From fernando.gont.netbook.win@gmail.com Mon Jun 1 23:13:29 2009 Return-Path: X-Original-To: tcpm@core3.amsl.com Delivered-To: tcpm@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 834263A6876; Mon, 1 Jun 2009 23:13:29 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.53 X-Spam-Level: X-Spam-Status: No, score=-1.53 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, DATE_IN_PAST_06_12=1.069] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GurYTANP-dkt; Mon, 1 Jun 2009 23:13:28 -0700 (PDT) Received: from mail-qy0-f114.google.com (mail-qy0-f114.google.com [209.85.221.114]) by core3.amsl.com (Postfix) with ESMTP id 61F073A679F; Mon, 1 Jun 2009 23:13:28 -0700 (PDT) Received: by qyk12 with SMTP id 12so928026qyk.29 for ; Mon, 01 Jun 2009 23:13:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :x-enigmail-version:openpgp:content-type:content-transfer-encoding; bh=DC4uBODSWbZI0f6Fjw5Cqb+e3ekhs5he0uRVFq0BPyY=; b=KoB4uUz65nEld3+Is62lCe8XHm+aWK3RXoC3cNn/lDPXmsESu9mt5YE5Mu5X0yRk/B kT+H7zOsUkzFwOJibGgj4xLw4w7sV59eVGmoVw9n3cJ0GY1YyrdtyLEz7rJZUxTpvXfI jtWlEUGnERPWLyf7Zp0wfOatvWM9MZdHd3jAM= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:openpgp:content-type :content-transfer-encoding; b=QVZQS4qb62NL6da+cCwMAcZFe6EGYDnsNOuAVjPICrJ2sal7rc15GBvVTzqC/LlZQ4 GNOoNZm0SgSjsen1RUZTXAQDCC5D5JGAyAwxyKAkcRhSa+Lm75Ic6EQU9AMQ4usFyoZZ YOPw3L9+EWzGViPXgJtj+PcCFuisoqmcEhNg4= Received: by 10.224.2.199 with SMTP id 7mr6481398qak.336.1243923205390; Mon, 01 Jun 2009 23:13:25 -0700 (PDT) Received: from ?192.168.0.151? (129-130-17-190.fibertel.com.ar [190.17.130.129]) by mx.google.com with ESMTPS id 2sm713559qwi.33.2009.06.01.23.13.16 (version=TLSv1/SSLv3 cipher=RC4-MD5); Mon, 01 Jun 2009 23:13:23 -0700 (PDT) Sender: Fernando Gont Message-ID: <4A24626E.90805@gont.com.ar> Date: Mon, 01 Jun 2009 20:21:18 -0300 From: Fernando Gont User-Agent: Thunderbird 2.0.0.21 (Windows/20090302) MIME-Version: 1.0 To: Lars Eggert References: <49E36AB9.40507@isi.edu> <49E384E9.1050106@gont.com.ar><49E3878C.9080200@isi.edu> <49E39119.1060902@gont.com.ar> <49E3A88F.9060301@gont.com.ar> <49E3ABC0.1050601@isi.edu> <49E3B9BF.1060901@gont.com.ar> <49E3BED9.1030701@isi.edu> <49E4D257.40504@gont.com.ar> <49E4E233.9040609@earthlink.net> <49E5F36D.7020808@earthlink.net> <49EE1873.1090907@gont.com.ar> <88ACD16A-1137-4E55-871F-8F0C992D7A63@nokia.com> In-Reply-To: <88ACD16A-1137-4E55-871F-8F0C992D7A63@nokia.com> X-Enigmail-Version: 0.95.7 OpenPGP: id=D076FFF1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: Joel Jaeggli , opsec@ietf.org, tcpm@ietf.org Subject: Re: [tcpm] [OPSEC] draft-gont-tcp-security X-BeenThere: tcpm@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: TCP Maintenance and Minor Extensions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Jun 2009 06:13:29 -0000 Lars Eggert wrote: >> P.S.: Is there any specific proposal/advice to pursue this effort? >> There's has been some talk about tcpm vs opsec, but so far it is not >> clear to me how to proceed here. > > if the IETF decides to work on this, I believe TCPM would be the most > appropriate group, given that that's where the TCP expertise is. I'm > fully OK with doing this in cooperation with OPSEC, maybe via a joint WG > last call or other means, if they desire this. Any plans on how to proceed? So far we have version -00 of the individual submission, but it's not clear to me how to proceed.... > One question: If the IETF decides to publish a document in this space, > and if you decide to offer draft-gont-tcp-security as a starting point > for this work, are the UK CNPI and you as the author OK with the IETF WG > obtaining change control? The WG consensus process would likely lead to > changes compared to the current version, probably even significant changes. Both UK CPNI and me are OK with the document being modified to reflect IETF consensus. However, we do expect me to continue as the document author, and UK CPNI to continue as the author's affiliation (there's nothing unusual with this... but considering that strictly speaking once a document is accepted by a WG the author may be changed, I'm just clarifying that while neither UK CPNI nor me have problems with the document reflecting WG consensus, we do expect the author (Fernando Gont) and the author's affiliation (UK CPNI) to remain "as is"). Thanks! Kind regards, -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@acm.org PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1 From wwwrun@core3.amsl.com Tue Jun 2 09:42:31 2009 Return-Path: X-Original-To: tcpm@ietf.org Delivered-To: tcpm@core3.amsl.com Received: by core3.amsl.com (Postfix, from userid 30) id 885F83A6F07; Tue, 2 Jun 2009 09:42:31 -0700 (PDT) X-idtracker: yes From: The IESG To: IETF-Announce Message-Id: <20090602164231.885F83A6F07@core3.amsl.com> Date: Tue, 2 Jun 2009 09:42:31 -0700 (PDT) Cc: tcpm chair , tcpm mailing list , Internet Architecture Board , RFC Editor Subject: [tcpm] Document Action: 'Adding Explicit Congestion Notification (ECN) Capability to TCP's SYN/ACK Packets' to Experimental RFC X-BeenThere: tcpm@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: TCP Maintenance and Minor Extensions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Jun 2009 16:42:31 -0000 The IESG has approved the following document: - 'Adding Explicit Congestion Notification (ECN) Capability to TCP's SYN/ACK Packets ' as an Experimental RFC This document is the product of the TCP Maintenance and Minor Extensions Working Group. The IESG contact persons are Lars Eggert and Magnus Westerlund. A URL of this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-tcpm-ecnsyn-10.txt Technical Summary This draft specifies a modification to RFC 3168 to allow TCP SYN/ACK packets to be ECN-Capable. For TCP, RFC 3168 only specifies setting an ECN-Capable codepoint on data packets, and not on SYN and SYN/ACK packets. However, because of the high cost to the TCP transfer of having a SYN/ACK packet dropped, with the resulting retransmit timeout, this document specifies the use of ECN for the SYN/ACK packet itself, when sent in response to a SYN packet with the two ECN flags set in the TCP header, indicating a willingness to use ECN. Setting the initial TCP SYN/ACK packet as ECN-Capable can be of great benefit to the TCP connection, avoiding the severe penalty of a retransmit timeout for a connection that has not yet started placing a load on the network. The TCP responder (the sender of the SYN/ACK packet) must reply to a report of an ECN-marked SYN/ACK packet by resending a SYN/ACK packet that is not ECN-Capable. If the resent SYN/ACK packet is acknowledged, then the TCP responder reduces its initial congestion window from two, three, or four segments to one segment, thereby reducing the subsequent load from that connection on the network. If instead the SYN/ACK packet is dropped, or for some other reason the TCP responder does not receive an acknowledgement in the specified time, the TCP responder follows TCP standards for a dropped SYN/ACK packet (setting the retransmit timer). This document updates RFC 3168 Working Group Summary The WG process on this document was fairly smooth. The most interesting bump in the road was that after successfully completing the first WG last call, the authors obtained additional simulation results that warranted changes in the document and a 2nd WG last call. Document Quality There are existing implementations. There is (at least) a Linux implementation in addition to the simulation code. No vendors have formally indicated plans to the WG to implement the modifications in the document, but it is a backwards compatible end-host modification, not a full new protocol or one requiring additional infrastructure support. Personnel Wesley Eddy (weddy@grc.nasa.gov) was the document shepherd. Lars Eggert (lars.eggert@nokia.com) reviewed the document for the IESG. From joelja@bogus.com Wed Jun 3 13:49:02 2009 Return-Path: X-Original-To: tcpm@core3.amsl.com Delivered-To: tcpm@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C51003A6782; Wed, 3 Jun 2009 13:49:02 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qHgZqch8mqR5; Wed, 3 Jun 2009 13:49:01 -0700 (PDT) Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) by core3.amsl.com (Postfix) with ESMTP id C68633A6AA8; Wed, 3 Jun 2009 13:48:40 -0700 (PDT) Received: from [209.97.124.84] ([209.97.124.84]) (authenticated bits=0) by nagasaki.bogus.com (8.14.3/8.14.3) with ESMTP id n53KlqTT049645 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 3 Jun 2009 20:48:34 GMT (envelope-from joelja@bogus.com) Message-ID: <4A26E173.6040802@bogus.com> Date: Wed, 03 Jun 2009 13:47:47 -0700 From: Joel Jaeggli User-Agent: Thunderbird 2.0.0.21 (X11/20090409) MIME-Version: 1.0 To: Fernando Gont References: <49E36AB9.40507@isi.edu> <49E384E9.1050106@gont.com.ar><49E3878C.9080200@isi.edu> <49E39119.1060902@gont.com.ar> <49E3A88F.9060301@gont.com.ar> <49E3ABC0.1050601@isi.edu> <49E3B9BF.1060901@gont.com.ar> <49E3BED9.1030701@isi.edu> <49E4D257.40504@gont.com.ar> <49E4E233.9040609@earthlink.net> <49E5F36D.7020808@earthlink.net> <49EE1873.1090907@gont.com.ar> <88ACD16A-1137-4E55-871F-8F0C992D7A63@nokia.com> <4A24626E.90805@gont.com.ar> In-Reply-To: <4A24626E.90805@gont.com.ar> X-Enigmail-Version: 0.95.7 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Virus-Scanned: ClamAV 0.94.2/9418/Wed Jun 3 12:18:15 2009 on nagasaki.bogus.com X-Virus-Status: Clean Cc: opsec@ietf.org, tcpm@ietf.org Subject: Re: [tcpm] [OPSEC] draft-gont-tcp-security X-BeenThere: tcpm@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: TCP Maintenance and Minor Extensions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Jun 2009 20:49:02 -0000 It's a tough question. In part I think the answer is up to you, I think there's some understanding on the part of tcpm that if this work were to progress on a standards track that tcpm (no opsec) is the place for that to