Re: [tcpm] feedcback on tcp-secure-05
Pekka Savola <pekkas@netcore.fi> Thu, 13 July 2006 17:44 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1G15Ec-000071-Pw; Thu, 13 Jul 2006 13:44:22 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1G15Eb-00006w-Dl for tcpm@ietf.org; Thu, 13 Jul 2006 13:44:21 -0400
Received: from eunet-gw.ipv6.netcore.fi ([2001:670:86:3001::1] helo=netcore.fi) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1G15Ea-00014J-T4 for tcpm@ietf.org; Thu, 13 Jul 2006 13:44:21 -0400
Received: from localhost (pekkas@localhost) by netcore.fi (8.12.11.20060614/8.12.11) with ESMTP id k6DHiHpK008965 for <tcpm@ietf.org>; Thu, 13 Jul 2006 20:44:17 +0300
Date: Thu, 13 Jul 2006 20:44:17 +0300
From: Pekka Savola <pekkas@netcore.fi>
To: tcpm@ietf.org
Subject: Re: [tcpm] feedcback on tcp-secure-05
In-Reply-To: <44B682AB.9010702@isi.edu>
Message-ID: <Pine.LNX.4.64.0607132034230.8689@netcore.fi>
References: <44B682AB.9010702@isi.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-Virus-Scanned: ClamAV 0.88.2/1594/Wed Jul 12 18:04:34 2006 on otso.netcore.fi
X-Virus-Status: Clean
X-Spam-Status: No, score=-0.0 required=5.0 tests=NO_RELAYS autolearn=failed version=3.1.2
X-Spam-Checker-Version: SpamAssassin 3.1.2 (2006-05-25) on otso.netcore.fi
X-Spam-Score: -2.8 (--)
X-Scan-Signature: 082a9cbf4d599f360ac7f815372a6a15
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Errors-To: tcpm-bounces@ietf.org
Note: I have not read the spec. I'd intend to do it once it gets into WGLC. But some follow-up to some of Joe's points below, On Thu, 13 Jul 2006, Joe Touch wrote: > The doc continues to have a detailed but somewhat incomplete discussion > of the attack scenario; the point of tcp-antispoof was to provide a much > more detailed version of that discussion that should not be > recapitulated but rather cited. You couldn't just simply cite it without any summary though, as antispoof is heading Informational, and doing so would likely require a down-ref. > No reasoning is given for numeric limits to ACK throttling (why 10 in 5 > seconds? why not a ratio of the number of conventional ACKs provided) Simpler to implement, maybe? > The doc should also indicate that preventing these attacks does NOT > prevent ICMP attacks (and cite Gont's draft in this regard); it would be > useful for the security considerations to address whether ICMPs should > be blocked altogether and what the impact of that would be. Without such > blocking, it's not clear what the utility of this solution would be. First of all, your last comment is correct only in isolation, i.e., when ICMP attack protections have not been implemented but this is. In reality, all vendors have implemented ICMP attack protections for at least about 1.5 years. I do no think this document should be saying anything about blocking ICMPs. On the other hand, reference to ICMP attacks would probably make sense. Whether there should be more extensive discussion of ICMP attacks might or might not make sense, depending on the how heavily this doc would depend on the security discussion of tcp-antispoof. > The specific modifications suggested are given as loosely discussed > recipes rather than a specific list of the modifications to TCP; IMO, > the latter should be required. I'd agree that specific modifications would likely be preferable. In section 3.2 the text says: Instead, this document requires that implementations MUST perform the following steps in place of those specified in [RFC0793](listed above). Just to be clear, I'd rather say: Instead, this document requires that implementations that implement this specification MUST perform the following steps in place of those specified in [RFC0793](listed above). or something like that. This doc is not making the behaviour of 793 incompliant, surely. But rather introducing a specification that, if implemented, must be done in a certain way. -- Pekka Savola "You each name yourselves king, yet the Netcore Oy kingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings _______________________________________________ tcpm mailing list tcpm@ietf.org https://www1.ietf.org/mailman/listinfo/tcpm
- [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Pekka Savola
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Pekka Savola
- Re: [tcpm] feedcback on tcp-secure-05 Randall Stewart
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Randall Stewart
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Fernando Gont
- RE: [tcpm] feedcback on tcp-secure-05 Fernando Gont
- RE: [tcpm] feedcback on tcp-secure-05 Anantha Ramaiah (ananth)
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- RE: [tcpm] feedcback on tcp-secure-05 Anantha Ramaiah (ananth)
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Ted Faber
- RE: [tcpm] feedcback on tcp-secure-05 Anantha Ramaiah (ananth)
- Re: [tcpm] feedcback on tcp-secure-05 Fernando Gont
- RE: [tcpm] feedcback on tcp-secure-05 Mitesh Dalal (mdalal)
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- RE: [tcpm] feedcback on tcp-secure-05 Anantha Ramaiah (ananth)
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Ted Faber
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Pekka Savola
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Fernando Gont
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Randall Stewart
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05 Fernando Gont
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Fernando Gont
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Ted Faber
- Re: [tcpm] feedcback on tcp-secure-05 Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Ted Faber
- [tcpm] ICMP attacks draft Fernando Gont
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Fernando Gont
- Re: [tcpm] ICMP attacks draft Joe Touch
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Ted Faber
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Fernando Gont
- Re: [tcpm] feedcback on tcp-secure-05: suggested … Ted Faber
- Re: [tcpm] ICMP attacks draft Fernando Gont
- Re: [tcpm] ICMP attacks draft Joe Touch
- Re: [tcpm] ICMP attacks draft Fernando Gont
- Re: [tcpm] ICMP attacks draft Joe Touch