Re: [tcpm] tcpsecure: how strong to recommend?

Joe Touch <touch@ISI.EDU> Wed, 26 September 2007 22:21 UTC

Return-path: <>
Received: from [] ( by with esmtp (Exim 4.43) id 1IafFv-0007xc-CA; Wed, 26 Sep 2007 18:21:19 -0400
Received: from [] ( by with esmtp (Exim 4.43) id 1IafFu-0007x4-1L for; Wed, 26 Sep 2007 18:21:18 -0400
Received: from ([]) by with esmtp (Exim 4.43) id 1IafFo-0001Ua-HZ for; Wed, 26 Sep 2007 18:21:12 -0400
Received: from [] ( []) by (8.13.8/8.13.8) with ESMTP id l8QMKFeX018523; Wed, 26 Sep 2007 15:20:16 -0700 (PDT)
Message-ID: <>
Date: Wed, 26 Sep 2007 15:20:07 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird (Windows/20070728)
MIME-Version: 1.0
To: "Anantha Ramaiah (ananth)" <>
Subject: Re: [tcpm] tcpsecure: how strong to recommend?
References: <>
In-Reply-To: <>
X-Enigmail-Version: 0.95.3
X-ISI-4-43-8-MailScanner: Found to be clean
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 82c9bddb247d9ba4471160a9a865a5f3
Cc:, Tim Shepard <>
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <>
List-Unsubscribe: <>, <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
Content-Type: multipart/mixed; boundary="===============0738282480=="

Anantha Ramaiah (ananth) wrote:
> Inline comments....
> - Like someone pointed out MAY is a weak statement, it could also imply
> "MAY not". Why should it be a MAY when we know that the pros of the
> soultion outweigh the cons?

They do not in all cases. If TCP is deployed either where no well-known
connections exist, or where such connections are protected by other
authentication, this solution adds
	a) complexity
	b) chatter during valid RSTs
	c) IPR encumberance

> - to me these recommendations are good to have, 

You're now making decisions for others, i.e., these recommendations are
"good for everyone to have unless they have a reason not to". That's not
what you said before in terms of "let the user/implementer decide".

>> There's no MUST in that logic, any more than 'you MUST deploy 
>> IPsec/BTNS/TCP-MD5++'.
> I am assuming it is a conditional MUST like "if you need security then
> use TCP MD5", correct? Is "conditional MUST = SHOULD" ?

It is a conditional SHOULD, i.e., a SHOULD with a caveat. From the
RFC2119-level, IMO that's a MAY with explanation.


tcpm mailing list