happen. That said there's also some question as what sort of general recommendations about hardening tcp would actually be consider acceptable (in narrow use cases a lot more of them may well be). The diligent blacksmith knows that hardening a tool also makes it more brittle... The result of any such effort is likely to be greatly different than what you have today. An alternative track would have the document headed for informational status either as a working group document or as indivdual submission with an understanding of what sort of advice is provided and who should consider it and the limitations of implmentation based on it's recomendations. It still think exposure to a working group is very important and useful in this context, as a purely independant submission it's simply documentary evidence of the uk cpni's effort's at documenting some percieved flaws in tcp and recomned mitigation strategy which is useful but not dramatically better than putting it on a website. Fernando Gont wrote: > Lars Eggert wrote: > >>> P.S.: Is there any specific proposal/advice to pursue this effort? >>> There's has been some talk about tcpm vs opsec, but so far it is not >>> clear to me how to proceed here. >> if the IETF decides to work on this, I believe TCPM would be the most >> appropriate group, given that that's where the TCP expertise is. I'm >> fully OK with doing this in cooperation with OPSEC, maybe via a joint WG >> last call or other means, if they desire this. > > Any plans on how to proceed? So far we have version -00 of the > individual submission, but it's not clear to me how to proceed.... > > > >> One question: If the IETF decides to publish a document in this space, >> and if you decide to offer draft-gont-tcp-security as a starting point >> for this work, are the UK CNPI and you as the author OK with the IETF WG >> obtaining change control? The WG consensus process would likely lead to >> changes compared to the current version, probably even significant changes. > > Both UK CPNI and me are OK with the document being modified to reflect > IETF consensus. However, we do expect me to continue as the document > author, and UK CPNI to continue as the author's affiliation (there's > nothing unusual with this... but considering that strictly speaking once > a document is accepted by a WG the author may be changed, I'm just > clarifying that while neither UK CPNI nor me have problems with the > document reflecting WG consensus, we do expect the author (Fernando > Gont) and the author's affiliation (UK CPNI) to remain "as is"). > > Thanks! > > Kind regards, From wwwrun@core3.amsl.com Thu Jun 4 12:08:57 2009 Return-Path: X-Original-To: tcpm@ietf.org Delivered-To: tcpm@core3.amsl.com Received: by core3.amsl.com (Postfix, from userid 30) id 703BE3A70E4; Thu, 4 Jun 2009 12:08:57 -0700 (PDT) X-idtracker: yes To: IETF-Announce From: The IESG Message-Id: <20090604190857.703BE3A70E4@core3.amsl.com> Date: Thu, 4 Jun 2009 12:08:57 -0700 (PDT) Cc: tcpm@ietf.org Subject: [tcpm] Last Call: draft-ietf-tcpm-rfc2581bis (TCP Congestion Control) to Draft Standard X-BeenThere: tcpm@ietf.org X-Mailman-Version: 2.1.9 Precedence: list Reply-To: ietf@ietf.org List-Id: TCP Maintenance and Minor Extensions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Jun 2009 19:08:57 -0000 The IESG has received a request from the TCP Maintenance and Minor Extensions WG (tcpm) to consider the following document: - 'TCP Congestion Control ' as a Draft Standard The implementation report supporting the advancement to Draft Standard is at: http://www.ietf.org/mail-archive/web/tcpm/current/msg03133.html The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2009-06-18. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. The file can be obtained via http://www.ietf.org/internet-drafts/draft-ietf-tcpm-rfc2581bis-05.txt Implementation Report can be accessed at http://www.ietf.org/IESG/implementation.html IESG discussion can be tracked via https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=14183&rfc_flag=0 From root@core3.amsl.com Thu Jun 4 13:30:02 2009 Return-Path: X-Original-To: tcpm@ietf.org Delivered-To: tcpm@core3.amsl.com Received: by core3.amsl.com (Postfix, from userid 0) id 1456F3A6D61; Thu, 4 Jun 2009 13:30:01 -0700 (PDT) From: Internet-Drafts@ietf.org To: i-d-announce@ietf.org Content-Type: Multipart/Mixed; Boundary="NextPart" Mime-Version: 1.0 Message-Id: <20090604203002.1456F3A6D61@core3.amsl.com> Date: Thu, 4 Jun 2009 13:30:02 -0700 (PDT) Cc: tcpm@ietf.org Subject: [tcpm] I-D Action:draft-ietf-tcpm-icmp-attacks-05.txt X-BeenThere: tcpm@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: TCP Maintenance and Minor Extensions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Jun 2009 20:30:02 -0000 --NextPart A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the TCP Maintenance and Minor Extensions Working Group of the IETF. Title : ICMP attacks against TCP Author(s) : F. Gont Filename : draft-ietf-tcpm-icmp-attacks-05.txt Pages : 37 Date : 2009-06-04 This document discusses the use of the Internet Control Message Protocol (ICMP) to perform a variety of attacks against the Transmission Control Protocol (TCP) and other similar protocols. Additionally, describes a number of widely implemented modifications to TCP's handling of ICMP error messages that help to mitigate these issues. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-tcpm-icmp-attacks-05.txt Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft. --NextPart Content-Type: Message/External-body; name="draft-ietf-tcpm-icmp-attacks-05.txt"; site="ftp.ietf.org"; access-type="anon-ftp"; directory="internet-drafts" Content-Type: text/plain Content-ID: <2009-06-04132057.I-D@ietf.org> --NextPart-- From touch@ISI.EDU Sat Jun 6 11:46:22 2009 Return-Path: X-Original-To: tcpm@core3.amsl.com Delivered-To: tcpm@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 284A328C0D7 for ; Sat, 6 Jun 2009 11:46:22 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.526 X-Spam-Level: X-Spam-Status: No, score=-2.526 tagged_above=-999 required=5 tests=[AWL=0.074, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h00npPMMRyLq for ; Sat, 6 Jun 2009 11:46:21 -0700 (PDT) Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 540A53A68BA for ; Sat, 6 Jun 2009 11:46:21 -0700 (PDT) Received: from [192.168.1.46] (pool-71-106-86-44.lsanca.dsl-w.verizon.net [71.106.86.44]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id n56IkAEf026658; Sat, 6 Jun 2009 11:46:12 -0700 (PDT) Message-ID: <4A2AB973.3030203@isi.edu> Date: Sat, 06 Jun 2009 11:46:11 -0700 From: Joe Touch User-Agent: Thunderbird 2.0.0.21 (Windows/20090302) MIME-Version: 1.0 To: tcpm Extensions WG X-Enigmail-Version: 0.95.7 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-ISI-4-43-8-MailScanner: Found to be clean X-MailScanner-From: touch@isi.edu Subject: [tcpm] question about TCP-AO and rekeying X-BeenThere: tcpm@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: TCP Maintenance and Minor Extensions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 06 Jun 2009 18:46:22 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, all, One open issue remaining is how to express what was formerly a database with a particular structure (TAPD, previously TSAD) in ways that impact rekeying and possibly future master key management protocols. We decided at the last meeting in SFO to do as follows: - require that each segment match only one key - segments for established connections must match only one connection key - segments for new connections (SYNs) must match only one master key Connection keys never overlap; there would never be two connection keys with the same keyID and socket pair. The open issue focuses on master keys, which would more likely be specified with wildcards, masks, or ranges, esp. for remote port numbers, but also potentially for addresses or local port numbers. This issue is particularly relevant for rekeying - - adding new master keys that would result in new connection keys being derived for existing connections - and how an endpoint would be able to ensure uniqueness as above. Do we need additional constraints to ensure that master key descriptions never overlap? As review, the previous description of keys as a database also implied, by its structure, constraints on wildcards/masks/ranges. Each TAPD entry was: a socket pair descriptor which may include wildcards or masks one or more MKTs, each of which includes: sendID recvID crypto info: master key MAC info KDF info The TAPD was defined so that a segment matched at most one socket pair descriptor, and that MKTs within that descriptor had distinct sendIDs and recvIDs. If we remove that data structure, it would most obviously be replaced with MKTs with their own socket descriptors, i.e.: MKT socket pair descriptor (may include wildcards/masks) sendID recvID crypto info The question that remains is whether MKTs that match a segment all have identical socket pair descriptors, even down to their wildcards/ranges/masks (which was previously required). If not, then how do we ensure that MKTs don't interfere? If we throw our hands up and say this is "implementation detail", then IMO we could be hobbling any KMP, since there would be no common data for the KMP to coordinate. So how do we proceed? If we ensure that MKTs that all apply to a given segment all share the same socket pair descriptor, why can't we call that a data structure and describe it? (is the issue just that we call it a database?) If not, how do we describe the MKTs so that we can enable KMPs? Please post thoughts to this list. Thanks, Joe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkoquXMACgkQE5f5cImnZrvPdwCfZOKNvKpraJ5rp2cuIe89g7MU 9lwAn3qfA+dyY7+vtbA6+C6N3FJbBQis =Yp3/ -----END PGP SIGNATURE----- From fernando.gont.netbook.win@gmail.com Tue Jun 9 00:32:35 2009 Return-Path: X-Original-To: tcpm@core3.amsl.com Delivered-To: tcpm@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 309D23A698D; Tue, 9 Jun 2009 00:32:35 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aHJWI50KU+gn; Tue, 9 Jun 2009 00:32:34 -0700 (PDT) Received: from mail-qy0-f111.google.com (mail-qy0-f111.google.com [209.85.221.111]) by core3.amsl.com (Postfix) with ESMTP id 0CB093A68EC; Tue, 9 Jun 2009 00:32:33 -0700 (PDT) Received: by qyk9 with SMTP id 9so233716qyk.29 for ; Tue, 09 Jun 2009 00:32:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :x-enigmail-version:openpgp:content-type:content-transfer-encoding; bh=KYEMqfOea6pUREOtZo7Sx1JsCkUqwlLkzlHqvfj+RbY=; b=OZZuIn6VmzqGfJ0SKgqk2xzaEq4pomIIwYqXF13Ioq7m/E1IiOD2qMB7by5SZSPiSn o0BVJ1a89QWSZYuA1ajJ9X7fjlaPStDx/YowHLxqTjctDpGJg7PXI7+8JBuPd6Yvb8uf 3cFFEMJlPPUPaKnddzszFqiPaLYA8niilFOE8= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:openpgp:content-type :content-transfer-encoding; b=Z9/GzxmVLFxTvyxhd/Z2AnLfgfgYRmw5vlh1Ko1zSrLMyWphgn+1TuoU+7GZmlPb9R ykIzokCVXvct99h8s/+WF5+66CLlvDL39cKwDuMqYzda3vDpcXXWpbSWo9X+0jxXD5oZ PG5tyqcaOK5Xe2OP21e9/NJfijPb2KZqYQo80= Received: by 10.224.60.203 with SMTP id q11mr7718504qah.245.1244532756811; Tue, 09 Jun 2009 00:32:36 -0700 (PDT) Received: from ?192.168.0.151? (148-82-231-201.fibertel.com.ar [201.231.82.148]) by mx.google.com with ESMTPS id 8sm981208qwj.34.2009.06.09.00.32.28 (version=TLSv1/SSLv3 cipher=RC4-MD5); Tue, 09 Jun 2009 00:32:34 -0700 (PDT) Sender: Fernando Gont Message-ID: <4A2E1008.4060303@gont.com.ar> Date: Tue, 09 Jun 2009 04:32:24 -0300 From: Fernando Gont User-Agent: Thunderbird 2.0.0.21 (Windows/20090302) MIME-Version: 1.0 To: Joel Jaeggli References: <49E36AB9.40507@isi.edu> <49E384E9.1050106@gont.com.ar><49E3878C.9080200@isi.edu> <49E39119.1060902@gont.com.ar> <49E3A88F.9060301@gont.com.ar> <49E3ABC0.1050601@isi.edu> <49E3B9BF.1060901@gont.com.ar> <49E3BED9.1030701@isi.edu> <49E4D257.40504@gont.com.ar> <49E4E233.9040609@earthlink.net> <49E5F36D.7020808@earthlink.net> <49EE1873.1090907@gont.com.ar> <88ACD16A-1137-4E55-871F-8F0C992D7A63@nokia.com> <4A24626E.90805@gont.com.ar> <4A26E173.6040802@bogus.com> In-Reply-To: <4A26E173.6040802@bogus.com> X-Enigmail-Version: 0.95.7 OpenPGP: id=D076FFF1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: opsec@ietf.org, tcpm@ietf.org Subject: Re: [tcpm] [OPSEC] draft-gont-tcp-security X-BeenThere: tcpm@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: TCP Maintenance and Minor Extensions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Jun 2009 07:32:35 -0000 Hello, Joel, Comments in-line... > It's a tough question. In part I think the answer is up to you, I think > there's some understanding on the part of tcpm that if this work were to > progress on a standards track that tcpm (no opsec) is the place for that > to happen. Ok. My proposal is, that unless there's any alternative proposal, I'd like this document to be pursued as "Informational" within opsec. > That said there's also some question as what sort of general > recommendations about hardening tcp would actually be consider > acceptable (in narrow use cases a lot more of them may well be). > > The diligent blacksmith knows that hardening a tool also > makes it more brittle... This is a nice quote, but... I'd like examples. e.g., start discussing about which specific hardening proposal makes TCP more brittle. > The result of any such effort is likely to be greatly different than > what you have today. That's not a problem. > An alternative track would have the document headed for informational > status either as a working group document or as indivdual submission > with an understanding of what sort of advice is provided and who should > consider it and the limitations of implmentation based on it's > recomendations. It still think exposure to a working group is very > important and useful in this context, Ok. Good. As I mentioned, unless somebody else comes up with an alternative proposal, I'd like the document to target "Informational" at opsec. I guess that at some point tcpm may want to work on some of the stuff in the document on a piecemeal basis. > as a purely independant submission > it's simply documentary evidence of the uk cpni's effort's at > documenting some percieved flaws in tcp and recomned mitigation strategy > which is useful but not dramatically better than putting it on a website. -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@acm.org PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1 From touch@ISI.EDU Tue Jun 9 06:43:25 2009 Return-Path: X-Original-To: tcpm@core3.amsl.com Delivered-To: tcpm@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A6FD13A6912; Tue, 9 Jun 2009 06:43:25 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.164 X-Spam-Level: X-Spam-Status: No, score=-2.164 tagged_above=-999 required=5 tests=[AWL=0.435, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id reyBbxFSvylM; Tue, 9 Jun 2009 06:43:24 -0700 (PDT) Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id ACB553A659B; Tue, 9 Jun 2009 06:43:24 -0700 (PDT) Received: from [192.168.1.46] (pool-71-105-84-152.lsanca.dsl-w.verizon.net [71.105.84.152]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id n59DgSiA014546; Tue, 9 Jun 2009 06:42:29 -0700 (PDT) Message-ID: <4A2E66C3.6040701@isi.edu> Date: Tue, 09 Jun 2009 06:42:27 -0700 From: Joe Touch User-Agent: Thunderbird 2.0.0.21 (Windows/20090302) MIME-Version: 1.0 To: Fernando Gont References: <49E36AB9.40507@isi.edu> <49E384E9.1050106@gont.com.ar><49E3878C.9080200@isi.edu> <49E39119.1060902@gont.com.ar> <49E3A88F.9060301@gont.com.ar> <49E3ABC0.1050601@isi.edu> <49E3B9BF.1060901@gont.com.ar> <49E3BED9.1030701@isi.edu> <49E4D257.40504@gont.com.ar> <49E4E233.9040609@earthlink.net> <49E5F36D.7020808@earthlink.net> <49EE1873.1090907@gont.com.ar> <88ACD16A-1137-4E55-871F-8F0C992D7A63@nokia.com> <4A24626E.90805@gont.com.ar> <4A26E173.6040802@bogus.com> <4A2E1008.4060303@gont.com.ar> In-Reply-To: <4A2E1008.4060303@gont.com.ar> X-Enigmail-Version: 0.95.7 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-ISI-4-43-8-MailScanner: Found to be clean X-MailScanner-From: touch@isi.edu Cc: Joel Jaeggli , opsec@ietf.org, tcpm@ietf.org Subject: Re: [tcpm] [OPSEC] draft-gont-tcp-security X-BeenThere: tcpm@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: TCP Maintenance and Minor Extensions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Jun 2009 13:43:25 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Fernando Gont wrote: ... >> That said there's also some question as what sort of general >> recommendations about hardening tcp would actually be consider >> acceptable (in narrow use cases a lot more of them may well be). >> >> The diligent blacksmith knows that hardening a tool also >> makes it more brittle... > > This is a nice quote, but... I'd like examples. e.g., start discussing > about which specific hardening proposal makes TCP more brittle. 1) any security mechanism that increases complexity - of actions, state, or message exchanges - any of which increases the potential for implementation error 2) any security mechanism that has false positives, i.e., that discards messages deemed a security threat when they were sent for legitimate reasons #1 includes basically everything, from TCP MD5 (and TCP-AO) to tcpsecure and ICMP filtering #2 includes anything with nonzero false positives, such as tcpsecure and ICMP filtering I.e., AFAICT, *everything* that makes TCP more secure also makes it brittle, by definition (ditto for metal hardening, FWIW). The key issue is "when/where is the benefit worth the cost". Joe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkouZsMACgkQE5f5cImnZruBvACeIsbA4PwpE4xyp22+fGzH/5j2 9DYAoOCTLsrjZU7QcfCXsYq5TERlxcYY =ycUl -----END PGP SIGNATURE----- From fernando.gont.netbook.win@gmail.com Tue Jun 9 12:36:27 2009 Return-Path: X-Original-To: tcpm@core3.amsl.com Delivered-To: tcpm@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6966A3A6D92; Tue, 9 Jun 2009 12:36:27 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NYdiwOeAJAyb; Tue, 9 Jun 2009 12:36:26 -0700 (PDT) Received: from mail-qy0-f111.google.com (mail-qy0-f111.google.com [209.85.221.111]) by core3.amsl.com (Postfix) with ESMTP id 4690A3A69E7; Tue, 9 Jun 2009 12:36:26 -0700 (PDT) Received: by qyk9 with SMTP id 9so15608qyk.29 for ; Tue, 09 Jun 2009 12:36:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :x-enigmail-version:openpgp:content-type:content-transfer-encoding; bh=NJI+QIbrhFAwiVLpynQOjRx9LwceLecje5X6C5SY1tQ=; b=b7UardYZaLtBEji2MbmiA18fvRZAnmko/xlBcSY06NhjyM03iF4lsFI6opzY+elkqp otdSEFmtTkIDdmZ0lS5LQHKFfbsPJwCe//62WmlrXGqrDIcvHIlu0I+p89iSSBsUMKNS oqty53ZbclfNZgSZfswrYWs+nSIoDnAqfmEGA= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:openpgp:content-type :content-transfer-encoding; b=NMsA4sucpbglw/2ltxdTIj7ETqPqcEuMTTxPMTDWQgfokLRVT5969fY3n9H7+4e0/y pWuLM/ztkKI+Sok7U3kimRmlb33RYO/UrziE3a/Oitj4vKRFp90owE4pb7w898vSPJ0f 4z7j4XWKWqQOlnqSZw+ebNSKAMFjZ3nPY+55Q= Received: by 10.220.100.5 with SMTP id w5mr679252vcn.62.1244576189828; Tue, 09 Jun 2009 12:36:29 -0700 (PDT) Received: from ?190.48.216.129? ([190.48.216.129]) by mx.google.com with ESMTPS id 8sm90027ywg.53.2009.06.09.12.36.26 (version=TLSv1/SSLv3 cipher=RC4-MD5); Tue, 09 Jun 2009 12:36:28 -0700 (PDT) Sender: Fernando Gont Message-ID: <4A2EB9B7.80907@gont.com.ar> Date: Tue, 09 Jun 2009 16:36:23 -0300 From: Fernando Gont User-Agent: Thunderbird 2.0.0.21 (Windows/20090302) MIME-Version: 1.0 To: Joe Touch References: <49E36AB9.40507@isi.edu> <49E384E9.1050106@gont.com.ar><49E3878C.9080200@isi.edu> <49E39119.1060902@gont.com.ar> <49E3A88F.9060301@gont.com.ar> <49E3ABC0.1050601@isi.edu> <49E3B9BF.1060901@gont.com.ar> <49E3BED9.1030701@isi.edu> <49E4D257.40504@gont.com.ar> <49E4E233.9040609@earthlink.net> <49E5F36D.7020808@earthlink.net> <49EE1873.1090907@gont.com.ar> <88ACD16A-1137-4E55-871F-8F0C992D7A63@nokia.com> <4A24626E.90805@gont.com.ar> <4A26E173.6040802@bogus.com> <4A2E1008.4060303@gont.com.ar> <4A2E66C3.6040701@isi.edu> In-Reply-To: <4A2E66C3.6040701@isi.edu> X-Enigmail-Version: 0.95.7 OpenPGP: id=D076FFF1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: Joel Jaeggli , opsec@ietf.org, tcpm@ietf.org Subject: Re: [tcpm] [OPSEC] draft-gont-tcp-security X-BeenThere: tcpm@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: TCP Maintenance and Minor Extensions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Jun 2009 19:36:27 -0000 Joe Touch wrote: >>> The diligent blacksmith knows that hardening a tool also >>> makes it more brittle... >> This is a nice quote, but... I'd like examples. e.g., start discussing >> about which specific hardening proposal makes TCP more brittle. > > 1) any security mechanism that increases complexity - of actions, state, > or message exchanges - any of which increases the potential for > implementation error Agreed. > 2) any security mechanism that has false positives, i.e., that discards > messages deemed a security threat when they were sent for legitimate reasons Why would this make e.g., TCP more brittle? In any case, the actual response to such packets may vary (e.g., in the case of ICMP hard errors, discard vs. process as soft errors). I believe that no matter what the recommended response is, it is important to discuss these issues, and try to get consensus on what's the right thing to do in each case. > #1 includes basically everything, from TCP MD5 (and TCP-AO) to tcpsecure > and ICMP filtering ICMP filtering actually decreases complexity. > I.e., AFAICT, *everything* that makes TCP more secure also makes it > brittle, by definition (ditto for metal hardening, FWIW). The key issue > is "when/where is the benefit worth the cost". As I said before, I'd like to have concrete examples from the tcp security i-d that are deemed to make TCP more brittle. Thanks! Kind regards, -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@acm.org PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1 From touch@ISI.EDU Tue Jun 9 13:07:22 2009 Return-Path: X-Original-To: tcpm@core3.amsl.com Delivered-To: tcpm@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DE2293A6847; Tue, 9 Jun 2009 13:07:22 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HK3bRp46oSKg; Tue, 9 Jun 2009 13:07:22 -0700 (PDT) Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 980123A6841; Tue, 9 Jun 2009 13:07:10 -0700 (PDT) Received: from [128.9.168.63] (bet.isi.edu [128.9.168.63]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id n59K6bob014863; Tue, 9 Jun 2009 13:06:38 -0700 (PDT) Message-ID: <4A2EC0CD.3020505@isi.edu> Date: Tue, 09 Jun 2009 13:06:37 -0700 From: Joe Touch User-Agent: Thunderbird 2.0.0.21 (Windows/20090302) MIME-Version: 1.0 To: Fernando Gont References: <49E36AB9.40507@isi.edu> <49E384E9.1050106@gont.com.ar><49E3878C.9080200@isi.edu> <49E39119.1060902@gont.com.ar> <49E3A88F.9060301@gont.com.ar> <49E3ABC0.1050601@isi.edu> <49E3B9BF.1060901@gont.com.ar> <49E3BED9.1030701@isi.edu> <49E4D257.40504@gont.com.ar> <49E4E233.9040609@earthlink.net> <49E5F36D.7020808@earthlink.net> <49EE1873.1090907@gont.com.ar> <88ACD16A-1137-4E55-871F-8F0C992D7A63@nokia.com> <4A24626E.90805@gont.com.ar> <4A26E173.6040802@bogus.com> <4A2E1008.4060303@gont.com.ar> <4A2E66C3.6040701@isi.edu> <4A2EB9B7.80907@gont.com.ar> In-Reply-To: <4A2EB9B7.80907@gont.com.ar> X-Enigmail-Version: 0.95.7 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-ISI-4-43-8-MailScanner: Found to be clean X-MailScanner-From: touch@isi.edu Cc: Joel Jaeggli , opsec@ietf.org, tcpm@ietf.org Subject: Re: [tcpm] [OPSEC] draft-gont-tcp-security X-BeenThere: tcpm@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: TCP Maintenance and Minor Extensions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Jun 2009 20:07:23 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Fernando Gont wrote: > Joe Touch wrote: > >>>> The diligent blacksmith knows that hardening a tool also >>>> makes it more brittle... >>> This is a nice quote, but... I'd like examples. e.g., start discussing >>> about which specific hardening proposal makes TCP more brittle. >> 1) any security mechanism that increases complexity - of actions, state, >> or message exchanges - any of which increases the potential for >> implementation error > > Agreed. > > > >> 2) any security mechanism that has false positives, i.e., that discards >> messages deemed a security threat when they were sent for legitimate reasons > > Why would this make e.g., TCP more brittle? It makes a TCP that used to work not work anymore. > In any case, the actual response to such packets may vary (e.g., in the > case of ICMP hard errors, discard vs. process as soft errors). I believe > that no matter what the recommended response is, it is important to > discuss these issues, and try to get consensus on what's the right thing > to do in each case. Agreed. In a document that aimes to describe just what has been implemented, there's no goal of gaining community consensus, though. There is still utility, however, in providing the alternate viewpoint on the potential impacts of implementations. >> #1 includes basically everything, from TCP MD5 (and TCP-AO) to tcpsecure >> and ICMP filtering > > ICMP filtering actually decreases complexity. It requires more code to check that an ICMP is in-window than to not check. Nearly everything requires more code, at least. >> I.e., AFAICT, *everything* that makes TCP more secure also makes it >> brittle, by definition (ditto for metal hardening, FWIW). The key issue >> is "when/where is the benefit worth the cost". > > As I said before, I'd like to have concrete examples from the tcp > security i-d that are deemed to make TCP more brittle. I did above in both cases. Joe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFKLsDME5f5cImnZrsRAlGWAKCzYpIm7avI7zCezK/qr6+YOmLzogCg+hQe miDFj33au36GsANaWpxiM4w= =6lOt -----END PGP SIGNATURE----- From wesley.m.eddy@nasa.gov Wed Jun 10 21:25:05 2009 Return-Path: X-Original-To: tcpm@core3.amsl.com Delivered-To: tcpm@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9A2C73A6839 for ; Wed, 10 Jun 2009 21:25:05 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.381 X-Spam-Level: X-Spam-Status: No, score=-6.381 tagged_above=-999 required=5 tests=[AWL=0.218, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VhJyk4UNz2k3 for ; Wed, 10 Jun 2009 21:25:03 -0700 (PDT) Received: from ndjsnpf01.ndc.nasa.gov (ndjsnpf01.ndc.nasa.gov [198.117.1.121]) by core3.amsl.com (Postfix) with ESMTP id 91C7B3A680A for ; Wed, 10 Jun 2009 21:25:03 -0700 (PDT) Received: from ndjsppt02.ndc.nasa.gov (ndjsppt02.ndc.nasa.gov [198.117.1.101]) by ndjsnpf01.ndc.nasa.gov (Postfix) with ESMTP id A336A328043; Wed, 10 Jun 2009 23:25:10 -0500 (CDT) Received: from ndjshub01.ndc.nasa.gov (ndjshub01.ndc.nasa.gov [198.117.4.160]) by ndjsppt02.ndc.nasa.gov (8.14.3/8.14.3) with ESMTP id n5B4PAA4020883; Wed, 10 Jun 2009 23:25:10 -0500 Received: from NDJSSCC01.ndc.nasa.gov ([198.117.4.166]) by ndjshub01.ndc.nasa.gov ([198.117.4.160]) with mapi; Wed, 10 Jun 2009 23:25:10 -0500 From: "Eddy, Wesley M. (GRC-MS00)[Verizon]" To: "tcpm@ietf.org" Date: Wed, 10 Jun 2009 23:25:15 -0500 Thread-Topic: comments on draft-ietf-tcpm-icmp-attacks-05 Thread-Index: AcnqTJ5N/OQHUFfvTA+OQMGvgkY7Qg== Message-ID: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=1.12.7400:2.4.4, 1.2.40, 4.0.166 definitions=2009-06-10_14:2009-06-01, 2009-06-10, 2009-06-10 signatures=0 Cc: Fernando Gont , Fernando Gont Subject: [tcpm] comments on draft-ietf-tcpm-icmp-attacks-05 X-BeenThere: tcpm@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: TCP Maintenance and Minor Extensions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Jun 2009 04:25:06 -0000 As a WG participant (not co-chair), here are some comments I have after reading the latest version of the ICMP attacks draft: 1) (editorial) In Section 2.1, don't capitalize "Architecture", as it makes "Internet Architecture" look like some kind of specific proper noun, which it definitely isn't. 2) (question) In Section 2.1, we have: "When an intermediate router detects a network problem while trying to forward an IP packet, it will usually send an ICMP ..." Do we want "will usually" or "has the option to", or something similar? I'm not aware of the actual statistics on this. 3) (editorial) In Section 3, first sentence, "internet header" -> "IP header" ? 4) (technical) For the last paragraph in section 3, we focus on the lack of IKE usage as a reason why IPsec can't generally be used to authenticate ICMP messages, but I think the bigger problem is that even if we all ran IPsec, we'd need to have routers using certificates with paths compatible for all other hosts on the network ... not too feasible from what I can tell. I think this is more difficult than either the deployment or the embedded devices issue that the draft mentions. 5) (general) Section 5.1, last paragraph, it seems like we should be mentioning TCP-AO as well here, though I don't think it changes any part of the claim. 6) (editorial) Section 5.2, typo "preferebable" 7) (editorial) Section 6.2, "On the other hand, TCP implements its own congestion control mechanisms ..." ... I don't think this is really an "on the other hand", I think it's more of a "Furthermore". 