Re: [tcpm] tcpsecure recommendations
Joe Touch <touch@ISI.EDU> Thu, 07 February 2008 15:55 UTC
Message-ID: <47AB293D.8040605@isi.edu>
Date: Thu, 07 Feb 2008 07:52:29 -0800
From: Joe Touch <touch@ISI.EDU>
To: mallman@icir.org
References: <20080206174017.6977C36516E@lawyers.icir.org>
In-Reply-To: <20080206174017.6977C36516E@lawyers.icir.org>
Cc: tcpm@ietf.org
Subject: Re: [tcpm] tcpsecure recommendations

Given the AS's statement below:

| ... TCP secure MAY
| (OPTIONAL) be implemented in other cases.
|
| We can recommend each of mitigations with a MAY, SHOULD or MUST. In
| Chicago we winnowed the proposals to three:

#3 makes most sense to me. #1 weakens the AS statement too much, and #2 covers data plane protection that there are too many other ways to spoof (overwriting segments, or just writing segments with predicted header data). This appears to be best applied to an unauthenticated control plane.

Joe

| (1) RST spoofing mitigation: MAY
|     SYN spoofing mitigation: MAY
|     data injection mitigation: MAY
|
| (2) RST spoofing mitigation: SHOULD
|     SYN spoofing mitigation: SHOULD
|     data injection mitigation: SHOULD
|
| (3) RST spoofing mitigation: SHOULD
|     SYN spoofing mitigation: SHOULD
|     data injection mitigation: MAY
|
| Nobody has advocated for other permutations of recommendations
| (although, clearly if people like some different combination they should
| advocate away!).
|
| Can folks please weigh in on their feeling about how strongly we should
| recommend these mitigations given the AS above? It'd be great to get
| this document moving and we're sort of stuck here.
|
| Thanks,
| allman