Re: [tcpm] Feedback request on draft-ietf-tcpm-tcp-security

Fernando Gont <fernando@gont.com.ar> Tue, 02 March 2010 04:55 UTC

Return-Path: <fernando@gont.com.ar>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DC24E28C16A; Mon, 1 Mar 2010 20:55:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WBpPcALCrk-5; Mon, 1 Mar 2010 20:55:50 -0800 (PST)
Received: from smtp1.xmundo.net (smtp1.xmundo.net [201.216.232.80]) by core3.amsl.com (Postfix) with ESMTP id 9564E3A8BDA; Mon, 1 Mar 2010 20:55:47 -0800 (PST)
Received: from venus.xmundo.net (venus.xmundo.net [201.216.232.56]) by smtp1.xmundo.net (Postfix) with ESMTP id 3B88C6B6A63; Tue, 2 Mar 2010 01:55:53 -0300 (ART)
Received: from [192.168.0.100] (129-130-17-190.fibertel.com.ar [190.17.130.129]) (authenticated bits=0) by venus.xmundo.net (8.13.8/8.13.8) with ESMTP id o224thR4015965; Tue, 2 Mar 2010 01:55:44 -0300
Message-ID: <4B8C9A51.1000108@gont.com.ar>
Date: Tue, 02 Mar 2010 01:55:45 -0300
From: Fernando Gont <fernando@gont.com.ar>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Lars Eggert <lars.eggert@nokia.com>
References: <201003012159.WAA15069@TR-Sys.de> <C80820C2-D74A-49B4-AF22-CE16C46A9A7D@nokia.com>
In-Reply-To: <C80820C2-D74A-49B4-AF22-CE16C46A9A7D@nokia.com>
X-Enigmail-Version: 0.96.0
OpenPGP: id=D076FFF1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by milter-greylist-3.0 (venus.xmundo.net [201.216.232.56]); Tue, 02 Mar 2010 01:55:52 -0300 (ART)
Cc: ah@tr-sys.de, "tcpm@ietf.org WG" <tcpm@ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [tcpm] Feedback request on draft-ietf-tcpm-tcp-security
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2010 04:55:51 -0000

Lars Eggert wrote:

>> Do you really not want to realize that so many folks do not
>> contribute any more to TCPM because work in this WG is continually
>> obstructed?
> 
> Please back this statement up. Who are the "many folks" who have
> stopped to contribute because the WG is "obstructed"?

Some of them have made statements on the mailing-list. See, e.g., this
note by OpenBSD's Theo de Raadt, circa 2005
(http://www.ietf.org/mail-archive/web/tcpm/current/msg01233.html)

>> And maybe by the time we get anywhere, no one will care about the resulting 
>> document, because they will have already solved them (with a "draft", 
>> unfortunately): people want their problems to be solved. They don't care 
>> about labelling their products with "RFC-compliance".
> 
> OpenBSD's tcp-ip stack is not RFC compliant.
> 
> And we are very proud that it is not RFC compliant.
> 
> Beause if it was RFC compliant it would be so vulnerable to so many
> well known attacks.
> 
> IETF is so misguided these days.  Attempts at quality have been thrown
> out the window, and a couple of old farts (mostly with corporate ties)
> run the show to the detriment of a society which needs this stuff to
> work as well as possible.
> 
> Joe, it is people like you keeping TCP broken.


And this other e-mail by Theo de Raadt
(http://www.ietf.org/mail-archive/web/tcpm/current/msg01232.html)

>> For the connection-reset attack, the proposed attack-specific fix is to 
>> treat hard errors as soft errors.
>> BTW, TCP SHOULD (*not* "MUST") abort the connections.
> 
> This is just so ridicilous.
> 
> Any network stack that follows your advice is busted.
> 
> Why do you persist in being so behind the times?


P.S: This last statement by Theo was a response to Joe Touch in one of
the endless threads about the ICMP attacks draft.

Thanks,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1