
Re: [OPSEC] [tcpm] draft-gont-tcp-security

2009-04-13 17:09:54
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Donald,

I'm confused by your post. You appear to believe that TCP is intended to
be secure. Note that TCP does not require either the MD5 or AO extension.

Smith, Donald wrote:

(coffee != sleep) & (!coffee == sleep)
Donald(_dot_)Smith(_at_)qwest(_dot_)com gcia   

-----Original Message-----
From: opsec-bounces(_at_)ietf(_dot_)org 
[mailto:opsec-bounces(_at_)ietf(_dot_)org] 
On Behalf Of Fernando Gont
Sent: Monday, April 13, 2009 1:23 PM
To: Joe Touch
Cc: tcpm(_at_)ietf(_dot_)org; ietf(_at_)ietf(_dot_)org; Joe Abley; 
opsec(_at_)ietf(_dot_)org; 
Lars Eggert; Eddy,Wesley M. (GRC-RCN0)[Verizon]
Subject: Re: [OPSEC] [tcpm] draft-gont-tcp-security

Joe Touch wrote:

So we had tcp-secure in 2004, icmp-attacks in 2005, a claim for a
trivial attack in 2008 (Outpost24/CERT-FI), and we'll probably continue
in this line, because we do nothing about it.
Whether we have this document or not, we will continue to have people
who incorrectly assume that TCP is secure.

Secure is a general term. TCP was intended to address several areas of 
security.
The classic tenets for computer security are:
CIA -> Confidentiality, Integrity and Availability.
TCP doesn't attempt to address Confidentiality.
However it was designed to address integrity and availability so 
failures in those areas should be documented and addressed in some
fashion.

Can you explain this? Where is the integrity protection? Where is the
availability specified?

...
Its security/resiliency can be improved. After all, if that were not
the case, I guess you're wasting your time with TCP-AO. Or is it that
you believe the only way to improve a protocol is to throw crypto at it?

Adding crypto improves confidentiality and integrity but is
counterproductive to availability, as most crypto engines are prone to
fairly low pps resource exhaustion attacks.

All prevention methods are susceptible to computational resource
attacks, since all increase the operations performed on a packet. It is
commonly assumed that this is a desirable tradeoff, and that the
computational resources can be totally protected with line-rate
dedicated computation (e.g., hardware assist).

Joe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAknjqdYACgkQE5f5cImnZruhawCgqqkl3NPljMkNRz8buEYROGUO
R2kAnRHhQmWJVtXq/j2wbNy64q6QWe+u
=OkiS
-----END PGP SIGNATURE-----
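The exchange above turns on whether TCP has integrity protection at all, and on what a keyed extension such as TCP-AO adds per segment. The following is an added example, not code from this thread or from any TCP-AO implementation: it builds a simplified segment (a constructed layout of sequence number, checksum field and payload, not the real TCP header), shows that the unkeyed RFC 1071 checksum can be recomputed by anyone who alters the payload, and that a keyed MAC (HMAC-SHA1 truncated to 96 bits, the length TCP-AO's HMAC-SHA-1-96 uses) rejects the same alteration. The key and the segment contents are constructed for the demo.

```python
"""Unkeyed checksum vs keyed MAC over a simplified TCP-like segment.

Added illustration for the thread; not the IETF discussion's or any
project's code. Segment layout, key and payloads are constructed.
"""
import hmac
import hashlib

# Constructed demo key; in TCP-AO the traffic key is derived from the
# master key tuple negotiated out of band.
KEY = b"constructed-demo-key"


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement 16-bit sum used by the TCP/IP checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big")
                for i in range(0, len(data), 2))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_segment(seq: int, payload: bytes) -> bytes:
    """Constructed layout: 4-byte seq, 2-byte checksum, payload."""
    header = seq.to_bytes(4, "big") + b"\x00\x00"   # checksum field zeroed
    csum = rfc1071_checksum(header + payload)
    return seq.to_bytes(4, "big") + csum.to_bytes(2, "big") + payload


def checksum_ok(segment: bytes) -> bool:
    """Receiver-side check: recompute over the segment with the field zeroed."""
    zeroed = segment[:4] + b"\x00\x00" + segment[6:]
    return rfc1071_checksum(zeroed) == int.from_bytes(segment[4:6], "big")


def mac_tag(key: bytes, segment: bytes) -> bytes:
    """HMAC-SHA1 truncated to 96 bits (12 bytes), as HMAC-SHA-1-96 does."""
    return hmac.new(key, segment, hashlib.sha1).digest()[:12]


def mac_ok(key: bytes, segment: bytes, tag: bytes) -> bool:
    """Constant-time comparison so verification leaks nothing about the tag."""
    return hmac.compare_digest(mac_tag(key, segment), tag)


def alter_payload(segment: bytes, new_payload: bytes) -> bytes:
    """Model of a modification by a party without the key: the payload is
    changed and the unkeyed checksum simply recomputed."""
    seq = int.from_bytes(segment[:4], "big")
    return build_segment(seq, new_payload)


def demo() -> dict:
    """Genuine segment passes both checks; altered one passes only the
    unkeyed checksum, which is why the checksum is not integrity protection."""
    genuine = build_segment(1000, b"GET / HTTP/1.0\r\n")
    tag = mac_tag(KEY, genuine)              # sender attaches this tag
    altered = alter_payload(genuine, b"GET /x HTTP/1.0\r\n")
    return {
        "genuine_checksum": checksum_ok(genuine),
        "genuine_mac": mac_ok(KEY, genuine, tag),
        "altered_checksum": checksum_ok(altered),
        "altered_mac": mac_ok(KEY, altered, tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:17s} {'pass' if result else 'FAIL'}")
```

The availability side of the argument follows directly from `mac_ok`: every inbound segment now costs a keyed hash over its full length before it can be accepted or discarded, which is the extra per-packet work both posters are describing, and it is why such verification is typically expected to be done at line rate with hardware assist rather than on a general-purpose CPU.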