Re: [tcpm] Comments for draft-ietf-tcpm-yang-tcp-00

"Scharf, Michael" <Michael.Scharf@hs-esslingen.de> Sun, 01 November 2020 08:14 UTC


Hi Juhamatti,

Addressing your comments is on my TODO list. Please stay tuned.

The version draft-ietf-tcpm-yang-tcp-00 is just a copy of the previous version in order to simplify future change tracking. Version -01 will address your feedback as well as other comments.

Thanks, and sorry for the delayed response.

Michael

> -----Original Message-----
> From: Juhamatti Kuusisaari <juhamatk@gmail.com>
> Sent: Sunday, November 1, 2020 9:07 AM
> To: tcpm IETF list <tcpm@ietf.org>; Scharf, Michael <Michael.Scharf@hs-esslingen.de>
> Subject: [tcpm] Comments for draft-ietf-tcpm-yang-tcp-00
> 
> Hello,
> 
> My comments included below apply also to draft-ietf-tcpm-yang-tcp-00.
> 
> In brief:
>  * include-tcp-options -> ignore-tcp-options with default false
>  * accept-ao-mismatch -> accept-key-mismatch
> 
> BR,
> --
>  Juhamatti
> 
> 
> ---------- Forwarded message ---------
> From: Juhamatti Kuusisaari <juhamatk@gmail.com>
> Date: Fri, 18 Sep 2020 at 11:53
> Subject: [tcpm] Comments for draft-scharf-tcpm-yang-tcp-06
> To: tcpm IETF list <tcpm@ietf.org>, Scharf, Michael <Michael.Scharf@hs-esslingen.de>
> 
> 
> Hello,
> 
> I read through draft-scharf-tcpm-yang-tcp-06 and overall it looks fine to me.
> 
> Nevertheless, there are a couple of items that may need
> clarifications/improvements.
> 
> (1) I believe "leaf include-tcp-options" should be "leaf
> ignore-tcp-options" with a false default as the options are included
> by default in RFC 5925. In my opinion, this would better emphasize
> the fact that options really should be included by default and not
> including them should be a special case. Change suggestion in detail
> below:
> 
>       leaf include-tcp-options {
>         type boolean;
>         must "../enable-ao = 'true'";
>         description
>           "Include TCP options in HMAC calculation.";
>       }
> =>
>       leaf ignore-tcp-options {
>         type boolean;
>         default "false";
>         must "../enable-ao = 'true'";
>         description
>           "Ignore TCP options in MAC calculation.";
>       }
> 
> Please also note the "HMAC"->"MAC" change suggestion. And yes, I do
> realize that a default could be added to the original "include" leaf.
> After pondering about this, I do think "ignore" leaf would be a better
> end result for the reasons I mentioned above.
> 
> (2) There is now a leaf that says:
> 
>       leaf accept-ao-mismatch {
>         type boolean;
>         must "../enable-ao = 'true'";
>         description
>           "Accept packets with HMAC mismatch.";
>       }
> 
> It is true that RFC 5925 allows non-existing MKT connections that
> should be accepted. Then again, the above configuration and its
> description look to me as if any mismatch would be accepted. So, maybe
> a configuration setting better reflecting RFC 5925 would be something
> along the lines of
> 
>       leaf accept-key-mismatch {
>         type boolean;
>         must "../enable-ao = 'true'";
>         description
>           "Accept TCP segments with a Master Key Tuple (MKT) that is
>            not configured.";
>       }
> 
> As this configuration option does not have such a strong default as
> the former one, I do not see a need to change its logic otherwise nor
> add a default. I would assume that most security aware users would
> have "false" there as a setting - especially those users that would
> use a YANG model to do the configuration.
> 
> Best regards,
> --
>  Juhamatti
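As an added illustration that is not part of the thread or of the draft, the following Python model of the inbound TCP-AO check contrasts the leaf semantics debated in comments (1) and (2): a segment whose KeyID has no configured MKT versus a segment whose MAC fails under a configured key. The policy fields, the reduced MAC input (no real pseudo-header) and every sample value are constructed assumptions for the demonstration.

```python
"""Simplified RFC 5925 inbound check to compare the YANG leaf semantics.
Constructed example; the MAC input is a stand-in for the real TCP-AO data input."""
import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict


@dataclass
class Mkt:
    """Master Key Tuple, reduced to the fields this model needs (assumption)."""
    recv_id: int   # matched against the KeyID of incoming segments
    key: bytes


@dataclass
class AoPolicy:
    """Hypothetical per-connection settings mirroring the leaves in the thread."""
    ignore_tcp_options: bool = False   # proposed leaf, default false: options covered
    accept_key_mismatch: bool = False  # proposed leaf: accept segments with no matching MKT
    accept_ao_mismatch: bool = False   # draft-00 leaf as described: accept any MAC mismatch


def compute_mac(key: bytes, header: bytes, options: bytes, cover_options: bool) -> bytes:
    """HMAC-SHA-1-96 (RFC 5926 algorithm) over the header and, unless ignored, the options."""
    data = header + (options if cover_options else b"")
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def inbound_decision(policy: AoPolicy, mkts: Dict[int, Mkt], key_id: int,
                     header: bytes, options: bytes, mac: bytes) -> str:
    """Return 'accept' or a 'drop: ...' reason for one inbound TCP-AO segment."""
    mkt = mkts.get(key_id)
    if mkt is None:
        # No MKT matches the segment's KeyID: this is the case RFC 5925 lets
        # policy decide, and the narrower accept-key-mismatch leaf covers it.
        if policy.accept_key_mismatch or policy.accept_ao_mismatch:
            return "accept"
        return "drop: no MKT for KeyID %d" % key_id
    expected = compute_mac(mkt.key, header, options, not policy.ignore_tcp_options)
    if hmac.compare_digest(expected, mac):
        return "accept"
    # Bad MAC under a configured key: forgery or corruption, not a missing key.
    # Only the overbroad "accept packets with HMAC mismatch" reading lets it through.
    if policy.accept_ao_mismatch:
        return "accept"
    return "drop: MAC mismatch"


if __name__ == "__main__":
    mkts = {1: Mkt(1, b"constructed-key")}   # constructed sample MKT
    hdr, opts = b"\x1f\x90\x00\x50\x00\x00\x00\x01", b"\x02\x04\x05\xb4"
    good = compute_mac(b"constructed-key", hdr, opts, True)
    print(inbound_decision(AoPolicy(), mkts, 1, hdr, opts, good))
    print(inbound_decision(AoPolicy(accept_key_mismatch=True), mkts, 1, hdr, opts, bytes(12)))
```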