IETF Logo Mail Archive

Re: [tcpm] [Technical Errata Reported] RFC5925 (7135)

"Natarajan, Venkatesh (HP-Networking)" <venkatesh.natarajan@hpe.com> Sat, 24 September 2022 17:15 UTC

Return-Path: <prvs=0266ebfb2d=venkatesh.natarajan@hpe.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74D55C14CF09 for <tcpm@ietfa.amsl.com>; Sat, 24 Sep 2022 10:15:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.375
X-Spam-Level:
X-Spam-Status: No, score=-3.375 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.571, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hpe.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HZbew3vf1sjO for <tcpm@ietfa.amsl.com>; Sat, 24 Sep 2022 10:15:45 -0700 (PDT)
Received: from mx0b-002e3701.pphosted.com (mx0b-002e3701.pphosted.com [148.163.143.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C84F0C14CEFC for <tcpm@ietf.org>; Sat, 24 Sep 2022 10:15:44 -0700 (PDT)
Received: from pps.filterd (m0150244.ppops.net [127.0.0.1]) by mx0b-002e3701.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 28OG49KS020919; Sat, 24 Sep 2022 17:15:35 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hpe.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=pps0720; bh=72ArMDJ+qOo7BgjZaSFMF366njaSaKsaUECaFMl0vOY=; b=omRHLd74vUX18EBASL1CJpGZ2BfBUe7+pBEqcjsLd6WhwVflESu6WjOoXQrYGHW7bLiV UDsF14JWaBoHMFxV+Rqg9XS/cFidicnoi9pnN1ALePwcoxJrIu38HoUiRCt4GbwXLoF/ MLOgZr6AgHYw9pMpl7LWbeglaL3rmP/FQggDqNUgazLtHRHm9q8WGLuPsyQoSu67FRIx AgJZX85RWVGC/ktphrjfw3VWFrxC6X0E9IL20RmkAx2xrLfMCwgkUB+Sv0FsdJ4BvQ6i vNM2FT1+YwYIEsAuDCFyLFqcI9xFbmUb5xYPxQBpnUCZAiPba3MLXKi9MPX1+aGspeys 6Q==
Received: from p1lg14881.it.hpe.com (p1lg14881.it.hpe.com [16.230.97.202]) by mx0b-002e3701.pphosted.com (PPS) with ESMTPS id 3jt52ur8ka-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 24 Sep 2022 17:15:35 +0000
Received: from p1wg14926.americas.hpqcorp.net (unknown [10.119.18.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by p1lg14881.it.hpe.com (Postfix) with ESMTPS id C9DAF80793B; Sat, 24 Sep 2022 17:15:33 +0000 (UTC)
Received: from p1wg14924.americas.hpqcorp.net (10.119.18.113) by p1wg14926.americas.hpqcorp.net (10.119.18.115) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.15; Sat, 24 Sep 2022 05:15:19 -1200
Received: from p1wg14920.americas.hpqcorp.net (16.230.19.123) by p1wg14924.americas.hpqcorp.net (10.119.18.113) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.15 via Frontend Transport; Sat, 24 Sep 2022 05:15:19 -1200
Received: from NAM10-DM6-obe.outbound.protection.outlook.com (192.58.206.38) by edge.it.hpe.com (16.230.19.123) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.15; Sat, 24 Sep 2022 05:15:18 -1200
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=JdWQUsKr8nY74Iq0ogWMg8lQbFUWVjrG3uZschPBv21d4My5J5ZnNNSDSKLZ2aoSEJqjNL0RAOqiZglHVo8/+sOW57dwTp5OEucZOmziz1/XLLnRcAdaMIQvUFsSZmApVmKVDqb4sH4cH0tyHzsBB0D4t/gQZq1yYjGZOIJ2jO0sZmOL9s3B11zgjS1lPhk3PfZe5Ol3GIYk5Drh8jKd9S1SpZluqEtDz8oY6/VCEFvj7dUG+zYoYUm5fuOt3rzfBpxwB9Pe0KelW7rE3juNjv325FcvV6bShn31JZy/j/HgMzm0mVeCVBKnsH5g3iN1YhdzGAuC3XSi1wFWi1YATQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=aE4CrOPEXZRg5M6s6WbMAee1JwGjpY53tEhMG8ScANg=; b=fLbt2Mlqzv5b4E/7JHjWAC8uwp07NgMNY1P1ZH/mHVynrLEj/8V1ubE+fimWrZjgWvNJ7RIAcSOAST2y/UoVAIJD5GQ9pDxm13R/kMd2MvaeYVzbD+YtmqWCp1lVvLEof/QEwfx2hJTzxO5ew2Tiu00IaNannMNSSSzk9BAlH4cFQwu0JquC/n+BIH4t2zY7wYysGPov6QHpVzZ3/jLDPZ4vOY1buz5ZX6wfGqOuamGn7n+RdbPf5rGOt8odJsg6jbevb4GaDFw6pQZVk9tUGMBuiD3DjKEAV9Es7rAJrrLIXW7oe8vL7+l0dHNEAOxT+vGUziDeqAlg/iYayJ0Peg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=hpe.com; dmarc=pass action=none header.from=hpe.com; dkim=pass header.d=hpe.com; arc=none
