"Scharf, Michael (Michael)" <[email protected]> writes:
> If tcpinc specifies yet another scheme to protect the TCP header
> (i.e., other than TCP-AO), I think the interoperability with the
> existing running code has to be considered and
> documented. Specifically, I guess there could be deployment scenarios
> where TCP-based authentication is already in place, but additional
> tcpinc-like encryption is desirable. (Well, probably we are not
> talking here about residential Internet access.)
So as an example, tcpcrypt (section 4.4) specifically excludes options
TSOPT (8), Skeeter (16), Bubba (17), MD5 (19), TCP-AO (29), and MAC
(OPT2) from the header MAC computation. Hence, it is well defined how
to compute a TCP-AO MAC after computing a tcpcrypt MAC. There might be
other drawbacks to using TCP-AO in conjunction with tcpcrypt (e.g.,
making two MAC passes over the payload, wasted option space) and I'm not
sure anyone has ever tried it, but the intention is to avoid making the
two specs incompatible with one another. After all, there could be some
fringe applications that require both.

For those curious about our choice, we found middleboxes tend to mess
with the contents of TSOPT, possibly to thwart host fingerprinting.
However, tcpcrypt offers several mechanisms that provide some of the
same functionality as TSOPT in a secure way. For instance, because
tcpcrypt protects 64-bit sequence numbers, it already natively protects
against sequence number wrapping. We also have a SYNC_REQ/SYNC_ACK
suboption pair to allow clock values to be echoed, for instance to
implement secure keepalives.

Skeeter and Bubba are kind of an inside joke, but someday far in the
future if people want to do something totally crazy like actively
request that middleboxes read and modify information in a TCP option, it
could for backwards compatibility turn out to be useful to have a couple
of reserved options that don't get MACed.

Oh, and we are glad to take requests for other options to exclude from
integrity, if people believe we missed something:
http://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml#tcp-parameters-1
David
_______________________________________________
Tcpinc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tcpinc
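The option-exclusion rule described in the message above, as an added example that is not part of the thread or of tcpcrypt's own code: a Python parser walks a TCP options area and keeps only the options a tcpcrypt-style header MAC would cover, dropping the kinds the message lists (TSOPT, Skeeter, Bubba, MD5, TCP-AO) plus tcpcrypt's own MAC option. The kind number of that MAC option ("OPT2") is not given on the page, so it is an assumption passed in by the caller, and the sample options area is constructed for this example with 254 as a placeholder kind.

```python
# Option kinds the message says tcpcrypt leaves out of its header MAC.
TSOPT, SKEETER, BUBBA, MD5SIG, TCP_AO = 8, 16, 17, 19, 29
EXCLUDED_FIXED = frozenset({TSOPT, SKEETER, BUBBA, MD5SIG, TCP_AO})
EOL, NOP = 0, 1

# Constructed 40-byte options area: MSS, NOP, NOP, TSOPT, SACK-permitted,
# TCP-AO (zeroed MAC field), and a hypothetical tcpcrypt MAC option.
SAMPLE_OPTIONS = (
    b"\x02\x04\x05\xb4" + b"\x01\x01" + b"\x08\x0a" + bytes(8)
    + b"\x04\x02" + b"\x1d\x10" + bytes(14) + b"\xfe\x06\xaa\xbb\xcc\xdd"
)
# Assumption: the message does not number "OPT2", so 254 stands in for it.
ASSUMED_MAC_KIND = 254

def parse_tcp_options(raw):
    """Walk a TCP options area and return (kind, data) pairs.
    EOL ends the list, NOP has no length byte, everything else is TLV."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == EOL:
            break
        if kind == NOP:
            opts.append((NOP, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"truncated option at offset {i}")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad length {length} for kind {kind} at offset {i}")
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts

def mac_covered_options(raw, mac_option_kind):
    """Return the option bytes a tcpcrypt-style header MAC would cover.
    Excluded kinds and the MAC option itself are left out entirely, so a
    middlebox rewriting TSOPT, or a TCP-AO MAC computed afterwards over the
    same segment, does not invalidate the tcpcrypt MAC."""
    out = bytearray()
    for kind, data in parse_tcp_options(raw):
        if kind in EXCLUDED_FIXED or kind == mac_option_kind:
            continue
        out += bytes([NOP]) if kind == NOP else (bytes([kind, 2 + len(data)]) + data)
    return bytes(out)

if __name__ == "__main__":
    print(mac_covered_options(SAMPLE_OPTIONS, ASSUMED_MAC_KIND).hex())
```

The returned bytes are only the options portion of the MAC input; the other header fields tcpcrypt covers are outside this example.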