Re: [tcpm] tcpsecure: how strong to recommend?

Joe Touch <touch@ISI.EDU> Sat, 29 September 2007 06:09 UTC

Return-path: <tcpm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IbVW5-00073s-NY; Sat, 29 Sep 2007 02:09:29 -0400
Received: from tcpm by megatron.ietf.org with local (Exim 4.43) id 1IbVW4-00073n-8O for tcpm-confirm+ok@megatron.ietf.org; Sat, 29 Sep 2007 02:09:28 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IbVW3-00073f-V5 for tcpm@ietf.org; Sat, 29 Sep 2007 02:09:27 -0400
Received: from vapor.isi.edu ([128.9.64.64]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IbVVx-0006qs-MN for tcpm@ietf.org; Sat, 29 Sep 2007 02:09:27 -0400
Received: from [192.168.1.39] (pool-71-106-89-188.lsanca.dsl-w.verizon.net [71.106.89.188]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id l8T691jl020268; Fri, 28 Sep 2007 23:09:01 -0700 (PDT)
Message-ID: <46FDEBF4.5010302@isi.edu>
Date: Fri, 28 Sep 2007 23:08:52 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
Subject: Re: [tcpm] tcpsecure: how strong to recommend?
References: <0C53DCFB700D144284A584F54711EC580409FCEF@xmb-sjc-21c.amer.cisco.com>
In-Reply-To: <0C53DCFB700D144284A584F54711EC580409FCEF@xmb-sjc-21c.amer.cisco.com>
X-Enigmail-Version: 0.95.3
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
X-Spam-Score: 0.0 (/)
X-Scan-Signature: c0bedb65cce30976f0bf60a0a39edea4
Cc: tcpm@ietf.org, mallman@icir.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1742974292=="
Errors-To: tcpm-bounces@ietf.org


Anantha Ramaiah (ananth) wrote:
>  
>> (FWIW, I still don't get it.  If SHOULD gives the leeway not 
>> to do something for whatever reason you can come up with then 
>> how is it really different from MAY?  I don't know .... I 
>> think there might be a distinction in your head, but I can't 
>> understand it.)
> 
> Ok, I can try a brain dump :-)
> 
> Per RFC 2119
> 
> Should is defined as :
> 
> 3. SHOULD   This word, or the adjective "RECOMMENDED", mean that there
>    may exist valid reasons in particular circumstances to ignore a
>    particular item, but the full implications must be understood and
>    carefully weighed before choosing a different course.
> 
> So, the mitigations suggested in TCP secure is RECOMMENDED to have, but
> valid reasons like the ones which I pointed out may exist which can
> preclude it's implementation in a particular stack. Also implications of
> not adopting TCP secure is well understood since one may chose to "live"
> with less robustness. Also the general feeling is that post 9/11
> security has increasingly becoming important in all walks of life,
> increasing robustness of a widely used protocol like TCP is not a bad
> idea, so making these mitigations a SHOULD is not a big deal, IMO.

First, SHOULD is a very big deal. SHOULD with IPR on a core Internet
protocol is a huge deal.

Second, security is increasingly a big deal everywhere. The bigger a
deal it is, the more likely true authentication - in the form of either
IPsec, TCP/MD5, or the latter's successors - would be the appropriate
solution to protect Internet infrastructure.

The more I hear about what this document intends and why it intends it,
the less it sounds like a standards-track anything.

Joe

_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm