Re: [tcpm] Some comments on tcpsecure

Ted Faber <faber@ISI.EDU> Mon, 07 April 2008 20:58 UTC

Return-Path: <>
Received: from (localhost []) by (Postfix) with ESMTP id DC43928C379; Mon, 7 Apr 2008 13:58:47 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 925D03A6D86 for <>; Mon, 7 Apr 2008 13:58:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id h-M-ho00wmpL for <>; Mon, 7 Apr 2008 13:58:45 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 6E96D3A6B94 for <>; Mon, 7 Apr 2008 13:58:45 -0700 (PDT)
Received: from ( []) by (8.13.8/8.13.8) with ESMTP id m37KvBgP005245 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 7 Apr 2008 13:57:12 -0700 (PDT)
Received: (from faber@localhost) by (8.14.2/8.14.2/Submit) id m37KvBtw042575; Mon, 7 Apr 2008 13:57:11 -0700 (PDT) (envelope-from faber)
Date: Mon, 07 Apr 2008 13:57:11 -0700
From: Ted Faber <faber@ISI.EDU>
To: Joe Touch <touch@ISI.EDU>
Message-ID: <>
References: <> <> <> <> <> <>
Mime-Version: 1.0
In-Reply-To: <>
User-Agent: Mutt/
X-ISI-4-43-8-MailScanner: Found to be clean
Cc:, Fernando Gont <>
Subject: Re: [tcpm] Some comments on tcpsecure
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <>
List-Unsubscribe: <>, <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
Content-Type: multipart/mixed; boundary="===============1010016966=="

On Mon, Apr 07, 2008 at 01:31:28PM -0700, Joe Touch wrote:
> Ted Faber wrote:
> >On Fri, Apr 04, 2008 at 01:21:27PM -0700, Joe Touch wrote:
> >>ICMPs are already filtered out for security reasons at firewalls. The 
> >>key here is whether to recommend that action or not.
> >
> >And, IMHO, hat off, we're not.  Not here anyway.
> If that's the case, then what's the point of protecting TCP this way?
> If ICMPs aren't filtered out, then they remain a simpler attack vector, 
> and thus the protections afforded are moot.

You understand, of course, that our hypothetical network architect might
read these documents in the other order - ICMP protections/ingress
filtering first, then tcpsecure.   In that sequence the point is closing
the hole remaining after ICMP is blocked and assuming that IPSec (or
however it's spelled) is ruled out.

Again, the purpose of this document is to standardize a protocol
extension that makes a specific attack more difficult.  It is not a
primer on securing TCP against all attacks - or even all spoofing
attacks.  It's not the job of a standards document to mandate all
possible (or even all relevant) countermeasures to all related attacks.
This document needs to point to the ICMP document - perhaps strongly -
but needn't RECOMMEND, in a 2119 sense, anything therein.  And given that
this is a standards document, I don't think it should recommend them

Ted Faber           PGP:
Unexpected attachment on this mail? See
tcpm mailing list