With the list discussion having run its course, the WG chairs (David and
Kyle in Mirja's absence) have conferred and reviewed the discussion.

The original question was:
----
- Should tcpinc support TCP simultaneous open?  Yes or No
-- If "No," should TCP simultaneous open connection attempts
     be abandoned or proceed unencrypted?
----

The WG chairs believe that the tcpinc WG's rough consensus is that:

- a) there is no requirement for tcpinc to support all possible TCP-SO
        cases in all circumstances; but
- b) tcpinc should support TCP-SO when it can do so cheaply; and
- c) tcpinc setup failures for TCP-SO should result in proceeding unencrypted.

Disagreements with this should be surfaced on the list.

Two more observations from the WG chairs:

- 1) The above, particularly "when it can do so cheaply" in b), is
  well-aligned with what David Mazieres described as C2:

  C2. Require application configuration and use one bit to detect
     incompatible configurations and fall back to unencrypted TCP (the
     current ENO design, called C2 because it's option #2 in the ENO
     draft section 6.2).

  We (WG chairs) prefer "Encourage" to "Require" as the first word above.

- 2) Bryan Ford reminds us that attackers will be interested in causing
  "fail-open" downgrade-attacks that result in no encryption on connections
  that would otherwise have been encrypted, and points out that making
  active/passive open look like simultaneous open is a possible attack
  vector for doing so.  We do not believe this to be a fatal flaw in the
  a/b/c rough consensus approach stated above, but this is a concern that
  merits careful expert and WG consideration in security analysis of
  tcpinc.

Thanks,
--David
----------------------------------------------------
David L. Black, Distinguished Engineer
EMC Corporation, 176 South St., Hopkinton, MA  01748
+1 (508) 293-7953             FAX: +1 (508) 293-7786
[email protected]        Mobile: +1 (978) 394-7754
----------------------------------------------------
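The following is an added illustration, not part of David's message and not code from the ENO draft or any tcpinc implementation. It is a constructed Python model of the behaviour the message discusses: a single application-configurable role bit (C2's "one bit") decides whether two tcpinc-capable endpoints can pair up; a tie, which is what an unconfigured simultaneous open produces, falls back to cleartext per rough-consensus item c); and a small monitor shows the defender-side check that observation 2 calls for, flagging a cleartext fallback with a peer that previously negotiated encryption. The `Endpoint` fields, the `configured_passive` default rule and the `require_encryption` policy are assumptions made for the model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Endpoint:
    name: str
    tcpinc_enabled: bool = True
    # Hypothetical application-configured role bit (C2's "one bit").
    # None means: derive the bit from how this side opened the connection.
    configured_passive: Optional[bool] = None
    # Hypothetical local policy: refuse to proceed in cleartext (fail closed).
    require_encryption: bool = False


@dataclass
class Outcome:
    state: str   # "encrypted", "cleartext" or "abandoned"
    reason: str


def role_bit(ep: Endpoint, is_active_opener: bool) -> bool:
    """Passive-role bit this endpoint offers (constructed rule, not the draft's).

    Default: the passive opener sets it, the active opener clears it, so an
    ordinary active/passive open yields differing bits.  In a simultaneous
    open both sides are active openers and the defaults collide unless the
    application configures one side (C2's "application configuration").
    """
    if ep.configured_passive is not None:
        return ep.configured_passive
    return not is_active_opener


def negotiate(a: Endpoint, a_active: bool, b: Endpoint, b_active: bool) -> Outcome:
    """Pair two endpoints; a role-bit tie is treated as an incompatible
    configuration and, per rough-consensus item c), falls back to cleartext."""
    if not (a.tcpinc_enabled and b.tcpinc_enabled):
        return Outcome("cleartext", "a peer did not offer tcpinc")
    if role_bit(a, a_active) == role_bit(b, b_active):
        return Outcome("cleartext", "role-bit tie (looks like simultaneous open)")
    return Outcome("encrypted", "roles differ; tcpinc negotiated")


def connect(a: Endpoint, a_active: bool, b: Endpoint, b_active: bool) -> Outcome:
    """Apply local policy on top of negotiation: an endpoint that requires
    encryption abandons the connection instead of failing open."""
    out = negotiate(a, a_active, b, b_active)
    if out.state == "cleartext" and (a.require_encryption or b.require_encryption):
        return Outcome("abandoned", "local policy forbids cleartext: " + out.reason)
    return out


class DowngradeMonitor:
    """Defender-side check for observation 2: remember peers that have
    negotiated encryption before and flag any later cleartext fallback
    with one of them as a possible fail-open downgrade."""

    def __init__(self) -> None:
        self.seen_encrypted: Set[str] = set()
        self.alerts: List[str] = []

    def observe(self, peer: str, out: Outcome) -> bool:
        if out.state == "encrypted":
            self.seen_encrypted.add(peer)
            return False
        if out.state == "cleartext" and peer in self.seen_encrypted:
            self.alerts.append(f"{peer}: cleartext after prior encrypted session ({out.reason})")
            return True
        return False


def demo() -> Dict[str, str]:
    """Run the cases the message discusses; returns the resulting state per case."""
    client = Endpoint("client")
    server = Endpoint("server")
    results: Dict[str, str] = {}
    # Ordinary active/passive open: default bits differ, encryption negotiated.
    results["active_passive"] = connect(client, True, server, False).state
    # Simultaneous open with unconfigured defaults: tie, fall back (item c).
    results["sim_open_default"] = connect(client, True, server, True).state
    # Simultaneous open where one application set its bit: supported cheaply (item b).
    configured = Endpoint("server", configured_passive=True)
    results["sim_open_configured"] = connect(client, True, configured, True).state
    # Same tie, but one side's policy requires encryption: connection abandoned.
    strict = Endpoint("strict-client", require_encryption=True)
    results["sim_open_strict"] = connect(strict, True, server, True).state
    # Monitor: a peer that encrypted earlier and now falls back is flagged.
    mon = DowngradeMonitor()
    mon.observe("server", connect(client, True, server, False))
    flagged = mon.observe("server", connect(client, True, server, True))
    results["downgrade_flagged"] = "yes" if flagged else "no"
    return results


if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case}: {state}")
```

The monitor is deliberately simple: it keys on peer identity and prior success, which is enough to make a fail-open fallback visible rather than silent, and is the kind of signal the "careful expert and WG consideration" in observation 2 would want available when analysing the a/b/c approach.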


_______________________________________________
Tcpinc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tcpinc
