Re: [tcpm] TCP Auth experimental Linux patches

"Adam Langley" <agl@imperialviolet.org> Mon, 28 July 2008 16:19 UTC

Message-ID: <396556a20807280919u5ddb2c5o820f9743344f3093@mail.gmail.com>
Date: Mon, 28 Jul 2008 09:19:20 -0700
From: Adam Langley <agl@imperialviolet.org>
To: LANGE Andrew <Andrew.Lange@alcatel-lucent.com>
In-Reply-To: <66F9363AB70F764C96547BD8A0A3679E154B7C@USDALSMBS05.ad3.ad.alcatel.com>
References: <396556a20807181432s2bc50f84kf932b9804c6abf24@mail.gmail.com> <396556a20807181440i438f2696yced3e0c7d713bd1f@mail.gmail.com> <66F9363AB70F764C96547BD8A0A3679E154B7C@USDALSMBS05.ad3.ad.alcatel.com>
Cc: tcpm@ietf.org
Subject: Re: [tcpm] TCP Auth experimental Linux patches

On Mon, Jul 28, 2008 at 5:56 AM, LANGE Andrew
<Andrew.Lange@alcatel-lucent.com> wrote:
> I think it's fantastic that you're working on an implementation of extended
> tcp auth.  However, I fear your efforts may be misdirected. The reason is
> that the settled-down spec is in draft-bonica, not the one in the tcpm working
> group draft.  Draft-bonica is implemented, deployed and interops between
> Alcatel, Cisco and Juniper routers.  Implementing draft-bonica, and testing
> against the router implementations would be the right direction to pursue.

The draft-bonica is, indeed, *very* similar to TCP-AO (the same
cryptographic weaknesses and all, sadly). In fact, I believe that it
would be about an extra dozen lines of code to add support for it.
Since you claim that it has some deployment, that would certainly seem
to be worthwhile to do.

The patch has seen some work since I first posted it and the userspace
interface is now described in [1]. It would be most helpful if you
could review that. I believe that the only difference is that I have
the MAC function as a property of a keyset, not a key. If you are
intending on key rotation also changing the MAC function then that
would have to change.

Cheers,

AGL

[1] http://marc.info/?l=linux-netdev&m=121702166623000&w=2

-- 
Adam Langley agl@imperialviolet.org http://www.imperialviolet.org
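One way to model the keyset design point raised above, as an added illustration that is not the patch's code and not taken from the linked interface description; the AuthKey/KeySet names, the HMAC algorithms, the truncation lengths and the sample segment are all assumptions:

```python
"""Hypothetical model of a TCP authentication keyset (added illustration,
not the Linux patch or draft-bonica code). It shows what changes when the
MAC function is a property of each key instead of the whole keyset: a key
rotation can then also switch MAC algorithm without replacing the keyset."""
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AuthKey:
    key_id: int
    secret: bytes
    mac_alg: str   # per-key MAC function (hash name understood by hmac)
    mac_len: int   # truncated MAC length carried in the option


@dataclass
class KeySet:
    keys: dict = field(default_factory=dict)
    send_id: int = 0   # key used for outgoing segments

    def add(self, key):
        self.keys[key.key_id] = key

    def rotate_to(self, key_id):
        # Rotation only changes the send key; older keys stay for receive.
        if key_id not in self.keys:
            raise KeyError(key_id)
        self.send_id = key_id


def compute_mac(key, segment):
    return hmac.new(key.secret, segment, key.mac_alg).digest()[:key.mac_len]


def sign(keyset, segment):
    key = keyset.keys[keyset.send_id]
    return key.key_id, compute_mac(key, segment)


def verify(keyset, segment, key_id, mac):
    key = keyset.keys.get(key_id)
    if key is None:
        return False   # unknown key id: drop the segment
    return hmac.compare_digest(compute_mac(key, segment), mac)


def rotation_demo():
    segment = b"constructed sample TCP segment bytes"   # constructed input
    ks = KeySet()
    ks.add(AuthKey(1, b"old-secret", "sha1", 12))
    ks.add(AuthKey(2, b"new-secret", "sha256", 16))
    ks.rotate_to(1)
    kid, mac = sign(ks, segment)
    ok_before = verify(ks, segment, kid, mac)
    ks.rotate_to(2)   # new key, different MAC algorithm, same keyset
    kid2, mac2 = sign(ks, segment)
    ok_after = verify(ks, segment, kid2, mac2)
    return kid, len(mac), ok_before, kid2, len(mac2), ok_after
```

With the MAC function on the keyset instead, the second key could only use sha1, so a rotation that also changes algorithm would require a whole new keyset.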