IETF Logo Mail Archive

Re: [tcpm] tcp-auth-opt issue: support for NATs

"Dan Wing" <dwing@cisco.com> Fri, 08 August 2008 01:46 UTC

Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EA38228C1C3; Thu, 7 Aug 2008 18:46:31 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8EDEF28C1C0 for <tcpm@core3.amsl.com>; Thu, 7 Aug 2008 18:46:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iqipX6QvQyMM for <tcpm@core3.amsl.com>; Thu, 7 Aug 2008 18:46:29 -0700 (PDT)
Received: from sj-iport-2.cisco.com (sj-iport-2.cisco.com [171.71.176.71]) by core3.amsl.com (Postfix) with ESMTP id 416DC28C1C4 for <tcpm@ietf.org>; Thu, 7 Aug 2008 18:46:29 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.31,323,1215388800"; d="scan'208";a="73383797"
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-2.cisco.com with ESMTP; 08 Aug 2008 01:46:29 +0000
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id m781kTrt008128; Thu, 7 Aug 2008 18:46:29 -0700
Received: from dwingwxp01 ([10.32.240.194]) by sj-core-2.cisco.com (8.13.8/8.13.8) with ESMTP id m781kSK5008397; Fri, 8 Aug 2008 01:46:28 GMT
From: Dan Wing <dwing@cisco.com>
To: "'Anantha Ramaiah (ananth)'" <ananth@cisco.com>, 'Eric Rescorla' <ekr@networkresonance.com>, 'Joe Touch' <touch@ISI.EDU>
References: <4890F4BE.6060302@isi.edu><396556a20807301622l4cb33deuff73cd13d7a75ba1@mail.gmail.com><4890FBE8.1020203@isi.edu><396556a20807311700w1eda50b0o5da7ae52e6c1691a@mail.gmail.com><48935FFD.4090805@isi.edu><396556a20808051826w1a839577q956f379f56db1165@mail.gmail.com><20080806020257.D1C69525D8F@kilo.rtfm.com><396556a20808061742y19f8f5fh78fe66bfe4d415be@mail.gmail.com><20080807011812.DDC8050846@romeo.rtfm.com><396556a20808071047q5bda8acbje7a8fc9f9bf2e597@mail.gmail.com><20080807180512.77604529E4D@kilo.rtfm.com><489B3B72.8030604@isi.edu><20080807182005.04B5B52A03A@kilo.rtfm.com><489B407A.6030001@isi.edu><20080807185224.3A46750846@romeo.rtfm.com> <0C53DCFB700D144284A584F54711EC5805984F7B@xmb-sjc-21c.amer.cisco.com>
Date: Thu, 07 Aug 2008 18:46:28 -0700
Message-ID: <21e601c8f8f8$936ef740$d35d150a@cisco.com>
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
Thread-Index: Acj4vXBFEKM/zXCAT3ePXvJtIbx7DwAGO5ygAAhHswA=
In-Reply-To: <0C53DCFB700D144284A584F54711EC5805984F7B@xmb-sjc-21c.amer.cisco.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=3602; t=1218159989; x=1219023989; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20<dwing@cisco.com> |Subject:=20RE=3A=20[tcpm]=20tcp-auth-opt=20issue=3A=20supp ort=20for=20NATs |Sender:=20; bh=Nkz2D7Xwy3YwV9uwGKbevHXdw5FsIFvtBcj2fPyRHKU=; b=Nn6V5TqTrFrghGIjRGmk4Y4h5RHSNTydp1oDSsXfUjK4gngLT/revpDiXH KbOWzSuVGwXFLn710Fc0wVCaKEqLw0LuhM/QCW7uQCQwyRyDmt0muqydkKB8 13C9m+uXey;
Authentication-Results: sj-dkim-3; header.From=dwing@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
Cc: 'Adam Langley' <agl@imperialviolet.org>, tcpm@ietf.org
Subject: Re: [tcpm] tcp-auth-opt issue: support for NATs
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org

 

> -----Original Message-----
> From: tcpm-bounces@ietf.org [mailto:tcpm-bounces@ietf.org] On 
> Behalf Of Anantha Ramaiah (ananth)
> Sent: Thursday, August 07, 2008 2:46 PM
> To: Eric Rescorla; Joe Touch
> Cc: Adam Langley; tcpm@ietf.org
> Subject: Re: [tcpm] tcp-auth-opt issue: support for NATs
> 
> 
> While we are at this subject ("supporting NAT's") did we answer the
> basic questions :-
> 
> - Is this a mandatory? Since BGP, LDP and MSDP who are going 
> to be major users of this option, NAT is not going to be in picture.

Those are going to be the major consumers now, but if we aren't
able to keep ahead of various out-of-window TCP attacks, it would
be reasonable for other applications to want to use TCP AO.  I
believe a TLS-over-TCP connection can be destroyed with a bogus
in-window packet; preventing such an attack with TCP AO would be 
valuable if such attacks become easier in the future.

> - Ok, assume you are deciding to support NAT, where do you draw the
> line? Are you also talking about embedded IP addr in the 
> payload (ALG)? Or we don't care?

No ALGs.

-d


> I haven't heard concrete responses (if any) to these above questions.
> Not meant to derail the crypto focus that is currently prevailing in
> this thread.
> 
> -Anantha
> 
> > -----Original Message-----
> > From: tcpm-bounces@ietf.org [mailto:tcpm-bounces@ietf.org] On 
> > Behalf Of Eric Rescorla
> > Sent: Thursday, August 07, 2008 11:52 AM
> > To: Joe Touch
> > Cc: Adam Langley; tcpm@ietf.org
> > Subject: Re: [tcpm] tcp-auth-opt issue: support for NATs
> > 
> > At Thu, 07 Aug 2008 11:35:38 -0700,
> > Joe Touch wrote:
> > > 
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > > 
> > > 
> > > 
> > > Eric Rescorla wrote:
> > > ...
> > > |> | Because the side doing the passive open doesn't know 
> > which client 
> > > |> | is connecting and it may have multiple instances of 
> > the same key-id?
> > > |> | I don't understand the purpose of the time. Just do trial 
> > > |> | verifications with each key.
> > > |>
> > > |> That's a reason we have a keyID, which, together with 
> the socket 
> > > |> pair, should exactly specify what key to use and avoids 
> > this sort 
> > > |> of trial. If we can live with trials, we can remove the 
> > keyID and 
> > > |> things align much better.
> > > |
> > > | Yes, but this only works if you either (1) know the 
> > address of peers 
> > > | in advance or (2) never assign the same key-id to two different 
> > > | peers.
> > > 
> > > <indiv hat on>
> > > 
> > > If we require the socket pair, then the keyID need be unique only 
> > > within a connection, and we should never need to test 
> > different keys 
> > > -- even with key rollover, the key used should be deterministic.
> > > 
> > > Supporting NATs can be done in two different ways:
> > 
> > I think this is at least potentially an issue even aside from 
> > NAT. When I install keys on my host, you're proposing that I 
> > need to configure both the peer IP address and the key-id. 
> > This isn't necessarily bad, but it does mean that if (for 
> > instance) the other side decides to renumber, nothing will 
> > work absent manual reconfiguration. Is that something people want?
> > 
> > -Ekr
> > _______________________________________________
> > tcpm mailing list
> > tcpm@ietf.org
> > https://www.ietf.org/mailman/listinfo/tcpm
> > 
> _______________________________________________
> tcpm mailing list
> tcpm@ietf.org
> https://www.ietf.org/mailman/listinfo/tcpm

_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email