Re: [tcpm] Some comments on tcpsecure
Joe Touch <touch@ISI.EDU> Fri, 04 April 2008 19:56 UTC
Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 63EEE28C1AE; Fri, 4 Apr 2008 12:56:21 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B2FB828C4AF for <tcpm@core3.amsl.com>; Fri, 4 Apr 2008 12:56:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ny-YuU-05WUO for <tcpm@core3.amsl.com>; Fri, 4 Apr 2008 12:56:18 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 8D2933A6FA8 for <tcpm@ietf.org>; Fri, 4 Apr 2008 12:55:44 -0700 (PDT)
Received: from [127.0.0.1] (193.sub-70-212-209.myvzw.com [70.212.209.193]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id m34Jt0U6020439 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 4 Apr 2008 12:55:02 -0700 (PDT)
Message-ID: <47F68794.6050100@isi.edu>
Date: Fri, 04 Apr 2008 12:55:00 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
MIME-Version: 1.0
To: Fernando Gont <fernando@gont.com.ar>
References: <200804041832.m34IWTC5025090@venus.xmundo.net>
In-Reply-To: <200804041832.m34IWTC5025090@venus.xmundo.net>
X-Enigmail-Version: 0.95.6
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tcpm@ietf.org
Subject: Re: [tcpm] Some comments on tcpsecure
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1734783586=="
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org
Fernando Gont wrote: > Folks, > > I have not yet reviewed the entire document (but will do). However, > reading the security considerations section (and at the risk of > sounding our own horn?), I see this document does not reference two > closely related wg documents of the tcpm and tsvwg working groups. > > The first one is the ICMP attacks draft > (draft-ietf-tcpm-icmp-attacks). While tcpsecure mentions the security > implications of ICMP on TCP conenctions, it does not reference the > I-D. IIRC, this had already been pointed out by Joe (?). As far as > the specifications are concerned, you shouldn't bother to fix > TCP-based reset attacks if you don't fix the the ICMP-based ones. Agreed; should this doc recommend filtering out ICMPs as a result? (there's no in-window checks that are meaningful, since ICMPs are not guaranteed to be timely) I.e., something stronger than "there's nothing we can do", which is what is implied in the current security considerations. > The other doc is the port randomization draft > (draft-tsvwg-port-randomization). Also ISN randomization (RFC-1948), for similar reasons. Even though some of the RST attacks span the entire window, knowing the ISN can help during the initial handshake and shortly thereafter. Joe
_______________________________________________ tcpm mailing list tcpm@ietf.org https://www.ietf.org/mailman/listinfo/tcpm
- [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Anantha Ramaiah (ananth)
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Anantha Ramaiah (ananth)
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Anantha Ramaiah (ananth)
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- [tcpm] ICMP error origination timeliness Pekka Savola
- Re: [tcpm] ICMP error origination timeliness Joe Touch
- Re: [tcpm] ICMP error origination timeliness Anantha Ramaiah (ananth)
- Re: [tcpm] ICMP error origination timeliness Joe Touch
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Ted Faber
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Ted Faber
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Ted Faber
- Re: [tcpm] Some comments on tcpsecure Anantha Ramaiah (ananth)
- Re: [tcpm] Some comments on tcpsecure Ted Faber
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Anantha Ramaiah (ananth)