8) (general) In Section 6.2, I think we can be stronger and say that the 1122 requirement to react to source quench is no longer pertinent, as the Internet has moved well beyond needing this. 9) (general) Wow, section 7 takes a much closer look at PMTUD than I ever expected to find here; roughly half the document sits in this topic alone. Is this *really* an attack that we're that worried about in a general case? =20 The modifications in this part of the document seem too complex for what they buy, to me. It seems like in places where there's concern about it, we can just say to ignore these ICMPs and use the PLPMTUD (4821) instead. I can understand that what's in the draft has been implemented, but how valuable is it really when we already have a Proposed Standard in PLPMTUD that can totally answer to this concern by just ignoring the ICMPs in question? --------------------------- Wes Eddy Network & Systems Architect Verizon FNS / NASA GRC Office: (216) 433-6682 --------------------------- From wesley.m.eddy@nasa.gov Wed Jun 10 21:32:46 2009 Return-Path: X-Original-To: tcpm@core3.amsl.com Delivered-To: tcpm@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C18F03A6858 for ; Wed, 10 Jun 2009 21:32:46 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.454 X-Spam-Level: X-Spam-Status: No, score=-6.454 tagged_above=-999 required=5 tests=[AWL=0.145, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jO3icUQnd5IM for ; Wed, 10 Jun 2009 21:32:45 -0700 (PDT) Received: from ndjsnpf03.ndc.nasa.gov (ndjsnpf03.ndc.nasa.gov [198.117.1.123]) by core3.amsl.com (Postfix) with ESMTP id 6EEA83A680A for ; Wed, 10 Jun 2009 21:32:45 -0700 (PDT) Received: from ndjsppt03.ndc.nasa.gov (ndjsppt03.ndc.nasa.gov [198.117.1.102]) by ndjsnpf03.ndc.nasa.gov (Postfix) with ESMTP id A3AD62D81E3; Wed, 10 Jun 2009 23:32:52 -0500 (CDT) Received: from ndjshub01.ndc.nasa.gov (ndjshub01.ndc.nasa.gov [198.117.4.160]) by ndjsppt03.ndc.nasa.gov (8.14.3/8.14.3) with ESMTP id n5B4Wq3c000638; Wed, 10 Jun 2009 23:32:52 -0500 Received: from NDJSSCC01.ndc.nasa.gov ([198.117.4.166]) by ndjshub01.ndc.nasa.gov ([198.117.4.160]) with mapi; Wed, 10 Jun 2009 23:32:52 -0500 From: "Eddy, Wesley M. (GRC-MS00)[Verizon]" To: "Eddy, Wesley M. (GRC-MS00)[Verizon]" , "tcpm@ietf.org" Date: Wed, 10 Jun 2009 23:32:57 -0500 Thread-Topic: comments on draft-ietf-tcpm-icmp-attacks-05 Thread-Index: AcnqTJ5N/OQHUFfvTA+OQMGvgkY7QgAAJlzg Message-ID: References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=1.12.7400:2.4.4, 1.2.40, 4.0.166 definitions=2009-06-10_14:2009-06-01, 2009-06-10, 2009-06-10 signatures=0 Cc: Fernando Gont , Fernando Gont Subject: Re: [tcpm] comments on draft-ietf-tcpm-icmp-attacks-05 X-BeenThere: tcpm@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: TCP Maintenance and Minor Extensions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Jun 2009 04:32:46 -0000 As both co-chair and TCPM participant, I'm not really comfortable with Appendix B of this document which reads a lot like an advertisement. Even though I know it's well-intentioned, it seems like we'd set a bad precedent if we got into the habit of putting sponsor-plugs into the appendices of our documents. I don't think we lose anything by leaving that appendix out completely. What does the WG think? To speed analysis, the text in question is: Appendix B. Advice and guidance to vendors Vendors are urged to contact CPNI (vulteam@cpni.gsi.gov.uk) if they think they may be affected by the issues described in this document. As the lead coordination center for these issues, CPNI is well placed to give advice and guidance as required. CPNI works extensively with government departments and agencies, commercial organizations and the academic community to research vulnerabilities and potential threats to IT systems especially where they may have an impact on Critical National Infrastructure's (CNI). Other ways to contact CPNI, plus CPNI's PGP public key, are available at http://www.cpni.gov.uk . --------------------------- Wes Eddy Network & Systems Architect Verizon FNS / NASA GRC Office: (216) 433-6682 --------------------------- From wesley.m.eddy@nasa.gov Wed Jun 10 21:45:48 2009 Return-Path: X-Original-To: tcpm@core3.amsl.com Delivered-To: tcpm@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 17A6C3A6D2B for ; Wed, 10 Jun 2009 21:45:48 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.49 X-Spam-Level: X-Spam-Status: No, score=-6.49 tagged_above=-999 required=5 tests=[AWL=0.109, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9fCV8J-R4gZJ for ; Wed, 10 Jun 2009 21:45:46 -0700 (PDT) Received: from ndjsnpf03.ndc.nasa.gov (ndjsnpf03.ndc.nasa.gov [198.117.1.123]) by core3.amsl.com (Postfix) with ESMTP id B8D6B3A6D1E for ; Wed, 10 Jun 2009 21:45:46 -0700 (PDT) Received: from ndjsppt02.ndc.nasa.gov (ndjsppt02.ndc.nasa.gov [198.117.1.101]) by ndjsnpf03.ndc.nasa.gov (Postfix) with ESMTP id A45362D861E; Wed, 10 Jun 2009 23:45:53 -0500 (CDT) Received: from ndjshub01.ndc.nasa.gov (ndjshub01.ndc.nasa.gov [198.117.4.160]) by ndjsppt02.ndc.nasa.gov (8.14.3/8.14.3) with ESMTP id n5B4jrss005933; Wed, 10 Jun 2009 23:45:53 -0500 Received: from NDJSSCC01.ndc.nasa.gov ([198.117.4.166]) by ndjshub01.ndc.nasa.gov ([198.117.4.160]) with mapi; Wed, 10 Jun 2009 23:45:53 -0500 From: "Eddy, Wesley M. (GRC-MS00)[Verizon]" To: "Eddy, Wesley M. (GRC-MS00)[Verizon]" , "tcpm@ietf.org" Date: Wed, 10 Jun 2009 23:45:59 -0500 Thread-Topic: comments on draft-ietf-tcpm-icmp-attacks-05 Thread-Index: AcnqTJ5N/OQHUFfvTA+OQMGvgkY7QgAAZwrg Message-ID: References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=1.12.7400:2.4.4, 1.2.40, 4.0.166 definitions=2009-06-10_14:2009-06-01, 2009-06-10, 2009-06-10 signatures=0 Cc: Fernando Gont , Fernando Gont Subject: Re: [tcpm] comments on draft-ietf-tcpm-icmp-attacks-05 X-BeenThere: tcpm@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: TCP Maintenance and Minor Extensions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Jun 2009 04:45:48 -0000 As both a WG-participant and co-chair, I think that the Appendix A explanations of which ICMPs need to be paid attention to because some of them say things that I'm not sure are totally supported by prior RFCs. For instance, I'm not certain that setting the DF bit is only possible for hosts that support PMTUD ... is there a reference for that? Further, it discusses ambiguity in 1122, that we should be clarifying in the main text rather than an appendix, I think ... what does the rest of the WG think? --------------------------- Wes Eddy Network & Systems Architect Verizon FNS / NASA GRC Office: (216) 433-6682 --------------------------- From fernando.gont.netbook.win@gmail.com Thu Jun 11 01:22:50 2009 Return-Path: X-Original-To: tcpm@core3.amsl.com Delivered-To: tcpm@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ABE883A6C5E for ; Thu, 11 Jun 2009 01:22:50 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.065 X-Spam-Level: X-Spam-Status: No, score=-2.065 tagged_above=-999 required=5 tests=[AWL=0.535, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gMp3wZE7Egqe for ; Thu, 11 Jun 2009 01:22:49 -0700 (PDT) Received: from mail-qy0-f116.google.com (mail-qy0-f116.google.com [209.85.221.116]) by core3.amsl.com (Postfix) with ESMTP id 732353A6BCE for ; Thu, 11 Jun 2009 01:22:49 -0700 (PDT) Received: by qyk14 with SMTP id 14so23571qyk.29 for ; Thu, 11 Jun 2009 01:22:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :x-enigmail-version:openpgp:content-type:content-transfer-encoding; bh=5k4C9RdNOyTYeif+mS1UOwWaQEAlyFLPsbjRbLxiJUo=; b=bHas6bicsakfjyXHGMqrcZ8ZxjRN+HuYoxgtUDXuLa5CtV6cOPKQOlG48ibU0u428L G5ct48W/uNmKpoKyKEuWG+YeqDRM84x/1867/9Iawe+823MBN4/dgKmjVMgHHgKVspQT QS4HmC5R+ukXChtLNwoyx1FcadXNxaN+Ybogk= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:openpgp:content-type :content-transfer-encoding; b=mR9noGlAasL63ofa88szXAq/iMrRh0Eop1aeNhWGjBiU/7ge0d/At4f7NMLtsnFyfI gZ8Mdbm4rvYtGPP7d5k0H6JDkW5IeNf53fi/IGpXX8g6qpLSTUEYNkDJhc2ZFzT9mQrV bw5ZFOrTVMJgzfPXFKQ2uTl4NmDyUL9eccqag= Received: by 10.224.37.7 with SMTP id v7mr2884807qad.35.1244708574490; Thu, 11 Jun 2009 01:22:54 -0700 (PDT) Received: from ?192.168.0.151? (129-130-17-190.fibertel.com.ar [190.17.130.129]) by mx.google.com with ESMTPS id 7sm1291265qwf.49.2009.06.11.01.22.51 (version=TLSv1/SSLv3 cipher=RC4-MD5); Thu, 11 Jun 2009 01:22:53 -0700 (PDT) Sender: Fernando Gont Message-ID: <4A30BED6.3050308@gont.com.ar> Date: Thu, 11 Jun 2009 05:22:46 -0300 From: Fernando Gont User-Agent: Thunderbird 2.0.0.21 (Windows/20090302) MIME-Version: 1.0 To: "Eddy, Wesley M. (GRC-MS00)[Verizon]" References: In-Reply-To: X-Enigmail-Version: 0.95.7 OpenPGP: id=D076FFF1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: "tcpm@ietf.org" , Fernando Gont Subject: Re: [tcpm] comments on draft-ietf-tcpm-icmp-attacks-05 X-BeenThere: tcpm@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: TCP Maintenance and Minor Extensions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Jun 2009 08:22:50 -0000 Hello, Wesley, Thanks so much for your feedback. Comments-inline... > 1) (editorial) In Section 2.1, don't capitalize > "Architecture", as it makes "Internet Architecture" > look like some kind of specific proper noun, which > it definitely isn't. I think this was capitalized in Dave's Clark paper. But have no problem with the proposed change. > 2) (question) In Section 2.1, we have: > "When an intermediate router detects a network > problem while trying to forward an IP packet, > it will usually send an ICMP ..." Do we > want "will usually" or "has the option to", or > something similar? I'm not aware of the actual > statistics on this. The router will send an ICMP error message, unless rate-limiting prevents it. That's my understanding. And this is what RFC 1812 states. > 3) (editorial) In Section 3, first sentence, > "internet header" -> "IP header" ? Will do. (Although the ICMP spec uses the term "internet header" rather than "IP header"). > 4) (technical) For the last paragraph in section > 3, we focus on the lack of IKE usage as a reason > why IPsec can't generally be used to authenticate > ICMP messages, but I think the bigger problem is > that even if we all ran IPsec, we'd need to have > routers using certificates with paths compatible > for all other hosts on the network ... Sorry. You meant that all the routers in the path should be using certificates? > not too > feasible from what I can tell. I think this is > more difficult than either the deployment or the > embedded