Re: [tcpm] question about TCP-AO and rekeying
Eric Rescorla <ekr@networkresonance.com> Fri, 19 June 2009 13:20 UTC
Return-Path: <ekr@networkresonance.com>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E8FF93A6AA7 for <tcpm@core3.amsl.com>; Fri, 19 Jun 2009 06:20:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.106
X-Spam-Level:
X-Spam-Status: No, score=-0.106 tagged_above=-999 required=5 tests=[AWL=-0.124, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LAd8rx-lZ+T7 for <tcpm@core3.amsl.com>; Fri, 19 Jun 2009 06:20:47 -0700 (PDT)
Received: from kilo.networkresonance.com (74-95-2-169-SFBA.hfc.comcastbusiness.net [74.95.2.169]) by core3.amsl.com (Postfix) with ESMTP id 2BAFF3A6A57 for <tcpm@ietf.org>; Fri, 19 Jun 2009 06:20:47 -0700 (PDT)
Received: from kilo.local (localhost [127.0.0.1]) by kilo.networkresonance.com (Postfix) with ESMTP id 0DF111BE198; Fri, 19 Jun 2009 06:21:35 -0700 (PDT)
Date: Fri, 19 Jun 2009 06:21:34 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Joe Touch <touch@ISI.EDU>
In-Reply-To: <4A3B3290.9020906@isi.edu>
References: <4A2AB973.3030203@isi.edu> <20090616131807.75C481BC6EB@kilo.networkresonance.com> <4A37A202.9020500@isi.edu> <20090617054551.A4E0C1BCA23@kilo.networkresonance.com> <4A388C37.3030703@isi.edu> <20090617140939.A3AB61BCC72@kilo.networkresonance.com> <4A390EC0.6070003@isi.edu> <20090617161518.5276C50822@romeo.rtfm.com> <4A3917B7.20301@isi.edu> <20090617232813.1C49D50822@romeo.rtfm.com> <4A39C800.2030901@isi.edu> <20090618051622.719361BDC6B@kilo.networkresonance.com> <4A39CE62.9050201@isi.edu> <20090618135721.164F31BDF06@kilo.networkresonance.com> <4A3A4A5D.2060504@isi.edu> <20090619043328.6C06E1BE12E@kilo.networkresonance.com> <4A3B3290.9020906@isi.edu>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20090619132135.0DF111BE198@kilo.networkresonance.com>
Cc: tcpm Extensions WG <tcpm@ietf.org>
Subject: Re: [tcpm] question about TCP-AO and rekeying
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jun 2009 13:20:48 -0000
At Thu, 18 Jun 2009 23:39:12 -0700, Joe Touch wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Eric Rescorla wrote: > ... > >> I agree that non-overlap is necessary to avoid injection. The trouble is > >> that there are different ways to avoid non-overlap which we are > >> currently leaving as "implementation dependent". If we leave them open, > >> I am concerned that KMPs will not be able to ensure that two endpoints > >> will pick corresponding MKTs for a given segment. > > > > Really? I would imagine this is precisely the invariant that some > > putative KMP would enforce. > > If that's where we put that logic, what happens when we don't have a > KMP? How do we know that both ends will do the same thing with a set of > manually entered keys? It was my understanding that the consensus was that we were not going to design a system that attempted to prevent user error. Given that typographical errors in key entry seem far more likely than this kind of misconfiguration, if our intent is to prevent user error, then we should be attacking that first. -Ekr
- [tcpm] question about TCP-AO and rekeying Joe Touch
- Re: [tcpm] question about TCP-AO and rekeying Joe Touch
- Re: [tcpm] question about TCP-AO and rekeying Eric Rescorla
- Re: [tcpm] question about TCP-AO and rekeying Eric Rescorla
- Re: [tcpm] question about TCP-AO and rekeying Joe Touch
- Re: [tcpm] question about TCP-AO and rekeying Eric Rescorla
- Re: [tcpm] question about TCP-AO and rekeying Joe Touch
- Re: [tcpm] question about TCP-AO and rekeying Eric Rescorla
- Re: [tcpm] question about TCP-AO and rekeying Joe Touch
- Re: [tcpm] question about TCP-AO and rekeying Eric Rescorla
- Re: [tcpm] question about TCP-AO and rekeying Joe Touch
- Re: [tcpm] question about TCP-AO and rekeying Eric Rescorla
- Re: [tcpm] question about TCP-AO and rekeying Joe Touch
- Re: [tcpm] question about TCP-AO and rekeying Eric Rescorla
- Re: [tcpm] question about TCP-AO and rekeying Joe Touch
- Re: [tcpm] question about TCP-AO and rekeying Eric Rescorla
- Re: [tcpm] question about TCP-AO and rekeying Joe Touch
- Re: [tcpm] question about TCP-AO and rekeying Eric Rescorla
- Re: [tcpm] question about TCP-AO and rekeying Joe Touch
- Re: [tcpm] question about TCP-AO and rekeying Eric Rescorla
- Re: [tcpm] question about TCP-AO and rekeying Joe Touch
- Re: [tcpm] question about TCP-AO and rekeying Eric Rescorla
- Re: [tcpm] question about TCP-AO and rekeying Joe Touch
- Re: [tcpm] question about TCP-AO and rekeying Eric Rescorla
- Re: [tcpm] question about TCP-AO and rekeying Eddy, Wesley M. (GRC-MS00)[Verizon]
- Re: [tcpm] question about TCP-AO and rekeying Eric Rescorla
- Re: [tcpm] question about TCP-AO and rekeying Joe Touch
- Re: [tcpm] question about TCP-AO and rekeying Joe Touch