RE: [tcpm] tcpsecure: how strong to recommend?

"Anantha Ramaiah \(ananth\)" <ananth@cisco.com> Wed, 26 September 2007 18:58 UTC

To: Joe Touch <touch@ISI.EDU>
Cc: tcpm@ietf.org, Tim Shepard <shep@alum.mit.edu>

> Anantha Ramaiah (ananth) wrote:
> ...
> > If we have to fix multiple layers, let's fix it, I have no problems.
> > You can do all at once or piecemeal, as simple as that. It doesn't
> > matter whether spoofing is standalone or not, it is about how well you
> > can make your TCP stack respond to such malicious attacks, if you care
> > to do so.
>
> TCP is not a secure protocol. It's not intended for protection from
> malicious attacks per se; 'fixing' it is to assert your solution on
> everyone, as below.

I see what you are saying, except the "asserting your solution" part.

But you seem to be equating some efforts to make TCP more robust with TCP
having IPsec-like functionality, which is very far-fetched, IMO.

Hmm... It boils down to your favorite line of thinking: "Don't make any
robustness changes in TCP, just use IPsec". I thought we had beaten
that to death a long time ago. :-)

Anyways, I don't want to sidetrack this discussion from its original
intent, viz., "strength of mitigations".

-Anantha
