Re: [tcpm] tcpsecure recommendations

"Anantha Ramaiah (ananth)" <ananth@cisco.com> Wed, 06 February 2008 18:49 UTC

Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: ietfarch-tcpm-archive@core3.amsl.com
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9132A3A701B; Wed, 6 Feb 2008 10:49:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from core3.amsl.com ([127.0.0.1]) by localhost (mail.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8k8-MHifqeYi; Wed, 6 Feb 2008 10:49:12 -0800 (PST)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D1BA83A703D; Wed, 6 Feb 2008 10:49:11 -0800 (PST)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9F8A93A6CB0 for <tcpm@core3.amsl.com>; Wed, 6 Feb 2008 10:49:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from core3.amsl.com ([127.0.0.1]) by localhost (mail.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id deyLSuyJ1NUX for <tcpm@core3.amsl.com>; Wed, 6 Feb 2008 10:49:09 -0800 (PST)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id F2FB93A6F21 for <tcpm@ietf.org>; Wed, 6 Feb 2008 10:49:08 -0800 (PST)
Received: from sj-dkim-2.cisco.com ([171.71.179.186]) by sj-iport-6.cisco.com with ESMTP; 06 Feb 2008 10:50:37 -0800
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id m16IobmY010644; Wed, 6 Feb 2008 10:50:37 -0800
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-5.cisco.com (8.12.10/8.12.6) with ESMTP id m16IobOK012615; Wed, 6 Feb 2008 18:50:37 GMT
Received: from xmb-sjc-21c.amer.cisco.com ([171.70.151.176]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 6 Feb 2008 10:50:37 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Wed, 6 Feb 2008 10:50:22 -0800
Message-ID: <0C53DCFB700D144284A584F54711EC5804A741C1@xmb-sjc-21c.amer.cisco.com>
In-Reply-To: <16384D1F-7536-4522-B1C9-2F9D90164537@windriver.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [tcpm] tcpsecure recommendations
Thread-Index: Acho8DfW20dGSvStSQ20qOKQ6dopJQAAB7Nw
References: <20080206174017.6977C36516E@lawyers.icir.org> <16384D1F-7536-4522-B1C9-2F9D90164537@windriver.com>
From: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
To: "David Borman" <david.borman@windriver.com>, <mallman@icir.org>
X-OriginalArrivalTime: 06 Feb 2008 18:50:37.0470 (UTC) FILETIME=[299E33E0:01C868F1]
Authentication-Results: sj-dkim-2; header.From=ananth@cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
Cc: tcpm@ietf.org
Subject: Re: [tcpm] tcpsecure recommendations
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <http://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <http://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org

I think it would be help if folks can also narrate the reason for
chosing a particular permutation.

My few cents,

-Anantha 

> -----Original Message-----
> From: tcpm-bounces@ietf.org [mailto:tcpm-bounces@ietf.org] On 
> Behalf Of David Borman
> Sent: Wednesday, February 06, 2008 10:42 AM
> To: mallman@icir.org
> Cc: tcpm@ietf.org
> Subject: Re: [tcpm] tcpsecure recommendations
> 
> I think the applicability statement is a great addition.  I'm 
> in favor of (3), SHOULD/SHOULD/MAY.
> 			-David Borman
> 
> On Feb 6, 2008, at 11:40 AM, Mark Allman wrote:
> 
> >
> > Folks-
> >
> > It'd be good to get some opinions on the new tcpsecure 
> version and get 
> > it finished.  The sticking point on this document is how 
> strongly to 
> > recommend TCP stacks implement / use the three mitigations in the 
> > draft (to spoofed RSTs, SYNs and data segments).  We had a 
> discussion 
> > about this in Chicago and also on the list.  Since it 
> seemed that we 
> > were not converging because there was not WG-wide agreement on the 
> > scope of the document we asked the authors to generate an 
> > applicability statement.
> > They did that, per a previous email from Anantha.  The AS reads:
> >
> >    The mitigations presented in this document talks about some known
> >    in-window attacks and the solutions to the same. The mitigations
> >    suggested in this draft SHOULD (RECOMMENDED) be implemented in
> >    devices where the TCP connections are most vulnerable to the 
> > attacks
> >    described in this document.  Some examples of such TCP 
> connections
> >    are the ones that tend to be long-lived where the connection end
> >    points can be determined, in cases where no auxiliary 
> anti-spoofing
> >    protection mechanisms like TCP MD5 can be deployed. TCP 
> secure MAY
> >    (OPTIONAL) be implemented in other cases.
> >
> > We can recommend each of mitigations with a MAY, SHOULD or 
> MUST.  In 
> > Chicago we winnowed the proposals to three three:
> >
> >    (1) RST spoofing mitigation: MAY
> >        SYN spoofing mitigation: MAY
> >        data injection mitigation: MAY
> >
> >    (2) RST spoofing mitigation: SHOULD
> >        SYN spoofing mitigation: SHOULD
> >        data injection mitigation: SHOULD
> >
> >    (3) RST spoofing mitigation: SHOULD
> >        SYN spoofing mitigation: SHOULD
> >        data injection mitigation: MAY
> >
> > Nobody has advocated for other permutations of recommendations 
> > (although, clearly if people like some different combination they 
> > should advocate away!).
> >
> > Can folks please weigh in on their feeling about how strongly we 
> > should recommend these mitigations given the AS above?  
> It'd be great 
> > to get this document moving and we're sort of stuck here.
> >
> > Thanks,
> > allman
> >
> >
> >
> > _______________________________________________
> > tcpm mailing list
> > tcpm@ietf.org
> > http://www.ietf.org/mailman/listinfo/tcpm
> 
> _______________________________________________
> tcpm mailing list
> tcpm@ietf.org
> http://www.ietf.org/mailman/listinfo/tcpm
> 
_______________________________________________
tcpm mailing list
tcpm@ietf.org
http://www.ietf.org/mailman/listinfo/tcpm