Re: [tcpm] Feedbackt on draft-ietf-tcpm-tcpsecure-13.txt
"Smith, Donald" <Donald.Smith@qwest.com> Tue, 18 May 2010 19:19 UTC
From: "Smith, Donald" <Donald.Smith@qwest.com>
To: "'tcpm@ietf.org WG'" <tcpm@ietf.org>, 'The IESG' <iesg@ietf.org>
Date: Tue, 18 May 2010 13:18:00 -0600
First, throughout this draft the authors refer to sequence number checking where they really mean acknowledgement number checking :( You can't quite do :g/sequence number/s//acknowledgement number/g as in a few places it is the sender's sequence number they are discussing.

The authors also use "the exact expected sequence number" a lot. I think they mean: last sent sequence number + the data length sent.

This looks a LOT like Gont's draft but may be an attempt to address just one issue identified here:
http://tools.ietf.org/html/draft-gont-tcp-security-00#section-3.4

This is slightly incorrect. In window would include an exact match for rcv.nxt+rcv.wnd, so the right side should be =<. The wording for how to do the challenge ack is a bit difficult to follow too.

   3) If the RST bit is set and the sequence number does not exactly
      match the next expected sequence value, yet is within the current
      receive window (RCV.NXT < SEG.SEQ < RCV.NXT+RCV.WND), TCP MUST send
      an acknowledgment (challenge ACK):

         <SEQ=SND.NXT><ACK=RCV.NXT><CTL=ACK>

   Ramaiah, et al.         Expires November 4, 2010               [Page 9]
   Internet-Draft                TCP Security                      May 2010

      After sending the challenge ACK, TCP MUST drop the unacceptable
      segment and stop processing the incoming packet further. Further
      segments destined to this connection will be processed as normal.

   3) If the RST bit is set and the sequence number does not exactly
      match the next expected sequence value, yet is within the current
      receive window (RCV.NXT < SEG.SEQ =< RCV.NXT+RCV.WND), TCP MUST send
      an acknowledgment (challenge ACK):

         <SEQ=SND.NXT><ACK=RCV.NXT><CTL=ACK>

      After sending the challenge ACK, TCP MUST silently drop the in
      window but not exact match segment and stop processing it.
      Additional segments destined to this connection MUST be processed
      as normal.

That last line is really extraneous.
You don't say what happens to the packets before this event. I am not sure you have to say "handle the next packet per normal behavior" ;)

The authors need to explain exactly what that challenge ACK looks like. I think it is the same 4-tuple, ack = last sent ack, seq = last sent seq (no data).

Still on page 9:

   In all states except SYN-SENT, all reset (RST) segments are validated
   by checking their SEQ-fields [sequence numbers]. A reset is valid if
   its sequence number exactly matches the next expected sequence number.
   If the RST arrives and its sequence number field does NOT match the
   next expected sequence number but is within the window, then the
   receiver should generate an ACK. In all other cases where the
   SEQ-field does not match and is outside the window, the receiver MUST
   silently discard the segment.

Should be:

   In all states except SYN-SENT, all reset (RST) segments are validated
   by checking their ACK-fields [acknowledgement numbers]. A reset is
   valid if its acknowledgement number exactly matches the last sent
   sequence number + the data length sent. If the RST arrives and its
   acknowledgement number field does NOT match the last sent sequence
   number + the data length sent but is within the window, then the
   receiver SHOULD (or MUST?) generate an ACK. In all other cases where
   the ACK-field does not match and is outside the window, the receiver
   MUST silently discard the segment.

(coffee != sleep) & (!coffee == sleep)
Donald.Smith@qwest.com gcia
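As an added illustration (my own example, not code from the draft or from the message above), here is the three-way RST classification that the quoted item 3) describes, with the right-edge boundary the message disputes exposed as a parameter so the draft's "<" and the proposed "=<" can be compared side by side. The function names, the dict shape of the challenge ACK and the sequence values in `boundary_table` are my own choices, not anything the draft defines.

```python
MOD = 1 << 32  # TCP sequence numbers wrap at 2^32


def seq_offset(seg_seq, rcv_nxt):
    """Distance from RCV.NXT forward to SEG.SEQ, modulo 2^32 (handles wrap)."""
    return (seg_seq - rcv_nxt) % MOD


def classify_rst(seg_seq, rcv_nxt, rcv_wnd, right_edge_inclusive=False):
    """Classify an incoming RST the way the draft's item 3) describes.

    Returns 'RESET' (exact match: abort the connection), 'CHALLENGE_ACK'
    (in window but not the exact match) or 'DROP' (outside the window).
    right_edge_inclusive=False is the draft text
    (RCV.NXT < SEG.SEQ < RCV.NXT+RCV.WND); True is the '=<' variant the
    message proposes, which also treats SEG.SEQ == RCV.NXT+RCV.WND as in window.
    """
    off = seq_offset(seg_seq, rcv_nxt)
    if off == 0:
        return "RESET"
    if off < rcv_wnd or (right_edge_inclusive and off == rcv_wnd):
        return "CHALLENGE_ACK"
    # A SEG.SEQ "behind" RCV.NXT wraps to a large offset and lands here too.
    return "DROP"


def challenge_ack(snd_nxt, rcv_nxt):
    """The segment the draft specifies: <SEQ=SND.NXT><ACK=RCV.NXT><CTL=ACK>, no payload."""
    return {"SEQ": snd_nxt, "ACK": rcv_nxt, "CTL": "ACK", "DATA_LEN": 0}


def boundary_table(rcv_nxt, rcv_wnd):
    """Outcome at each edge of the window under both rules (constructed probe values)."""
    probes = [rcv_nxt - 1, rcv_nxt, rcv_nxt + 1, rcv_nxt + rcv_wnd - 1,
              rcv_nxt + rcv_wnd, rcv_nxt + rcv_wnd + 1]
    return {p % MOD: (classify_rst(p % MOD, rcv_nxt, rcv_wnd),
                      classify_rst(p % MOD, rcv_nxt, rcv_wnd, True))
            for p in probes}


if __name__ == "__main__":
    # Constructed state: RCV.NXT = 1000, RCV.WND = 100, SND.NXT = 4242.
    for seq, (draft, proposed) in boundary_table(1000, 100).items():
        print(f"SEG.SEQ={seq:5d}  draft '<': {draft:13s}  proposed '=<': {proposed}")
    print(challenge_ack(snd_nxt=4242, rcv_nxt=1000))
```

Only the row at SEG.SEQ = RCV.NXT+RCV.WND differs between the two rules, which is exactly the boundary the message is arguing about.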