Re: [tcpm] (no subject)
Anantha Ramaiah <ananth@cisco.com> Thu, 22 April 2004 00:40 UTC
Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA05444 for <tcpm-archive@odin.ietf.org>; Wed, 21 Apr 2004 20:40:45 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BGS8z-00083S-CE for tcpm-archive@odin.ietf.org; Wed, 21 Apr 2004 20:32:45 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i3M0Wji7030957 for tcpm-archive@odin.ietf.org; Wed, 21 Apr 2004 20:32:45 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BGRy4-00048i-IP for tcpm-web-archive@optimus.ietf.org; Wed, 21 Apr 2004 20:21:28 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA04008 for <tcpm-web-archive@ietf.org>; Wed, 21 Apr 2004 20:21:26 -0400 (EDT)
Received: from ietf-mx.ietf.org ([132.151.6.1] helo=ietf-mx) by ietf-mx with esmtp (Exim 4.32) id 1BGRy2-00028p-J6 for tcpm-web-archive@ietf.org; Wed, 21 Apr 2004 20:21:26 -0400
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1BGRxB-0001vy-00 for tcpm-web-archive@ietf.org; Wed, 21 Apr 2004 20:20:34 -0400
Received: from optimus.ietf.org ([132.151.1.19]) by ietf-mx with esmtp (Exim 4.12) id 1BGRwL-0001it-00 for tcpm-web-archive@ietf.org; Wed, 21 Apr 2004 20:19:41 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BGRp2-0007pQ-Il; Wed, 21 Apr 2004 20:12:08 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BGRee-0000jC-2i for tcpm@optimus.ietf.org; Wed, 21 Apr 2004 20:01:24 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA02476 for <tcpm@ietf.org>; Wed, 21 Apr 2004 20:01:22 -0400 (EDT)
Received: from ietf-mx.ietf.org ([132.151.6.1] helo=ietf-mx) by ietf-mx with esmtp (Exim 4.32) id 1BGRec-0005Si-5E for tcpm@ietf.org; Wed, 21 Apr 2004 20:01:22 -0400
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1BGRdg-0005Hj-00 for tcpm@ietf.org; Wed, 21 Apr 2004 20:00:25 -0400
Received: from sj-iport-2-in.cisco.com ([171.71.176.71] helo=sj-iport-2.cisco.com) by ietf-mx with esmtp (Exim 4.12) id 1BGRcx-0004w9-00 for tcpm@ietf.org; Wed, 21 Apr 2004 19:59:40 -0400
Received: from sj-core-5.cisco.com (171.71.177.238) by sj-iport-2.cisco.com with ESMTP; 21 Apr 2004 16:09:46 +0000
Received: from mira-sjc5-c.cisco.com (IDENT:mirapoint@mira-sjc5-c.cisco.com [171.71.163.17]) by sj-core-5.cisco.com (8.12.10/8.12.6) with ESMTP id i3LNx7W9001964; Wed, 21 Apr 2004 16:59:08 -0700 (PDT)
Received: from cisco.com (ananth-u5.cisco.com [128.107.162.225]) by mira-sjc5-c.cisco.com (MOS 3.4.5-GR) with ESMTP id ATG37318; Wed, 21 Apr 2004 16:59:06 -0700 (PDT)
Message-ID: <40870ACA.48D7295E@cisco.com>
Date: Wed, 21 Apr 2004 16:59:06 -0700
From: Anantha Ramaiah <ananth@cisco.com>
Organization: Cisco Systems
X-Mailer: Mozilla 4.77 [en] (X11; U; SunOS 5.6 sun4u)
X-Accept-Language: en
MIME-Version: 1.0
To: Yogesh.Swami@nokia.com
CC: fw@deneb.enyo.de, tcpm@ietf.org
Subject: Re: [tcpm] (no subject)
References: <025E7DD4182874489CC2F61EE0FA19CE02885697@daebe004.americas.nokia.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Sender: tcpm-admin@ietf.org
Errors-To: tcpm-admin@ietf.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no version=2.60
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Having alternative crypto methods for securing a TCP connection has been discussed before. Also RFC 2385 suggests the provision of having an algorithm type field to be negotiated instead of MD5 and states the reason why that was not pursued at that time.. -Anantha Yogesh.Swami@nokia.com wrote: > > > > then maybe routers can use IPSec with a well known permanent shared > > > key with different session keys. This will be more secure, compared > > > to this draft, and faster to deploy.) > > > > I don't think IPsec on core routers is faster to deploy. RFC 2385 > > should be enough for now, but also has got its issues (higher CPU > > consumption for processing packets). IPsec would share these issues > > or would result in even more overhead. > > > > I don't know much about router architectures, so I can't really comment whether IPSec or changing TCP is a better solution. But if I were to choose between a well defined protocol and a protocol that is still under discussion in the IETF, I would choose the former. > > > > Moreover, it will also be useful to specify if the proposed > > solutions > > > can use cryptography or not. Many people are not comfortable with > > > cryptographic techniques partly because of throughput reasons. > > > > Exactly. Keep in mind that 200 MHz MIPS CPUs are widely deployed. > > > > > But in many cases it might be useful to have a low computation > > > cryptographic methods to solve the problems without hurting the > > > throughput. For example, a TCP sender with Time Stamp option could > > > just encrypt the 32 bit timestamp using AES, and practically solve > > > all the problems in this draft. > > > > What about a new TCP option which contains a few random bytes that are > > constant for each connection? This option could be checked very > > cheaply, maybe some day even by those ASICs which operate at > > wirespeed. > > Will work too, but remember that DOFF only allows 15, 32 bit words for TCP options. With SACK, timestamps etc, there is not a lot of room left for new options. Of course this is not too big of a problem. > > > > > > (I am not saying we should do this). Encrypting a 32 bit > > > number doesn't take a lot of time/computation and the > > receiver doesn't > > > need to keep states to make this work. And, in principle it's not > > > different from having a challenge response cookie.) > > > > You have to encrypt a full 128 bit block, and I doubt it would be much > > cheaper than MD5/RFC 2385. > > > > Yes it will be much cheaper. With MD5/RFC 2385, you compute the hash on the entire ~1400 byte packet. With AES or a different stream cipher, it could be a lot less computation. > > --Yogesh > > _______________________________________________ > tcpm mailing list > tcpm@ietf.org > https://www1.ietf.org/mailman/listinfo/tcpm _______________________________________________ tcpm mailing list tcpm@ietf.org https://www1.ietf.org/mailman/listinfo/tcpm
- [tcpm] (no subject) Ted Faber
- [tcpm] (no subject) Yogesh.Swami
- Re: [tcpm] (no subject) Florian Weimer
- RE: [tcpm] (no subject) Yogesh.Swami
- Re: [tcpm] (no subject) Anantha Ramaiah
- [tcpm] (no subject) Anantha Ramaiah (ananth)
- [tcpm] TCP persist state issue. Anantha Ramaiah (ananth)
- Re: [tcpm] TCP persist state issue. John Heffner
- Re: [tcpm] TCP persist state issue. Anantha Ramaiah (ananth)
- Re: [tcpm] TCP persist state issue. Joe Touch
- Re: [tcpm] TCP persist state issue. Anantha Ramaiah (ananth)
- [tcpm] (no subject) Eddy, Wesley M. (GRC-MS00)[Verizon]