Re: [tcpm] tcpsecure: how strong to recommend?

Joe Touch <touch@ISI.EDU> Wed, 26 September 2007 18:14 UTC

Date: Wed, 26 Sep 2007 11:13:58 -0700
From: Joe Touch <touch@ISI.EDU>
To: "Anantha Ramaiah (ananth)" <>
Subject: Re: [tcpm] tcpsecure: how strong to recommend?
Cc:, Tim Shepard <>

Anantha Ramaiah (ananth) wrote:
> A few points:
> - It is true that TCP secure recommendations might be useful for long
> lived sessions like BGP. But there are many applications using TCP which
> also could benefit from the proposed changes.

As an aside, it would be useful to provide in your doc an example of
such an application, e.g., where the endpoints and port numbers are
known or reasonably guessable.

> The TCP secure changes
> need to be viewed as a standalone thing, since they focus on providing
> robustness to TCP connections w.r.t. some spoofing attacks.

The real point is that spoofing isn't a standalone thing. Putting
protections into TCP without locking down ICMP isn't sufficient, and
inferring authentication from header properties just narrows the window
of attack.

> - TCP secure, TCP MD5, TCP advanced security algorithms, IPsec are all
> different tools with varying degrees of complexity and usage. A user can
> choose to use one of them depending on his/her requirements. Telling
> people to only use IPsec is akin to saying "always fly in business
> class". Yes, I have used this analogy before, but this is one which popped
> up in my mind after today's coffee :-)

If we agree that users should be able to choose the solution that fits,
let's go with MAYs all around.

Otherwise, aren't you dictating your solution as fitting everyone's needs?
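As an added illustration of the point above about header-property checks only narrowing the window of attack (example code written for this archive page, not part of the thread, the tcpsecure draft, or any implementation): the two functions below model RST handling before and after the tcpsecure-style change as it was later specified in RFC 5961 (exact sequence match resets, in-window but inexact sequence gets a challenge ACK, out-of-window is dropped), and a counter shows how many of the 2^32 sequence values a spoofed RST could carry and still tear down the connection under each rule. Window size, RCV.NXT values and the function names are assumptions of the example.

```python
"""Added example (not from the thread): RST acceptance under the classic
in-window rule versus a tcpsecure-style exact-match rule, to make concrete
what 'narrowing the window of attack' means for spoofed resets.
Constants and names below are assumptions chosen for illustration."""

MOD = 1 << 32  # TCP sequence numbers are 32-bit, modulo arithmetic


def in_window(seq, rcv_nxt, rcv_wnd):
    """Classic acceptability test: SEQ lies in [RCV.NXT, RCV.NXT + RCV.WND)
    with wraparound handled by modular subtraction."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def classic_rst(seq, rcv_nxt, rcv_wnd):
    """Pre-tcpsecure behaviour: any RST whose SEQ falls anywhere in the
    receive window is accepted and the connection is torn down."""
    return "reset" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def tcpsecure_rst(seq, rcv_nxt, rcv_wnd):
    """tcpsecure-style handling (as later specified in RFC 5961, sec. 3.2):
    exact match -> reset; elsewhere in window -> answer with a challenge ACK
    and keep the connection; outside the window -> silently drop."""
    if seq == rcv_nxt:
        return "reset"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def accepted_seq_count(policy, rcv_nxt, rcv_wnd):
    """Count how many distinct SEQ values cause a reset under `policy`.
    Only the window plus a small margin needs enumerating: both policies
    drop everything outside the window, so nothing else can count."""
    count = 0
    for off in range(-2, rcv_wnd + 2):
        seq = (rcv_nxt + off) % MOD
        if policy(seq, rcv_nxt, rcv_wnd) == "reset":
            count += 1
    return count


if __name__ == "__main__":
    # Constructed connection state: RCV.NXT near the wrap point, 64 KiB window.
    rcv_nxt, rcv_wnd = (1 << 32) - 10, 65535
    for name, policy in (("classic", classic_rst), ("tcpsecure", tcpsecure_rst)):
        n = accepted_seq_count(policy, rcv_nxt, rcv_wnd)
        print(f"{name:10s}: {n} of {MOD} SEQ values reset the connection")
```

The count drops from the full window size to exactly one, which is the narrowing Joe refers to: the check raises the cost of an off-path spoof but is still a guess on a header field, not authentication, and it says nothing about ICMP-based teardown.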