Received: from DS7PR84MB3061.NAMPRD84.PROD.OUTLOOK.COM (2603:10b6:8:9f::22) by PH7PR84MB1814.NAMPRD84.PROD.OUTLOOK.COM (2603:10b6:510:154::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5654.22; Sat, 24 Sep 2022 17:15:16 +0000
Received: from DS7PR84MB3061.NAMPRD84.PROD.OUTLOOK.COM ([fe80::1c0:77eb:ce11:4e8]) by DS7PR84MB3061.NAMPRD84.PROD.OUTLOOK.COM ([fe80::1c0:77eb:ce11:4e8%9]) with mapi id 15.20.5654.022; Sat, 24 Sep 2022 17:15:16 +0000
From: "Natarajan, Venkatesh (HP-Networking)" <venkatesh.natarajan@hpe.com>
To: Leonard Crestez <cdleonard@gmail.com>, Joe Touch <touch@strayalpha.com>
CC: RFC Errata System <rfc-editor@rfc-editor.org>, Allison Mankin <mankin@psg.com>, Ron Bonica <rbonica@juniper.net>, Martin Duke <martin.h.duke@gmail.com>, Zaheduzzaman Sarker <zaheduzzaman.sarker@ericsson.com>, Yoshifumi Nishida <nsd.ietf@gmail.com>, Michael Tuexen <tuexen@fh-muenster.de>, "ianswett@google.com" <ianswett@google.com>, "tcpm@ietf.org" <tcpm@ietf.org>, Dmitry Safonov <dima@arista.com>, Salam Noureddine <noureddine@arista.com>, Francesco Ruggeri <fruggeri@arista.com>, Philip Paeps <philip@trouble.is>
Thread-Topic: [tcpm] [Technical Errata Reported] RFC5925 (7135)
Thread-Index: AQHYyabJ/03nZunh7k+ndThhM4XZxa3kUJmAgACrkaSAAH8uAIAAEUWxgAFNaICAABUF6IAAVuKAgAB+2euAAEj5AIAGlHwAgAAB3tuAADqbiQ==
Date: Sat, 24 Sep 2022 17:14:52 +0000
Message-ID: <DS7PR84MB306176ED05BC991C1EB9E6F3F7509@DS7PR84MB3061.NAMPRD84.PROD.OUTLOOK.COM>
References: <DS7PR84MB3061E20930DCEF5E5C867483F74C9@DS7PR84MB3061.NAMPRD84.PROD.OUTLOOK.COM> <7C3A53C8-7D86-410A-BBC5-737546127E14@strayalpha.com> <5c4b3a52-259d-08bd-8db8-59a49c6d9504@gmail.com> <DS7PR84MB3061DAE4690E9CF8EFDAFBEFF7509@DS7PR84MB3061.NAMPRD84.PROD.OUTLOOK.COM>
In-Reply-To: <DS7PR84MB3061DAE4690E9CF8EFDAFBEFF7509@DS7PR84MB3061.NAMPRD84.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DS7PR84MB3061:EE_|PH7PR84MB1814:EE_
x-ms-office365-filtering-correlation-id: 01291cea-b4d2-42aa-f014-08da9e50599a
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: YZlceHP+6E1804s1MyEC937/9Sc82F1YF/bau8KC7NsN2mmnWNBY770/jVeyUww5qIxcpJyAKSe+W0zgQkrnPjyPBLp3pf0Ix18erQ7HyDEF71K0xspe6B7X9zOC2wUAU1puMH+XSRlPWBkvYlKn408G/hF/cmMaQlFR5OEXLghGyIiReY91fUnu6TdKpuziO8dNrD1h3nXQfcWsa8UMXfxvVLlwFg+E7z7BKPnd5LrQnZFPpW593CELsbUrSRT0VIrQkBilp/kPD0u5ZEHNxUaWFa6eVDn8gvFfMDdJzKuXLBfK/VmS9bqf/untX37fZuOztqFNrVRm/INUIbOZWzeKlzqBKt2Ruj7W6onST4VG3Ti6Z+H6HB/juuJh1c0exB6n4Ki5u813kGQNJl9qk/VToHWMabbb1kvtkWDD1F6Z4591AmU6cc7TcguC9W9jYmDndUe7BayjVQ8qv9VXurFSoRAbJGiR/hyVpv1aMTvwfwPJMUMEMzTmDahKJ5AmtO/aBh7PYR5ookKpJvIN+mllPbn3M7sB6UnsuK/bAR3qvOZNzRlybWfi5BoREJZG1M/HzKYJiBAyxheGLQ4/p07hEFFlyjapDVLliQmj6cZOCq8fQGkz6vThY9JGjjWZhFulymambzZuNOdu7eM85PJfk3fnlCvnp9FExGUQXY/XFkdzwOQrLd6EtnqgQp2EjFZeEh2uAFFhlT3mGoRYVgazYwG8PAzpSzcBbSd4TAM9qEn7/WLGul8IpJKHm0bVbh6y0cfkxdA1PjYmeaXDOFUK4KFhMcY7/TkKJy3on9g=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DS7PR84MB3061.NAMPRD84.