Catching up - sorry if this has been discussed elsewhere already:

I think there is quite some running code for protecting the TCP header, using 
TCP-AO or predecessors, albeit that running code seems to be used mostly in 
special environments, e.g., where RST attacks matter.

If tcpinc specifies yet another scheme to protect the TCP header (i.e., other 
than TCP-AO), I think the interoperability with the existing running code has 
to be considered and documented. Specifically, I guess there could be 
deployment scenarios where TCP-based authentication is already in place, but 
additional tcpinc-like encryption is desirable. (Well, probably we are not 
talking here about residential Internet access.)

I haven't fully thought of all details, but for schemes other than 
draft-touch-tcp-ao-encrypt some questions would come into my mind:

- If a TCP stack has to select either TCP-AO or tcpinc header encryption, which 
one should be used? Would TCP-AO have precedence, i.e., would there be a 
recommendation to disable the tcpinc header protection if TCP-AO is negotiated 
on a connection? Would it be prohibited to use both header protection schemes 
simultaneously? If so, how would one deal with applications explicitly asking 
for tcpinc header protection (e.g., TCP_CRYPT_RSTCHK in tcpcrypt)?

- If a TCP stack is told to use both TCP-AO and a tcpinc header protection 
(assuming header protection is part of the tcpinc protocol, not based on 
TCP-AO, and simultaneous use is allowed by the spec), in which order would both 
schemes be applied? What happens if both protocols disagree regarding the 
validity of a header?

I think such questions can be sorted out, i.e., it is not clearly an argument 
for or against. But TCP-AO interoperability seems to require discussion if 
tcpinc indeed should work out yet another TCP header protection.

Michael

________________________________________
From: Tcpinc [tcpinc-boun...@ietf.org] on behalf of marcelo bagnulo braun [marc...@it.uc3m.es]
Sent: Monday, 28 July 2014 08:57
To: tcpinc@ietf.org
Subject: [tcpinc] Protect or not the TCP header

Hi,

As we discussed in the meeting, we should try to make some design
decisions for TCPINC.
One of them is whether to protect or not the TCP header.
I would like to start the discussion on this topic. Arguments on one way
or the other?

regards, marcelo

_______________________________________________
Tcpinc mailing list
Tcpinc@ietf.org
https://www.ietf.org/mailman/listinfo/tcpinc
