Re: [tcpm] Q&C regarding tcpsecure-09 recommendations
Joe Touch <touch@ISI.EDU> Wed, 04 June 2008 23:53 UTC
Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 420193A6880; Wed, 4 Jun 2008 16:53:09 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 29C8C3A6880 for <tcpm@core3.amsl.com>; Wed, 4 Jun 2008 16:53:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y30hvVLhKLk6 for <tcpm@core3.amsl.com>; Wed, 4 Jun 2008 16:53:07 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 0D0243A6810 for <tcpm@ietf.org>; Wed, 4 Jun 2008 16:53:07 -0700 (PDT)
Received: from [127.0.0.1] (32.sub-70-213-140.myvzw.com [70.213.140.32]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id m54NmrOd001563 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 4 Jun 2008 16:48:57 -0700 (PDT)
Message-ID: <484729E5.4010101@isi.edu>
Date: Wed, 04 Jun 2008 16:48:53 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.14 (Windows/20080421)
MIME-Version: 1.0
To: Andre Oppermann <andre@freebsd.org>
References: <48432005.2070201@freebsd.org> <48449321.5000609@isi.edu> <00BC7F35-5CE5-4142-AF30-7EDDB70A29D5@nokia.com> <4846FFFF.9090309@isi.edu> <48470949.3030904@networx.ch> <4847100A.4060003@isi.edu> <48471EDA.5020504@freebsd.org>
In-Reply-To: <48471EDA.5020504@freebsd.org>
X-Enigmail-Version: 0.95.6
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tcpm@ietf.org
Subject: Re: [tcpm] Q&C regarding tcpsecure-09 recommendations
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1207349757=="
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org
Andre Oppermann wrote: > Joe Touch wrote: >> Andre Oppermann wrote: >> ... >>>> 2. adding these mitigations complicates the TCP implementation, >>>> and makes it less robust to legitimate RSTs, esp. in the >>>> presence of reordering; it can increase the time needed to >>>> reset a connection by one or more RTTs >>> >>> Agreed for the second part about the potential for the time increase. >>> Not agreed to the first part. All kinds of mitigations make TCP >>> implementations more complex. Port randomization does, TCP-MD5 does, >>> IPsec does and so on. You can trust me on this one. ;-) >> >> IPsec has nothing to do with the TCP implementation; it may make the >> stack more complex, but not TCP. Port randomization is a one-time >> event during SYN creation, and should be easy to factor out as a >> separate call. TCP MD5 is complex, but already implemented. > > Port randomization is complex to implement. It's already implemented. See my other reply. >> The complexity I'm referring to is reflected in the exchange on >> details and corner cases you've posted to this list. > > There are just as many corner cases with (true) port randomization. > Have a look at its CVS history in the BSDs. Or Linux. Took a couple > iterations. Multiple iterations is not an indication of difficult corner cases. >>> Repeating myself: >>> >>> The extra time it may take in an edge case is not terribly high. Most >>> RSTs will match and do their thing. >> >> Actually, you've already indicated cases where that might not be true; >> if RSTs are used to shut down typical connections "just in case", if >> any of the in-transit data was lost, then these will trigger the ACK >> exchange and extra RTT. This costs extra time, extra packets, and >> extra processing on both ends - all for a NON MALICIOUS CASE. > > Normally the connection is in an idle state. It is primarily observed > with web servers where either the client or server wants to do persistent > connections and the other end does not. Or it times out. There would be > no extra round-trip for the RST to be come effective. It's also been observed in web servers that want to reduce the amount of TIME_WAIT state they hold - and thus kernel memory they tie up - for connections that clients close by normal means. Joe
_______________________________________________ tcpm mailing list tcpm@ietf.org https://www.ietf.org/mailman/listinfo/tcpm
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Anantha Ramaiah (ananth)
- [tcpm] Q&C regarding tcpsecure-09 recommendations Andre Oppermann
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Joe Touch
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Anantha Ramaiah (ananth)
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Joe Touch
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Lars Eggert
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Andre Oppermann
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Joe Touch
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Andre Oppermann
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Joe Touch
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Joe Touch
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Andre Oppermann
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Andre Oppermann
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Joe Touch
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Joe Touch
- Re: [tcpm] Q&C regarding tcpsecure-09 recommendat… Anantha Ramaiah (ananth)