Re: [tcpm] [OPSEC] draft-gont-tcp-security
Todd Glassey <tglassey@earthlink.net> Wed, 15 April 2009 14:46 UTC
Return-Path: <tglassey@earthlink.net>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 454E13A6A45; Wed, 15 Apr 2009 07:46:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.552
X-Spam-Level:
X-Spam-Status: No, score=-2.552 tagged_above=-999 required=5 tests=[AWL=0.047, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GAo8UGfzC3Uv; Wed, 15 Apr 2009 07:46:10 -0700 (PDT)
Received: from elasmtp-dupuy.atl.sa.earthlink.net (elasmtp-dupuy.atl.sa.earthlink.net [209.86.89.62]) by core3.amsl.com (Postfix) with ESMTP id 434BC3A6944; Wed, 15 Apr 2009 07:46:10 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=earthlink.net; b=Xt1YVas4lT3EYf+o5AS8UQ3T7JFElyyx97LzJ+949KiyIKCXdAWupFW3nKtG6uYA; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding:X-ELNK-Trace:X-Originating-IP;
Received: from [67.180.133.66] (helo=[192.168.1.100]) by elasmtp-dupuy.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from <tglassey@earthlink.net>) id 1Lu6OU-0001Oy-U2; Wed, 15 Apr 2009 10:47:19 -0400
Message-ID: <49E5F36D.7020808@earthlink.net>
Date: Wed, 15 Apr 2009 07:47:09 -0700
From: Todd Glassey <tglassey@earthlink.net>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: Lars Eggert <lars.eggert@nokia.com>
References: <C304DB494AC0C04C87C6A6E2FF5603DB221318F5E8@NDJSSCC01.ndc.nasa.g ov><49E36AB9.40507@isi.edu> <49E384E9.1050106@gont.com.ar><49E3878C.9080200@isi.edu> <49E39119.1060902@gont.com.ar> <B01905DA0C7CDC478F42870679DF0F1004BC4176D0@qtdenexmbm24.AD.QINTRA.COM> <49E3A88F.9060301@gont.com.ar> <49E3ABC0.1050601@isi.edu> <49E3B9BF.1060901@gont.com.ar> <49E3BED9.1030701@isi.edu> <C9E987CC-0213-4C67-BA0A-11C736772EE7@nokia.com> <49E4D257.40504@gont.com.ar> <49E4E233.9040609@earthlink.net> <EC5F7E6A-0393-41CC-B4DF-BCD134FF4EF5@nokia.com>
In-Reply-To: <EC5F7E6A-0393-41CC-B4DF-BCD134FF4EF5@nokia.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-ELNK-Trace: 01b7a7e171bdf5911aa676d7e74259b7b3291a7d08dfec79f67c55b1fa4594b85a5844cb47905a42350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 67.180.133.66
X-Mailman-Approved-At: Wed, 15 Apr 2009 08:02:13 -0700
Cc: "'tcpm@ietf.org'" <tcpm@ietf.org>, "'ietf@ietf.org'" <ietf@ietf.org>, Joe Touch <touch@ISI.EDU>, "Smith, Donald" <Donald.Smith@qwest.com>, 'Joe Abley' <jabley@ca.afilias.info>, "'opsec@ietf.org'" <opsec@ietf.org>, Fernando Gont <fernando@gont.com.ar>
Subject: Re: [tcpm] [OPSEC] draft-gont-tcp-security
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Apr 2009 14:46:11 -0000
Lars Eggert wrote: > Hi, Todd, > > On 2009-4-14, at 22:21, Todd Glassey wrote: >> Fernando Gont wrote: >>> Lars Eggert wrote: >>>> I agree with Joe that some of the hardening techniques that vendors >>>> are >>>> implementing come with consequences (make TCP more brittle). To me, >>>> this >>>> is a *reason* this document should be published via the IETF (i.e., >>>> TCPM) - we are probably in the best position to correctly evaluate and >>>> classify the impact of various hardening techniques. Stack vendors >>>> have >>>> been putting these mechanisms in to their stacks without clear >>>> specifications and discussions of the potential upsides and downsides >>>> that would let them make an educated decision. It seems clear to me >>>> that >>>> the vendor community is looking for guidance here, and I do believe >>>> the >>>> IETF should give it. >>>> >>> >>> This is the reason for which the output of the CPNI project was >>> submitted as an IETF I-D. >>> >> Yeah - so then this would be tested across all of the local TCP >> implementations including the MS, AT&T *(i.e. Lachman Associates Inc) >> and possibly Mentat's fast system? > > Nothing would be "tested", the IETF isn't in the business of auditing > TCP stacks. Yo Lars Good-morning, let me respond. "Sure it is..." let me amplify - Don't the IETF standards processes "require the development of two or more independent implementations of any given protocol specification and the associated interoperability testing to document that the suite runs as advertised in the specification?" - I generally refer to that as IOT (Inter-Operability Testing). And for what its worth the IETF's mergence towards a leading edge standards process also reinforces the importance of that testing too by the way. By comparison, in trailing edge standards processes the IOT is accomplished in the various implementations which are done in the industry. In leading edge models where there is genesis happening the testing would have to be included in the implementation of any prototypes of the stack or system and its operations. This IMHO is the real issue with the worlds abuse of the IETF's processes - they seem to think that RFC's are standards and there are many here who use that to substantiate their technological advantage in their marketing, meaning that they derive financial value from misrepresenting this to the commercial community as well I think. The fix for that is to make RFC's unreliable for use as a protocol specification for anything other than a Standards Track effort as they should be - a Request For Comments rather than something the Trust's selling access to. Todd Glassey > What we're talking about is describing attack vectors, potential > countermeasures and the the impact (downsides) those countermeasures > might come with. Implementors will need to decide for themselves if > and how to apply any of these techniques to their stacks. Which would be filed as a Use Case Document as a set lf BCP's for a protocol stanadard. This by the way is where the real value of the IETF comes in - in also telling people how to and how not to use these protocols. Todd > > Lars
- [tcpm] draft-gont-tcp-security Eddy, Wesley M. (GRC-RCN0)[Verizon]
- Re: [tcpm] draft-gont-tcp-security Joe Touch
- Re: [tcpm] draft-gont-tcp-security Fernando Gont
- Re: [tcpm] draft-gont-tcp-security Joe Touch
- Re: [tcpm] draft-gont-tcp-security Fernando Gont
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Fernando Gont
- Re: [tcpm] draft-gont-tcp-security Joe Touch
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Joe Touch
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Joe Touch
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Fernando Gont
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Joe Touch
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Joe Touch
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Fernando Gont
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Lars Eggert
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Joe Touch
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Smith, Donald
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Smith, Donald
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Joel Jaeggli
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Smith, Donald
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Joe Touch
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Fernando Gont
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Fernando Gont
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Lars Eggert
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Todd Glassey
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Todd Glassey
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Lars Eggert
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Lars Eggert
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Fernando Gont
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Joel Jaeggli
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Fernando Gont
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Joe Touch
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Fernando Gont
- Re: [tcpm] [OPSEC] draft-gont-tcp-security Joe Touch