Re: [tcpm] Feedback on draft-ietf-tcpm-tcpsecure-13.txt

"Anantha Ramaiah (ananth)" <ananth@cisco.com> Tue, 18 May 2010 21:49 UTC

From: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
To: "Smith, Donald" <Donald.Smith@qwest.com>, <tcpm@ietf.org>, "The IESG" <iesg@ietf.org>

> -----Original Message-----
> From: Smith, Donald [mailto:Donald.Smith@qwest.com] 
> Sent: Tuesday, May 18, 2010 2:39 PM
> To: Anantha Ramaiah (ananth); 'tcpm@ietf.org'; 'The IESG'
> Subject: RE: [tcpm] Feedback on draft-ietf-tcpm-tcpsecure-13.txt
> 
> Won't this break syn cookies since the server doesn't keep 
> state on the original syn's sequence number?

Which mitigation are you referring to? IMO, none of them should have
any *new* problems with SYN cookies. For example, take the case of the SYN
mitigation: it increases the scope of RFC 793, i.e., earlier RFC 793 was
sending a RST if in window, else sending an ACK; here we are saying send an ACK in
all cases. This way you challenge the SYN in both cases.

-Anantha
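As an added illustration (example code, not from the thread or from the draft), the receiver-side logic the reply contrasts: RFC 793 resets on an in-window SYN while the tcpsecure SYN mitigation always answers with a challenge ACK and only tears the connection down if the peer comes back with a RST carrying exactly RCV.NXT. Variable names follow RFC 793 (RCV.NXT, RCV.WND); the peer model is a simplified assumption.

```python
MOD = 1 << 32  # TCP sequence number space

def seq_in_window(seq, rcv_nxt, rcv_wnd):
    # RFC 793 acceptability test, RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND,
    # evaluated modulo 2^32 so that wraparound is handled correctly
    return (seq - rcv_nxt) % MOD < rcv_wnd

def rfc793_syn_reaction(seq, rcv_nxt, rcv_wnd):
    # Classic behaviour for a SYN arriving in a synchronized state.
    # Returns (segment sent back, connection reset?).
    if seq_in_window(seq, rcv_nxt, rcv_wnd):
        return "RST", True      # in-window SYN aborts the connection
    return "ACK", False         # out-of-window SYN is merely acknowledged

def tcpsecure_syn_reaction(seq, rcv_nxt, rcv_wnd):
    # tcpsecure SYN mitigation: send a challenge ACK in all cases;
    # the SYN itself never resets the connection.
    return "ACK", False

def peer_answer_to_challenge(peer_has_connection, ack_field):
    # Simplified peer model (assumption): a peer that genuinely restarted
    # holds no state and, per RFC 793, answers a stray ACK with a RST whose
    # SEQ equals the ACK field it received; a peer that still holds the
    # connection just sees a duplicate ACK and sends nothing.
    if peer_has_connection:
        return None
    return {"flags": "RST", "seq": ack_field}

def tcpsecure_handle_syn(seq, rcv_nxt, rcv_wnd, peer_has_connection):
    # Whole exchange: SYN -> challenge ACK -> (possibly) RST. The connection is
    # torn down only if the RST carries exactly RCV.NXT, so a SYN the peer
    # never sent cannot by itself abort a live connection.
    _, reset = tcpsecure_syn_reaction(seq, rcv_nxt, rcv_wnd)
    challenge_ack = rcv_nxt     # ACK field of the challenge is RCV.NXT
    reply = peer_answer_to_challenge(peer_has_connection, challenge_ack)
    if reply is not None and reply["flags"] == "RST" and reply["seq"] == rcv_nxt:
        return True             # genuine restart: reset as RFC 793 intended
    return reset                # False: connection survives the spurious SYN

if __name__ == "__main__":
    print(rfc793_syn_reaction(1005, 1000, 65535))          # ('RST', True)
    print(tcpsecure_handle_syn(1005, 1000, 65535, True))   # False
    print(tcpsecure_handle_syn(1005, 1000, 65535, False))  # True
```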