Re: [tcpm] exegesis of 'Updates' -- was: ... reviewof draft-ietf-tcpm-tcpsecure[-10]

"Anantha Ramaiah (ananth)" <> Tue, 30 September 2008 23:19 UTC

Return-Path: <>
Received: from [] (localhost []) by (Postfix) with ESMTP id 6CA793A6B26; Tue, 30 Sep 2008 16:19:19 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id A5DFF3A68DA for <>; Tue, 30 Sep 2008 16:19:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.249
X-Spam-Status: No, score=-6.249 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5CmX3dUNqq4r for <>; Tue, 30 Sep 2008 16:19:16 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 687373A69E1 for <>; Tue, 30 Sep 2008 16:19:16 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.33,341,1220227200"; d="scan'208";a="85047212"
Received: from ([]) by with ESMTP; 30 Sep 2008 23:19:38 +0000
Received: from ( []) by (8.12.11/8.12.11) with ESMTP id m8UNJcvx001701; Tue, 30 Sep 2008 16:19:38 -0700
Received: from ( []) by (8.13.8/8.13.8) with ESMTP id m8UNJcvt005235; Tue, 30 Sep 2008 23:19:38 GMT
Received: from ([]) by with Microsoft SMTPSVC(6.0.3790.1830); Tue, 30 Sep 2008 16:19:38 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Tue, 30 Sep 2008 16:19:36 -0700
Message-ID: <>
In-Reply-To: <>
Thread-Topic: [tcpm] exegesis of 'Updates' -- was: ... reviewof draft-ietf-tcpm-tcpsecure[-10]
Thread-Index: AckjTDC6+yaiS2DHTIeZTjxJ9pyv5wAA5YEQ
References: <> <>
From: "Anantha Ramaiah (ananth)" <>
To: Joe Touch <touch@ISI.EDU>, Alfred � <>
X-OriginalArrivalTime: 30 Sep 2008 23:19:38.0599 (UTC) FILETIME=[0261C770:01C92353]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=4296; t=1222816778; x=1223680778; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version;;; z=From:=20=22Anantha=20Ramaiah=20(ananth)=22=20<ananth@cisco .com> |Subject:=20RE=3A=20[tcpm]=20exegesis=20of=20'Updates'=20-- =20was=3A=20...=20reviewof=09draft-ietf-tcpm-tcpsecure[-10] |Sender:=20; bh=iaYqFBVzaUXxyxZPHucSeL4gWpael5ZfJjwcztxJ4uU=; b=vahSnUFAUiIaDCkg4lLe++nDU5Xn7HR9zroG1bGlz8woqhfqqrmlMTHy3B /2DiXdBeYyd9nREF3Pbp3Qy+pN5SJpDIRrR9yq/T9MyLobK8bq0/JPkIhgeL fmgeXrEuPS;
Authentication-Results: sj-dkim-2;; dkim=pass ( sig from verified; );
Subject: Re: [tcpm] exegesis of 'Updates' -- was: ... reviewof draft-ietf-tcpm-tcpsecure[-10]
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit


> -----Original Message-----
> From: [] On 
> Behalf Of Joe Touch
> Sent: Tuesday, September 30, 2008 3:30 PM
> To: Alfred  
> Cc:;
> Subject: Re: [tcpm] exegesis of 'Updates' -- was: ... 
> reviewof draft-ietf-tcpm-tcpsecure[-10]
> Hash: SHA1
> Alfred   wrote:
> ...
> > Therefore my recommendation:
> > 
> > +++   Be very careful with "Obsoletes", but be generous
> > +++   with "Updates", for the benefit of RFC readers !
> Well, we used to have a general rule:
> 	Be conservative in what you send,
> 	be liberal in what you receive.
> The second rule is bent by tcpsecure, which interprets 
> unexpected segments as attacks needing defense.

You have blown this trumphet from day one, so nothing new, really. Like it has been clarified by many folks umpteen number of times, tcp-secure improves robustness of TCP w.r.t processing in-window RSTs, SYNs and Data injection. If you think by doing so we have punched a hole in "liberality", that is your personal take. Not sure why we are even debating this now, during last call! We have moved on from this line a long time back!

> As a result, we're here considering reasons not to put 
> Updates in the header, to avoid too strongly implying that 
> all TCPs everywhere need to be augmented with an 
> IPR-encumbered poor substitute for true security.

IPR issue was raised when the document was initially presented 3+ years ago!. Scott Bradner made a presentation to clarify the IPR intent and after that this, the IPR issue was never considered as a hindrance for the draft to move forward. Agreed that the IPR issue might have had some influence w.r.t the verbiage on the strength of mitigations. Lars Eggert suggested an applicability statement to be added, we added the same. Not sure why you are bringing this up now, the IPR issue was beaten to death long time back.

Again, my current understanding (which is inline with Alfred) is about "if a draft changes the TCP RFC 793 rules in some way, then it is considered as an update and we should mark it accordingly upfront for easy reference purposes" Also, update doesn't mean that "all TCP's everywhere need to be augumented with the changes". An implementer would read the mitigations, AS and the strength of recommended mitigations and would make his/her own choice!

> My conclusion is that, although I agree with Alfred in 
> spirit, I can't see why we should be more liberal with 
> Updates than we are with segments we receive.

IMO, these two are completely 2 different things!

> Joe
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla -
> iEYEARECAAYFAkjiqG4ACgkQE5f5cImnZruw4wCcDIHsrjF8mTwwMRM1N8YB7vc0
> SRYAnj6ZXFfzhFgzCzUgIMofGUu2SVgj
> _______________________________________________
> tcpm mailing list
tcpm mailing list