Re: [tcpm] Secdir last call review of draft-ietf-tcpm-rfc793bis-24

Wesley Eddy <> Fri, 03 September 2021 19:54 UTC

To: Kyle Rose <>, tcpm IETF list <>
From: Wesley Eddy <>
Date: Fri, 3 Sep 2021 15:54:30 -0400

Some proposals on how to address the SECDIR last call comments:

On 7/30/2021 5:30 PM, Kyle Rose wrote:
> > The one item I see missing from this section is a mention of lessons
> > learned and subsequently applied to the design of QUIC. I think it is
> > worth mentioning, for instance, that TCP's large surface area of
> > cleartext metadata exposes more information to the path than required
> > to successfully route packets to their destination, including to
> > on-path adversaries that may be able to use this metadata to bolster
> > targeted or pervasive surveillance.

It looks like this is covered pretty well in RFC 8546, which you mention 
below, so I think it might suffice for 793bis to just add a sentence 
noting pretty much exactly what you said above and referring interested 
readers to RFC 8546.

> > There is one more omission, adjacent to (but not explicitly about)
> > security, that I think warrants some text in this document: that is
> > around ossification. Given the lengthy back-and-forth I witnessed as
> > chair of the TCPINC WG regarding the (in)feasibility of protecting
> > segmentation and header values on the public internet, it is probably
> > worth adding to a 793bis document a section that briefly outlines the
> > ossification impact of voluminous cleartext and unprotected/un-GREASEd
> > metadata, maybe with a reference to the wire image as defined by RFC
> > 8546. The reason I think this is worthwhile is that it would be good
> > to have the practical limits of TCP extensibility (i.e., in a world
> > with middleboxes and other deeply TCP-aware network elements)
> > documented where folks might look for it when thinking about new
> > options or other new functionality. I would be happy to help flesh out
> > some text here.

I don't really want to add a whole section for this, since we aren't 
going to actually change anything; however, I think it makes sense to 
add the above-mentioned reference to RFC 8546, plus a little bit more 
expansion that references RFC 8558 as having additional recommendations 
that could be applied with regard to future TCP extensions.

If this sounds okay, I can add a couple of sentences to the draft.
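The cleartext metadata and the unprotected option list that the review above is concerned with, as an added example that is not part of the original thread or of the rfc793bis draft. It is Python over the standard library only; the SYN segment, its endpoint addresses (documentation ranges) and the option-stripping middlebox are constructed for illustration, and the experimental option kind 253 stands in for a hypothetical new extension:

```python
"""Added example, not part of the original thread or of the rfc793bis draft:
parse the cleartext TCP header of a constructed SYN to show what an on-path
observer sees, then simulate a hypothetical middlebox that rewrites the
unprotected option list and simply recomputes the checksum."""
import socket
import struct

# Option kinds from the IANA TCP Option Kind registry.
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_PERM, OPT_SACK, OPT_TS = 0, 1, 2, 3, 4, 5, 8
OPT_EXPERIMENTAL = 253  # stands in for a hypothetical new extension
FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")
SRC_IP, DST_IP = "192.0.2.10", "198.51.100.20"  # constructed sample endpoints


def parse_options(raw):
    """Decode the options area into a list of (kind, value) tuples."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            opts.append((OPT_NOP, None))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length")
        body = raw[i + 2:i + length]
        if kind == OPT_MSS:
            value = struct.unpack("!H", body)[0]
        elif kind == OPT_WSCALE:
            value = body[0]
        elif kind == OPT_TS:
            value = struct.unpack("!II", body)  # (TSval, TSecr)
        elif kind == OPT_SACK:
            value = [struct.unpack("!II", body[j:j + 8]) for j in range(0, len(body), 8)]
        else:
            value = bytes(body)  # unknown kind: keep the raw bytes
        opts.append((kind, value))
        i += length
    return opts


def parse_tcp(segment):
    """Return every field of the TCP header; all of it is cleartext on the wire."""
    if len(segment) < 20:
        raise ValueError("short header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [n for bit, n in enumerate(FLAG_NAMES) if off_flags & (1 << bit)],
        "window": window, "checksum": csum, "urgent": urg,
        "options": parse_options(segment[20:data_offset]),
        "payload_len": len(segment) - data_offset,
    }


def tcp_checksum(src_ip, dst_ip, segment):
    """Ones-complement checksum over the IPv4 pseudo-header and the segment."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment[:16] + b"\x00\x00" + segment[18:]  # checksum field zeroed
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(src_ip, dst_ip, segment):
    """True when the stored checksum matches the recomputed one."""
    return tcp_checksum(src_ip, dst_ip, segment) == struct.unpack("!H", segment[16:18])[0]


def build_syn():
    """Constructed sample SYN: MSS, SACK-permitted, Timestamps, window scale
    and one experimental option standing in for a hypothetical new extension."""
    options = (struct.pack("!BBH", OPT_MSS, 4, 1460)
               + bytes([OPT_SACK_PERM, 2])
               + struct.pack("!BBII", OPT_TS, 10, 123456789, 0)
               + bytes([OPT_NOP])
               + bytes([OPT_WSCALE, 3, 7])
               + bytes([OPT_EXPERIMENTAL, 4, 0xAB, 0xCD]))
    words = (20 + len(options)) // 4  # 24 option bytes -> data offset 11 words
    header = struct.pack("!HHIIHHHH", 40000, 443, 0x11223344, 0, (words << 12) | 0x002, 64240, 0, 0)
    segment = header + options
    return segment[:16] + struct.pack("!H", tcp_checksum(SRC_IP, DST_IP, segment)) + segment[18:]


def middlebox_strip_unknown(segment, src_ip, dst_ip,
                            known=(OPT_MSS, OPT_WSCALE, OPT_SACK_PERM, OPT_SACK, OPT_TS)):
    """Hypothetical on-path box: overwrite any option kind it does not recognise
    with NOPs and recompute the checksum. Nothing in the header authenticates
    the option list, so neither endpoint can detect the rewrite."""
    parse_tcp(segment)  # reject malformed input before touching it
    data_offset = (segment[12] >> 4) * 4
    raw = bytearray(segment[20:data_offset])
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        length = raw[i + 1]
        if kind not in known:
            raw[i:i + length] = bytes([OPT_NOP]) * length
        i += length
    rewritten = segment[:20] + bytes(raw) + segment[data_offset:]
    return rewritten[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, rewritten)) + rewritten[18:]
```

parse_tcp returns everything an observer on the path can read without any key: ports, sequence numbers, flags, window and every option, Timestamps values included, none of which the network needs in order to forward the packet. middlebox_strip_unknown is why an un-GREASEd option list ossifies: the checksum is recomputable by anyone on the path, so the rewrite leaves no trace and, in this simulation, the new option kind never reaches the peer, which is the extensibility limit the review asks the draft to document.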