Re: [btns] Q: How to deal with connection latch breaks?
Nicolas Williams <Nicolas.Williams@sun.com> Fri, 07 August 2009 06:25 UTC
Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: btns@core3.amsl.com
Delivered-To: btns@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0C54A3A6AAB for <btns@core3.amsl.com>; Thu, 6 Aug 2009 23:25:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.79
X-Spam-Level:
X-Spam-Status: No, score=-5.79 tagged_above=-999 required=5 tests=[AWL=0.256, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YSSyWPsyJ-ZJ for <btns@core3.amsl.com>; Thu, 6 Aug 2009 23:25:50 -0700 (PDT)
Received: from sca-ea-mail-1.sun.com (sca-ea-mail-1.Sun.COM [192.18.43.24]) by core3.amsl.com (Postfix) with ESMTP id CCF8F3A6863 for <btns@ietf.org>; Thu, 6 Aug 2009 23:25:45 -0700 (PDT)
Received: from dm-central-02.central.sun.com ([129.147.62.5]) by sca-ea-mail-1.sun.com (8.13.7+Sun/8.12.9) with ESMTP id n776Pk08023287 for <btns@ietf.org>; Fri, 7 Aug 2009 06:25:46 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id n776PkxU044435 for <btns@ietf.org>; Fri, 7 Aug 2009 00:25:46 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id n776FDGA011220; Fri, 7 Aug 2009 01:15:13 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id n776FC4B011219; Fri, 7 Aug 2009 01:15:12 -0500 (CDT)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Fri, 07 Aug 2009 01:15:12 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: btns@ietf.org
Message-ID: <20090807061512.GG1035@Sun.COM>
References: <5D4C4002AC7C3340987C37B1E4B66A54029A9076@SACMVEXC2-PRD.hq.netapp.com> <20090806215107.GB10982@Sun.COM>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20090624201707.GY1308@Sun.COM>
User-Agent: Mutt/1.5.7i
Cc: "Eisler, Michael" <Michael.Eisler@netapp.com>
Subject: Re: [btns] Q: How to deal with connection latch breaks?
X-BeenThere: btns@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Better-Than-Nothing-Security Working Group discussion list <btns.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/btns>, <mailto:btns-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/btns>
List-Post: <mailto:btns@ietf.org>
List-Help: <mailto:btns-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/btns>, <mailto:btns-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Aug 2009 06:25:51 -0000
Michael Richardson, Mike Eisler and I have discussed this issue in e-mail and on the phone and we have come to a consensus. We believe that the purist approach to latch breaks in the absence of new APIs (or their non-use) is to treat the situation as packet loss. However, the pragmatic default is to treat latch breaks as a reset (in the TCP case) or ICMP destination unreachable (in the SCTP case, when there are multi-homed end-points, so that path failover may take place sooner). The pragmatic approach allows an on-path DoS, but not an off-path DoS. This seems acceptable given that an on-path attacker that can pull off a connection reset attack by causing a latch break can also cause bits to stop moving in the "purist" alternative anyways. I.e., there's an on-path DoS attack not matter what, and resetting the connection (or causing failover to another path) sooner seems better than forcing the ULP or the application to timeout first. So we will say that implementors SHOULD provide APIs and MUST choose a default behavior in case of latch breaks when no APIs are available (or can't be used), and we list the set of behaviors that implementors may choose from. We also specify a default behavior: the "pragmatic" one described above. Finally, we combine the relevant text from sections 5.1 and 5.4 into a single new section. The new text, to replace the last paragraph of sections 5.1 and 5.4: See section 5.5. New section 5.5 text (modulo xml2rfc formatting): 5.5 Handling of BROKEN state for TCP and SCTP There are several ways to handle connection latch transitions to the BROKEN state in the case of connection-oriented ULPs like TCP or SCTP: a) Wait for a possible future transition back to the ESTABLISHED state, until which time the ULP will not move data between the two end-points of the connection. ULP and application timeout mechanisms will, of course, trigger in the event of too lengthy a stay in the BROKEN state. SCTP can detect these timeouts and initiate failover, in the case of multi-homed associations. b) Act as though the connection has been reset (RST message received, in TCP, or ABORT message received, in SCTP). c) Act as though an ICMP destination unreachable message had been received (in SCTP such messages can trigger path failover in the case of multi-homed associations). Implementors SHOULD provide APIs for either informing applications (asynchronously or otherwise) of latch breaks, so that they may choose a disposition (wait, close, or proceed with path failover), or by which applications can select a specific disposition a priori (before a latch break happens). Implementors MUST provide a default disposition in the event of a connection latch break. Though (a) is clearly the purist default, we RECOMMEND (b) for TCP and SCTP associations where only a single path remains (one 5-tuple), and (c) for multi-homed SCTP associations. The rationale for this recommendation is as follows: a conflicting SA most likely indicates that the original peer is gone and has been replaced by another, and it's not likely that the original peer will return, thus failing faster seems reasonable. Note that our recommended default behavior does not create off-path reset denial-of-service (DoS) attacks: to break a connection latch an attacker would first have to successfully establish an SA, with one of the connection's end-points, that conflicts with the connection latch, and that requires multiple messages to be exchanged between that end-point and the attacker. Unless the attacker's chosen victim end-point allows the attacker to claim IP address ranges for its SAs then the attacker would have to actually take over the other end-point's addresses, which rules out off-path attacks. Comments? Nico --
- [btns] Q: How to deal with connection latch break… Nicolas Williams
- Re: [btns] Q: How to deal with connection latch b… Mike Eisler
- Re: [btns] Q: How to deal with connection latch b… Michael Richardson
- Re: [btns] Q: How to deal with connection latch b… Mike Eisler
- Re: [btns] Q: How to deal with connection latch b… Julien Laganier
- Re: [btns] Q: How to deal with connection latch b… Mike Eisler
- Re: [btns] Q: How to deal with connection latch b… Nicolas Williams
- Re: [btns] Q: How to deal with connection latch b… Michael Richardson
- Re: [btns] Q: How to deal with connection latch b… Michael Richardson
- Re: [btns] Q: How to deal with connection latch b… Nicolas Williams
- Re: [btns] Q: How to deal with connection latch b… Mike Eisler
- Re: [btns] Q: How to deal with connection latch b… Laganier, Julien
- Re: [btns] Q: How to deal with connection latch b… Michael Richardson
- Re: [btns] Q: How to deal with connection latch b… Laganier, Julien
- Re: [btns] Q: How to deal with connection latch b… Mike Eisler
- Re: [btns] Q: How to deal with connection latch b… Laganier, Julien
- Re: [btns] Q: How to deal with connection latch b… Michael Richardson
- Re: [btns] Q: How to deal with connection latch b… Nicolas Williams
- Re: [btns] Q: How to deal with connection latch b… Michael Richardson
- Re: [btns] Q: How to deal with connection latch b… Laganier, Julien
- Re: [btns] Q: How to deal with connection latch b… Nicolas Williams
- Re: [btns] Q: How to deal with connection latch b… Laganier, Julien
- Re: [btns] Q: How to deal with connection latch b… Michael Richardson
- Re: [btns] Q: How to deal with connection latch b… Nicolas Williams