Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt-01

Joe Touch <touch@ISI.EDU> Tue, 29 July 2008 22:29 UTC

Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 972493A6B4A; Tue, 29 Jul 2008 15:29:48 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 298363A6AF8 for <tcpm@core3.amsl.com>; Tue, 29 Jul 2008 15:29:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.483
X-Spam-Level:
X-Spam-Status: No, score=-2.483 tagged_above=-999 required=5 tests=[AWL=0.116, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BOAIpIdtRcF8 for <tcpm@core3.amsl.com>; Tue, 29 Jul 2008 15:29:46 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 225353A6ABB for <tcpm@ietf.org>; Tue, 29 Jul 2008 15:29:46 -0700 (PDT)
Received: from [172.16.7.194] ([130.129.65.153]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id m6TMTWR0006007 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 29 Jul 2008 15:29:35 -0700 (PDT)
Message-ID: <488F99AB.3090207@isi.edu>
Date: Tue, 29 Jul 2008 15:28:59 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.16 (Windows/20080708)
MIME-Version: 1.0
To: Adam Langley <agl@imperialviolet.org>
References: <20080728042451.C7A174B7AD3@kilo.rtfm.com> <488D6968.9010102@isi.edu> <20080728131254.3DD764B88F7@kilo.rtfm.com> <488DD77D.9070608@isi.edu> <20080728144721.AC9184B905A@kilo.rtfm.com> <488DE021.7070307@isi.edu> <396556a20807280931i257c6597o14cf45f8710611bf@mail.gmail.com> <20080728164235.8DD974B96B6@kilo.rtfm.com> <488E0749.4020402@isi.edu> <396556a20807281106kfe6eb89sdb32d3836e508ea0@mail.gmail.com>
In-Reply-To: <396556a20807281106kfe6eb89sdb32d3836e508ea0@mail.gmail.com>
X-Enigmail-Version: 0.95.6
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tcpm@ietf.org
Subject: Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt-01
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Adam,

Adam Langley wrote:
| Some points from the discussion:
|
| Regarding NATs:
|
| Your reasoning, as I understood it, for not including an option to
| exclude the pseudoheader and port numbers for NAT traversal was that
| the host needs these items to lookup the correct key anyway.
|
| There are several situation where this is not the case. (I'll point
| out that I see TCP-AO as being useful outside the domain of securing
| BGP sessions between backbone routers)
|
| 1) A host installs a key on a listening socket with a wildcard
| address.

We don't support this use. There are no wildcard addresses in installed
keys; only the source port can be wildcarded.

| Thus, one can only connect to the socket if you know the key.
| The key probably rotates based on time. This is currently, usually
| done based on "port knocking" - which has always struck me as a messy
| solution. The resulting, ESTABLISHED connection knows the port numbers
| and IP addresses without having to establish it before hand.
|
| 2) An unauthenticated connection is established and the userland code
| wishes to upgrade to TCP-AO. Again, since the connection is
| established the keyset to use are implicit. I didn't know that the
| NONE mac was designed for upgrading like this. In my Linux patches
| there's a TCP_AUTH_LATCH option which means "accept unsigned packets
| until the first signed packet, then require signatures".

That's changing from NONE to a non-NONE MAC.

| Keyids:
|
| I agree that keeping the cryptography in the MAC is a good thing.
| There is an implementation issue about the number of keys that a
| kernel may have to store (80ish bytes per key * 256 keys * number of
| configured hosts), but that's not a spec problem.

Agreed. I'll try to capture that.

Joe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkiPmasACgkQE5f5cImnZruPvACffvwthv0WF/N3MYbXQgZjt7Ft
lwsAoIXk+Ac9/1YH9xp3xFdlEb/1ym+v
=xP0v
-----END PGP SIGNATURE-----
_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm