IETF Logo Mail Archive

Re: [tcpm] status of TCP-MD5 after TCP-AO publication

"Smith, Donald" <Donald.Smith@qwest.com> Tue, 04 August 2009 17:20 UTC

Return-Path: <Donald.Smith@qwest.com>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 57A993A682A; Tue, 4 Aug 2009 10:20:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 90rOz4OcRE2J; Tue, 4 Aug 2009 10:20:40 -0700 (PDT)
Received: from suomp64i.qwest.com (suomp64i.qwest.com [155.70.16.237]) by core3.amsl.com (Postfix) with ESMTP id 52FF93A67F8; Tue, 4 Aug 2009 10:20:40 -0700 (PDT)
Received: from sudnp796.qintra.com (sudnp796.qintra.com [151.116.2.212]) by suomp64i.qwest.com (8.14.0/8.14.0) with ESMTP id n74HKfbS015684; Tue, 4 Aug 2009 12:20:41 -0500 (CDT)
Received: from qtdenexhtm22.AD.QINTRA.COM (localhost [127.0.0.1]) by sudnp796.qintra.com (8.14.0/8.14.0) with ESMTP id n74HKZq7027483; Tue, 4 Aug 2009 11:20:35 -0600 (MDT)
Received: from qtdenexmbm24.AD.QINTRA.COM ([151.119.91.226]) by qtdenexhtm22.AD.QINTRA.COM ([151.119.91.231]) with mapi; Tue, 4 Aug 2009 11:20:35 -0600
From: "Smith, Donald" <Donald.Smith@qwest.com>
To: "'Chaks Chigurupati (chaks)'" <chaks@cisco.com>, 'Iljitsch van Beijnum' <iljitsch@muada.com>, 'Ron Bonica' <rbonica@juniper.net>
Date: Tue, 04 Aug 2009 11:20:34 -0600
Thread-Topic: [tcpm] status of TCP-MD5 after TCP-AO publication
Thread-Index: AcoVHCcZ8JwlPIP3Qw6VTNwcE8WB5AAAMtNQAAFy8wAAAM/DkA==
Message-ID: <B01905DA0C7CDC478F42870679DF0F100599C37D28@qtdenexmbm24.AD.QINTRA.COM>
References: <6BB76CFA-4134-4D3E-BE20-3A90A5111CBD@nokia.com><FB33B8FD-308B-4 867-902E-131382969C35@muada.com><4A777220.3070507@juniper.net><75E968CA-1D9 A-40BD-9C3E-534518B13BCF@muada.com> <B01905DA0C7CDC478F42870679DF0F100599C37D03@qtdenexmbm24.AD.QINTRA.COM> <3C50EF6BFB256E448286057DABC00CBE0834DB40@xmb-sjc-214.amer.cisco.com>
In-Reply-To: <3C50EF6BFB256E448286057DABC00CBE0834DB40@xmb-sjc-214.amer.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "'tcpm@ietf.org'" <tcpm@ietf.org>, "'iesg@ietf.org'" <iesg@ietf.org>
Subject: Re: [tcpm] status of TCP-MD5 after TCP-AO publication
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Aug 2009 17:20:41 -0000

(coffee != sleep) & (!coffee == sleep)
Donald.Smith@qwest.com gcia   

> -----Original Message-----
> From: Chaks Chigurupati (chaks) [mailto:chaks@cisco.com] 
> Sent: Tuesday, August 04, 2009 10:49 AM
> To: Smith, Donald; Iljitsch van Beijnum; Ron Bonica
> Cc: tcpm@ietf.org; iesg@ietf.org
> Subject: RE: [tcpm] status of TCP-MD5 after TCP-AO publication
> 
> One minor comment - Please see inline for [Chaks]
> 
> > -----Original Message-----
> > From: tcpm-bounces@ietf.org [mailto:tcpm-bounces@ietf.org] On 
> > Behalf Of Smith, Donald
> > Sent: Tuesday, August 04, 2009 9:27 AM
> > To: 'Iljitsch van Beijnum'; 'Ron Bonica'
> > Cc: 'tcpm@ietf.org'; 'iesg@ietf.org IESG'
> > Subject: Re: [tcpm] status of TCP-MD5 after TCP-AO publication
> > 
> > I believe the rfc2385 should be modified.
> > 
> > http://www.ietf.org/rfc/rfc2385.txt
> > 4.1
> >    A connectionless reset will be ignored by the receiver of 
> > the reset,
> >    since the originator of that reset does not know the key, and so
> >    cannot generate the proper signature for the segment.  
> This means,
> >    for example, that connection attempts by a TCP which is 
> generating
> >    signatures to a port with no listener will time out 
> > instead of being
> >    refused.  Similarly, resets generated by a TCP in response to
> >    segments sent on a stale connection will also be ignored.
> >    Operationally this can be a problem since resets help BGP recover
> >    quickly from peer crashes.
> > 
> > 
> > 
> > An authenticationless reset MUST be ignored by the receiver 
> > of the reset.
> > The originator of that reset knows the key associated with 
> > their bgp neighbor and SHOULD use the key to generate an 
> > authenticated reset if that session has been terminated for 
> > some reason.
> > This means, for example, that connection attempts by a TCP 
> > which is generating signatures to a port with no listener 
> > could be refused with a authenticated reset instead of being 
> > timed out.
> 
> [Chaks] If the listener is not around, it is very likely that the
> listener has withdrawn from TCP the knowledge about the 
> various keys associcated with the neighbors. OR, TCP itself might have
> purged that info as such info is usually "attached" to the listen
> socket. So, it may not be possible for TCP to generate an 
> authenticated
> reset in the absence of a listener.

In ever implementation I have seen there is a shared secret in the BGP configuration.
It might mean "searching" the bgp configuration to find the neighbor's route ID and grab the shared secret associated with that router ID but that plus the incoming packet information (src_port, dst_port, sequence_numbers...) is enough to provide an authenticated reset. 

One issue here is that the reset would probably not be generated by the asic on the line card as it is in many cases today. So this would probably lead to a hit on to the cpu or npu (slow path). Some routers ignore authenticated resets which per the current version of the rfc can be viewed as rfc compliant:(


> 
> Chaks
> 
> > Operationally this would be an improvement over the current 
> > standard since resets help BGP recover quickly from peer crashes.
> > 
> > 
> > 
> > The current rfc compliant behavior doesn't make authenticated 
> > reset work, it makes ALL RESETS fail.
> > We could just as well have a flag that says ignore resets for 
> > bgp. It would have the same value as today's rfc compliant 
> > router implementations.
> > 
> > (coffee != sleep) & (!coffee == sleep)
> > Donald.Smith@qwest.com gcia   
> > 
> > > -----Original Message-----
> > > From: tcpm-bounces@ietf.org [mailto:tcpm-bounces@ietf.org] On 
> > > Behalf Of Iljitsch van Beijnum
> > > Sent: Tuesday, August 04, 2009 9:56 AM
> > > To: Ron Bonica
> > > Cc: tcpm@ietf.org; iesg@ietf.org IESG
> > > Subject: Re: [tcpm] status of TCP-MD5 after TCP-AO publication
> > > 
> > > On 4 aug 2009, at 1:26, Ron Bonica wrote:
> > > 
> > > > The HISTORIC nomenclature doesn't mean that there is no 
> longer an
> > > > installed base. It just means that something more recent is 
> > > available.
> > > 
> > > I still think it's premature to change the status of RFC 2385 
> > > before a  
> > > replacement is widely available operationally.
> > > 
> > > And yes, that can take a decade, see 32-bit AS numbers.
> > > 
> > > Iljitsch
> > > _______________________________________________
> > > tcpm mailing list
> > > tcpm@ietf.org
> > > https://www.ietf.org/mailman/listinfo/tcpm
> > > 
> > _______________________________________________
> > tcpm mailing list
> > tcpm@ietf.org
> > https://www.ietf.org/mailman/listinfo/tcpm
> > 
>

v2.23.0 | Report a Bug | By Email