devices issue that the draft mentions. Agreed. > 5) (general) Section 5.1, last paragraph, it > seems like we should be mentioning TCP-AO as > well here, though I don't think it changes any > part of the claim. Agreed. Maybe this is also an indication that TCP-AO *should* change something in this respect! > 6) (editorial) Section 5.2, typo "preferebable" Will do. > 7) (editorial) Section 6.2, "On the other hand, > TCP implements its own congestion control > mechanisms ..." ... I don't think this is > really an "on the other hand", I think it's > more of a "Furthermore". Will do. ("english as a second language" here. :-( ) > 8) (general) In Section 6.2, I think we can be > stronger and say that the 1122 requirement to > react to source quench is no longer pertinent, > as the Internet has moved well beyond needing > this. I fully agree with you. However, at some point in the past there was all these discussions that the document was "going against the standards", and that it was "too strong", being an "Informational" document. Hence it's not as strong as I would have liked it to be. That said, the internet has moved beyond reseting established connections in response to hard errors, too. :-) > 9) (general) Wow, section 7 takes a much closer > look at PMTUD than I ever expected to find here; > roughly half the document sits in this topic > alone. Yes. And it could have been worse. Because for the other two vulnerabilities, it all boils down to "ignore source quenches" and "process hard errors as soft errors if they are received for connections in any of the synchronized states". But you cannot ignore "frag needed" messages. > Is this *really* an attack that we're > that worried about in a general case? Yes. See the "Acknowledgement" section of the I-D -- it was reviewed by people from Free', Net', and OpenBSD, Solaris and opensolaris, Cisco, Extremenetworks, and others. Yes, that's not the world... but I'd argue that a good sample. Without the TCP seq check, is trivial (and with an advertised MTU of 0 it even crashed some implementations). With the TCP SEQ check, things are not so bad... but the windows keep increasing. That said, the document is informational, and documents what has been done in the industry. And the stuff in Section 7 is implemented in a number of systems and deployed already in the Internet. > The modifications in this part of the document > seem too complex for what they buy, to me. I did the patch myself for OpenBSD in a few hours (and it was probably my first commit to the tree). Conceptually speaking, it's even simpler: Before you know data has successfully been transferred to the remote endpoint, just validate the ICMP error messages by checking the TCP SEQ. Once you have successfully transferred data, check for progress on the connection before honoring the ICMP error messages). > It > seems like in places where there's concern about > it, we can just say to ignore these ICMPs and use > the PLPMTUD (4821) instead. I can understand > that what's in the draft has been implemented, > but how valuable is it really when we already > have a Proposed Standard in PLPMTUD that can > totally answer to this concern by just ignoring > the ICMPs in question? I have already been told by a number of developers that they would not implement the ICMP-free version of PLPMTUD, because of its convergence time. They are more willing to implement it for icmp blackhole detection. Thanks! Kind regards, -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@acm.org PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1 From fernando.gont.netbook.win@gmail.com Thu Jun 11 01:30:15 2009 Return-Path: X-Original-To: tcpm@core3.amsl.com Delivered-To: tcpm@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 48DCB3A6853 for ; Thu, 11 Jun 2009 01:30:15 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.332 X-Spam-Level: X-Spam-Status: No, score=-2.332 tagged_above=-999 required=5 tests=[AWL=0.267, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MM2L02lhJnGK for ; Thu, 11 Jun 2009 01:30:14 -0700 (PDT) Received: from mail-qy0-f116.google.com (mail-qy0-f116.google.com [209.85.221.116]) by core3.amsl.com (Postfix) with ESMTP id 34CFA3A6803 for ; Thu, 11 Jun 2009 01:30:14 -0700 (PDT) Received: by qyk14 with SMTP id 14so23780qyk.29 for ; Thu, 11 Jun 2009 01:30:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :x-enigmail-version:openpgp:content-type:content-transfer-encoding; bh=LYtbSzvp5TY5U0kPBY+QIWlL5HaUdMGkWy7e2dwHpWg=; b=sTRgEQaZK3z3SyvDYxEPN+BFlEabefF6eqAeKppPL87lS6GFcuKNV1+cJJqfZE+uA5 MOhsYzhxFPz4kmLoEAkvFy1WN5zqaUH6rsYxc2D3l7N6cmHCetHO/rFrbiabuErAptfM /RIz7yj9Ss0XuYM1H/LuKnaoeQCpdZLyLwTfg= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:openpgp:content-type :content-transfer-encoding; b=SJ/1ct1Hk3GwXLsLdLz6U3u7gMYIrcjWh17mwOR4aF5Nkkq38Lik6LnirpUqbr66TZ EbqgenASSuWwLInIZx805XuNukablpeC1Z3Td8bB4H7zvRQgreLJ+D4fMFkj3LvNcPVd QppRB+7rqFwqWg+OuCPx2jfIJyp1Jmk+rvfCI= Received: by 10.224.74.84 with SMTP id t20mr2859023qaj.328.1244709019418; Thu, 11 Jun 2009 01:30:19 -0700 (PDT) Received: from ?192.168.0.151? (129-130-17-190.fibertel.com.ar [190.17.130.129]) by mx.google.com with ESMTPS id 7sm1800296qwb.46.2009.06.11.01.30.17 (version=TLSv1/SSLv3 cipher=RC4-MD5); Thu, 11 Jun 2009 01:30:18 -0700 (PDT) Sender: Fernando Gont Message-ID: <4A30C093.5060408@gont.com.ar> Date: Thu, 11 Jun 2009 05:30:11 -0300 From: Fernando Gont User-Agent: Thunderbird 2.0.0.21 (Windows/20090302) MIME-Version: 1.0 To: "Eddy, Wesley M. (GRC-MS00)[Verizon]" References: In-Reply-To: X-Enigmail-Version: 0.95.7 OpenPGP: id=D076FFF1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: "tcpm@ietf.org" , Fernando Gont Subject: Re: [tcpm] comments on draft-ietf-tcpm-icmp-attacks-05 X-BeenThere: tcpm@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: TCP Maintenance and Minor Extensions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Jun 2009 08:30:15 -0000 Hello, Wes, Comments in-line.... > As both a WG-participant and co-chair, I think that the > Appendix A explanations of which ICMPs need to be paid > attention to because some of them say things that I'm > not sure are totally supported by prior RFCs. Any specific issues? > For > instance, I'm not certain that setting the DF bit is > only possible for hosts that support PMTUD ... is there > a reference for that? What's the reason for setting the DF flag for IP packets carrying TCP segments if you don't implement PMTUD? Actually, if you don't implement PMTUD, "frag needed" becomes a hard error. So setting the DF flag would be sort of dumb, as in the event one of your segments needs to be fragmented, you'd received an ICMP "frag needed" message, which would reset your connection. > Further, it discusses ambiguity > in 1122, that we should be clarifying in the main text > rather than an appendix, I think ... what does the rest > of the WG think? The appendix was at some point part of the main text. I moved the text into an appendix probably on request of somebody, but not because I thought the text should be there. So I have no problem moving the entirre appendix (or part of it) back into the main part of the document. Thanks! Kind regards, -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@acm.org PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1 From gf@erg.abdn.ac.uk Thu Jun 11 03:58:30 2009 Return-Path: X-Original-To: tcpm@core3.amsl.com Delivered-To: tcpm@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 22BF228C1BB for ; Thu, 11 Jun 2009 03:58:30 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1rTu+ufmy-FH for ; Thu, 11 Jun 2009 03:58:29 -0700 (PDT) Received: from erg.abdn.ac.uk (dee.erg.abdn.ac.uk [IPv6:2001:630:241:204:203:baff:fe9a:8c9b]) by core3.amsl.com (Postfix) with ESMTP id F0FFD28C193 for ; Thu, 11 Jun 2009 03:58:28 -0700 (PDT) Received: from 24-237-wf.tnc2009.rediris.es (ra-gorry.erg.abdn.ac.uk [139.133.204.42]) (authenticated bits=0) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id n5BAwTlU008456 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Thu, 11 Jun 2009 11:58:30 +0100 (BST) Message-ID: <4A30E355.1040704@erg.abdn.ac.uk> Date: Thu, 11 Jun 2009 12:58:29 +0200 From: Gorry Fairhurst User-Agent: Thunderbird 2.0.0.21 (Macintosh/20090302) MIME-Version: 1.0 To: David Borman , tcpm@ietf.org References: <4A12C9C9.9060404@gont.com.ar> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-ERG-MailScanner: Found to be clean X-ERG-MailScanner-From: gf@erg.abdn.ac.uk Cc: tcpm-chairs@tools.ietf.org Subject: Re: [tcpm] urgent data draft (draft-gont-tcpm-urgent-data-01.txt) X-BeenThere: tcpm@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: TCP Maintenance and Minor Extensions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Jun 2009 10:58:30 -0000 I supported this in the meeting, and still do. I think a statement that this not recommended for new applications (3) is good, combined with (4). Best wishes, Gorry David Borman wrote: > I think I forgot to follow up on this, sorry! > > So, with my WG co-chair hat on: > > The agreement at the San Francisco IETF meeting on the Urgent Pointer > definition was: > > 1) Adopt this document as a WG item > > 2) Change the definition of the Urgent Pointer (defined in RFC 1122) > to match the definition on page 17 of RFC 793, which is what most > implementations use. > > 3) New applications should be discouraged from using the Urgent Pointer > > 4) TCP implementations still need to implement the Urgent Pointer for > existing applications that use it > > 5) All applications that do make use of the Urgent Pointer must use > the SO_OOBINLINE socket option to keep all of the data in sequence; > applications that don't use SO_OOBINLINE and continue to use the old, > broken BSD implementation that actually removes bytes of data from > data stream are out of scope for the IETF, since that is not part of > the TCP protocol. > > Please respond with whether you do or do not support adopting this as > a WG item, even if you were at the meeting, so that we have a record > on the mailing list. > > > Now with my WG chair hat off: > > I support adopting this as a WG item. > > -David Borman, TCPM WG co-chair > > > > On May 19, 2009, at 10:01 AM, Fernando Gont wrote: > >> Hello, folks, >> >> I'm planning to work on a revision of the urgent data I-D anytime soon. >> I was wondering if there are any plans for proceeding with this I-D. >> >> There was some discussion on-list about TCP urgent data, and IIRC Dave >> Borman had suggested (hat off) that this I-D be adopted as a WG item. >> >> Thoughts? Plans? >> >> Thanks! >> >> Kind regards, >> -- >> Fernando Gont >> e-mail: fernando@gont.com.ar || fgont@acm.org >> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1 > > _______________________________________________ > tcpm mailing list > tcpm@ietf.org > https://www.ietf.org/mailman/listinfo/tcpm > > From touch@ISI.EDU Fri Jun 12 13:41:25 2009 Return-Path: X-Original-To: tcpm@core3.amsl.com Delivered-To: tcpm@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0D72D3A68EB for ; Fri, 12 Jun 2009 13:41:25 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qCRpIdCmlzq5 for ; Fri, 12 Jun 2009 13:41:24 -0700 (PDT) Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 27FF63A68BC for ; Fri, 12 Jun 2009 13:41:24 -0700 (PDT) Received: from [75.213.50.109] (109.sub-75-213-50.myvzw.com [75.213.50.109]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id n5CKf4YI028383; Fri, 12 Jun 2009 13:41:07 -0700 (PDT) Message-ID: <4A32BD5F.5030503@isi.edu> Date: Fri, 12 Jun 2009 13:41:03 -0700 From: Joe Touch User-Agent: Thunderbird 2.0.0.21 (Windows/20090302) MIME-Version: 1.0 To: Fernando Gont References: <4A30BED6.3050308@gont.com.ar> In-Reply-To: <4A30BED6.3050308@gont.com.ar> X-Enigmail-Version: 0.95.7 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-ISI-4-43-8-MailScanner: Found to be clean X-MailScanner-From: touch@isi.edu Cc: "tcpm@ietf.org" , Fernando Gont Subject: Re: [tcpm] comments on draft-ietf-tcpm-icmp-attacks-05 X-BeenThere: tcpm@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: TCP Maintenance and Minor Extensions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Jun 2009 20:41:25 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Fernando Gont wrote: ... >> 5) (general) Section 5.1, last paragraph, it >> seems like we should be mentioning TCP-AO as >> well here, though I don't think it changes any >> part of the claim. > > Agreed. Maybe this is also an indication that TCP-AO *should* change > something in this respect! TCP-AO already addresses ICMP attacks in the security considerations section, and requires there to be a way to disable reaction to ICMPs. Like IPsec, though, we don't make a-priori assessments as to whether ICMPs should be blocked or not on connections on which TCP-AO (or IPsec) is used. Joe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkoyvV8ACgkQE5f5cImnZruTxACeO2Q8KULcvKQOK07tBxmHiPNa Gr0An1RGq74/6xx4XlQ1Sz3XcvGwGuEU =aMxa -----END PGP SIGNATURE----- From touch@ISI.EDU Fri Jun 12 13:45:04 2009 Return-Path: X-Original-To: tcpm@core3.amsl.com Delivered-To: tcpm@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C35313A68EB for ; Fri, 12 Jun 2009 13:45:04 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.775 X-Spam-Level: X-Spam-Status: No, score=-1.775 tagged_above=-999 required=5 tests=[AWL=-0.824, BAYES_00=-2.599, FRT_TODAY2=1.648] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vSOddx2miDrT for ; Fri, 12 Jun 2009 13:45:03 -0700 (PDT) Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id E267D3A68BC for ; Fri, 12 Jun 2009 13:45:03 -0700 (PDT) Received: from [75.213.50.109] (109.sub-75-213-50.myvzw.com [75.213.50.109]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id n5CKiwUJ029246; Fri, 12 Jun 2009 13:45:00 -0700 (PDT) Message-ID: <4A32BE4A.1090903@isi.edu> Date: Fri, 12 Jun 2009 13:44:58 -0700 From: Joe Touch User-Agent: Thunderbird 2.0.0.21 (Windows/20090302) MIME-Version: 1.0 To: Fernando Gont References: <4A30C093.5060408@gont.com.ar> In-Reply-To: <4A30C093.5060408@gont.com.ar> X-Enigmail-Version: 0.95.7 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-ISI-4-43-8-MailScanner: Found to be clean X-MailScanner-From: touch@isi.edu Cc: "tcpm@ietf.org" , Fernando Gont Subject: Re: [tcpm] comments on draft-ietf-tcpm-icmp-attacks-05 X-BeenThere: tcpm@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: TCP Maintenance and Minor Extensions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Jun 2009 20:45:04 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Fernando Gont wrote: ... >> For >> instance, I'm not certain that setting the DF bit is >> only possible for hosts that support PMTUD ... is there >> a reference for that? > > What's the reason for setting the DF flag for IP packets carrying TCP > segments if you don't implement PMTUD? There are systems that just don't want to implement reassembly, due to the cost and potential for the attack at the receiver of receiving large numbers of partial packets. small devices do this to save compute/storage space - the Sony CLIE was one of these a few years ago, even though PMTUD was common even at the time. > Actually, if you don't implement PMTUD, "frag needed" becomes a hard > error. So setting the DF flag would be sort of dumb, as in the event one > of your segments needs to be fragmented, you'd received an ICMP "frag > needed" message, which would reset your connection. That's what happened when running TCP from a CLIE over a tunnel. Not desirable from the user's view, but definitely intended. >> Further, it discusses ambiguity >> in 1122, that we should be clarifying in the main text >> rather than an appendix, I think ... what does the rest >> of the WG think? This doc should not be clarifying anything in 1122 - that, IMO, would be for a standards-track doc, not an informational. Joe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkoyvkoACgkQE5f5cImnZrvn6gCfTPEk9wRTfXTxFT5Lmj44lx21 k+MAoIhEwTg0vY+T0dojcGGD9u9GEsyH =iPPb -----END PGP SIGNATURE----- From wesley.m.eddy@nasa.gov Sat Jun 13 08:42:11 2009 Return-Path: X-Original-To: tcpm@core3.amsl.com Delivered-To: tcpm@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 59C5028C0DF for ; Sat, 13 Jun 2009 08:42:11 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.512 X-Spam-Level: X-Spam-Status: No, score=-6.512 tagged_above=-999 required=5 tests=[AWL=0.087, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J4Aa9+QgS9fR for ; Sat, 13 Jun 2009 08:42:10 -0700 (PDT) Received: from ndjsnpf01.ndc.nasa.gov (ndjsnpf01.ndc.nasa.gov [198.117.1.121]) by core3.amsl.com (Postfix) with ESMTP id 5C5B428C0DC for ; Sat, 13 Jun 2009 08:42:10 -0700 (PDT) Received: from ndjsppt02.ndc.nasa.gov (ndjsppt02.ndc.nasa.gov [198.117.1.101]) by ndjsnpf01.ndc.nasa.gov (Postfix) with ESMTP id 087923280C7; Sat, 13 Jun 2009 10:42:19 -0500 (CDT) Received: from ndjshub03.ndc.nasa.gov (ndjshub03.ndc.nasa.gov [198.117.4.162]) by ndjsppt02.ndc.nasa.gov (8.14.3/8.14.3) with ESMTP id n5DFgI7i025088; Sat, 13 Jun 2009 10:42:18 -0500 Received: from NDJSSCC01.ndc.nasa.gov ([198.117.4.166]) by ndjshub03.ndc.nasa.gov ([198.117.4.162]) with mapi; Sat, 13 Jun 2009 10:42:19 -0500 From: "Eddy, Wesley M. (GRC-MS00)[Verizon]" To: Fernando Gont Date: Sat, 13 Jun 2009 10:42:26 -0500 Thread-Topic: comments on draft-ietf-tcpm-icmp-attacks-05 Thread-Index: AcnqbtvMta3haP3uS+WiqVnJlgQglABzNapg Message-ID: References: <4A30C093.5060408@gont.com.ar> In-Reply-To: <4A30C093.5060408@gont.com.ar> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=1.12.7400:2.4.4, 1.2.40, 4.0.166 definitions=2009-06-13_02:2009-06-01, 2009-06-13, 2009-06-12 signatures=0 Cc: "tcpm@ietf.org" , Fernando Gont Subject: Re: [tcpm] comments on draft-ietf-tcpm-icmp-attacks-05 X-BeenThere: tcpm@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: TCP Maintenance and Minor Extensions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 13 Jun 2009 15:42:11 -0000 >-----Original Message----- >From: Fernando Gont [mailto:fernando.gont.netbook.win@gmail.com] On >Behalf Of Fernando Gont >Sent: Thursday, June 11, 2009 4:30 AM >Hello, Wes, > >> As both a WG-participant and co-chair, I think that the >> Appendix A explanations of which ICMPs need to be paid >> attention to because some of them say things that I'm >> not sure are totally supported by prior RFCs. > >Any specific issues? I'll go one-by-one through them and follow up with any in addition to the one we already started talking about: >> For >> instance, I'm not certain that setting the DF bit is >> only possible for hosts that support PMTUD ... is there >> a reference for that? > >What's the reason for setting the DF flag for IP packets carrying TCP >segments if you don't implement PMTUD? I know of a number of embedded OS kernels and real-time systems that either don't implement IP reassembly or disable it. Some of the stacks geared towards real-time will also set DF on the packets that they send as the frag/reassembly is presumed to be an impediment to guaranteeing their delay bounds. >> Further, it discusses ambiguity >> in 1122, that we should be clarifying in the main text >> rather than an appendix, I think ... what does the rest >> of the WG think? > >The appendix was at some point part of the main text. I moved the text >into an appendix probably on request of somebody, but not because I >thought the text should be there. So I have no problem moving the >entirre appendix (or part of it) back into the main part of the >document. Oh, I didn't realize we'd already juggled it around :). It makes sense to me to analyze the different message types this way as motivation for the recommendations on how to treat them, which is why I expected it to be in the body, but if there was already consensus to have it as an appendix, then that's fine too. --------------------------- Wes Eddy Network & Systems Architect Verizon FNS / NASA GRC Office: (216) 433-6682 --------------------------- From fernando.gont.netbook.win@gmail.com Sat Jun 13 17:32:41 2009 Return-Path: X-Original-To: tcpm@core3.amsl.com Delivered-To: tcpm@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 425923A6800 for ; Sat, 13 Jun 2009 17:32:41 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6Vu0Ie04H5Io for ; Sat, 13 Jun 2009 17:32:40 -0700 (PDT) Received: from mail-qy0-f125.google.com (mail-qy0-f125.google.com [209.85.221.125]) by core3.amsl.com (Postfix) with ESMTP id 3C6B83A6904 for ; Sat, 13 Jun 2009 17:32:40 -0700 (PDT) Received: by qyk31 with SMTP id 31so101635qyk.29 for ; Sat, 13 Jun 2009 17:32:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :x-enigmail-version:openpgp:content-type:content-transfer-encoding; bh=SvyLD8EmofJSA/YZufGEqkGzgplnO/5R6n680OODM6o=; b=oP9fYRqEaPVg29WrAcVxO/p0iV7l96v/dKtAOTlYwnA2BTLPjNVb23hPhAkhEYKxKJ mH1EXKHqq6b8oIXWy87yw9NFEzxMqa3JXSX5+w5p30TgueJDgQACI6Uu3WtRfCeS/oXc M0Ftwkicp75+x2oICGkIudtxp8t4UsSLphdFg= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:openpgp:content-type :content-transfer-encoding; b=E+mFzlJpe/FzsroEJxoNI2gER/jUr6nIJfKzddBLx3MK3/izAilE3fV6C/bwg3lJYx Cjn0SQ4akZh56xikF+Mxt0q3NWuh+OSuwBdIAy//jUC2T+2Ch7EEMfSZVyhGhGQDuSF4 DDgtl00nRf77amEKKabCQZoPHCJxdtG5b50u4= Received: by 10.224.60.194 with SMTP id q2mr5859508qah.135.1244939566149; Sat, 13 Jun 2009 17:32:46 -0700 (PDT) Received: from ?192.168.0.151? (148-82-231-201.fibertel.com.ar [201.231.82.148]) by mx.google.com with ESMTPS id 7sm1579315qwf.19.2009.06.13.17.32.43 (version=TLSv1/SSLv3 cipher=RC4-MD5); Sat, 13 Jun 2009 17:32:45 -0700 (PDT) Sender: Fernando Gont Message-ID: <4A344528.5060907@gont.com.ar> Date: Sat, 13 Jun 2009 21:32:40 -0300 From: Fernando Gont User-Agent: Thunderbird 2.0.0.21 (Windows/20090302) MIME-Version: 1.0 To: "Eddy, Wesley M. (GRC-MS00)[Verizon]" References: <4A30C093.5060408@gont.com.ar> In-Reply-To: X-Enigmail-Version: 0.95.7 OpenPGP: id=D076FFF1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: "tcpm@ietf.org" , Fernando Gont Subject: Re: [tcpm] comments on draft-ietf-tcpm-icmp-attacks-05 X-BeenThere: tcpm@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: TCP Maintenance and Minor Extensions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 14 Jun 2009 00:32:41 -0000 Eddy, Wesley M. (GRC-MS00)[Verizon] wrote: >>> For >>> instance, I'm not certain that setting the DF bit is >>> only possible for hosts that support PMTUD ... is there >>> a reference for that? >> What's the reason for setting the DF flag for IP packets carrying TCP >> segments if you don't implement PMTUD? > > I know of a number of embedded OS kernels and real-time systems > that either don't implement IP reassembly or disable it. Some > of the stacks geared towards real-time will also set DF on the > packets that they send as the frag/reassembly is presumed to be > an impediment to guaranteeing their delay bounds. What do these systems do when they receive a "frag needed" ICMP error message? If they adapt the segment size, they implement some form of PMTUD. If frag was needed (As indicated in the ICMP error message), and they keep sending at the same segment size, the connection would time-out (not good). If they don't do any of these, and follow RFC1122 instead, they should reset the connection (not good, either). >> The appendix was at some point part of the main text. I moved the text >> into an appendix probably on request of somebody, but not because I >> thought the text should be there. So I have no problem moving the >> entirre appendix (or part of it) back into the main part of the >> document. > > Oh, I didn't realize we'd already juggled it around :). > It makes sense to me to analyze the different message > types this way as motivation for the recommendations on > how to treat them, which is why I expected it to be in > the body, but if there was already consensus to have it > as an appendix, then that's fine too. No, I don't think there was consensus to move that stuff to an appendix. It was probably the result of me honoring a suggestion I had received from some folk. Thanks, -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@acm.org PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1 From fw@deneb.enyo.de Sun Jun 14 06:35:03 2009 Return-Path: X-Original-To: tcpm@core3.amsl.com Delivered-To: tcpm@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9790228C0E1 for ; Sun, 14 Jun 2009 06:35:03 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.644 X-Spam-Level: X-Spam-Status: No, score=-1.644 tagged_above=-999 required=5 tests=[AWL=0.605, BAYES_00=-2.599, HELO_EQ_DE=0.35] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0NtzG4Lql1kA for ; Sun, 14 Jun 2009 06:35:03 -0700 (PDT) Received: from mail.enyo.de (mail.enyo.de [212.9.189.167]) by core3.amsl.com (Postfix) with ESMTP id CC8CE28C0DD for ; Sun, 14 Jun 2009 06:35:01 -0700 (PDT) Received: from deneb.vpn.enyo.de ([212.9.189.177] helo=deneb.enyo.de) by mail.enyo.de with esmtp id 1MFprW-0001Zw-Dz; Sun, 14 Jun 2009 15:35:06 +0200 Received: from fw by deneb.enyo.de with local (Exim 4.69) (envelope-from ) id 1MFprW-0005OO-0f; Sun, 14 Jun 2009 15:35:06 +0200 From: Florian Weimer To: "Eddy\, Wesley M. \(GRC-MS00\)\[Verizon\]" References: Date: Sun, 14 Jun 2009 15:35:05 +0200 In-Reply-To: (Wesley M. Eddy's message of "Wed, 10 Jun 2009 23:32:57 -0500") Message-ID: <87ljnvey5y.fsf@mid.deneb.enyo.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: "tcpm@ietf.org" Subject: Re: [tcpm] comments on draft-ietf-tcpm-icmp-attacks-05 X-BeenThere: tcpm@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: TCP Maintenance and Minor Extensions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 14 Jun 2009 13:35:03 -0000 * Wesley M. Eddy: > As both co-chair and TCPM participant, I'm not really > comfortable with Appendix B of this document which > reads a lot like an advertisement. Even though I > know it's well-intentioned, it seems like we'd set > a bad precedent if we got into the habit of putting > sponsor-plugs into the appendices of our documents. > I don't think we lose anything by leaving that > appendix out completely. > > What does the WG think? I think it should go. (Disclaimer: I don't like the way UNIRAS/CPNI handled some disclosures, but I think this isn't important in this context.) From fw@deneb.enyo.de Sun Jun 14 06:37:45 2009 Return-Path: X-Original-To: tcpm@core3.amsl.com Delivered-To: tcpm@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 49E4428C0E1 for ; Sun, 14 Jun 2009 06:37:45 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.705 X-Spam-Level: X-Spam-Status: No, score=-1.705 tagged_above=-999 required=5 tests=[AWL=0.544, BAYES_00=-2.599, HELO_EQ_DE=0.35] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MWxv80vsAffi for ; Sun, 14 Jun 2009 06:37:44 -0700 (PDT) Received: from mail.enyo.de (mail.enyo.de [212.9.189.167]) by core3.amsl.com (Postfix) with ESMTP id 8C6B728C0DD for ; Sun, 14 Jun 2009 06:37:44 -0700 (PDT) Received: from deneb.vpn.enyo.de ([212.9.189.177] helo=deneb.enyo.de) by mail.enyo.de with esmtp id 1MFpu9-0001b7-Pt; Sun, 14 Jun 2009 15:37:49 +0200 Received: from fw by deneb.enyo.de with local (Exim 4.69) (envelope-from ) id 1MFpu9-0005Os-4q; Sun, 14 Jun 2009 15:37:49 +0200 From: Florian Weimer To: Fernando Gont References: <4A30C093.5060408@gont.com.ar> Date: Sun, 14 Jun 2009 15:37:49 +0200 In-Reply-To: <4A30C093.5060408@gont.com.ar> (Fernando Gont's message of "Thu, 11 Jun 2009 05:30:11 -0300") Message-ID: <87hbyjey1e.fsf@mid.deneb.enyo.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: "tcpm@ietf.org" , Fernando Gont Subject: Re: [tcpm] comments on draft-ietf-tcpm-icmp-attacks-05 X-BeenThere: tcpm@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: TCP Maintenance and Minor Extensions Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 14 Jun 2009 13:37:45 -0000 * Fernando Gont: >> For instance, I'm not certain that setting the DF bit is only >> possible for hosts that support PMTUD ... is there a reference for >> that? > > What's the reason for setting the DF flag for IP packets carrying TCP > segments if you don't implement PMTUD? You don't have to put randomness into the IP ID field (at least in theory; in practice, DF=1 packets get fragmented, too). From touch@ISI.EDU Sun Jun 14 07:57:12 2009 Return-Path: X-Original-To: tcpm@core3.amsl.com Delivered-To: tcpm@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 249E728C0F8 for ; Sun, 14 Jun 2009 07:57:12 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.003 X-Spam-Level: X-Spam-Status: No, score=-2.003 tagged_above=-999 required=5 tests=[AWL=-0.487, BAYES_00=-2.599, URIBL_RHS_DOB=1.083] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YFz56v-3E6Lu for ; Sun, 14 Jun 2009 07:57:11 -0700 (PDT) Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 48FD828C0ED for ; Sun, 14 Jun 2009 07:57:11 -0700 (PDT) Received: from [192.168.1.46] (pool-71-105-84-152.lsanca.dsl-w.verizon.net [71.105.84.152]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id n5EEuqe3023977; Sun, 14 Jun 2009 07:56:53 -0700 (PDT) Message-ID: <4A350FB3.1090008@isi.edu> Date: Sun, 14 Jun 2009 07:56:51 -0700 From: Joe Touch User-Agent: Thunderbird 2.0.0.21 (Windows/20090302) MIME-Version: 1.0 To: Florian Weimer References: <4A30C093.5060408@gont.com.ar> <87hbyjey1e.fsf@mid.deneb.enyo.de> In-Reply-To: <87hbyjey1e.fsf@mid.deneb.enyo.de> X-Enigmail-Version: 0.95.7 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-ISI-4-43-8-MailScanner: Found to be clean X-MailScanner-From: touch@isi.edu Cc: "tcpm@ietf.org" , Fernando Gont , Fernando Gont Subject: Re: [tcpm] comments on draft-ietf-tcpm-icmp-attacks-05 X-BeenThere: tcpm@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: TCP Maintenance and Minor Extensions Working Group List-Unsubscribe: , List-Archive: List-Post: