Re: [tcpm] Comments on TCP-AO Draft
"Gregory M. Lebovitz" <gregory.ietf@gmail.com> Tue, 18 November 2008 01:28 UTC
Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 82C0E3A6922; Mon, 17 Nov 2008 17:28:15 -0800 (PST)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CF9B53A69AF for <tcpm@core3.amsl.com>; Mon, 17 Nov 2008 17:28:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_42=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UboJIvtT3jXS for <tcpm@core3.amsl.com>; Mon, 17 Nov 2008 17:28:13 -0800 (PST)
Received: from rv-out-0506.google.com (rv-out-0506.google.com [209.85.198.236]) by core3.amsl.com (Postfix) with ESMTP id EACB03A6922 for <tcpm@ietf.org>; Mon, 17 Nov 2008 17:28:12 -0800 (PST)
Received: by rv-out-0506.google.com with SMTP id b25so2663860rvf.49 for <tcpm@ietf.org>; Mon, 17 Nov 2008 17:28:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:x-mailer:date:to:from:subject :in-reply-to:references:mime-version:content-type:message-id; bh=664eyGx3jHRLcHVgNAkN0cPk/KtL6zNJRBIZZpEJ7FY=; b=hyh/dRhbDcYAgSy7exzdJXL3NLCCszn+X029rLlKUNaBvwHy+Pm7EDlpkeOohvYvt7 qWk6WBLVN8mjYBEZbrdBp9U8rHK0zQ3gTYB0qOovRD6ER1ui+T81xJFe9nlgGGX8DKIl MjdTqNpQW1pT485E5S2gnoKdTEicvq2UVbm/s=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=x-mailer:date:to:from:subject:in-reply-to:references:mime-version :content-type:message-id; b=pxOaBgL8VOg1DZe35oGrUZoty89egLNOObKi0tupUmSBOoglhhkDaB7hJoTpR64tnZ gdamU3wxg05FmuaPB/8QG/emcnJjk7TtJMlXagBPqTdVC1e6o+KKz2YVd0G5UuDGx4Ug J2/88YCIvRM7FbnaS+E9IqTPSBTf9y0z0plvU=
Received: by 10.141.197.21 with SMTP id z21mr2602301rvp.75.1226971692308; Mon, 17 Nov 2008 17:28:12 -0800 (PST)
Received: from Gregory-T60.gmail.com ([130.129.95.186]) by mx.google.com with ESMTPS id b39sm7540577rvf.0.2008.11.17.17.28.09 (version=SSLv3 cipher=RC4-MD5); Mon, 17 Nov 2008 17:28:11 -0800 (PST)
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Mon, 17 Nov 2008 17:28:04 -0800
To: "Eddy, Wesley M. (GRC-RCN0)[VZ]" <Wesley.M.Eddy@nasa.gov>, LANGE Andrew <Andrew.Lange@alcatel-lucent.com>, tcpm@ietf.org
From: "Gregory M. Lebovitz" <gregory.ietf@gmail.com>
In-Reply-To: <B5A5E01F9387F4409E67604C0257C71E7A3296@NDJSEVS25A.ndc.nasa .gov>
References: <66F9363AB70F764C96547BD8A0A3679E154CB4@USDALSMBS05.ad3.ad.alcatel.com> <B5A5E01F9387F4409E67604C0257C71E7A3296@NDJSEVS25A.ndc.nasa.gov>
Mime-Version: 1.0
Message-ID: <49221a2b.27b38c0a.57ac.771b@mx.google.com>
Subject: Re: [tcpm] Comments on TCP-AO Draft
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org
inline... At 12:06 PM 11/17/2008, Eddy, Wesley M. (GRC-RCN0)[VZ] wrote: > >-----Original Message----- > >From: tcpm-bounces@ietf.org [mailto:tcpm-bounces@ietf.org] On > >Behalf Of LANGE Andrew > >Sent: Monday, November 17, 2008 1:51 PM > >To: tcpm@ietf.org > >Subject: [tcpm] Comments on TCP-AO Draft > > > > > > >There are a lot of good comments here that will strengthen >the document. One of them that concerns the wire-format rather >than text additions, clarifications, and changes that are >needed, which we should address quickly is: > > > >1.4.1: " IETF-72 topic" sections "No current consensus was > >reached on this topic, so no change was made." This is a real > >problem -- the logic is deeply flawed. Allow me to restate: > >One author of this document has appointed themselves the > >arbiter of consensus. This author disagrees with other > >people, and therefore no "consensus" can ever be reached, so > >the default case this author has chosen is to keep things they > >way they like it. > > > > ... > > > >"..omit an explicit algorithm ID..." -- I've said this before, > >this is a BAD IDEA^tm. The protocol utility of doing this is > >minimal (1-bit increase in search space), and the operational > >complexity goes up. Not to mention, it makes it operationally > >incompatible with existing implementations. > > >There was logic given to support each side of the argument. My >understanding of the summary for each position is: > >(position 1 - "include") Including information like algorithm ID >and k-bit is BAD because it aids in debugging of implementations >and of configurations. Wes, did you mean to say "GOOD" instead of "BAD" in this paragraph? I'll assume yes. >(position 2 - "don't include") Including this information is BAD >because it can expose information about the security parameters. >It doesn't aid in debugging of configuration because operators still >have to call each other in order to read off and verify keys. > >There seemed to be more people around position 2 than position 1, >but we should flag this and ask during the meeting, as well as >open this up on the mailing list to see what people prefer. We >need to pick one and move on. I concur with your recollection about the two positions above. I also concur with your recollection that there was more people (not 100% consensus, but more) around Position 2 than 1. The argument I made went something like this, and was based on lots of years of debugging interop issues in both IKEv1/ESP and IKEv2/ESP: - there is only the case where the connection will be discussed out of band by system admins before a first connection is made. At that point, there will be some agreement about config choices. - if the connection doesn't work, you double check your config matches your agreement of config choices. - if the config matches the agreement, then you can try the other algo, just in case you misheard that part. - if it doesn't work, then you have to pick up the phone and call the other guy to double check config parameters. Conclusion: having the bits on the wire about the config elements doesn't help practically, and contradicts the basic security principle of hiding as much about the SA as possible. So I am also support Position 2. Gregory. >As an individual, and not a co-chair, I'm in the position 2 "don't >include" camp. > > >_______________________________________________ >tcpm mailing list >tcpm@ietf.org >https://www.ietf.org/mailman/listinfo/tcpm _______________________________________________ tcpm mailing list tcpm@ietf.org https://www.ietf.org/mailman/listinfo/tcpm
- [tcpm] Comments on TCP-AO Draft LANGE Andrew
- Re: [tcpm] Comments on TCP-AO Draft Eddy, Wesley M. (GRC-RCN0)[VZ]
- Re: [tcpm] Comments on TCP-AO Draft Joe Touch
- Re: [tcpm] Comments on TCP-AO Draft Gregory M. Lebovitz
- Re: [tcpm] Comments on TCP-AO Draft Gregory M. Lebovitz
- Re: [tcpm] Comments on TCP-AO Draft Eddy, Wesley M. (GRC-RCN0)[VZ]
- Re: [tcpm] Comments on TCP-AO Draft LANGE Andrew
- Re: [tcpm] Comments on TCP-AO Draft Eric Rescorla