IETF Logo Mail Archive

Re: [tcpm] tcp-auth-opt issue: replay protection

"Eddy, Wesley M. (GRC-RCN0)[VZ]" <wesley.m.eddy@nasa.gov> Wed, 06 August 2008 15:11 UTC

Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2D7733A6BDE; Wed, 6 Aug 2008 08:11:48 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D51543A6BD5 for <tcpm@core3.amsl.com>; Wed, 6 Aug 2008 08:11:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.038
X-Spam-Level:
X-Spam-Status: No, score=-6.038 tagged_above=-999 required=5 tests=[AWL=0.561, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7SlYPh-RBvad for <tcpm@core3.amsl.com>; Wed, 6 Aug 2008 08:11:47 -0700 (PDT)
Received: from ndjsnpf01.ndc.nasa.gov (ndjsnpf01.ndc.nasa.gov [198.117.1.121]) by core3.amsl.com (Postfix) with ESMTP id F3BB73A68F7 for <tcpm@ietf.org>; Wed, 6 Aug 2008 08:11:46 -0700 (PDT)
Received: from ndjsppt02.ndc.nasa.gov (ndjsppt02.ndc.nasa.gov [198.117.1.101]) by ndjsnpf01.ndc.nasa.gov (Postfix) with ESMTP id 0395232827C; Wed, 6 Aug 2008 10:12:07 -0500 (CDT)
Received: from ndjsxgw04.ndc.nasa.gov (ndjsxgw04.ndc.nasa.gov [129.166.32.112]) by ndjsppt02.ndc.nasa.gov (8.14.1/8.14.1) with ESMTP id m76FC66E018916; Wed, 6 Aug 2008 10:12:06 -0500
Received: from NDJSEVS25A.ndc.nasa.gov ([129.166.32.124]) by ndjsxgw04.ndc.nasa.gov with Microsoft SMTPSVC(6.0.3790.3959); Wed, 6 Aug 2008 10:12:06 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Wed, 06 Aug 2008 10:12:05 -0500
Message-ID: <B5A5E01F9387F4409E67604C0257C71E376AFA@NDJSEVS25A.ndc.nasa.gov>
In-Reply-To: <4899BD4A.9040509@isi.edu>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [tcpm] tcp-auth-opt issue: replay protection
Thread-Index: Acj31euGnaE4Gq8BR0aOJkhrzu5bigAAGPSw
References: <20080728042451.C7A174B7AD3@kilo.rtfm.com> <488DD77D.9070608@isi.edu> <20080728144721.AC9184B905A@kilo.rtfm.com> <488DE021.7070307@isi.edu> <20080728164013.422D14B9600@kilo.rtfm.com> <F32F8EC5-70C9-4A7B-A2D2-B00CA43AECFA@nokia.com> <20080730213253.B347F4D52E1@kilo.rtfm.com> <4890E9AE.3000607@isi.edu> <20080731001609.6511C4D5E34@kilo.rtfm.com> <489175BD.6040201@isi.edu> <396556a20807311010k78c22981xa0eebd1b46e9f619@mail.gmail.com> <48935983.80701@isi.edu> <3FBA635A-0473-4B58-86E2-C7523A35CE24@nokia.com><20080806133734.7721D527252@kilo.rtfm.com> <4899BD4A.9040509@isi.edu>
From: "Eddy, Wesley M. (GRC-RCN0)[VZ]" <wesley.m.eddy@nasa.gov>
To: Joe Touch <touch@ISI.EDU>, Eric Rescorla <ekr@networkresonance.com>
X-OriginalArrivalTime: 06 Aug 2008 15:12:06.0880 (UTC) FILETIME=[CA476E00:01C8F7D6]
Cc: Adam Langley <agl@imperialviolet.org>, tcpm@ietf.org
Subject: Re: [tcpm] tcp-auth-opt issue: replay protection
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org

>-----Original Message-----
>From: tcpm-bounces@ietf.org [mailto:tcpm-bounces@ietf.org] On 
>Behalf Of Joe Touch
>Sent: Wednesday, August 06, 2008 11:04 AM
>To: Eric Rescorla
>
>Eric Rescorla wrote:
>| At Wed, 6 Aug 2008 14:32:02 +0300,
>| Lars Eggert wrote:
>|> On 2008-8-1, at 21:44, ext Joe Touch wrote:
>|>> IMO: retransmitted packets would use the currently active keyID
>|>> (even if
>|>> different from what was previously transmitted).
>|> I agree. TCP retransmits previous data, not previous segments.
>|
>| I agree it should be permissible to use the new key-id, but
>| should it be required? I don't know a lot about
>| TCP stack implementations, but do any of them currently save
>| existing packets and just retransmit them? That's legal, right?
>| If so, this would break that.
>
><indiv hat on>
>Does anyone know what happens to other options? I.e., aren't timestamps
>recomputed, SACK options recalculated, etc.? It seems like the options
>need to be revisited when a segment goes out the door anyway, and a
>stack that just replays segments is what might be considered 
>"broken"...


I think you're 100% correct in assuming the options are recreated for
retransmissions.  The only stacks I've seen that store segments in
order to do a retransmission are oddball ones for teeny-tiny systems,
and they don't do any TCP options in those stacks anyways, so they
definitely would not be concerned with the Auth Option.
_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email