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230022)(136003)(366004)(396003)(39860400002)(346002)(376002)(451199015)(53546011)(6666004)(7696005)(966005)(478600001)(71200400001)(6506007)(83380400001)(2940100002)(186003)(2906002)(7416002)(5660300002)(30864003)(26005)(55016003)(9686003)(8676002)(316002)(54906003)(110136005)(41300700001)(8936002)(52536014)(76116006)(66946007)(91956017)(66556008)(66446008)(64756008)(66476007)(4326008)(122000001)(38100700002)(38070700005)(82960400001)(166002)(86362001)(33656002)(559001)(579004); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: IxxrXY4QQCAyj785huBQd3lOMxUHo7N368jY1iKwiOgnA1pNgZfO2DWsBG6pGRA3LdqVKgQiputuqP3GbWoX1Qw0rB2Ux+8n9OD7VmG6p5vxbXzzmsYkU/fASjMtcuOhGuonGfOuJOIT4JS+yCFuhuE4d0DtIBpGlUfkJb+yvYBCe83dDCsiKkL5birGskcR3MDhDhGDDMt2kqHuyCNVvsUfulSleStQimQ41e6VDySSs0/xWny/HCRiDvTtXlhklK3naSRSAz1iAvV3k6Io+JVeWX5GfUx6QQy4OKap8T+QVJEMzavb5Pt9Ei1zB0h/M++Z0wkCC0yuvgl/lE0PG/Rxw2n1RCm0LFDUUil1nlfjARDopCo46DP915+/Id4MAkybJR+O6FFjo14TGtSLY8USUg4WP6akqesjwD69aG/yTK5gH0XPQ/oq4p4QmJ+BfDuK2moHzgZDMe5aNHEzgbPA4oWaMP8V/ew0EkQ0dB3D0q1Rb265r7TqU+xp5vV9YxEulbbNW0Hn18z83z5unQPULV7/PL3PNjZKhIMdc15S2fhDcuWYQDpa2ftploRXX6eL9tLyydzyebiGt+Qlg9+ofSNZ36dSFXJiIl1eDRmM9cSkd41ZQyofUJKwiyPm0uUzC3f/e1HYmG6Y78Hzs3nbydisnR7jxnWuyOb48x5dtXuSChbqa+hbvXzaRNBd3jL6LN89IBsnqMPR9LtQ920AO7py545IXYwvzhBOmwrOg51H8GztOAsDne9X1a7a8B7wb3qG4Zp06wsC7sp22jrXTcA3MUiMjYOLcVb90Oq/X6xyjfvrsSdMwDLtIt53GerdIj1rgkyNcJpRO7rcpzg0+I4LfgXWkVjkCDidKS22NOrll4tB5MDTth+38Sp6SNkbHRQFEybFc3nT0vTYKkPZTAJXUh2zjKU5Q7ddCjSwBjs9ztGN6GnpSfpZXhomwxaP6/dkOjf1o5y8ICMy74k6FVHis/TDMN2qUu0gcS0vtwVL33fW+YmLRNy7YdIvpc24e63SBMoI/I3S1d2KgKoDOMnNwHn2K1jUGQVJXJKeknSFju1csmg+SsmTFQRnG4A6AwHtHYjGoBuoLUsZoJQXbp0mUU3isbnzmA1gJ3Y4qG4fmTBXwmmWaJvLoSkz0lveUhV14GROzScV9r66GrXfn8+QUIpo3D+dB4gskAAEyuJyfNmCw76Sk01tLOJ9OJzAi4SdgKi9BMmxcPyMjvs0Iww00xZcWn7oi1c+AkFXTQJzMkDjCtXcJj/NEas8CFU4iYZre1K9jsb9mFe+Q2zZAsOx8i5EbsW665z90bUnelRRsAosT6uDL+q1trEGBMBsIh2hEOK7Ypt35jUHq9/E3eruISmNdbx8CSKujHPTP7mqrDReQMOGQVStgZ3yYpTz/eX1tyZTQXlrNUj65SD6i80mshSy0Mh3mrFvL1M0mnVEijMnpb7Eu86dYUs2lH/pSnNSMTVSuIvW2cnh7eruWhUo/HRNkdIXRdBUXjSFFtrlgOFl2iq2GjA16xotEIcCKnsblaXzOu9aRQBSQnLSVKQ0qv2BMD35M4BCld1j1dl5cLfz0li4g3lqznmhtJV+y04pVHHJCPvvung/Fg==
Content-Type: multipart/alternative; boundary="_000_DS7PR84MB306176ED05BC991C1EB9E6F3F7509DS7PR84MB3061NAMP_"
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DS7PR84MB3061.NAMPRD84.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 01291cea-b4d2-42aa-f014-08da9e50599a
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Sep 2022 17:15:16.3932 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 105b2061-b669-4b31-92ac-24d304d195dc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: EsHz7tEjUyNZKOHpf0FzSEIfg83cFnGWvKKjV273SDwZkKbfUP72QrAErQ+wjlVe9pGue9Hh/463ZhCcs1ZuNDgpbideQr1/Vak0qPD385M=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH7PR84MB1814
X-OriginatorOrg: hpe.com
X-Proofpoint-GUID: OyhdhwzCzZXF99hPDYlJRDAUpJ4PDgf8
X-Proofpoint-ORIG-GUID: OyhdhwzCzZXF99hPDYlJRDAUpJ4PDgf8
X-Proofpoint-UnRewURL: 30 URL's were un-rewritten
MIME-Version: 1.0
X-HPE-SCL: -1
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.895,Hydra:6.0.528,FMLib:17.11.122.1 definitions=2022-09-24_08,2022-09-22_02,2022-06-22_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 lowpriorityscore=0 phishscore=0 mlxlogscore=999 malwarescore=0 suspectscore=0 spamscore=0 mlxscore=0 adultscore=0 bulkscore=0 impostorscore=0 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2209130000 definitions=main-2209240129
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/Zq1LJPm1QKffvbYdQyuUCiaFQQo>
X-Mailman-Approved-At: Sun, 25 Sep 2022 08:02:57 -0700
Subject: Re: [tcpm] [Technical Errata Reported] RFC5925 (7135)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Sep 2022 17:15:49 -0000

Resending my email on top of Joe’s email  to keep the thread in the received order
-Venkatesh

From: Natarajan, Venkatesh (HP-Networking) <venkatesh.natarajan@hpe.com>
Date: Saturday, 24 September 2022 at 10:42 PM
To: Leonard Crestez <cdleonard@gmail.com>, Joe Touch <touch@strayalpha.com>
Cc: RFC Errata System <rfc-editor@rfc-editor.org>, Allison Mankin <mankin@psg.com>, Ron Bonica <rbonica@juniper.net>, Martin Duke <martin.h.duke@gmail.com>, Zaheduzzaman Sarker <zaheduzzaman.sarker@ericsson.com>, Yoshifumi Nishida <nsd.ietf@gmail.com>, Michael Tuexen <tuexen@fh-muenster.de>, ianswett@google.com <ianswett@google.com>, tcpm@ietf.org <tcpm@ietf.org>, Dmitry Safonov <dima@arista.com>, Salam Noureddine <noureddine@arista.com>, Francesco Ruggeri <fruggeri@arista.com>, Philip Paeps <philip@trouble.is>
Subject: Re: [tcpm] [Technical Errata Reported] RFC5925 (7135)
Hi Leonard

Thanks for looping in the ietf and Arista folks here. I was not sure the ietf members would be interested in a particular OS implementation and hence did you include you in my errata-discussions  with them.

To your statement below;
>>>* accept-ao-mismatch - "This flag indicates whether the receiver should
>>>   accept segments for which the MAC in the incoming TCP AO does not match
>>>  the MAC generated on the receiver"

We initially interpreted the “accept-by-default” in the RFC for a connection when the MKT matches but incoming segment do not contain tcop-ao option. Ofcourse this does not provide any security and is to be configured with caution.
But then later we interpreted as perhaps the intent was to allow for the MKT-Match-But-Keys-Mismatch should be allowed by default and hence raised an Errata ticket for the RFC.

Joe Touch clarified that the RFC text explains for the SYN segments to be accepted for further processing if the MKT matches and obviously the segment would be rejected if the Key-ID or the algorithm does not match to the configured  key-ID/Algo.

So,  for implementation, or for a specific configuration (like for a bgp peer in a peer-group that does not support TCP-AO and perhaps its within the protected network perimeter ) we would need the support for accept-ao-mismatch as how Cisco has implemented (i.e accepting a segment without the tcp-ao option in the tcp header and further responding without the tcp-ao option)

-Venkatesh



From: touch@strayalpha.com <touch@strayalpha.com>
Date: Saturday, 24 September 2022 at 10:10 PM
To: Leonard Crestez <cdleonard@gmail.com>
Cc: Natarajan, Venkatesh (HP-Networking) <venkatesh.natarajan@hpe.com>, Dmitry Safonov <dima@arista.com>, Zaheduzzaman Sarker <zaheduzzaman.sarker@ericsson.com>, Francesco Ruggeri <fruggeri@arista.com>, Allison Mankin <mankin@psg.com>, Ron Bonica <rbonica@juniper.net>, Michael Tuexen <tuexen@fh-muenster.de>, tcpm@ietf.org <tcpm@ietf.org>, Salam Noureddine <noureddine@arista.com>, RFC Errata System <rfc-editor@rfc-editor.org>
Subject: Re: [tcpm] [Technical Errata Reported] RFC5925 (7135)
HI, Leonard,

On Sep 24, 2022, at 6:37 AM, Leonard Crestez <cdleonard@gmail.com<mailto:cdleonard@gmail.com>> wrote:

This behavior is not described by RFC and seems to completely defeat the security provided by TCP-AO by accepting all unsigned packets. There does not appear to be any usefulness outside of debugging

It is explicitly designed to allow either side to decide whether TCP-AO is required or optional on incoming connections. The current default is that both sides allow the connection to support legacy mode either when the option isn’t present or when the key fails.

If that’s not desired, either side can set an override (as already mentioned in the paragraph noted in the errata request. If you want the override to be a default on your system, that’s your choice.

Joe



From: Leonard Crestez <cdleonard@gmail.com>
Date: Saturday, 24 September 2022 at 7:07 PM
To: Joe Touch <touch@strayalpha.com>, Natarajan, Venkatesh (HP-Networking) <venkatesh.natarajan@hpe.com>
Cc: RFC Errata System <rfc-editor@rfc-editor.org>, Allison Mankin <mankin@psg.com>, Ron Bonica <rbonica@juniper.net>, Martin Duke <martin.h.duke@gmail.com>, Zaheduzzaman Sarker <zaheduzzaman.sarker@ericsson.com>, Yoshifumi Nishida <nsd.ietf@gmail.com>, Michael Tuexen <tuexen@fh-muenster.de>, ianswett@google.com <ianswett@google.com>, tcpm@ietf.org <tcpm@ietf.org>, Dmitry Safonov <dima@arista.com>, Salam Noureddine <noureddine@arista.com>, Francesco Ruggeri <fruggeri@arista.com>, Philip Paeps <philip@trouble.is>
Subject: Re: [tcpm] [Technical Errata Reported] RFC5925 (7135)
Hello,

These questions were raised partially in the context of my
implementation for TCP-AO for Linux, which you can find here:

https://lore.kernel.org/netdev/cover.1662361354.git.cdleonard@gmail.com/

I was contacted by the Aruba folks privately regarding my
implementations and it makes sense to also respond publicly.

My implementation will accept unexpected AO signatures by default (as
required by the RFC) and supports an TCP_AUTHOPT_FLAG_REJECT_UNEXPECTED
to reject everything. It aligns with the expected behavior described by
Joe Touch earlier.

My opinion after studying and implementing this RFC is that this
particular quirk of the RFC can't actually be used for anything useful -
at most you go from "Signed SYN / Drop" to "Signed SYN / Unsigned
SYN-ACK / DROP". I don't understand the rationale.

Documentation from cisco describe additional flags, which I believe
Aruba is trying to implement:

* accept-ao-mismatch-connections - "option to accept the connection as
non-TCP AO connection when receives a connection from peer without TCP
AO option".

This behavior is not described by RFC and seems to completely defeat the
security provided by TCP-AO by accepting all unsigned packets. There
does not appear to be any usefulness outside of debugging

* accept-ao-mismatch - "This flag indicates whether the receiver should
accept segments for which the MAC in the incoming TCP AO does not match
the MAC generated on the receiver"

This again seems to be a debug flag which "accepts everything".

My implementation linux does not support these features and I don't
actually see any valid usecase beyond debugging.

I also added some folks from Arista who have a different competing
implementation so that they are aware of this discussion.

--
Regards,
Leonard

On 9/20/22 12:08, Joe Touch wrote:
> Every RFC could have *some* additional discussion that could benefit
> *someone*. There’s no mechanism for that, other than this list, which is
> archived already.
>
> Joe
>
>> On Sep 19, 2022, at 9:49 PM, Natarajan, Venkatesh (HP-Networking)
>> <venkatesh.natarajan@hpe.com> wrote:
>>
>> 
>>
>> Thanks Joe for your explanation. My only request at this point would
>> be that while we don’t have the errata published, I think this
>> discussion will benefit others in some way when they try to implement
>> this RFC. Can some excerpt or a summary of this discussion be kept in
>> some form so that this is clear to others as well?
>>
>> -Venkatesh
>>
>> *From: *Joe Touch <touch@strayalpha.com>
>> *Date: *Tuesday, 20 September 2022 at 2:44 AM
>> *To: *Natarajan, Venkatesh (HP-Networking) <venkatesh.natarajan@hpe.com>
>> *Cc: *RFC Errata System <rfc-editor@rfc-editor.org>, Allison Mankin
>> <mankin@psg.com>, Ron Bonica <rbonica@juniper.net>, Martin Duke
>> <martin.h.duke@gmail.com>, Zaheduzzaman Sarker
>> <zaheduzzaman.sarker@ericsson.com>, Yoshifumi Nishida
>> <nsd.ietf@gmail.com>, Michael Tuexen <tuexen@fh-muenster.de>,
>> ianswett@google.com <ianswett@google.com>, tcpm@ietf.org <tcpm@ietf.org>
>> *Subject: *Re: [tcpm] [Technical Errata Reported] RFC5925 (7135)
>>
>> Yes, the connection proceeds past the MKT match step but not the MAC
>> validation step.
>>
>> Joe
>>
>>
>>
>>     On Sep 19, 2022, at 11:34 AM, Natarajan, Venkatesh (HP-Networking)
>>     <venkatesh.natarajan@hpe.com> wrote:
>>
>>     
>>
>>     Ok, I think I get what you are saying..
>>
>>     Just to close this with your confirmation,
>>
>>     >>>In case 3 below, the MKT check will accept the segment but the key check will fail in later steps of the processing.
>>
>>     Though the connection will succeed the session will fail beyond
>>     the point of connection establishment as the tcp-ao hash check
>>     will fail??
>>
>>     -Venkatesh
>>
>>     *From: *touch@strayalpha.com <touch@strayalpha.com>
>>     *Date: *Monday, 19 September 2022 at 8:18 PM
>>     *To: *Natarajan, Venkatesh (HP-Networking)
>>     <venkatesh.natarajan@hpe.com>
>>     *Cc: *RFC Errata System <rfc-editor@rfc-editor.org>, Allison
>>     Mankin <mankin@psg.com>, Ron Bonica <rbonica@juniper.net>, Martin
>>     Duke <martin.h.duke@gmail.com>, Zaheduzzaman Sarker
>>     <Zaheduzzaman.Sarker@ericsson.com>, Yoshifumi Nishida
>>     <nsd.ietf@gmail.com>, Michael Tuexen <tuexen@fh-muenster.de>,
>>     ianswett@google.com <ianswett@google.com>, tcpm@ietf.org
>>     <tcpm@ietf.org>
>>     *Subject: *Re: [tcpm] [Technical Errata Reported] RFC5925 (7135)
>>
>>     Hi, Venkatesh,
>>
>>     TCP-AO knows whether to protect a connection at all by the
>>     presence of a match MKT. That’s what the existing text explains.
>>     It says nothing about the key check.
>>
>>     In a protected connection, TCP-AO knows what to do based on
>>     whether the key matches. If an MKT matches but the key fails, the
>>     segment will be dropped and the connection won’t be established.
>>     That’s already explained elsewhere in the doc.
>>
>>     In case 3 below, the MKT check will accept the segment but the key
>>     check will fail in later steps of the processing.
>>
>>     In case 4 below, which side accepts the connection is explained by
>>     the existing text.
>>
>>     In the first sentence, the added  “not matching an MKT” text is
>>     not needed because is that is already what happens when no MKT is
>>     available (a match cannot occur to an item that doesn’t exist).
>>     That doesn’t need over explanation.
>>
>>     The sentence added is incorrect: “In this mode ofoperation, both
>>     the endpoints will not perform TCP-AO validation.”  Each endpoint
>>     makes this decision only for incoming connection establishment;
>>     return packets of connections they initiate with TCP-AO will fail
