Re: [tcpm] Some comments on tcpsecure

Ted Faber <faber@ISI.EDU> Mon, 07 April 2008 20:58 UTC

Date: Mon, 07 Apr 2008 13:57:11 -0700
From: Ted Faber <faber@ISI.EDU>
To: Joe Touch <touch@ISI.EDU>
Message-ID: <20080407205711.GF68982@zod.isi.edu>
References: <200804041832.m34IWTC5025090@venus.xmundo.net> <47F68794.6050100@isi.edu> <200804042012.m34KCk8U022643@venus.xmundo.net> <47F68DC7.2050303@isi.edu> <20080407183359.GB68982@zod.isi.edu> <47FA84A0.1070904@isi.edu>
In-Reply-To: <47FA84A0.1070904@isi.edu>
Cc: tcpm@ietf.org, Fernando Gont <fernando@gont.com.ar>
Subject: Re: [tcpm] Some comments on tcpsecure

On Mon, Apr 07, 2008 at 01:31:28PM -0700, Joe Touch wrote:
> Ted Faber wrote:
> >On Fri, Apr 04, 2008 at 01:21:27PM -0700, Joe Touch wrote:
> >>ICMPs are already filtered out for security reasons at firewalls. The 
> >>key here is whether to recommend that action or not.
> >
> >And, IMHO, hat off, we're not.  Not here anyway.
> 
> If that's the case, then what's the point of protecting TCP this way?
> 
> If ICMPs aren't filtered out, then they remain a simpler attack vector, 
> and thus the protections afforded are moot.

You understand, of course, that our hypothetical network architect might
read these documents in the other order - ICMP protections/ingress
filtering first, then tcpsecure.   In that sequence the point is closing
the hole remaining after ICMP is blocked and assuming that IPSec (or
however it's spelled) is ruled out.

Again, the purpose of this document is to standardize a protocol
extension that makes a specific attack more difficult.  It is not a
primer on securing TCP against all attacks - or even all spoofing
attacks.  It's not the job of a standards document to mandate all
possible (or even all relevant) countermeasures to all related attacks.
This document needs to point to the ICMP document - perhaps strongly -
but needn't RECOMMEND, in a 2119 sense, anything therein.  And given that
this is a standards document, I don't think it should recommend them
either.

-- 
Ted Faber
http://www.isi.edu/~faber           PGP: http://www.isi.edu/~faber/pubkeys.asc
Unexpected attachment on this mail? See http://www.isi.edu/~faber/FAQ.html#SIG
_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm