RE: [tcpm] tcpsecure: how strong to recommend?

<toby.moncaster@bt.com> Wed, 26 September 2007 16:46 UTC

Return-path: <tcpm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Iaa1w-0001qa-4q; Wed, 26 Sep 2007 12:46:32 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Iaa1u-0001iY-U6 for tcpm@ietf.org; Wed, 26 Sep 2007 12:46:30 -0400
Received: from smtp1.smtp.bt.com ([217.32.164.137]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1Iaa1u-00059s-8S for tcpm@ietf.org; Wed, 26 Sep 2007 12:46:30 -0400
Received: from E03MVZ4-UKDY.domain1.systemhost.net ([193.113.30.65]) by smtp1.smtp.bt.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 26 Sep 2007 17:46:27 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [tcpm] tcpsecure: how strong to recommend?
Date: Wed, 26 Sep 2007 17:46:49 +0100
Message-ID: <BAB4DC0CD5148948A86BD047A85CE2A703D2B41E@E03MVZ4-UKDY.domain1.systemhost.net>
In-Reply-To: <44F9F627-9A49-4A63-9F38-0006F1FE2BDF@nokia.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [tcpm] tcpsecure: how strong to recommend?
Thread-Index: Acf/e/jEdAyxcSypQ9uxLKw1OAOZuAA3nHnQ
From: <toby.moncaster@bt.com>
To: <lars.eggert@nokia.com>, <touch@ISI.EDU>
X-OriginalArrivalTime: 26 Sep 2007 16:46:27.0294 (UTC) FILETIME=[C806CFE0:01C8005C]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a7d2e37451f7f22841e3b6f40c67db0f
Cc: tcpm@ietf.org, mallman@icir.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Errors-To: tcpm-bounces@ietf.org

Two things that seem clear from this quite long email thread:

1) many of the people expressing opinions on this are the same ones that
expressed opinions at the meeting in Chicago

2) there is definite lack of agreement on the meaning of SHOULD and MAY
(MUST seems pretty clear).

It almost seems that there is a need for a new level of recommendation
somewhere between SHOULD (which many people seem to take to mean "MUST
unless you have a good reason not to") and MAY (which some people take
to mean "may do if you choose to"). What is lacking (as I think Tim was
driving at) is a word to mean "we advise you to do this but don't want
to obligate you".

Obviously some of this confusion can be reduced if proper applicability
statements are used as described by Lars below.

For what its worth I am torn between options 2) and 3). Option 3) is
correct if the applicability is clearly defined to those TCPs where
there is significant risk of harm from these attacks

Toby
________________________________________________________________________
____
Toby Moncaster, <toby.moncaster@bt.com> Networks Research Centre, BT
Research
B54/70 Adastral Park, Martlesham Heath, Ipswich, IP53RE, UK.  +44 1473
648734 


-----Original Message-----
From: Lars Eggert [mailto:lars.eggert@nokia.com] 
Sent: 25 September 2007 14:54
To: ext Joe Touch
Cc: tcpm@ietf.org; mallman@icir.org
Subject: Re: [tcpm] tcpsecure: how strong to recommend?

Hi,

On 2007-9-25, at 1:34, ext Joe Touch wrote:
> I'd encourage others to weigh in on this. I'm uncomfortable with our 
> making recommendations to change TCP's fundamental behavior as a 
> SHOULD on the basis of a handful of representatives.

this brings up an important point we need to clarify. The tcpsecure
document contains a technical specification for multiple TCP mechanisms
to protect against certain attacks.

However, RFC 2026 recommends that technical specifications should also
come with a statement of applicability, i.e., something that says when
the technical specification should or should not be used.  
Many documents don't have this, and often that isn't an issue. The
tcpsecure document is missing this piece, too, but in this case I
believe this is causing some confusion.

For some folks, this lack of a clear applicability statement means that
the tcpsecure mechanisms become part of the "must-implement" set of TCP.
To other folks, the MUST/SHOULD/MAY in the current document
*are* a kind of applicability statement.

I think it would be helpful if we would tease apart applicability
statement and technical specification. What were missing is consensus on
the applicability of the proposed set of mechanisms. During the
discussion around this document, I've heard basically two choices being
expressed:

(1) all TCP stacks should implement tcpsecure

(2) only TCP stacks that expect to support a significant number of
connections for which the described attacks are possible should
implement tcpsecure

This is important to scope the discussion we're currently having on
SHOULD vs. MAY.

If the applicability is (1), a SHOULD with its should-have-a-really-
good-reason-to-ignore semantics is a pretty strong statement that
affects all stacks.

Whereas if the applicability is (2) or something else that is more
restricted than (1), a SHOULD is essentially without effect for stacks
that don't consider themselves to fall under the conditions stated.

Lars

PS: Here is the relevant section from RFC2026:

3.1  Technical Specification (TS)

    A Technical Specification is any description of a protocol, service,
    procedure, convention, or format.  It may completely describe all of
    the relevant aspects of its subject, or it may leave one or more
    parameters or options unspecified.  A TS may be completely self-
    contained, or it may incorporate material from other specifications
    by reference to other documents (which might or might not be
Internet
    Standards).

    A TS shall include a statement of its scope and the general intent
    for its use (domain of applicability).  Thus, a TS that is
inherently
    specific to a particular context shall contain a statement to that
    effect.  However, a TS does not specify requirements for its use
    within the Internet;  these requirements, which depend on the
    particular context in which the TS is incorporated by different
    system configurations, are defined by an Applicability Statement.


_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm