Re: [tcpm] 793bis: New security considerations section
Wesley Eddy <wes@mti-systems.com> Fri, 17 November 2017 18:14 UTC
Return-Path: <wes@mti-systems.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5344A1293E0 for <tcpm@ietfa.amsl.com>; Fri, 17 Nov 2017 10:14:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mti-systems-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wNJ4KHfN5TCA for <tcpm@ietfa.amsl.com>; Fri, 17 Nov 2017 10:14:25 -0800 (PST)
Received: from mail-it0-x232.google.com (mail-it0-x232.google.com [IPv6:2607:f8b0:4001:c0b::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE40F128DE5 for <tcpm@ietf.org>; Fri, 17 Nov 2017 10:14:24 -0800 (PST)
Received: by mail-it0-x232.google.com with SMTP id 187so2885119iti.1 for <tcpm@ietf.org>; Fri, 17 Nov 2017 10:14:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mti-systems-com.20150623.gappssmtp.com; s=20150623; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=/Uv6we27blAMFDbbReShdqQkRDhgZn4a8yvWSnHHAz4=; b=ggIr7EegeJCSb4gOlX64dXI/9KL8buOMp/m/CHJYhJQikGFbTAA5GNzPHwjMg9PByG D/z6ecdM4tu/+un5c9M8pI4rPyPEZunrmkNENCiiBNRUHp2OVA3edfbXblSaGQjdidrd tBe2qxWQtmKIRNZ6Ot8A7fxg2I7AbD8YYAcA9SRkk6C/li+reE+cF8QSGn9Evcjm8T35 2FhpT4Xvf+K9TB+cnVTUqyAz1r4PM8Q5dX9t9eOlm3oMY06gJ32F9O8n8AcRtjUsQXjx 3+n7z+7VQj3YQkjkh0JflHQpAZHPPpFAmP206N9R1nL8NUTAEZHxBgovmHSJ/42blkHl kjtw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=/Uv6we27blAMFDbbReShdqQkRDhgZn4a8yvWSnHHAz4=; b=EMj2FuAYyv4AVQLE787hBYfPPPoPQgyiZzW4BSTVt4XYLpetfX/WpjFp5IVGfmQ7/2 lhzYJTMZFXzSazf2/HDVJ5M6FC+vBSYKBaezDIPlLzjKNf3hXT7vouaHZTUp9mWWaB4h XL6n0gtj590tZGprALfNZF7VlxhJBRpzRttwNzPw9dKjowdvzlAcsOunWsFJu8mUkCrX koYpIajdaCmitqRf23MdijOwHau7r2jBIuhFNwzqxfwox5QNedxa1FMWiQxh4LUm9fPc FE8oKHx/76zjGdYMNvd/SO4kut95nbiu83E583JIpgK4E4GvqTE5gviQjGc5ZdTiIvkW xAUQ==
X-Gm-Message-State: AJaThX5WlNqZWy3FJm/3m45Hcxwn8ukUjHA9zc502idvCEffsTsAQI06 qHSwHUV24XXsPy6AJDfEwT4wkwMUw5I=
X-Google-Smtp-Source: AGs4zMa/FSUfv/JHX5K1mfZhgLdSm+qQ2hefXjP+wDCma6EDDyKRwaAUq0eKhjAP8DtMGx/LaeVCjA==
X-Received: by 10.36.196.85 with SMTP id v82mr8363687itf.136.1510942464168; Fri, 17 Nov 2017 10:14:24 -0800 (PST)
Received: from [192.168.1.105] (cpe-76-188-215-129.neo.res.rr.com. [76.188.215.129]) by smtp.gmail.com with ESMTPSA id m31sm2243976iti.3.2017.11.17.10.14.23 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 17 Nov 2017 10:14:23 -0800 (PST)
To: Joe Touch <touch@strayalpha.com>, tcpm@ietf.org
References: <5043d1eb-c98b-647d-af66-8fb47def432f@mti-systems.com> <75ac651c-c99b-5923-388e-9f8a957a3ee5@strayalpha.com>
From: Wesley Eddy <wes@mti-systems.com>
Message-ID: <3672e7a6-02d3-07db-78ce-6f9bcd40570c@mti-systems.com>
Date: Fri, 17 Nov 2017 13:14:20 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <75ac651c-c99b-5923-388e-9f8a957a3ee5@strayalpha.com>
Content-Type: multipart/alternative; boundary="------------FBB9DEFB9F84C72B9BAC7FA5"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/Y-fioEa4rmFo5dWMvzfqSTwD9Aw>
Subject: Re: [tcpm] 793bis: New security considerations section
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Nov 2017 18:14:27 -0000
Hi Joe, that is a great point, and I agree that the applicability statement you mention should be noted. Additionally I wanted to mention that the way I currently handled RFC 5961 in the document should be reviewed along with the Errata on 5961. (1) I added references to 5961 added in the relevant places where validations are taking place, and content has been taken from the "Mitigation" subsections of 5961 where the state machine modifications live. (2) I put in errata 5068 on RFC 5961 in order to correct a problem I found, but it isn't yet verified (but I so far assumed that it will be in 793bis). See: https://www.rfc-editor.org/errata_search.php?rfc=5961&eid=5068 My description in the Notes there is: The text in section 3.2 begins by stating a change from RFC 793 for RST bit handling "when in a synchronized state" (which means all states except for LISTEN, SYN-SENT, and SYN-RECEIVED). Later in the section, the same change is described more loosely and text states that it's applicable "In all states except SYN-SENT", and separate behavior is provided for SYN-SENT, but the earlier text leaves uncertainty if the former is supposed to apply to SYN-RECEIVED as well, since the earlier text in the section section begins by discussing only "synchronized" states. Since the check is totally valid for SYN-RECEIVED, and the behavior in steps 1, 2, and 3 are valid for SYN-RECEIVED, it seems appropriate to make sure this is clarified in the earlier text. If there isn't agreement that this should be Verified as an Errata to 5961, then we'll have to change 793bis accordingly. On 11/16/2017 10:47 PM, Joe Touch wrote: > Hi, Wes (et al.), > > It looks OK but appears to omit some of the advice from various > non-cryptographic security methods, notably that they are recommended > only in particular environments (e.g., see RFC 5961 Sec 1.1). IMO, the > same could be said of others that predate that consideration. > > Joe > > On 11/13/2017 11:22 AM, Wesley Eddy wrote: >> Hi, one thing that I want to make the WG aware of in the latest RFC >> 793bis draft is the new security and privacy considerations section. >> >> https://tools.ietf.org/html/draft-ietf-tcpm-rfc793bis-07#section-6 >> >> The original RFC 793 predates security considerations sections, so I >> didn't have much to start from. My goal was to point to relevant >> references without creating dozens of pages of meandering text on >> every little possible security issue (most of which are well-known by >> now). >> >> This is a first crack at it, and it could likely be improved in big >> ways. Your feedback, suggestions, corrections, etc. is appreciated. >> >> >> _______________________________________________ >> tcpm mailing list >> tcpm@ietf.org >> https://www.ietf.org/mailman/listinfo/tcpm