[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [OPSEC] [tcpm] draft-gont-tcp-security

To: Joe Touch <touch at ISI.EDU>
Subject: Re: [OPSEC] [tcpm] draft-gont-tcp-security
From: Fernando Gont <fernando at gont.com.ar>
Date: Tue, 09 Jun 2009 16:36:23 -0300
Cc: opsec at ietf.org, tcpm at ietf.org
Delivered-to: opsec at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :x-enigmail-version:openpgp:content-type:content-transfer-encoding; bh=NJI+QIbrhFAwiVLpynQOjRx9LwceLecje5X6C5SY1tQ=; b=b7UardYZaLtBEji2MbmiA18fvRZAnmko/xlBcSY06NhjyM03iF4lsFI6opzY+elkqp otdSEFmtTkIDdmZ0lS5LQHKFfbsPJwCe//62WmlrXGqrDIcvHIlu0I+p89iSSBsUMKNS oqty53ZbclfNZgSZfswrYWs+nSIoDnAqfmEGA=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:openpgp:content-type :content-transfer-encoding; b=NMsA4sucpbglw/2ltxdTIj7ETqPqcEuMTTxPMTDWQgfokLRVT5969fY3n9H7+4e0/y pWuLM/ztkKI+Sok7U3kimRmlb33RYO/UrziE3a/Oitj4vKRFp90owE4pb7w898vSPJ0f 4z7j4XWKWqQOlnqSZw+ebNSKAMFjZ3nPY+55Q=
In-reply-to: <4A2E66C3.6040701 at isi.edu>
List-archive: <http://www.ietf.org/mail-archive/web/opsec>
List-help: <mailto:opsec-request@ietf.org?subject=help>
List-id: opsec wg mailing list <opsec.ietf.org>
List-post: <mailto:opsec@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
Openpgp: id=D076FFF1
References: <C304DB494AC0C04C87C6A6E2FF5603DB221318F5E8 at NDJSSCC01.ndc.nasa.g ov><49E36AB9.40507 at isi.edu> <49E384E9.1050106 at gont.com.ar><49E3878C.9080200 at isi.edu> <49E39119.1060902 at gont.com.ar> <B01905DA0C7CDC478F42870679DF0F1004BC4176D0 at qtdenexmbm24.AD.QINTRA.COM> <49E3A88F.9060301 at gont.com.ar> <49E3ABC0.1050601 at isi.edu> <49E3B9BF.1060901 at gont.com.ar> <49E3BED9.1030701 at isi.edu> <C9E987CC-0213-4C67-BA0A-11C736772EE7 at nokia.com> <49E4D257.40504 at gont.com.ar> <49E4E233.9040609 at earthlink.net> <EC5F7E6A-0393-41CC-B4DF-BCD134FF4EF5 at nokia.com> <49E5F36D.7020808 at earthlink.net> <A9D3331F-FDE6-4500-8650-3F94B0A78C2E at nokia.com> <49EE1873.1090907 at gont.com.ar> <88ACD16A-1137-4E55-871F-8F0C992D7A63 at nokia.com> <4A24626E.90805 at gont.com.ar> <4A26E173.6040802 at bogus.com> <4A2E1008.4060303 at gont.com.ar> <4A2E66C3.6040701 at isi.edu>
Sender: Fernando Gont <fernando.gont.netbook.win at gmail.com>
User-agent: Thunderbird 2.0.0.21 (Windows/20090302)

Joe Touch wrote:

>>> 	The diligent blacksmith knows that hardening a tool also
>>> 	makes it more brittle...
>> This is a nice quote, but... I'd like examples. e.g., start discussing
>> about which specific hardening proposal makes TCP more brittle.
> 
> 1) any security mechanism that increases complexity - of actions, state,
> or message exchanges - any of which increases the potential for
> implementation error

Agreed.

> 2) any security mechanism that has false positives, i.e., that discards
> messages deemed a security threat when they were sent for legitimate reasons

Why would this make e.g., TCP more brittle?

In any case, the actual response to such packets may vary (e.g., in the
case of ICMP hard errors, discard vs. process as soft errors). I believe
that no matter what the recommended response is, it is important to
discuss these issues, and try to get consensus on what's the right thing
to do in each case.

> #1 includes basically everything, from TCP MD5 (and TCP-AO) to tcpsecure
> and ICMP filtering

ICMP filtering actually decreases complexity.

> I.e., AFAICT, *everything* that makes TCP more secure also makes it
> brittle, by definition (ditto for metal hardening, FWIW). The key issue
> is "when/where is the benefit worth the cost".

As I said before, I'd like to have concrete examples from the tcp
security i-d that are deemed to make TCP more brittle.

Thanks!

Kind regards,
-- 
Fernando Gont
e-mail: fernando at gont.com.ar || fgont at acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

Follow-Ups:
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Joe Touch

References:
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Fernando Gont
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Smith, Donald
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Fernando Gont
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Joe Touch
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Fernando Gont
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Joe Touch
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Lars Eggert
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Fernando Gont
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Todd Glassey
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Lars Eggert
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Todd Glassey
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Lars Eggert
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Lars Eggert
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Fernando Gont
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Joel Jaeggli
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Fernando Gont
- Re: [OPSEC] [tcpm] draft-gont-tcp-security
  - From: Joe Touch

Prev by Date: Re: [OPSEC] FYI draft-ietf-opsec-blackhole-urpf-04
Next by Date: Re: [OPSEC] [tcpm] draft-gont-tcp-security
Previous by thread: Re: [OPSEC] [tcpm] draft-gont-tcp-security
Next by thread: Re: [OPSEC] [tcpm] draft-gont-tcp-security
Index(es):
- Date
- Thread