IETF Logo Mail Archive

Re: [tcpm] TCP-AO review comments.

Eric Rescorla <ekr@networkresonance.com> Wed, 06 August 2008 15:06 UTC

Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 752EE28C3A1; Wed, 6 Aug 2008 08:06:02 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8DFD128C3A0 for <tcpm@core3.amsl.com>; Wed, 6 Aug 2008 08:06:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.684
X-Spam-Level:
X-Spam-Status: No, score=-1.684 tagged_above=-999 required=5 tests=[AWL=0.915, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aylKFJKVSzHB for <tcpm@core3.amsl.com>; Wed, 6 Aug 2008 08:05:59 -0700 (PDT)
Received: from romeo.rtfm.com (romeo.rtfm.com [74.95.2.173]) by core3.amsl.com (Postfix) with ESMTP id ACADC28C392 for <tcpm@ietf.org>; Wed, 6 Aug 2008 08:05:59 -0700 (PDT)
Received: from romeo.rtfm.com (localhost.rtfm.com [127.0.0.1]) by romeo.rtfm.com (Postfix) with ESMTP id 00C3B50846; Wed, 6 Aug 2008 08:15:33 -0700 (PDT)
Date: Wed, 06 Aug 2008 08:15:33 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Caitlin Bestler <cait@asomi.com>
In-Reply-To: <4899AE0C.6080206@asomi.com>
References: <0C53DCFB700D144284A584F54711EC58058C2FD4@xmb-sjc-21c.amer.cisco.com> <48939933.3030601@isi.edu> <C4CB96A1-6990-48A2-AF3E-A429C0DBE312@nokia.com> <4899AE0C.6080206@asomi.com>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Message-Id: <20080806151534.00C3B50846@romeo.rtfm.com>
Cc: tcpm@ietf.org, "Anantha Ramaiah (ananth)" <ananth@cisco.com>, ext Joe Touch <touch@isi.edu>
Subject: Re: [tcpm] TCP-AO review comments.
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org

At Wed, 06 Aug 2008 06:58:36 -0700,
Caitlin Bestler wrote:
> 
> Lars Eggert wrote:
> > On 2008-8-2, at 2:16, ext Joe Touch wrote:
> >> |    I have problem with the term "obsoletes 2385" [ I did bring this up
> >> | before] It is going to be a long time before deployments move over to
> >> | the new TCP auth option.
> >>
> >> Practically, "obsoletes" doesn't obsolete anything. It does indicate
> >> that the IETF wants a protocol to be replaced by something else. That
> >> doesn't mean the older one can't be used for legacy support, e.g.,
> >> AFAICT - and that clearly should apply here. If the IESG thinks that
> >> this is consistent with "Obsoltes", would that be OK?
> > 
> > We need to distinguish between one RFC obsoleting another RFC, and 
> > moving an RFC to "historic". Unfortunately, neither is very clearly 
> > defined.
> > 
> > Here's my current thinking: Obsoleting is typically used when one RFC is 
> > a drop-in replacement for another RFC. For example, bug-fix revisions of 
> > an RFC typically obsolete the previous RFC, as do minor 
> > backwards-compatible implementations. That isn't quite the case for AO 
> > and TCP-MD5. AO is a replacement for TCP-MD5, but it isn't a simple 
> > revision or extension of TCP-MD5, it's a new mechanism to provide 
> > similar functionality in a (slightly) different way.
> > 
> > So, my current thinking is that AO should maybe move TCP-MD5 to 
> > "historic". That would indicate that new implementations shouldn't 
> > implement TCP-MD5 and existing ones are encouraged to move away from it. 
> > But this isn't a clear -cut case. Comments?
> > 
> 
> I have always viewed a new TCP-Auth RFC as a drop-in replacement
> for TCP-MD5.
> 
> Basically, this is an application layer problem being foisted upon
> the transport layer. It creates unneeded clutter at the transport
> layer that is not of general utility.
>
> The fact that it is replacing an existing option is the only real
> justification for doing it. Stare decisis is good for constitutional
> law, it makes sense for standards as well.
> 
> But we need to be clear that we are not creating an *additional*
> transport layer encryption solution to solve poor application design,
> we're just replacing an existing problem.

Hmm... I'm not sure I agree with this assessment. What do you think
the application layer problem in question is?

-Ekr


_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm

v2.15.0 | Report a Bug | By Email