IETF Logo Mail Archive

Re: [tcpm] New Version Notification for draft-touch-tcpm-tcp-edo-01.txt

Joe Touch <touch@isi.edu> Sat, 31 May 2014 20:43 UTC

Return-Path: <touch@isi.edu>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D06681A00A8 for <tcpm@ietfa.amsl.com>; Sat, 31 May 2014 13:43:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level:
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3mnoXAwIgUf1 for <tcpm@ietfa.amsl.com>; Sat, 31 May 2014 13:43:11 -0700 (PDT)
Received: from darkstar.isi.edu (darkstar.isi.edu [128.9.128.127]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 778D61A00A3 for <tcpm@ietf.org>; Sat, 31 May 2014 13:43:11 -0700 (PDT)
Received: from [192.168.1.91] (pool-71-105-87-112.lsanca.dsl-w.verizon.net [71.105.87.112]) (authenticated bits=0) by darkstar.isi.edu (8.13.8/8.13.8) with ESMTP id s4VKgQpC006619 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Sat, 31 May 2014 13:42:34 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\))
Content-Type: text/plain; charset="iso-8859-1"
From: Joe Touch <touch@isi.edu>
In-Reply-To: <5389D15B.80102@uclouvain.be>
Date: Sat, 31 May 2014 13:42:25 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <30A19140-A978-4FE6-9A0E-63F78AF44CF3@isi.edu>
References: <20140425221257.12559.43206.idtracker@ietfa.amsl.com> <2586_1398464386_535ADF82_2586_915_1_535ADF56.9050106@isi.edu> <CF8D8E25-E435-4199-8FD6-3F7066447292@iki.fi> <5363AF84.8090701@mti-systems.com> <5363B397.8090009@isi.edu> <CAO249yeyr5q21-=e6p5azwULOh1_jUsniZ6YPcDYd69av8MMYw@mail.gmail.com> <DCC98F94-EA74-4AAA-94AE-E399A405AF13@isi.edu> <655C07320163294895BBADA28372AF5D2CFE36@FR712WXCHMBA15.zeu.alcatel-lucent.com> <20140503122950.GM44329@verdi> <655C07320163294895BBADA28372AF5D2D009E@FR712WXCHMBA15.zeu.alcatel-lucent.com> <201405221710.s4MHAY4S002037@bagheera.jungle.bt.co.uk> <537E3ACD.5000308@isi.edu> <1AD79820-22C1-4500-84D1-1383F264D68C@weston.borman.com> <201405231213.s4NCDa5P005525@bagheera.jungle.bt.co.uk> <6391C448-A917-4E66-9B73-CB840B193FD7@weston.borman.com> <537F7EE4.4080101@isi.edu> <5388C597.2030202@uclouvain.be> <5388F3E7.9040201@isi.edu> <5389D15B.80102@uclouvain.be>
To: Olivier.Bonaventure@uclouvain.be
X-Mailer: Apple Mail (2.1878.2)
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpm/y2e6_B1BGvkK_NTq3ndqkHorLhw
Cc: David Borman <dab@weston.borman.com>, "tcpm@ietf.org" <tcpm@ietf.org>
Subject: Re: [tcpm] New Version Notification for draft-touch-tcpm-tcp-edo-01.txt
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 31 May 2014 20:43:13 -0000

On May 31, 2014, at 5:55 AM, Olivier Bonaventure <Olivier.Bonaventure@uclouvain.be> wrote:

> Joe,
>> 
>> On 5/30/2014 10:53 AM, Olivier Bonaventure wrote:
>> ...
>>> Let me make two rough proposals that could be worth being explored or at
>>> least documented.
>>> 
>>> 1. The TCP option space is limited, but not the IPv6 destination options
>>> in the IPv6 header.
>> 
>> IP option space would not be protected by TCP-AO, and likely not by
>> whatever the TCPUSEC WG creates (e.g.,my proposal is here:
>> http://tools.ietf.org/html/draft-touch-tcp-ao-encrypt-01)
> 
> If the destination option is used to transport TCP options,
> then it would define how AO would need to take into account the TCP option inserted by the sender in the IPv6 option.

TCP doesn't necessarily get the entire IP header. It's not practical to claim that TCP-AO can protect something it might never see - and certainly might not have control over once it's inserted in the IPv6 header.


>> Additionally, DPI, NAT processing, etc. are all impacted by IPv6
>> options, so they're generally discouraged AFAIR.
> 
> 
> IPv6 options are much cleaner than IPv4 options. IPv4 options are discouraged because they impact the forwarding on routers. For IPv6 options, this is easier since the option type indicates that the option should only be processed by the destination. For NATs or DPI, supporting TCP options as an IPv6 destination option or as any other proposal would be the same problem

IPv6 options push the location of TCP port numbers to places that need to be computed, rather than being known in advance - and wired into hardware.

Anything that looks at ports might toss something with *any* IP options - v4 or v6 - to slow-path.

Joe

v2.23.0 | Report a Bug | By Email