation: MAY
> 
>     (2) RST spoofing mitigation: SHOULD
>         SYN spoofing mitigation: SHOULD
>         data injection mitigation: SHOULD
> 
>     (3) RST spoofing mitigation: SHOULD
>         SYN spoofing mitigation: SHOULD
>         data injection mitigation: MAY
> 
> Nobody has advocated for other permutations of recommendations
> (although, clearly if people like some different combination they should
> advocate away!).  
> 
> Can folks please weigh in on their feeling about how strongly we should
> recommend these mitigations given the AS above?  It'd be great to get
> this document moving and we're sort of stuck here.
> 
> Thanks,
> allman
> 
>
_______________________________________________
tcpm mailing list
tcpm@ietf.org
http://www.ietf.org/mailman/listinfo/tcpm