Re: [tcpm] Some comments on tcpsecure
Ted Faber <faber@ISI.EDU> Tue, 08 April 2008 01:59 UTC
Date: Mon, 07 Apr 2008 18:58:30 -0700
From: Ted Faber <faber@ISI.EDU>
To: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
Message-ID: <20080408015830.GA94097@zod.isi.edu>
References: <20080407212400.GB20562@zod.isi.edu> <0C53DCFB700D144284A584F54711EC5804FA160F@xmb-sjc-21c.amer.cisco.com>
Cc: tcpm@ietf.org, Fernando Gont <fernando@gont.com.ar>, Joe Touch <touch@ISI.EDU>
Subject: Re: [tcpm] Some comments on tcpsecure
On Mon, Apr 07, 2008 at 06:45:53PM -0700, Anantha Ramaiah (ananth) wrote:
> Ted,
>
> > -----Original Message-----
> > From: tcpm-bounces@ietf.org [mailto:tcpm-bounces@ietf.org] On
> > Behalf Of Ted Faber
> > Sent: Monday, April 07, 2008 2:24 PM
> > To: Joe Touch
> > Cc: tcpm@ietf.org; Fernando Gont
> > Subject: Re: [tcpm] Some comments on tcpsecure
> >
> > On Mon, Apr 07, 2008 at 02:02:26PM -0700, Joe Touch wrote:
> > > Fair enough. It can warn - in the security considerations - that these
> > > protections assume corresponding protections on ICMPs, however. I.e.,
> > > it would be incorrect to recommend, but it can warn that "without
> > > corresponding ICMPs, this document may not provide the desired protection"
> >
> > I think the quoted text, including a citation to an
> > appropriate document, would be an excellent addition to the
> > security concerns section of this document. That's speaking
> > as an individual.
>
> Like it has been pointed out above, it would be incorrect to make any
> recommendation about ICMP or any other form of attack vectors in the
> tcpsecure doc since this document is not meant to be a repository of all
> currently known ( and going to be discovered in the near future ;-)
> attacks on TCP. So, IMO the verbiage needs to be chosen carefully if the
> consensus is to provide a pointer to the ICMP doc in the security
> consideration section. I would like to simply put an informative note
> telling "spoofed ICMP packets may also result in TCP connection
> stability issues, and this is discussed in more depth in......." or
> something of that sort.

I'm not writing the document, but Joe's words [lightly edited] look good
to me:

    "Unless implementors address spoofed ICMP messages[], the
    mitigations specified in this document may not provide the desired
    protection."

Write what you want, but that seems to be exactly what needs to be said,
and cut and paste is easy.

I have no attachment to those particular words, but capture the thoughts
because I'd rather not have this discussion again.

-- 
Ted Faber
http://www.isi.edu/~faber           PGP: http://www.isi.edu/~faber/pubkeys.asc
Unexpected attachment on this mail? See http://www.isi.edu/~faber/FAQ.html#SIG