>>     (due to lack of TCP-AO). There is no clarification of this point
>>     needed.
>>
>>     Joe
>>
>>     —
>>
>>     Dr. Joe Touch, temporal epistemologist
>>
>>     http://www.strayalpha.com<http://www.strayalpha.com>   <http://www.strayalpha.com  >
>>
>>
>>
>>
>>         On Sep 19, 2022, at 5:40 AM, Natarajan, Venkatesh
>>         (HP-Networking) <venkatesh.natarajan@hpe.com
>>         <mailto:venkatesh.natarajan@hpe.com>> wrote:
>>
>>         Hi Joe,
>>
>>         Sorry I am still not following. I think there is a condition
>>         that is missed. I have captured the permutation/combination in
>>         a table  where both Peer-1 and Peer-2 are TCP-AO capable and
>>         implemented in s/w.
>>
>>         |+-----+-------------------------+-------------------------+--------------------------------+--------------------------------------+|
>>
>>         ||     | Peer-1                  | Peer-2                  |
>>         Expected Behavior              |
>>         Comments                             ||
>>
>>         |+=====+=========================+=========================+================================+======================================+|
>>
>>         ||     |                         |
>>         |
>>         |                                      ||
>>
>>         || 1   | No-TCP-AO configured    | No TCP-AO Configured    |
>>         Vanilla TCP Session            | No TCP-AO but connection
>>         establishes ||
>>
>>         |+-----+-------------------------+-------------------------+--------------------------------+--------------------------------------+|
>>
>>         ||     | TCP-AO Configured with  | TCP-AO Configured with  |
>>         TCP-AO session                 | TCP-AO and connection
>>         establishes.   ||
>>
>>         || 2   | Key1                    | Key1
>>         |
>>         |                                      ||
>>
>>         |+-----+-------------------------+-------------------------+--------------------------------+--------------------------------------+|
>>
>>         ||     | TCP-AO configured with  | TCP-AO configured with  |
>>         Peer-2 will accept connection  | The segments will be accepted
>>         by     ||
>>
>>         ||     | valid Key-1             | valid Key-2             |
>>         from Peer-1 by default for     | default even if there is a
>>         mismatch  ||
>>
>>         ||     | (send-id=recv-id=1)     | (send-id=recv-id=2)     |
>>         mis-match of key               | on
>>         both-ends.                        ||
>>
>>         ||     |                         |
>>         |                                | Agreed, if the default
>>         behaviour at  ||
>>
>>         ||     |                         |                         |
>>         Peer-1 will accept connection  | either peer is changed,
>>         the          ||
>>
>>         ||     |                         |                         |
>>         from Peer-1 by default for     | connection will not be
>>         established.  ||
>>
>>         ||     |                         |                         |
>>         mismatch of key.
>>         |                                      ||
>>
>>         || 3   |                         |                         |
>>                                        | RFC does explain this
>>         point.         ||
>>
>>         |+-----+-------------------------+-------------------------+--------------------------------+--------------------------------------+|
>>
>>         ||     | TCP-AO configured with  | No TCP-AO configured    |
>>         Peer-2 will accept segments    | The point I have made is for
>>         this    ||
>>
>>         ||     | a valid Key-1           |                         |
>>         if it ignores TCP-AO option.   |
>>         condition                            ||
>>
>>         ||     |                         |                         |
>>         Peer-1 will reject segments
>>         |                                      ||
>>
>>         || 4   |                         |                         |
>>         from Peer-2 (No TCP-AO option)
>>         |                                      ||
>>
>>         |+-----+-------------------------+-------------------------+--------------------------------+--------------------------------------+|
>>
>>         If (3) is allowed why not (4). They both have similar
>>          security exposure if not the same.
>>
>>         -Venkatesh
>>
>>         *From:*touch@strayalpha.com
>>         <mailto:touch@strayalpha.com><touch@strayalpha.com
>>         <mailto:touch@strayalpha.com>>
>>         *Date:*Sunday, 18 September 2022 at 11:23 PM
>>         *To:*Natarajan, Venkatesh (HP-Networking)
>>         <venkatesh.natarajan@hpe.com <mailto:venkatesh.natarajan@hpe.com>>
>>         *Cc:*RFC Errata System <rfc-editor@rfc-editor.org
>>         <mailto:rfc-editor@rfc-editor.org>>, Allison Mankin
>>         <mankin@psg.com <mailto:mankin@psg.com>>, Ron Bonica
>>         <rbonica@juniper.net <mailto:rbonica@juniper.net>>, Martin
>>         Duke <martin.h.duke@gmail.com
>>         <mailto:martin.h.duke@gmail.com>>, Zaheduzzaman Sarker
>>         <Zaheduzzaman.Sarker@ericsson.com
>>         <mailto:Zaheduzzaman.Sarker@ericsson.com>>, Yoshifumi Nishida
>>         <nsd.ietf@gmail.com <mailto:nsd.ietf@gmail.com>>, Michael
