Re: [tcpm] tcp-security: More feedback requested for the document outline

Fernando Gont <fernando@gont.com.ar> Wed, 09 September 2009 07:27 UTC

Message-ID: <4AA758F3.1080907@gont.com.ar>
Date: Wed, 09 Sep 2009 04:27:47 -0300
From: Fernando Gont <fernando@gont.com.ar>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Joe Touch <touch@ISI.EDU>
References: <4AA74452.7060409@gont.com.ar> <4AA74891.4000407@isi.edu>
In-Reply-To: <4AA74891.4000407@isi.edu>
Cc: "tcpm-chairs@tools.ietf.org" <tcpm-chairs@tools.ietf.org>, "tcpm@ietf.org" <tcpm@ietf.org>
Subject: Re: [tcpm] tcp-security: More feedback requested for the document outline

Hi, Joe,

> It also distinguishes between protocol weaknesses (places where the
> protocol creates a vulnerability, regardless of implementation - e.g.,
> ICMP attacks), implementation choice issues (places where a choice left
> to implementers can cause problems if poorly chosen - e.g., how some
> SHOULDs turn into "don't do this in a secure implementation"), and
> implementation vulnerabilities (implementation issues not related to
> choices in the spec that create problems - e.g., searching the TIME-WAIT
> list linearly).
> 
> Regardless of how we proceed, I believe that this latter issue should be
> considered in the presentation of solutions.

Yes. I think somebody else (David Borman?) already raised this issue.

As we start discussing the technical stuff, I will make sure it is clear
whether it's a protocol issue, an implementation issue, etc., whether
the specs mandate the behavior as a MUST, SHOULD (or whatever), and
whether the countermeasures comply with the specs or go against them.

Thanks!

Kind regards,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
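The "searching the TIME-WAIT list linearly" case cited in the quoted message, worked through as an added illustration that is not code from the message or from any real TCP implementation: with a list-backed TIME-WAIT table, every incoming segment costs one comparison per entry, so the per-segment work grows with however many connections are parked in TIME-WAIT, whereas a table keyed by the connection four-tuple (an assumed structure, chosen here for contrast) costs the same regardless of size. Addresses and port ranges are constructed.

```python
from collections import namedtuple

# Connection identity used for the lookup (constructed field names).
FourTuple = namedtuple("FourTuple", "src_ip src_port dst_ip dst_port")


class LinearTimeWait:
    """TIME-WAIT table kept as a plain list; each lookup walks the whole list."""

    def __init__(self):
        self.entries = []
        self.comparisons = 0  # work counter, stands in for CPU time

    def add(self, tup):
        self.entries.append(tup)

    def lookup(self, tup):
        for entry in self.entries:
            self.comparisons += 1
            if entry == tup:
                return True
        return False


class HashedTimeWait:
    """TIME-WAIT table keyed by four-tuple; lookup cost does not depend on size."""

    def __init__(self):
        self.entries = {}
        self.comparisons = 0

    def add(self, tup):
        self.entries[tup] = True

    def lookup(self, tup):
        self.comparisons += 1
        return tup in self.entries


def fill(table, n):
    """Constructed: n TIME-WAIT entries from one client to one server socket."""
    for port in range(1024, 1024 + n):
        table.add(FourTuple("192.0.2.10", port, "198.51.100.1", 80))


def cost_of_miss(table_cls, n):
    """Comparisons spent on a single incoming segment matching no entry."""
    table = table_cls()
    fill(table, n)
    table.lookup(FourTuple("192.0.2.99", 40000, "198.51.100.1", 80))
    return table.comparisons
```

The miss case is the interesting one for a defender: segments that belong to no TIME-WAIT entry are the common case, and under the linear structure each of them pays for the full table.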