Re: [tcpm] RE: TCP secure
Alfred Hönes <ah@tr-sys.de> Fri, 11 January 2008 02:09 UTC
Return-path: <tcpm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1JD9Kd-0001zz-Bu; Thu, 10 Jan 2008 21:09:15 -0500
Received: from tcpm by megatron.ietf.org with local (Exim 4.43) id 1JD9Kc-0001zt-9l for tcpm-confirm+ok@megatron.ietf.org; Thu, 10 Jan 2008 21:09:14 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1JD9Kb-0001zl-Vw for tcpm@ietf.org; Thu, 10 Jan 2008 21:09:13 -0500
Received: from gateway.tr-sys.de ([213.178.172.147] helo=WOTAN.TR-Sys.de) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1JD9Ka-0003Ti-Qd for tcpm@ietf.org; Thu, 10 Jan 2008 21:09:13 -0500
Received: from ZEUS.TR-Sys.de by w. with ESMTP ($Revision: 1.37.109.26 $/16.3) id AA267747295; Fri, 11 Jan 2008 03:08:15 +0100
Received: (from ah@localhost) by z.TR-Sys.de (8.9.3 (PHNE_25183)/8.7.3) id DAA11330; Fri, 11 Jan 2008 03:08:10 +0100 (MEZ)
From: Alfred Hönes <ah@tr-sys.de>
Message-Id: <200801110208.DAA11330@TR-Sys.de>
Subject: Re: [tcpm] RE: TCP secure
To: ananth@cisco.com, rrs@cisco.com, mdalal@cisco.com
Date: Fri, 11 Jan 2008 03:08:10 +0100
X-Mailer: ELM [$Revision: 1.17.214.3 $]
Mime-Version: 1.0
Content-Type: text/plain; charset="hp-roman8"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: fb6060cb60c0cea16e3f7219e40a0a81
Cc: tcpm@ietf.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Errors-To: tcpm-bounces@ietf.org
Hello all, I generally agree with the recent changes performed for draft-ietf-tcpm-tcpsecure-09, yet in the newly added AS (Section 1.1), the language should be improved based on the rationale below. a) "The mitigations presented in" and "talks about" almost mean the same, but even worse, combined in the first line, the sentence does not parse. Because "The mitigations" re-occurs in the next line, I suggest to drop the first occurrence. b) "Solutions to .. [attacks]" does not seem to be very meaningful. I therefore also suggest to replace "the solutions to the same" by "suitable defenses against these". Hopefully, this will increase the clarity, and add to the readability of the text. c) "... devices where the TCP connections are most vulnerable ..." pretends to not admit the co-existence with less vulnerable TCP connections and the temporal variation over all the story. I suggest to talk about "... devices that regularly have to maintain TCP connections of the kind most vulnerable ...". d) I also suggest to delete the subsequent "Some", because the following explanation only details *one* specific kind of TCP connections particularly vulnerable. e) In the middle of the original paragraph, I suggest adding an "and" to make the syntax and semantics of the sentence unambiguous. Taking that into account, I recommend changing: OLD: | The mitigations presented in this document talks about some known in- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ~~~~~~~~~~~ | window attacks and the solutions to the same. The mitigations ^^^^^^^^^^^^^^^^^^^^^^^^^ suggested in this draft SHOULD be implemented in devices where the vvvvv ^^^^^^^^^^ TCP connections are most vulnerable to the attacks described in this document. Some examples of such TCP connections are the ones that ^^^^^ | tend to be long-lived where the connection end points can be ^ determined, in cases where no auxiliary anti-spoofing protection mechanisms like TCP MD5 [RFC2385] can be deployed. These mitigations MAY be implemented in other cases. NEW: | This document talks about some known in-window attacks and suitable | defenses against these. The mitigations suggested in this draft | SHOULD be implemented in devices that regularly need to maintain TCP | connections of the kind most vulnerable to the attacks described in | this document. Examples of such TCP connections are the ones that | tend to be long-lived and where the connection end points can be determined, in cases where no auxiliary anti-spoofing protection mechanisms like TCP MD5 [RFC2385] can be deployed. These mitigations MAY be implemented in other cases. Kind regards, Alfred. -- +------------------------+--------------------------------------------+ | TR-Sys Alfred Hoenes | Alfred Hoenes Dipl.-Math., Dipl.-Phys. | | Gerlinger Strasse 12 | Phone: (+49)7156/9635-0, Fax: -18 | | D-71254 Ditzingen | E-Mail: ah@TR-Sys.de | +------------------------+--------------------------------------------+ _______________________________________________ tcpm mailing list tcpm@ietf.org https://www1.ietf.org/mailman/listinfo/tcpm
- [tcpm] TCP secure Anantha Ramaiah (ananth)
- [tcpm] RE: TCP secure Anantha Ramaiah (ananth)
- Re: [tcpm] RE: TCP secure Alfred Hönes
- Re: [tcpm] RE: TCP secure Joe Touch
- RE: [tcpm] RE: TCP secure Anantha Ramaiah (ananth)