>>         Tuexen <tuexen@fh-muenster.de
>>         <mailto:tuexen@fh-muenster.de>>,ianswett@google.com
>>         <mailto:ianswett@google.com><ianswett@google.com
>>         <mailto:ianswett@google.com>>,tcpm@ietf.org
>>         <mailto:tcpm@ietf.org><tcpm@ietf.org <mailto:tcpm@ietf.org>>
>>         *Subject:*Re: [tcpm] [Technical Errata Reported] RFC5925 (7135)
>>
>>         Hi, Venkatesh,
>>
>>         TCP-AO is designed so that it requires a MKT to operate - even
>>         to discard traffic that lacks TCP-AO headers.
>>
>>         That means that TCP’s behavior doesn’t change UNLESS there’s
>>         an MKT. So anything that matches no MKT is allowed, by default
>>         - even if TCP-AO is in the header.
>>
>>         That’s intentional - it’s “opt-in” on both sides. Let’s look
>>         at the 4 cases, where “client” implies the party initiation
>>         the connection. Assume both sides implement TCP-AO:
>>
>>         - client and server do not have MKTs at all
>>
>>         neither side will match their MKTs, TCP-AO is not used and the
>>         connection proceeds as usual
>>
>>         - client has an MKT that matches, but not the server
>>
>>         Client sends TCP-AO, but server doesn’t check and sends a
>>         SYN-ACK without TCP-AO
>>
>>         Client will now discard any returning packets because they
>>         won’t have TCP-AO
>>
>>         The connection will fail
>>
>>         - client lacks an MKT but server has an MKT that matches
>>
>>         Client sends without TCP-AO, but SYN matches an MKT
>>
>>         Server will drop the SYN because it matches an MKT but fails
>>         the TCP-AO check (it has to - it has no TCP-AO option)
>>
>>         connection will fail
>>
>>         - both sides have MTS that match
>>
>>         everything works
>>
>>         So we don’t need to change the text to handle the case where
>>         the endpoints differ in whether they want to use TCP-AO on a
>>         connection.
>>
>>         The “default accept” is per side, but the total effect is
>>         “default deny unless both sides use it and have the right keys”.
>>
>>         Joe
>>
>>         —
>>
>>         Dr. Joe Touch, temporal epistemologist
>>
>>         http://www.strayalpha.com<http://www.strayalpha.com>   <http://www.strayalpha.com/  >
>>
>>
>>
>>
>>
>>             On Sep 18, 2022, at 5:31 AM, Natarajan, Venkatesh
>>             (HP-Networking) <venkatesh.natarajan@hpe.com
>>             <mailto:venkatesh.natarajan@hpe.com>> wrote:
>>
>>             Hi Joe,
>>
>>             Thank you for reviewing the Errata submission.
>>
>>             The whole point of having a default-accept for a MKT
>>             mismatch is to allow a mismatch-key-TCP-AO connection
>>             establishment even if the TCP-AO was the intended use.  If
>>             only one endpoint between the two is configured for TCP-AO
>>             , then also it is the same condition where there is no
>>             authentication. I do not understand the differentiation
>>             that is being brought out by the 7.3 section in the RFC
>>             for allowing a mismatch-key tcp-ao and when the tcp-ao
>>             option itself is not present. How is one different from
>>             the other in term of security. Both are offering
>>             unsecured/unprotected connection.
>>
>>             What do you think is the reason for a unsecure connection
>>             be allowed by default?  I can reason to some extent that
>>             such a behavior be implemented iff there is a transition
>>             period for  Non-TCP-AO to TCP-AO and say the server has
>>             migrated to TCP-AO but some of the clients are yet to be
>>             upgraded/migrated to use TCP-AO. Its in this mode that the
>>             acceptance of a connection from a non-tcp-ao client
>>             (segment having no-tcp-oa option) even makes sense.
>>
>>             -Venkatesh
>>
>>             *From:*touch@strayalpha.com
>>             <mailto:touch@strayalpha.com><touch@strayalpha.com
>>             <mailto:touch@strayalpha.com>>
>>             *Date:*Sunday, 18 September 2022 at 5:33 AM
>>             *To:*RFC Errata System <rfc-editor@rfc-editor.org
>>             <mailto:rfc-editor@rfc-editor.org>>
>>             *Cc:*Dr. Joe Touch <touch@isi.edu <mailto:touch@isi.edu>>,
>>             Allison Mankin <mankin@psg.com <mailto:mankin@psg.com>>,
>>             Ron Bonica <rbonica@juniper.net
>>             <mailto:rbonica@juniper.net>>, Martin Duke
>>             <martin.h.duke@gmail.com
>>             <mailto:martin.h.duke@gmail.com>>, Zaheduzzaman Sarker
>>             <Zaheduzzaman.Sarker@ericsson.com
>>             <mailto:Zaheduzzaman.Sarker@ericsson.com>>, Yoshifumi
>>             Nishida <nsd.ietf@gmail.com <mailto:nsd.ietf@gmail.com>>,
>>             Michael Tuexen <tuexen@fh-muenster.de
>>             <mailto:tuexen@fh-muenster.de>>,ianswett@google.com
>>             <mailto:ianswett@google.com><ianswett@google.com
>>             <mailto:ianswett@google.com>>, Natarajan, Venkatesh
>>             (HP-Networking) <venkatesh.natarajan@hpe.com
>>             <mailto:venkatesh.natarajan@hpe.com>>,tcpm@ietf.org
>>             <mailto:tcpm@ietf.org><tcpm@ietf.org <mailto:tcpm@ietf.org>>
>>             *Subject:*Re: [tcpm] [Technical Errata Reported] RFC5925
