Re: [tcpm] poll for adopting draft-gont-tcp-security
Fernando Gont <fernando@gont.com.ar> Sat, 04 July 2009 06:54 UTC
Return-Path: <fernando@gont.com.ar>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 442903A67F5 for <tcpm@core3.amsl.com>; Fri, 3 Jul 2009 23:54:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.919
X-Spam-Level:
X-Spam-Status: No, score=-2.919 tagged_above=-999 required=5 tests=[AWL=0.680, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fvfs8H4C8BLF for <tcpm@core3.amsl.com>; Fri, 3 Jul 2009 23:54:41 -0700 (PDT)
Received: from smtp1.xmundo.net (smtp1.xmundo.net [201.216.232.80]) by core3.amsl.com (Postfix) with ESMTP id 53DC63A65A6 for <tcpm@ietf.org>; Fri, 3 Jul 2009 23:53:55 -0700 (PDT)
Received: from venus.xmundo.net (venus.xmundo.net [201.216.232.56]) by smtp1.xmundo.net (Postfix) with ESMTP id 041006B6747; Sat, 4 Jul 2009 03:52:23 -0300 (ART)
Received: from [192.168.0.156] (129-130-17-190.fibertel.com.ar [190.17.130.129]) (authenticated bits=0) by venus.xmundo.net (8.14.1/8.14.1) with ESMTP id n646q0SZ002813; Sat, 4 Jul 2009 03:52:00 -0300
Message-ID: <4A4EDFEB.4030008@gont.com.ar>
Date: Sat, 04 Jul 2009 03:51:55 -0100
From: Fernando Gont <fernando@gont.com.ar>
User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
MIME-Version: 1.0
To: Joe Touch <touch@ISI.EDU>
References: <C304DB494AC0C04C87C6A6E2FF5603DB2217B28763@NDJSSCC01.ndc.nasa.gov> <fc0ff13d0906241711k44de4f77u8ec825e1ea151a1e@mail.gmail.com> <4A4317ED.1040905@gont.com.ar> <4A48F60A.7020602@gmail.com> <4A49CA1A.6060702@gont.com.ar> <4A4A2A73.0@isi.edu> <C304DB494AC0C04C87C6A6E2FF5603DB2217BA03DF@NDJSSCC01.ndc.nasa.gov> <4A4A3F1F.1060904@isi.edu> <4A4A56F5.30806@gont.com.ar> <4A4A5A23.1010009@isi.edu> <D04557F4-BEAF-4885-AF33-D9643AF5D049@surrey.ac.uk> <4A4EA787.4090004@isi.edu> <528F1AE1-67BC-42EA-AFF7-44A231970342@surrey.ac.uk> <4A4EF1C4.50305@isi.edu>
In-Reply-To: <4A4EF1C4.50305@isi.edu>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by milter-greylist-3.0 (venus.xmundo.net [201.216.232.56]); Sat, 04 Jul 2009 03:52:21 -0300 (ART)
Cc: tcpm Extensions WG <tcpm@ietf.org>, Lloyd Wood <L.Wood@surrey.ac.uk>
Subject: Re: [tcpm] poll for adopting draft-gont-tcp-security
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Jul 2009 06:54:42 -0000
Joe Touch wrote: > If this document contained only information of decided WG issues, > including WG consensus on those issues, you would be correct. A very large part of draft-gont-tcp-security is about stuff that has never been discussed by this wg, but that you dismiss with arguments such as "who TCP needs not be implemented in a secure way", etc. Also, draft-gont-tcp-security is based on the idea of giving advice for implementing TCP as good resiliency as possible. And one might argue that this is a different context as that of draft-ietf-icmp-attacks, which I guess that was meant for the general case ("general case" probably being that case in which we are happy to be vulnerable to obvious and trivial attacks, I guess). > I have pointed out several cases where that is not the case - and > that has been (and remains) my concern. The only case for which you raised this is for the ICMP attacks stuff. Will you support draft-gont-tcp-security if, say, I were to remove the entire ICMP section, or replace it with a summary of what's in draft-ietf-icmp-attacks? <sidetrack> As for the ICMP stuff itself: there have been arguments against checking ICMPs to be "in window". However, I don't seem to recall people arguing against the idea of "hard errors should be processes as soft errors when received for connections in any of the synchronized states" (*this* is what has been implemented in virtually all stacks for more than 20 years as the main counter-measure for icmp-based reset attacks). Has anybody argued against ignoring ICMP source quenches meant for TCP connections? (this is the main countermeasure for source quench attacks, and what has been implemented in most stacks). The "in-window" check is useful as a mitigation technique for the PMTU counter-measure -- however, the one described in the I-D is mainly based on the idea of "check for progress on the connection", which I believe parallels the idea in PLPMTUD. -- and I don't recall people arguing against that idea, either. Also, see the reviewers in the Acks of the I-D.. that's people from most of the major TCP implementations. And the ideas in the I-D are the running code we have and we use. However, we are so full of ourselves that we tell implementers that the code they have implemented, which has been running the Internet for the last 20 years or so, is "buggy", backed on how we think the code should be (despite it doesn't run in that way, and in some cases has not done it that way for ages (if it ever did)). Want to now what the industry did in response? -- The have ignored our consensus. </sidetrack> Thanks, -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@acm.org PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
- [tcpm] poll for adopting draft-gont-tcp-security Eddy, Wesley M. (GRC-MS00)[Verizon]
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Matt Mathis
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Matt Mathis
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Alfred Hönes
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Ilpo Järvinen
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Eddy, Wesley M. (GRC-MS00)[Verizon]
- [tcpm] [Fwd: Re: poll for adopting draft-gont-tcp… Fernando Gont
- [tcpm] [Fwd: Re: poll for adopting draft-gont-tcp… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Christos Zoulas
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Eddy, Wesley M. (GRC-MS00)[Verizon]
- [tcpm] Handling of malformed options (was: Re: po… Fernando Gont
- Re: [tcpm] Handling of malformed options Joe Touch
- Re: [tcpm] Handling of malformed options Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Lloyd Wood
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Lloyd Wood
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Lloyd Wood
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Lloyd Wood
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Lloyd Wood
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Fernando Gont
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Joe Touch
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Lloyd Wood
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Andrew Yourtchenko
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… Dan Wing
- Re: [tcpm] poll for adopting draft-gont-tcp-secur… David Borman