Re: [tcpm] tcp-auth-opt issue: support for NATs

Joe Touch <touch@ISI.EDU> Thu, 07 August 2008 18:15 UTC

Message-ID: <489B3B72.8030604@isi.edu>
Date: Thu, 07 Aug 2008 11:14:10 -0700
From: Joe Touch <touch@ISI.EDU>
To: Eric Rescorla <ekr@networkresonance.com>
References: <4890F4BE.6060302@isi.edu> <396556a20807301622l4cb33deuff73cd13d7a75ba1@mail.gmail.com> <4890FBE8.1020203@isi.edu> <396556a20807311700w1eda50b0o5da7ae52e6c1691a@mail.gmail.com> <48935FFD.4090805@isi.edu> <396556a20808051826w1a839577q956f379f56db1165@mail.gmail.com> <20080806020257.D1C69525D8F@kilo.rtfm.com> <396556a20808061742y19f8f5fh78fe66bfe4d415be@mail.gmail.com> <20080807011812.DDC8050846@romeo.rtfm.com> <396556a20808071047q5bda8acbje7a8fc9f9bf2e597@mail.gmail.com> <20080807180512.77604529E4D@kilo.rtfm.com>
In-Reply-To: <20080807180512.77604529E4D@kilo.rtfm.com>
Cc: Adam Langley <agl@imperialviolet.org>, tcpm@ietf.org
Subject: Re: [tcpm] tcp-auth-opt issue: support for NATs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Eric Rescorla wrote:
| At Thu, 7 Aug 2008 10:47:30 -0700,
| Adam Langley wrote:
|> On Wed, Aug 6, 2008 at 6:18 PM, Eric Rescorla <ekr@networkresonance.com> wrote:
|>> I'm sorry, I must be missing something. What problem are you trying to
|>> solve?
|> The above was a sketch of how a passive open socket would work with
|> TCP AO such that only clients that knew a master key could connect. If
|> we wish to support a setup, then wildcard key matching would probably
|> be needed.
|
| Because the side doing the passive open doesn't know which client
| is connecting and it may have multiple instances of the same key-id?
| I don't understand the purpose of the time. Just do trial verifications
| with each key.

That's a reason we have a keyID, which, together with the socket pair,
should exactly specify what key to use and avoid this sort of trial. If
we can live with trials, we can remove the keyID and things align much
better.

Joe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkibO3IACgkQE5f5cImnZrtOjgCdGj4dGeIrM9wBc6ydd6R0SV/h
cLoAoN9+8nq6sKpwM0mYcWp6RVYb3YTp
=2aDQ
-----END PGP SIGNATURE-----
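The two key-selection strategies argued over in this thread, as an added worked example that is not part of the thread and not code from any TCP-AO implementation: a receiver either resolves a segment's KeyID plus socket pair to exactly one key (Joe's position), or tries every candidate key for the socket pair until a MAC matches (Eric's suggestion). The MAC (HMAC-SHA1 truncated to 12 bytes), the `None`-as-wildcard socket pair pattern for a passive-open listener, and all keys, addresses and segment bytes are constructed assumptions for this model, not taken from the draft.

```python
"""Simplified model of key selection at a TCP-AO-style receiver.

Added example, not from the tcpm thread or any TCP-AO implementation.
Two strategies for finding the key that authenticates an incoming segment:
  1. direct lookup: KeyID + socket pair must name exactly one key;
  2. trial verification: compute the MAC under every candidate key for the
     socket pair until one matches.
A passive-open listener that accepts any client is modelled with None as a
wildcard in the remote address/port, so several keys can be candidates for
one segment. Everything below (keys, addresses, segment bytes) is constructed.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

MAC_LEN = 12  # truncated MAC length in bytes (assumption for this model)

# (local_addr, local_port, remote_addr, remote_port); None = wildcard
SocketPair = Tuple[str, int, Optional[str], Optional[int]]


def compute_mac(key: bytes, segment: bytes) -> bytes:
    """HMAC-SHA1 over the segment bytes, truncated to MAC_LEN (model choice)."""
    return hmac.new(key, segment, hashlib.sha1).digest()[:MAC_LEN]


def _matches(pattern: SocketPair, actual: SocketPair) -> bool:
    """A pattern field of None matches anything; otherwise it must be equal."""
    return all(p is None or p == a for p, a in zip(pattern, actual))


class KeyTable:
    def __init__(self) -> None:
        # Entries kept as a list so two keys may share a (pair, KeyID) tuple,
        # which is the "multiple instances of the same key-id" case.
        self._entries: List[Tuple[SocketPair, int, bytes]] = []
        self.mac_computations = 0  # MACs computed since the last reset

    def add(self, pair: SocketPair, key_id: int, key: bytes) -> None:
        self._entries.append((pair, key_id, key))

    def candidates(self, actual: SocketPair, key_id: Optional[int]) -> List[bytes]:
        """Keys whose pattern matches the segment's socket pair (and KeyID if given)."""
        return [key for pattern, kid, key in self._entries
                if _matches(pattern, actual) and (key_id is None or kid == key_id)]

    def verify_direct(self, actual: SocketPair, key_id: int,
                      segment: bytes, mac: bytes) -> bool:
        """KeyID + socket pair must select exactly one key; otherwise reject."""
        keys = self.candidates(actual, key_id)
        if len(keys) != 1:
            return False  # unknown KeyID, or ambiguous under a wildcard
        self.mac_computations += 1
        return hmac.compare_digest(compute_mac(keys[0], segment), mac)

    def verify_trial(self, actual: SocketPair, segment: bytes, mac: bytes) -> bool:
        """Try every candidate key; cost grows with the number of candidates."""
        for key in self.candidates(actual, None):
            self.mac_computations += 1
            if hmac.compare_digest(compute_mac(key, segment), mac):
                return True
        return False


def demo() -> Dict[str, Tuple[bool, int]]:
    """Return (accepted?, MACs computed) for each strategy and situation."""
    listener: SocketPair = ("10.0.0.1", 179, None, None)  # passive open
    table = KeyTable()
    keys = {kid: hashlib.sha256(b"constructed-key-%d" % kid).digest()
            for kid in (1, 2, 3, 4)}
    for kid, key in keys.items():
        table.add(listener, kid, key)

    peer: SocketPair = ("10.0.0.1", 179, "192.0.2.7", 40001)  # constructed
    segment = b"constructed TCP pseudo-header + header + payload"
    good_mac = compute_mac(keys[4], segment)   # sender used KeyID 4
    bad_mac = bytes(MAC_LEN)                   # corrupted or forged MAC

    results: Dict[str, Tuple[bool, int]] = {}

    def run(name: str, ok: bool) -> None:
        results[name] = (ok, table.mac_computations)
        table.mac_computations = 0

    run("direct_good", table.verify_direct(peer, 4, segment, good_mac))
    run("trial_good", table.verify_trial(peer, segment, good_mac))
    run("direct_bad", table.verify_direct(peer, 4, segment, bad_mac))
    run("trial_bad", table.verify_trial(peer, segment, bad_mac))

    # A second client provisioned under the same KeyID behind the wildcard:
    # direct lookup is now ambiguous, trial verification still succeeds.
    table.add(listener, 4, hashlib.sha256(b"constructed-other-client").digest())
    run("direct_dup", table.verify_direct(peer, 4, segment, good_mac))
    run("trial_dup", table.verify_trial(peer, segment, good_mac))
    return results


if __name__ == "__main__":
    for name, (ok, cost) in demo().items():
        print(f"{name:12s} accepted={ok!s:5s} macs_computed={cost}")
```

With four keys under the listener's wildcard, direct lookup costs one MAC whether the segment is genuine or bogus, while trial verification costs up to one MAC per candidate and always pays the full price for a segment that fails; that per-segment cost is the practical reason a unique (socket pair, KeyID) mapping is attractive, and the duplicate-KeyID case is the situation in which only the trial approach still works.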