IETF Logo Mail Archive

Re: [tcpm] RE: TCP secure

Alfred Hönes <ah@tr-sys.de> Fri, 11 January 2008 02:09 UTC

Return-path: <tcpm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1JD9Kd-0001zz-Bu; Thu, 10 Jan 2008 21:09:15 -0500
Received: from tcpm by megatron.ietf.org with local (Exim 4.43) id 1JD9Kc-0001zt-9l for tcpm-confirm+ok@megatron.ietf.org; Thu, 10 Jan 2008 21:09:14 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1JD9Kb-0001zl-Vw for tcpm@ietf.org; Thu, 10 Jan 2008 21:09:13 -0500
Received: from gateway.tr-sys.de ([213.178.172.147] helo=WOTAN.TR-Sys.de) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1JD9Ka-0003Ti-Qd for tcpm@ietf.org; Thu, 10 Jan 2008 21:09:13 -0500
Received: from ZEUS.TR-Sys.de by w. with ESMTP ($Revision: 1.37.109.26 $/16.3) id AA267747295; Fri, 11 Jan 2008 03:08:15 +0100
Received: (from ah@localhost) by z.TR-Sys.de (8.9.3 (PHNE_25183)/8.7.3) id DAA11330; Fri, 11 Jan 2008 03:08:10 +0100 (MEZ)
From: Alfred Hönes <ah@tr-sys.de>
Message-Id: <200801110208.DAA11330@TR-Sys.de>
Subject: Re: [tcpm] RE: TCP secure
To: ananth@cisco.com, rrs@cisco.com, mdalal@cisco.com
Date: Fri, 11 Jan 2008 03:08:10 +0100
X-Mailer: ELM [$Revision: 1.17.214.3 $]
Mime-Version: 1.0
Content-Type: text/plain; charset="hp-roman8"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: fb6060cb60c0cea16e3f7219e40a0a81
Cc: tcpm@ietf.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Errors-To: tcpm-bounces@ietf.org

Hello all,
I generally agree with the recent changes performed for
   draft-ietf-tcpm-tcpsecure-09,

yet in the newly added AS (Section 1.1),
the language should be improved based on the rationale below.

a) "The mitigations presented in" and "talks about" almost mean
   the same, but even worse, combined in the first line, the
   sentence does not parse.  Because "The mitigations" re-occurs
   in the next line, I suggest to drop the first occurrence.

b) "Solutions to .. [attacks]" does not seem to be very meaningful.
   I therefore also suggest to replace "the solutions to the same"
   by "suitable defenses against these".  Hopefully, this will
   increase the clarity, and add to the readability of the text.

c) "... devices where the TCP connections are most vulnerable ..."
   pretends to not admit the co-existence with less vulnerable
   TCP connections and the temporal variation over all the story.
   I suggest to talk about "... devices that regularly have to
   maintain TCP connections of the kind most vulnerable ...".

d) I also suggest to delete the subsequent "Some", because the
   following explanation only details *one* specific kind of TCP
   connections particularly vulnerable.

e) In the middle of the original paragraph, I suggest adding an "and"
   to make the syntax and semantics of the sentence unambiguous.

Taking that into account, I recommend changing:

OLD:

|  The mitigations presented in this document talks about some known in-
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^          ~~~~~~~~~~~
|  window attacks and the solutions to the same.  The mitigations
                      ^^^^^^^^^^^^^^^^^^^^^^^^^
   suggested in this draft SHOULD be implemented in devices where the
                  vvvvv                                    ^^^^^^^^^^
   TCP connections are most vulnerable to the attacks described in this
   document.  Some examples of such TCP connections are the ones that
              ^^^^^
|  tend to be long-lived where the connection end points can be
                        ^
   determined, in cases where no auxiliary anti-spoofing protection
   mechanisms like TCP MD5 [RFC2385] can be deployed.  These mitigations
   MAY be implemented in other cases.

NEW:

|  This document talks about some known in-window attacks and suitable
|  defenses against these.  The mitigations suggested in this draft
|  SHOULD be implemented in devices that regularly need to maintain TCP
|  connections of the kind most vulnerable to the attacks described in
|  this document.  Examples of such TCP connections are the ones that
|  tend to be long-lived and where the connection end points can be
   determined, in cases where no auxiliary anti-spoofing protection
   mechanisms like TCP MD5 [RFC2385] can be deployed.  These mitigations
   MAY be implemented in other cases.


Kind regards,
  Alfred.

-- 

+------------------------+--------------------------------------------+
| TR-Sys Alfred Hoenes   |  Alfred Hoenes   Dipl.-Math., Dipl.-Phys.  |
| Gerlinger Strasse 12   |  Phone: (+49)7156/9635-0, Fax: -18         |
| D-71254  Ditzingen     |  E-Mail:  ah@TR-Sys.de                     |
+------------------------+--------------------------------------------+



_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email