Re: [tcpm] poll for adopting draft-gont-tcp-security
"Eddy, Wesley M. (GRC-MS00)[Verizon]" <wesley.m.eddy@nasa.gov> Tue, 30 June 2009 17:25 UTC
Return-Path: <wesley.m.eddy@nasa.gov>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5F50028C20F for <tcpm@core3.amsl.com>; Tue, 30 Jun 2009 10:25:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.567
X-Spam-Level:
X-Spam-Status: No, score=-6.567 tagged_above=-999 required=5 tests=[AWL=0.032, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xehOtFHVn-re for <tcpm@core3.amsl.com>; Tue, 30 Jun 2009 10:25:54 -0700 (PDT)
Received: from ndmsnpf01.ndc.nasa.gov (ndmsnpf01.ndc.nasa.gov [198.117.0.121]) by core3.amsl.com (Postfix) with ESMTP id 307C73A6CD2 for <tcpm@ietf.org>; Tue, 30 Jun 2009 10:25:54 -0700 (PDT)
Received: from ndjsppt02.ndc.nasa.gov (ndjsppt02.ndc.nasa.gov [198.117.1.101]) by ndmsnpf01.ndc.nasa.gov (Postfix) with ESMTP id BE6B0260366; Tue, 30 Jun 2009 11:20:15 -0500 (CDT)
Received: from ndjshub04.ndc.nasa.gov (ndjshub04.ndc.nasa.gov [198.117.4.163]) by ndjsppt02.ndc.nasa.gov (8.14.3/8.14.3) with ESMTP id n5UGKEm5027990; Tue, 30 Jun 2009 11:20:15 -0500
Received: from NDJSSCC01.ndc.nasa.gov ([198.117.4.166]) by ndjshub04.ndc.nasa.gov ([198.117.4.163]) with mapi; Tue, 30 Jun 2009 11:18:55 -0500
From: "Eddy, Wesley M. (GRC-MS00)[Verizon]" <wesley.m.eddy@nasa.gov>
To: Joe Touch <touch@ISI.EDU>, Fernando Gont <fernando@gont.com.ar>
Date: Tue, 30 Jun 2009 11:18:53 -0500
Thread-Topic: [tcpm] poll for adopting draft-gont-tcp-security
Thread-Index: Acn5lOSH6gGgwBlGRh+H8/0xkHVEKQAAbQmQ
Message-ID: <C304DB494AC0C04C87C6A6E2FF5603DB2217BA03DF@NDJSSCC01.ndc.nasa.gov>
References: <C304DB494AC0C04C87C6A6E2FF5603DB2217B28763@NDJSSCC01.ndc.nasa.gov> <fc0ff13d0906241711k44de4f77u8ec825e1ea151a1e@mail.gmail.com> <4A4317ED.1040905@gont.com.ar> <4A48F60A.7020602@gmail.com> <4A49CA1A.6060702@gont.com.ar> <4A4A2A73.0@isi.edu>
In-Reply-To: <4A4A2A73.0@isi.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=1.12.7400:2.4.4, 1.2.40, 4.0.166 definitions=2009-06-30_13:2009-06-25, 2009-06-30, 2009-06-30 signatures=0
Cc: Matt Mathis <mathis@psc.edu>, Matt, tcpm Extensions WG <tcpm@ietf.org>, Mathis <matt.mathis@gmail.com>
Subject: Re: [tcpm] poll for adopting draft-gont-tcp-security
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jun 2009 17:25:57 -0000
>-----Original Message----- >From: tcpm-bounces@ietf.org [mailto:tcpm-bounces@ietf.org] On Behalf Of >Joe Touch >Sent: Tuesday, June 30, 2009 11:09 AM > > ... > >This is a key flaw in the approach taken in this document. A proper scan >of all aspects of TCP for security vulnerabilities would be useful, but >the doc focuses on implementations as if they provide unique or correct >insight into the issue. The state of implementations may provide a >reason to look at this issue, but do not necessarily provide the right >basis for determining how to proceed. > >TCP is not secure; it was not intended to be. We cannot make it secure >simply by dropping vulnerable components. We cannot make it secure by >focusing on poor implementation choices. > >If the WG is to proceed on this, there are two viable choices: > > 1) a from-scratch analysis of every aspect of TCP > for security, not just the ones implementers have > either tripped over or misdesigned > > 2) a from-scratch design of a new secure transport > protocol (in TSVWG) Since 2 is out of our scope in TCPM, we'd have to move that to discussion on TSVWG. Just my personal thoughts here ... not co-chairing yet ... As for from-scratch analysis, my personal thought is that Fernando's list of issues identified is a strong starting point, even if we don't agree about some of the mitigations suggested. I 100% agree with Matt and Joe's warnings that we need to come at the mitigations from the standpoint of reducing risks without closing off our potential to continue innovating, extending, and keeping TCP working as a key part of the Internet. To me, this task resembles some of the BEHAVE working group's work, where we know that people are doing bad things in implementation, so we have need to write guidelines documents to tell the implementers what they should be doing. I think much of Fernando's analysis is quite good, at least in terms of identifying potential areas that can be exploited. However, I do think it could benefit from taking another step back in order to organize and make sure the set of issues and recommendations is complete. As a systems engineer, my first thought is always for requirements, so when I looked at Fernando's document, my question was if we're intending to do a "TCP implementation profile" for security, then what are the actual requirements to build to ... something like: - TCP MUST be able to be implemented in a way free of exploitable conditions leading to: - unbounded memory utilization - unbounded CPU utilization - data injection by off-path third-parties - connection breakage by off-path third-parties - packet amplification by off-path third parties - ... - Recommended mitigations to security issues identified in legacy TCP specifications MUST NOT further limit TCP properties of: - interoperability - scalability (data rates, loss rates, RTT, etc.) - extensibility (new options, congestion control, use of reserved bits, etc.) - ... If we can clearly state the goals like this, then we can both organize the issues found more logically, and we can evaluate the potential harm of the proposed implementation techniques very systematically. --------------------------- Wes Eddy Network & Systems Architect Verizon FNS / NASA GRC Office: (216) 433-6682 ---------------------------
- [tcpm] poll for adopting draft-gont-tcp-security Eddy, Wesley M. (GRC-MS00)[Verizon]
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Matt Mathis
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Matt Mathis
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Alfred Hönes
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Ilpo Järvinen
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Eddy, Wesley M. (GRC-MS00)[Verizon]
- [tcpm] [Fwd: Re: poll for adopting draft-gont-tcp… Fernando Gont
- [tcpm] [Fwd: Re: poll for adopting draft-gont-tcp… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Christos Zoulas
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Eddy, Wesley M. (GRC-MS00)[Verizon]
- [tcpm] Handling of malformed options (was: Re: po… Fernando Gont
- Re: [tcpm] Handling of malformed options Joe Touch
- Re: [tcpm] Handling of malformed options Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Lloyd Wood
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Lloyd Wood
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Lloyd Wood
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Lloyd Wood
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Lloyd Wood
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Lloyd Wood
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Andrew Yourtchenko
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Dan Wing
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… David Borman