[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [OPSEC] [tcpm] draft-gont-tcp-security

To: Joel Jaeggli <joelja at bogus.com>
Subject: Re: [OPSEC] [tcpm] draft-gont-tcp-security
From: Fernando Gont <fernando at gont.com.ar>
Date: Tue, 09 Jun 2009 04:32:24 -0300
Cc: opsec at ietf.org, tcpm at ietf.org
Delivered-to: opsec at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :x-enigmail-version:openpgp:content-type:content-transfer-encoding; bh=KYEMqfOea6pUREOtZo7Sx1JsCkUqwlLkzlHqvfj+RbY=; b=OZZuIn6VmzqGfJ0SKgqk2xzaEq4pomIIwYqXF13Ioq7m/E1IiOD2qMB7by5SZSPiSn o0BVJ1a89QWSZYuA1ajJ9X7fjlaPStDx/YowHLxqTjctDpGJg7PXI7+8JBuPd6Yvb8uf 3cFFEMJlPPUPaKnddzszFqiPaLYA8niilFOE8=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:openpgp:content-type :content-transfer-encoding; b=Z9/GzxmVLFxTvyxhd/Z2AnLfgfgYRmw5vlh1Ko1zSrLMyWphgn+1TuoU+7GZmlPb9R ykIzokCVXvct99h8s/+WF5+66CLlvDL39cKwDuMqYzda3vDpcXXWpbSWo9X+0jxXD5oZ PG5tyqcaOK5Xe2OP21e9/NJfijPb2KZqYQo80=
In-reply-to: <4A26E173.6040802 at bogus.com>
List-archive: <http://www.ietf.org/mail-archive/web/opsec>
List-help: <mailto:opsec-request@ietf.org?subject=help>
List-id: opsec wg mailing list <opsec.ietf.org>
List-post: <mailto:opsec@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
Openpgp: id=D076FFF1
References: <C304DB494AC0C04C87C6A6E2FF5603DB221318F5E8 at NDJSSCC01.ndc.nasa.g ov><49E36AB9.40507 at isi.edu> <49E384E9.1050106 at gont.com.ar><49E3878C.9080200 at isi.edu> <49E39119.1060902 at gont.com.ar> <B01905DA0C7CDC478F42870679DF0F1004BC4176D0 at qtdenexmbm24.AD.QINTRA.COM> <49E3A88F.9060301 at gont.com.ar> <49E3ABC0.1050601 at isi.edu> <49E3B9BF.1060901 at gont.com.ar> <49E3BED9.1030701 at isi.edu> <C9E987CC-0213-4C67-BA0A-11C736772EE7 at nokia.com> <49E4D257.40504 at gont.com.ar> <49E4E233.9040609 at earthlink.net> <EC5F7E6A-0393-41CC-B4DF-BCD134FF4EF5 at nokia.com> <49E5F36D.7020808 at earthlink.net> <A9D3331F-FDE6-4500-8650-3F94B0A78C2E at nokia.com> <49EE1873.1090907 at gont.com.ar> <88ACD16A-1137-4E55-871F-8F0C992D7A63 at nokia.com> <4A24626E.90805 at gont.com.ar> <4A26E173.6040802 at bogus.com>
Sender: Fernando Gont <fernando.gont.netbook.win at gmail.com>
User-agent: Thunderbird 2.0.0.21 (Windows/20090302)

Hello, Joel,

Comments in-line...


> It's a tough question. In part I think the answer is up to you, I think
> there's some understanding on the part of tcpm that if this work were to
> progress on a standards track that tcpm (no opsec) is the place for that
> to happen.  

Ok. My proposal is, that unless there's any alternative proposal, I'd
like this document to be pursued as "Informational" within opsec.


> That said there's also some question as what sort of general
> recommendations about hardening tcp would actually be consider
> acceptable (in narrow use cases a lot more of them may well be).
> 
> 	The diligent blacksmith knows that hardening a tool also
> 	makes it more brittle...

This is a nice quote, but... I'd like examples. e.g., start discussing
about which specific hardening proposal makes TCP more brittle.


> The result of any such effort is likely to be greatly different than
> what you have today.

That's not a problem.



> An alternative track would have the document headed for informational
> status either as a working group document or as indivdual submission
> with an understanding of what sort of advice is provided and who should
> consider it and the limitations of implmentation based on it's
> recomendations. It still think exposure to a working group is very
> important and useful in this context, 


Ok. Good. As I mentioned, unless somebody else comes up with an
alternative proposal, I'd like the document to target "Informational" at
opsec. I guess that at some point tcpm may want to work on some of the
stuff in the document on a piecemeal basis.



> as a purely independant submission
> it's simply documentary evidence of the uk cpni's effort's at
> documenting some percieved flaws in tcp and recomned mitigation strategy
> which is useful but not dramatically better than putting it on a website.

-- 
Fernando Gont
e-mail: fernando at gont.com.ar || fgont at acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

Follow-Ups:
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Joe Touch

References:
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Fernando Gont
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Smith, Donald
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Fernando Gont
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Joe Touch
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Fernando Gont
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Joe Touch
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Lars Eggert
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Fernando Gont
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Todd Glassey
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Lars Eggert
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Todd Glassey
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Lars Eggert
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Lars Eggert
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Fernando Gont
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Joel Jaeggli

Prev by Date: [OPSEC] FYI draft-ietf-opsec-blackhole-urpf-04
Next by Date: Re: [OPSEC] [tcpm] draft-gont-tcp-security
Previous by thread: Re: [OPSEC] [tcpm] draft-gont-tcp-security
Next by thread: Re: [OPSEC] [tcpm] draft-gont-tcp-security
Index(es):
- Date
- Thread