Re: [tcpm] Some comments on tcpsecure
Joe Touch <touch@ISI.EDU> Tue, 08 April 2008 20:31 UTC
Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1C0E628C408; Tue, 8 Apr 2008 13:31:32 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E64A228C395 for <tcpm@core3.amsl.com>; Tue, 8 Apr 2008 13:31:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TvA5710lEBXc for <tcpm@core3.amsl.com>; Tue, 8 Apr 2008 13:31:29 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 09DD428C36A for <tcpm@ietf.org>; Tue, 8 Apr 2008 13:31:26 -0700 (PDT)
Received: from [127.0.0.1] (61.sub-75-215-238.myvzw.com [75.215.238.61]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id m38KVLpi003147 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 8 Apr 2008 13:31:23 -0700 (PDT)
Message-ID: <47FBCDD9.2090201@isi.edu>
Date: Tue, 08 Apr 2008 12:56:09 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
MIME-Version: 1.0
To: Fernando Gont <fernando@gont.com.ar>
References: <200804041832.m34IWTC5025090@venus.xmundo.net> <47F68794.6050100@isi.edu> <200804042012.m34KCk8U022643@venus.xmundo.net> <47F68DC7.2050303@isi.edu> <200804050557.m355vAjU013266@venus.xmundo.net> <47F7B43E.6010004@isi.edu> <200804052024.m35KOlmj018418@venus.xmundo.net> <47F7E2D0.8010802@isi.edu> <200804052353.m35NrdO1031661@venus.xmundo.net> <47F82129.2000603@isi.edu> <200804061042.m36AgYGx028003@venus.xmundo.net> <47F92D13.4020809@isi.edu> <200804062241.m36MfGKx010325@venus.xmundo.net> <47F9AB92.80405@isi.edu> <200804071517.m37FHcq4022232@venus.xmundo.net> <47FA4057.7050206@isi.edu> <200804081912.m38JCQAM008441@venus.xmundo.net>
In-Reply-To: <200804081912.m38JCQAM008441@venus.xmundo.net>
X-Enigmail-Version: 0.95.6
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tcpm@ietf.org
Subject: Re: [tcpm] Some comments on tcpsecure
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0631882371=="
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org
Fernando Gont wrote: ... >> But this is still somewhat off topic if there's a way to get 95% of >> the way there without doing a seq check, which is what I'm suggesting. >> That would correct the *intent* of the current code without *needing >> to change the current specs* (which is the only way to *require* >> timely ICMPs). > > ICMP code has been for a long time (>20+ years, in some cases) to do > "hard errors -> soft errors". The TCP SEQ check was originally > implemented in Linux as a general validation check. Then applied in > virtually all stacks for the same reason. > The TCP SEQ check is particularly useful as a mitigation against PMTUD > attacks... and some have seen as something quicker/easier to implement > than the mechanism proposed in my draft (although FWIW, I implemented > the mechanism myself for OpenBSD, and it wasn't what pne would call > "complex" at all...) I'd like to see a mechanism that's sufficiently easy to implement that accomplishes the intent, even if it differs from what's currently deployed. That presumes we're trying to find a good solution, rather than document the existing deployed solution. ... >> Robustness also allows signalled connection faults to recover quickly, >> rather than on the same timescale as a 'no message' timeout. Yes, >> though, the devil is in the detail of what that timeout would be. > > You say it allows a connection to recover quickly, but... why would it > actually recover, if you are not affecting the path that packets follow? Recovery could involve the application terminating a poor connection in favor of a better alternate, e.g., to a different IP address. By prolonging the agony, we're failing to indicate that the connection is having a substantial problem. Joe
_______________________________________________ tcpm mailing list tcpm@ietf.org https://www.ietf.org/mailman/listinfo/tcpm
- [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Anantha Ramaiah (ananth)
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Anantha Ramaiah (ananth)
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Anantha Ramaiah (ananth)
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- [tcpm] ICMP error origination timeliness Pekka Savola
- Re: [tcpm] ICMP error origination timeliness Joe Touch
- Re: [tcpm] ICMP error origination timeliness Anantha Ramaiah (ananth)
- Re: [tcpm] ICMP error origination timeliness Joe Touch
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Ted Faber
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Ted Faber
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Ted Faber
- Re: [tcpm] Some comments on tcpsecure Anantha Ramaiah (ananth)
- Re: [tcpm] Some comments on tcpsecure Ted Faber
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Joe Touch
- Re: [tcpm] Some comments on tcpsecure Fernando Gont
- Re: [tcpm] Some comments on tcpsecure Anantha Ramaiah (ananth)