[tcpm] Secdir last call review of draft-ietf-tcpm-rfc793bis-24

Kyle Rose via Datatracker <noreply@ietf.org> Fri, 30 July 2021 20:35 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: tcpm@ietf.org
Delivered-To: tcpm@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A92353A0F02; Fri, 30 Jul 2021 13:35:57 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Kyle Rose via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: draft-ietf-tcpm-rfc793bis.all@ietf.org, last-call@ietf.org, tcpm@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.35.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <162767735763.27351.5673596060247016004@ietfa.amsl.com>
Reply-To: Kyle Rose <krose@krose.org>
Date: Fri, 30 Jul 2021 13:35:57 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/Ve6uhpvi5EjREiXCD_4p6IsQ86o>
Subject: [tcpm] Secdir last call review of draft-ietf-tcpm-rfc793bis-24
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.29
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jul 2021 20:35:58 -0000

Reviewer: Kyle Rose
Review result: Ready

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
 Document editors and WG chairs should treat these comments just like any other
last call comments.

This document is Almost Ready for publication.

The Security and Privacy Considerations section briefly outlines the
implications of TCP's long legacy, stretching back to the halcyon days of a
friendlier internet. The paragraphs outlining layered security (e.g., IPsec,
TLS) and TCP option-based security (e.g., TCP-AO, tcpcrypt) provide a good
summary of the mechanisms since developed to add security to a protocol that
has otherwise met the challenges of an internet that is many orders of
magnitude larger than it was 40 years ago.

The one item I see missing from this section is a mention of lessons learned
and subsequently applied to the design of QUIC. I think it is worth mentioning,
for instance, that TCP's large surface area of cleartext metadata exposes more
information to the path than required to successfully route packets to their
destination, including to on-path adversaries that may be able to use this
metadata to bolster targeted or pervasive surveillance.

There is one more omission, adjacent to (but not explicitly about) security,
that I think warrants some text in this document: that is around ossification.
Given the lengthy back-and-forth I witnessed as chair of the TCPINC WG
regarding the (in)feasibility of protecting segmentation and header values on
the public internet, it is probably worth adding to a 793bis document a section
that briefly outlines the ossification impact of voluminous cleartext and
unprotected/un-GREASEd metadata, maybe with a reference to the wire image as
defined by RFC 8546. The reason I think this is worthwhile is that it would be
good to have the practical limits of TCP extensibility (i.e., in a world with
middleboxes and other deeply TCP-aware network elements) documented where folks
might look for it when thinking about new options or other new functionality. I
would be happy to help flesh out some text here.