Re: [tcpm] tcp-auth-opt issue: support for NATs
Joe Touch <touch@ISI.EDU> Thu, 07 August 2008 18:36 UTC
Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9D1C73A69AB; Thu, 7 Aug 2008 11:36:02 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 236E83A69AB for <tcpm@core3.amsl.com>; Thu, 7 Aug 2008 11:36:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m1irX5fxY9f2 for <tcpm@core3.amsl.com>; Thu, 7 Aug 2008 11:36:01 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 4EFA73A6935 for <tcpm@ietf.org>; Thu, 7 Aug 2008 11:36:01 -0700 (PDT)
Received: from [192.168.10.101] (auto-66.185.38.62.wirelessworld.vi [66.185.38.62]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id m77IaJws021503 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 7 Aug 2008 11:36:21 -0700 (PDT)
Message-ID: <489B407A.6030001@isi.edu>
Date: Thu, 07 Aug 2008 11:35:38 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.16 (Windows/20080708)
MIME-Version: 1.0
To: Eric Rescorla <ekr@networkresonance.com>
References: <4890F4BE.6060302@isi.edu> <396556a20807301622l4cb33deuff73cd13d7a75ba1@mail.gmail.com> <4890FBE8.1020203@isi.edu> <396556a20807311700w1eda50b0o5da7ae52e6c1691a@mail.gmail.com> <48935FFD.4090805@isi.edu> <396556a20808051826w1a839577q956f379f56db1165@mail.gmail.com> <20080806020257.D1C69525D8F@kilo.rtfm.com> <396556a20808061742y19f8f5fh78fe66bfe4d415be@mail.gmail.com> <20080807011812.DDC8050846@romeo.rtfm.com> <396556a20808071047q5bda8acbje7a8fc9f9bf2e597@mail.gmail.com> <20080807180512.77604529E4D@kilo.rtfm.com> <489B3B72.8030604@isi.edu> <20080807182005.04B5B52A03A@kilo.rtfm.com>
In-Reply-To: <20080807182005.04B5B52A03A@kilo.rtfm.com>
X-Enigmail-Version: 0.95.6
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: Adam Langley <agl@imperialviolet.org>, tcpm@ietf.org
Subject: Re: [tcpm] tcp-auth-opt issue: support for NATs
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Eric Rescorla wrote: ... |> | Because the side doing the passive open doesn't know which client |> | is connecting and it may have multiple instances of the same key-id? |> | I don't understand the purpose of the time. Just do trial verifications |> | with each key. |> |> That's a reason we have a keyID, which, together with the socket pair, |> should exactly specify what key to use and avoids this sort of trial. If |> we can live with trials, we can remove the keyID and things align much |> better. | | Yes, but this only works if you either (1) know the address of | peers in advance or (2) never assign the same key-id to two | different peers. <indiv hat on> If we require the socket pair, then the keyID need be unique only within a connection, and we should never need to test different keys -- even with key rollover, the key used should be deterministic. Supporting NATs can be done in two different ways: 1. require the KMS to determine the socket pair as received, and calculate the hash based on the as-received values this does not require testing different keys, but puts additional burden on the KMS 2. require a mode where the socket pair is not included in the MAC this will require testing different keys, it also requires the KMS install keys in certain ways (i.e., wildcarded on source port and dest IP addr, at least) I have not yet seen a reason to support secure transport connections for NAT'd devices made on this list. If there isn't, perhaps it'd be preferable to leave the protocol simpler and just not support NAT mode. Alternately, perhaps we could note that there could be modes where certain header fields are excluded, but that this would be described in a separeate extension - i.e., not in this doc. Joe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkibQHoACgkQE5f5cImnZrsetwCeNaexL5o20oxq5ay5wT+oi1i2 D80AoKRr37bq5NPnsz+iKEBuD6OzFow6 =9ACi -----END PGP SIGNATURE----- _______________________________________________ tcpm mailing list tcpm@ietf.org https://www.ietf.org/mailman/listinfo/tcpm
- [tcpm] tcp-auth-opt issue: support for NATs Joe Touch
- Re: [tcpm] tcp-auth-opt issue: support for NATs Adam Langley
- Re: [tcpm] tcp-auth-opt issue: support for NATs Joe Touch
- Re: [tcpm] tcp-auth-opt issue: support for NATs Adam Langley
- Re: [tcpm] tcp-auth-opt issue: support for NATs Joe Touch
- Re: [tcpm] tcp-auth-opt issue: support for NATs Adam Langley
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Adam Langley
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Adam Langley
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Adam Langley
- Re: [tcpm] tcp-auth-opt issue: support for NATs Joe Touch
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Joe Touch
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Joe Touch
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Joe Touch
- Re: [tcpm] tcp-auth-opt issue: support for NATs Adam Langley
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Anantha Ramaiah (ananth)
- Re: [tcpm] tcp-auth-opt issue: support for NATs Dan Wing
- Re: [tcpm] tcp-auth-opt issue: support for NATs Dan Wing
- Re: [tcpm] tcp-auth-opt issue: support for NATs Ron Bonica
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Dan Wing
- Re: [tcpm] tcp-auth-opt issue: support for NATs Ted Faber
- Re: [tcpm] tcp-auth-opt issue: support for NATs Dan Wing
- Re: [tcpm] tcp-auth-opt issue: support for NATs Joe Touch