Re: [tcpm] TCP-AO and ICMP attacks (was Re: comments on draft-ietf-tcpm-icmp-attacks-05)

Joe Touch <touch@ISI.EDU> Wed, 17 June 2009 00:14 UTC

To: Fernando Gont <fernando@gont.com.ar>

I think we both agree that the text on ICMP handling should be moved out
of the security considerations section and put in its own section. The
question is what to put there.

You prefer defaults, and are recommending ICMP handling similar to that
in documents the WG has decided not to recommend for TCP not running AO.

I want to leave TCP-AO's handling of ICMPs the same as IPsec's - up to
the user.

Can others please weigh in?

Joe