Re: [tcpm] tcpsecure: how strong to recommend?

Joe Touch <touch@ISI.EDU> Sat, 06 October 2007 01:15 UTC

Return-path: <tcpm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IdyGp-0007fL-LU; Fri, 05 Oct 2007 21:15:55 -0400
Received: from tcpm by megatron.ietf.org with local (Exim 4.43) id 1IdyGn-0007f0-Oe for tcpm-confirm+ok@megatron.ietf.org; Fri, 05 Oct 2007 21:15:53 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IdyGn-0007aP-DZ for tcpm@ietf.org; Fri, 05 Oct 2007 21:15:53 -0400
Received: from vapor.isi.edu ([128.9.64.64]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IdyGf-00042a-4h for tcpm@ietf.org; Fri, 05 Oct 2007 21:15:51 -0400
Received: from [128.9.176.73] (c3-vpn2.isi.edu [128.9.176.73] (may be forged)) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id l961EmGo000293; Fri, 5 Oct 2007 18:14:49 -0700 (PDT)
Message-ID: <4706E17F.70903@isi.edu>
Date: Fri, 05 Oct 2007 18:14:39 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Ted Faber <faber@ISI.EDU>
Subject: Re: [tcpm] tcpsecure: how strong to recommend?
References: <0C53DCFB700D144284A584F54711EC580409FD4F@xmb-sjc-21c.amer.cisco.com> <46FF3FFA.4080207@isi.edu> <20071003172326.GE45911@hut.isi.edu> <4703D165.30606@isi.edu> <20071003181553.GF45911@hut.isi.edu> <4703E173.4060007@isi.edu> <20071005165755.GA2845@hut.isi.edu> <1191604898.470672a2ea7cb@webmail.isi.edu> <20071005183931.GB2845@hut.isi.edu>
In-Reply-To: <20071005183931.GB2845@hut.isi.edu>
X-Enigmail-Version: 0.95.3
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 386e0819b1192672467565a524848168
Cc: tcpm@ietf.org, "Anantha Ramaiah \(ananth\)" <ananth@cisco.com>, mallman@icir.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0558697607=="
Errors-To: tcpm-bounces@ietf.org


Ted Faber wrote:
> On Fri, Oct 05, 2007 at 10:21:38AM -0700, touch@ISI.EDU wrote:
>>> IMHO, we're already addressing unlikely events - MSL violation or
>>> off-path spoofed RST with known addresses and ports.  I think that the
>>> cost of one packet exchange to validate that the connection is not about
>>> to be terminated by an unlikely event is a reasonable engineering
>>> choice. 
>> TCP was designed to be able to unilaterally terminate a connection with a RST.
>> If you wanted a handshake, why did you not use FIN?
> 
> That's an instructive example.
> 
> If your RST is lost - they're not sent reliably as a FIN is - the packet
> exchange is exactly the one TCPsecure proposes: ACK the last packet.
> (Strictly speaking the lost RST doesn't do it of course - that would be
> a nice trick.  Either new data goes out (ACKing the last packet as
> well), or a retransmission occurs, or a window probe goes off.)
>
> Receiving the ACK triggers a retransmission of the RST and state
> synchronizes.  If all the RSTs are lost, the state still synchronizes
> with a timeout.  I wouldn't call that an authentication (and I know you
> didn't), but the process is very similar to how TCPsecure plays out.

It's not the same, as you point out. If there's no further data to be
sent, then it doesn't necessarily behave like a FIN exchange.

If you want a coordinated endpoint exchange, I suggest using a FIN.

> If we were in a drinking establishment or academic symposium where the
> navel gazing were appropriate, we could discuss whether that RST packet
> "unilaterally terminates the connection" or is a hint that the
> connection has been unilaterally terminated by the destruction of the
> connection state at one endpoint. 

I doubt we would debate that long; I agree with you, I suspect, that the
latter is more precise. It's a hint.

Again, a reason why you either take the hint or not. You don't respond
to it, and you don't gain anything - except over-optimization - by
telling the other end anything to confirm that hint.

> I'm sure you can tell what I
> believe, and I'm suggesting that thinking of both these processes as
> confirming a hint might be less objectionable to you than thinking of
> them as authenticating a message. 

Confirming that it's a hint? Confirming what? That the hint came from
who you thought. Again we're back to authentication.

> But here on the list, I'm hoping that talking about what a "slightly
> unusual" packet is might steer us back toward the
> MAY/SHOULD/MUST/applicability statement discussion.

It walks, looks, and quacks like a duck. Whether you will agree to call
it a duck or not, I won't worry. But I've treated it like a duck in
deciding MUST/MAY/SHOULD.

If we truly want to get back to that discussion, I haven't heard others
address the proposed way forward I offered...

Joe

_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm