Re: [tcpm] SHA-2 auth draft on TCP-AO

Brandon Williams <brandon.williams@akamai.com> Wed, 18 June 2014 13:29 UTC

Message-ID: <53A1944F.2070003@akamai.com>
Date: Wed, 18 Jun 2014 09:29:51 -0400
From: Brandon Williams <brandon.williams@akamai.com>
To: tcpm@ietf.org
References: <CFB37264.5CEF3%sua@cisco.com>
In-Reply-To: <CFB37264.5CEF3%sua@cisco.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpm/VXE8vVeXoEKMnJoKXNNrI8f2ApY
Subject: Re: [tcpm] SHA-2 auth draft on TCP-AO

Hi Sunjeet,

The mac lengths of the algorithms specified here increase the option 
size, don't they? There is a detailed discussion of the option space 
tradeoffs for tcp-ao in rfc5925 section 7.6, which is based on the fact 
that all mac lengths would be 96 bits. An I.D. that increases the 
possible mac lengths should probably revisit that discussion.

In particular, the use of a 256 bit mac length would mean that the most 
commonly used TCP options must be discarded in favor of TCP-AO. On the 
SYN, you would have just enough room for MSS and that's it. On systems 
that word align options, there isn't even enough space available for a 
128 bit mac length on the SYN, and such systems would also be unable to 
support both timestamps and SACK.

Regards,
--Brandon

On 06/03/2014 03:21 AM, Sujeet Nayak A (sua) wrote:
> Hi,
> In the last few months, we have been seeing a lot of customer interest
> for SHA-2 based auth on TCP-AO enabled connections. In this regard, we
> (Brian Weis and myself) have posted a draft for the same:
> http://tools.ietf.org/html/draft-nayak-tcp-sha2-00
>
> Pl. review and let me know your valuable comments.
>
> Regards,
>
> Sujeet Nayak A.

-- 
Brandon Williams; Senior Principal Software Engineer
Emerging Products Engineering; Akamai Technologies Inc.
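The option-space arithmetic behind the reply above, as an added worked example that is not part of the thread or of the draft it discusses. It assumes the standard option encodings (MSS 4 bytes, window scale 3, SACK-permitted 2, timestamps 10, SACK 2 + 8 per block, TCP-AO 4 bytes of Kind/Length/KeyID/RNextKeyID plus the MAC), a 40-byte option area, and a simple "word-aligned" model in which a stack pads each option to a 4-byte boundary; the option sets chosen for the SYN and for a data segment are the example's own assumptions.

```python
# Added example: budget the 40-byte TCP option area when TCP-AO carries
# MACs of different lengths, following the reasoning of RFC 5925 section 7.6.
# Not code from the mailing-list thread or the SHA-2 draft.

TCP_OPTION_SPACE = 40  # 60-byte maximum TCP header minus the 20-byte fixed header

# Standard option lengths in bytes (Kind + Length + data).
OPTION_LEN = {
    "MSS": 4,             # RFC 793
    "WSCALE": 3,          # RFC 7323
    "SACK_PERMITTED": 2,  # RFC 2018
    "TIMESTAMPS": 10,     # RFC 7323
}


def sack_option_len(blocks: int) -> int:
    """SACK option: Kind, Length, then one 8-byte (left, right) pair per block."""
    return 2 + 8 * blocks


def tcp_ao_option_len(mac_bits: int) -> int:
    """TCP-AO option: Kind, Length, KeyID, RNextKeyID, then the MAC octets."""
    if mac_bits % 8:
        raise ValueError("MAC length must be a whole number of octets")
    return 4 + mac_bits // 8


def padded(length: int, word_align: bool) -> int:
    """Assumed alignment model: pad each option to a 4-byte boundary with NOPs."""
    return (length + 3) // 4 * 4 if word_align else length


def option_budget(option_lengths, mac_bits, word_align=False):
    """Return (bytes_used, bytes_left); a negative bytes_left means it does not fit."""
    used = sum(padded(length, word_align) for length in option_lengths)
    used += padded(tcp_ao_option_len(mac_bits), word_align)
    return used, TCP_OPTION_SPACE - used


def fits(option_lengths, mac_bits, word_align=False) -> bool:
    return option_budget(option_lengths, mac_bits, word_align)[1] >= 0


# Assumed option sets: a typical SYN, and a data segment with timestamps plus one SACK block.
SYN_OPTIONS = [OPTION_LEN[k] for k in ("MSS", "WSCALE", "SACK_PERMITTED", "TIMESTAMPS")]
DATA_OPTIONS = [OPTION_LEN["TIMESTAMPS"], sack_option_len(1)]

if __name__ == "__main__":
    for mac_bits in (96, 128, 256):
        for align in (False, True):
            used, left = option_budget(SYN_OPTIONS, mac_bits, align)
            print(f"SYN + TCP-AO {mac_bits}-bit MAC, word_align={align}: used {used}, left {left}")
        used, left = option_budget(DATA_OPTIONS, mac_bits, True)
        print(f"timestamps + 1 SACK block + TCP-AO {mac_bits}-bit MAC, aligned: used {used}, left {left}")
```

Running it reproduces the figures in the reply: a 256-bit MAC makes the option 36 bytes, so a SYN has room for MSS and nothing else; a 128-bit MAC (20-byte option) fits a full SYN option set only when options are packed without alignment, and under word alignment neither the SYN set nor timestamps plus a single SACK block fit beside it.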