>>             (7135)
>>
>>             Hi, all,
>>
>>             I disagree with this errata.
>>
>>             The decision is based on whether the segments match an
>>             MKT. If TCP-AO is required, an MKT would have been
>>             configured; packets with the option would match the MKT
>>             and proceed. Packets without the option would not match
>>             the MKT - because an MKT requires info in the option.
>>
>>             Recommend reject.
>>
>>             Joe
>>
>>             —
>>
>>             Dr. Joe Touch, temporal epistemologist
>>
>>             http://www.strayalpha.com<http://www.strayalpha.com>   <http://www.strayalpha.com/  >
>>
>>
>>
>>
>>                 On Sep 16, 2022, at 1:31 AM, RFC Errata System
>>                 <rfc-editor@rfc-editor.org
>>                 <mailto:rfc-editor@rfc-editor.org>> wrote:
>>
>>                 The following errata report has been submitted for
>>                 RFC5925,
>>                 "The TCP Authentication Option".
>>
>>                 --------------------------------------
>>                 You may review the report below and at:
>>                 https://www.rfc-editor.org/errata/eid7135<https://www.rfc-editor.org/errata/eid7135>
>>                 <https://www.rfc-editor.org/errata/eid7135  >
>>
>>                 --------------------------------------
>>                 Type: Technical
>>                 Reported by: Venkatesh Natarajan
>>                 <venkatesh.natarajan@hpe.com
>>                 <mailto:venkatesh.natarajan@hpe.com>>
>>
>>                 Section: 7.3
>>
>>                 Original Text
>>                 -------------
>>
>>
>>                         A TCP-AO implementation MUST allow for
>>                         configuration of the
>>
>>                   behavior of segments with TCP-AO but that do not
>>                 match an MKT.  The
>>                   initial default of this configuration SHOULD be to
>>                 silently accept
>>                   such connections.  If this is not the desired case,
>>                 an MKT can be
>>                   included to match such connections, or the
>>                 connection can indicate
>>                   that TCP-AO is required.  Alternately, the
>>                 configuration can be
>>                   changed to discard segments with the AO option not
>>                 matching an MKT.
>>
>>                 Corrected Text
>>                 --------------
>>
>>
>>                         A TCP-AO implementation MUST allow for
>>                         configuration of the
>>
>>                   behavior of segments with TCP-AO but that do not
>>                 match any MKT or
>>                   no MKT is available. The initial default of this
>>                 configuration
>>                   SHOULD be to silently accept such connections. In
>>                 this mode of
>>                   operation, both the endpoints will not perform
>>                 TCP-AO validation.
>>                   If this is not the desired case, an MKT can be
>>                 included to match such
>>                   connections, or the connection can indicate that
>>                 TCP-AO is required.
>>                   Alternately, the configuration can be changed to
>>                 discard segments
>>                   with the AO option not matching an MKT.
>>
>>                 Notes
>>                 -----
>>                 The RFC does not clearly draw out the distinction
>>                 between treatment of segments with TCP-AO and without
>>                 TCP-AO option.
>>                 Note that in the case of MKT mismatch as per existing
>>                 RFC text, if either endpoint does TCP-AO validation,
>>                 the session would not get established.
>>
>>                 Instructions:
>>                 -------------
>>                 This erratum is currently posted as "Reported". If
>>                 necessary, please
>>                 use "Reply All" to discuss whether it should be
>>                 verified or
>>                 rejected. When a decision is reached, the verifying party
>>                 can log in to change the status and edit the report,
>>                 if necessary.
>>
>>                 --------------------------------------
>>                 RFC5925 (draft-ietf-tcpm-tcp-auth-opt-11)
>>                 --------------------------------------
>>                 Title               : The TCP Authentication Option
>>                 Publication Date    : June 2010
>>                 Author(s)           : J. Touch, A. Mankin, R. Bonica
>>                 Category            : PROPOSED STANDARD
>>                 Source              : TCP Maintenance and Minor Extensions
>>                 Area                : Transport
>>                 Stream              : IETF
>>                 Verifying Party     : IESG
>>
>>                 _______________________________________________
>>                 tcpm mailing list
>>                 tcpm@ietf.org <mailto:tcpm@ietf.org>
>>                 https://www.ietf.org/mailman/listinfo/tcpm<https://www.ietf.org/mailman/listinfo/tcpm>
>>                 <https://www.ietf.org/mailman/listinfo/tcpm  >
>>

v2.23.0 | Report a Bug | By Email