[tcpm] tcp-auth-opt issue: support for NATs

Joe Touch <touch@ISI.EDU> Wed, 30 July 2008 23:10 UTC

Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F28993A69FD; Wed, 30 Jul 2008 16:10:33 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D3CA33A69FD for <tcpm@core3.amsl.com>; Wed, 30 Jul 2008 16:10:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YbEIDnqvDguW for <tcpm@core3.amsl.com>; Wed, 30 Jul 2008 16:10:31 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 2653A3A6875 for <tcpm@ietf.org>; Wed, 30 Jul 2008 16:10:31 -0700 (PDT)
Received: from [128.9.176.37] (c1-vpn7.isi.edu [128.9.176.37]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id m6UNAPrG020623 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 30 Jul 2008 16:10:28 -0700 (PDT)
Message-ID: <4890F4BE.6060302@isi.edu>
Date: Wed, 30 Jul 2008 16:09:50 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.16 (Windows/20080708)
MIME-Version: 1.0
To: tcpm@ietf.org
X-Enigmail-Version: 0.95.6
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Subject: [tcpm] tcp-auth-opt issue: support for NATs
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Adam Langley raised the issue of support for NATs.

The TSAD is indexed by the socket pair of the incoming/outgoing packet
(addr/port pair). There is no provision for a separate key identifier
that would be unique across all connections.

As a result, the KMS must populate the TSAD with the appropriate
connection information - it must know the source/dest used at both
endpoints, even if they differ.

<individual contributor hat on>
(I should have indicated this in some parts of other posts, FWIW)

Suppose they do differ; the KMS could then put both sides' views of the
src/dst info on each side's TSAD:
	src/dst addr/port as sent
	src/dst addr/port as rec'd

The TSAD would be indexed by the "as sent" info, but the MAC would be
calculated using the "as rec'd" info.

<hat off>

Should the document:

a) require the socket pair info always be included in the MAC, i.e., be
protected

b) allow a TSAD entry to indicate that the socket pair is excluded from
the MAC?

Finally, does (b) help, given the current keying requirements?

Comments?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkiQ9L4ACgkQE5f5cImnZruvmwCglVgXBbN9hSgiuoa1p/r+1FGP
0lQAn0FBL8te0c5UD6eK+q/BwDtcQbAG
=kusE
-----END PGP SIGNATURE-----
_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm