Re: [tcpm] Comments for draft-ietf-tcpm-yang-tcp-00

Mahesh Jethanandani <mjethanandani@gmail.com> Tue, 03 November 2020 17:11 UTC


Hi Juhamatti,

> On Nov 1, 2020, at 1:06 AM, Juhamatti Kuusisaari <juhamatk@gmail.com> wrote:
> 
> Hello,
> 
> My comments included below apply also to draft-ietf-tcpm-yang-tcp-00.
> 
> In brief:
> * include-tcp-options -> ignore-tcp-options with default false
> * accept-ao-mismatch -> accept-key-mismatch
> 
> BR,
> --
> Juhamatti
> 
> 
> ---------- Forwarded message ---------
> From: Juhamatti Kuusisaari <juhamatk@gmail.com>
> Date: Fri, 18 Sep 2020 at 11:53
> Subject: [tcpm] Comments for draft-scharf-tcpm-yang-tcp-06
> To: tcpm IETF list <tcpm@ietf.org>, Scharf, Michael
> <Michael.Scharf@hs-esslingen.de>
> 
> 
> Hello,
> 
> I read through draft-scharf-tcpm-yang-tcp-06 and overall it looks fine to me.
> 
> Nevertheless, there are a couple of items that may need
> clarifications/improvements.
> 
> (1) I believe "leaf include-tcp-options" should be "leaf
> ignore-tcp-options" with a false default as the options are included
> by default in the RFC 5925. In my opinion, this would better emphasize
> the fact that options really should be included by default and not
> including them should be a special case. Change suggestion in detail
> below:
> 
>      leaf include-tcp-options {
>        type boolean;
>        must "../enable-ao = 'true'";
>        description
>          "Include TCP options in HMAC calculation.";
>      }
> =>
>      leaf ignore-tcp-options {
>        type boolean;
>        default "false";
>        must "../enable-ao = 'true'";
>        description
>          "Ignore TCP options in MAC calculation.";
>      }
> 

Would it not be simple to add a ‘default true’ to ‘include-tcp-options’ to achieve the same result? Somehow my head does not comprehend a double negative very well :-).

> Please also note the "HMAC"->"MAC" change suggestion. And yes, I do
> realize that a default could be added to the original "include" leaf.
> After pondering about this, I do think "ignore" leaf would be a better
> end result for the reasons I mentioned above.
> 
> (2) There is now a leaf that says:
> 
>      leaf accept-ao-mismatch {
>        type boolean;
>        must "../enable-ao = 'true'";
>        description
>          "Accept packets with HMAC mismatch.";
>      }
> 
> It is true that RFC 5925 allows non-existing MKT connections that
> should be accepted. Then again, the above configuration and its
> description looks to me that any mismatch would be accepted. So, maybe
> a configuration setting better reflecting RFC 5925 would be something
> on the lines of
> 
>      leaf accept-key-mismatch {
>        type boolean;
>        must "../enable-ao = 'true'";
>        description
>          "Accept TCP segments with a Master Key Tuple (MKT) that is
>           not configured.";
>      }
> 
> As this configuration option does not have such a strong default as
> the former one, I do not see a need to change its logic otherwise nor
> add a default. I would assume that most security aware users would
> have "false" there as a setting - especially those users that would
> use a YANG model to do the configuration.

I am fine with making this change.

Thanks

> 
> Best regards,
> --
> Juhamatti
> 

Mahesh Jethanandani
mjethanandani@gmail.com
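Added example (my own, not code from the draft or from either poster): a small Python model of what the two leaves discussed above control. It shows how `include-tcp-options` (with Mahesh's `default true`) or `ignore-tcp-options` (with `default false`) map to the same MKT option flag, and how that flag changes the options portion of the TCP-AO MAC input per RFC 5925 section 5.1. The option bytes, the key and the function names are constructed for the example.

```python
import hmac
import hashlib

TCP_AO_KIND = 29  # TCP-AO option kind, RFC 5925

# Constructed sample (not from the thread): MSS, NOP, NOP, TCP-AO (KeyID 1,
# RNextKeyID 2, 12-byte MAC of 0xAA), then End-of-Option-List padding.
SAMPLE_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x01\x01"
                  + bytes([TCP_AO_KIND, 16, 1, 2]) + b"\xaa" * 12 + b"\x00\x00")

def parse_options(raw):
    """Split a TCP options field into (kind, option bytes) tuples (TLV rules)."""
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # NOP carries no length byte
            out.append((1, raw[i:i + 1])); i += 1; continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option")
        out.append((kind, raw[i:i + raw[i + 1]])); i += raw[i + 1]
    return out

def ao_mac_coverage(raw_options, include_tcp_options):
    """Options part of the TCP-AO MAC input (RFC 5925 section 5.1).
    include_tcp_options=True: every option in order, TCP-AO's MAC field zeroed.
    False: non-AO options are skipped (not zeroed); TCP-AO itself is always covered."""
    covered = bytearray()
    for kind, opt in parse_options(raw_options):
        if kind == TCP_AO_KIND:
            covered += opt[:4] + bytes(len(opt) - 4)  # Kind, Len, KeyID, RNextKeyID, zero MAC
        elif include_tcp_options:
            covered += opt
    return bytes(covered)

def include_options_flag(cfg):
    """Map either leaf spelling from the thread to the MKT option flag. With
    'default true' on include-tcp-options or 'default false' on
    ignore-tcp-options, an empty config yields the same answer (options covered)."""
    if "ignore-tcp-options" in cfg:
        return not cfg["ignore-tcp-options"]
    return cfg.get("include-tcp-options", True)

def mac_tag(key, coverage):
    """HMAC-SHA-1-96 over the coverage (RFC 5926). The real MAC input also
    prepends the SNE, pseudo-header and TCP header, which this example omits;
    'MAC' rather than 'HMAC' because RFC 5926 also defines AES-128-CMAC-96."""
    return hmac.new(key, coverage, hashlib.sha1).digest()[:12]
```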