Re: [tcpm] draft-gont-tcp-security

Fernando Gont <fernando@gont.com.ar> Mon, 13 April 2009 18:30 UTC

Sender: Fernando Gont <fernando.gont.netbook.win@gmail.com>
Message-ID: <49E384E9.1050106@gont.com.ar>
Date: Mon, 13 Apr 2009 15:31:05 -0300
From: Fernando Gont <fernando@gont.com.ar>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: Joe Touch <touch@ISI.EDU>
References: <C304DB494AC0C04C87C6A6E2FF5603DB221318F5E8@NDJSSCC01.ndc.nasa.gov> <49E36AB9.40507@isi.edu>
In-Reply-To: <49E36AB9.40507@isi.edu>
X-Enigmail-Version: 0.95.7
OpenPGP: id=D076FFF1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: Joel Jaeggli <joelja@bogus.com>, "tcpm@ietf.org" <tcpm@ietf.org>, ietf@ietf.org, Joe Abley <jabley@ca.afilias.info>
Subject: Re: [tcpm] draft-gont-tcp-security
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>

Joe Touch wrote:

> I'm not at all clear that the WG needs this document. 

Yes, we still have the option to ignore that vendors have had to figure
out by themselves how to produce a resilient implementation of TCP,
because the current IETF advice regarding these issues is close to null.

So we had tcp-secure in 2004, icmp-attacks in 2005, a claim for a
trivial attack in 2008 (Outpost24/CERT-FI), and we'll probably continue
in this line, because we do nothing about it.


> It summarizes issues already raised by the WG, 

I believe this statement is unfair with respect to our document. E.g.,
have the issues described in Section 4.3, Section 9.2, or Section 10 been
brought to tcpm before?



> and makes recommendations (IMO) in
> excess of what the WG has agreed upon for general use.
> 
> TCP itself is not a secure protocol, nor is it intended to be.

Yeah. But that does not mean that we should not do our best to improve
it. Please talk to vendors. I don't want to reproduce here what seems to
be the consensus among vendors with respect to the current state of
affairs in terms of how up-to-date our specs are.

Please let me know which implementations do not aim at doing this. If
you know of any, please produce a fingerprint for nmap, and post an
announcement to bugtraq/full-disclosure. The ecosystem will probably do
the rest to get them updated.



> IMO, if there are operational issues with deploying TCP in environments
> under attack, that is an OPSEC issue.

Yeah... problems with deploying it in the current Internet....

If tcpm agrees that opsec would be a better venue for this document, I'll
be glad to pursue this effort there. At this point, tcpm and opsec are
two possible options, with no preference for either of the two.

Kind regards,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1