Re: [tcpm] [OPSEC] draft-gont-tcp-security
Joe Touch <touch@ISI.EDU> Mon, 13 April 2009 21:08 UTC

Donald,

I'm confused by your post. You appear to believe that TCP is intended to be secure. Note that TCP does not require either the MD5 or AO extension.

Smith, Donald wrote:
>
> (coffee != sleep) & (!coffee == sleep)
> Donald.Smith@qwest.com gcia
>
>> -----Original Message-----
>> From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org]
>> On Behalf Of Fernando Gont
>> Sent: Monday, April 13, 2009 1:23 PM
>> To: Joe Touch
>> Cc: tcpm@ietf.org; ietf@ietf.org; Joe Abley; opsec@ietf.org;
>> Lars Eggert; Eddy,Wesley M. (GRC-RCN0)[Verizon]
>> Subject: Re: [OPSEC] [tcpm] draft-gont-tcp-security
>>
>> Joe Touch wrote:
>>
>>>> So we had tcp-secure in 2004, icmp-attacks in 2005, a claim for a
>>>> trivial attack in 2008 (Outpost24/CERT-FI), and we'll probably continue
>>>> in this line, because we do nothing about it.
>>> Whether we have this document or not, we will continue to have people
>>> who incorrectly assume that TCP is secure.
>
> Secure is a general term. TCP was intended to address several areas of security.
> The classic tenets for computer security are:
> CIA -> Confidentiality, Integrity and Availability.
> TCP doesn't attempt to address Confidentiality.
> However it was designed to address integrity and availability so
> failures in those areas should be documented and addressed in some
> fashion.

Can you explain this? Where is the integrity protection? Where is the availability specified?

...
>> Its security/resiliency can be improved. After all, if that were not
>> the case, I guess you're wasting your time with TCP-AO. Or is it that
>> you believe the only way to improve a protocol is to throw
>> crypto at it?
>
> Adding crypto improves confidentiality and integrity but is counter
> productive to availability as most
> crypto engines are prone to fairly low pps resource exhaustion
> attacks.

All prevention methods are susceptible to computational resource attacks, since all increase the operations performed on a packet. It is commonly assumed that this is a desirable tradeoff, and that the computational resources can be totally protected with line-rate dedicated computation (e.g., hardware assist).

Joe