Re: [btns] Q: How to deal with connection latch breaks?

Michael Richardson <mcr@sandelman.ottawa.on.ca> Fri, 07 August 2009 16:36 UTC

Return-Path: <mcr@marajade.sandelman.ca>
X-Original-To: btns@core3.amsl.com
Delivered-To: btns@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2D9A03A6A89 for <btns@core3.amsl.com>; Fri, 7 Aug 2009 09:36:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.448
X-Spam-Level:
X-Spam-Status: No, score=-0.448 tagged_above=-999 required=5 tests=[AWL=-0.094, BAYES_00=-2.599, HOST_MISMATCH_NET=0.311, IP_NOT_FRIENDLY=0.334, J_BACKHAIR_11=1, J_CHICKENPOX_15=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NEtnRcht4n4i for <btns@core3.amsl.com>; Fri, 7 Aug 2009 09:36:14 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [67.23.6.41]) by core3.amsl.com (Postfix) with ESMTP id 4D5073A6D7E for <btns@ietf.org>; Fri, 7 Aug 2009 09:36:14 -0700 (PDT)
Received: from sandelman.ottawa.on.ca (unknown [209.87.252.247]) by relay.sandelman.ca (Postfix) with ESMTPS id 52E0534580 for <btns@ietf.org>; Fri, 7 Aug 2009 16:36:17 +0000 (UTC)
Received: from marajade.sandelman.ca (localhost [127.0.0.1]) by sandelman.ottawa.on.ca (Postfix) with ESMTP id 2AD703EC5 for <btns@ietf.org>; Fri, 7 Aug 2009 12:36:16 -0400 (EDT)
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
To: btns@ietf.org
In-Reply-To: <20090807061512.GG1035@Sun.COM>
References: <5D4C4002AC7C3340987C37B1E4B66A54029A9076@SACMVEXC2-PRD.hq.netapp.com> <20090806215107.GB10982@Sun.COM> <20090807061512.GG1035@Sun.COM>
X-Mailer: MH-E 8.1; nmh 1.1; XEmacs 21.4 (patch 21)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Date: Fri, 07 Aug 2009 12:36:16 -0400
Message-ID: <9561.1249662976@marajade.sandelman.ca>
Sender: mcr@marajade.sandelman.ca
Subject: Re: [btns] Q: How to deal with connection latch breaks?
X-BeenThere: btns@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Better-Than-Nothing-Security Working Group discussion list <btns.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/btns>, <mailto:btns-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/btns>
List-Post: <mailto:btns@ietf.org>
List-Help: <mailto:btns-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/btns>, <mailto:btns-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Aug 2009 16:36:15 -0000

>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams@sun.com> writes:
    Nicolas> We believe that the purist approach to latch breaks in the
    Nicolas> absence of new APIs (or their non-use) is to treat the
    Nicolas> situation as packet loss.  However, the pragmatic default
    Nicolas> is to treat latch breaks as a reset (in the TCP case) or
    Nicolas> ICMP destination unreachable (in the SCTP case, when there
    Nicolas> are multi-homed end-points, so that path failover may take
    Nicolas> place sooner).

I wanted to post that I am in agreement, but it took me awhile to get
why TCP RESET makes sense sometimes.

The is the scenario. Assume a stable system (i.e. web server) (W), and an
end-point which is mobile (C).

C<->W do connection latching (perhaps facilitated by BTNS) and transfer
      some data. 
System C goes away (moves, shuts down, etc) from IP-C before it closes
       all it's TCP/SCTP sessions nicely.
System D is now at IP-D. 

Now, in the absense of BTNS, system W would send a TCP/SCTP segment to 
     IP-C, and system D would return with a TCP RST since it would not
     recognize the data.

Due to connection-latching, one of two things occur:
    1) system W sends TCP segments inside ESP, and system D sees it
       and has no idea what to do. (IKE-INITIAL-CONTACT could kill that
       SA, as could various birth-certificate proposals)

    2) system W's SA with system C expires (or is deleted by
       INITIAL-CONTACT), and system W sees that has a broken latch.

If system D is not doing IPsec (BTNS or otherwise), then the TCP/SCTP
just tries until the SA expires.  If the ULP times out, then it does
ETIMEOUT as it would when a cable is unplugged.

If system D is doing IPsec (BTNS), then system C recognizes that the SA
is broken to IP-C, and never sends anything. Since it never sends the
TCP segment, it never gets a TCP RST.  This is why is makes sense for an
implementation to pretend a TCP RST has been received if in fact the
latch is broken.

This is really an on-path TCP RST.

In the BGP situation, where TCP RSTs are of concern, this situation can
only occur if:
  a) one router (BGP-speaker) replaces another router at the same IP.
  b) the new router does IPsec/BTNS and system W is willing to permit
     the new router's key to assert the old router's IP.

(a) points to the fact that the IX has no layer-2/3 security. (i.e. ARP
    is insecure. Use SEND, or hard code ARP entries...)

(b) points to a misconfigured/unsecured PAD for this use.

Many in the BGP situation want to use BTNS to create the initial
relationships, and then lock the results down (which ceases to be BTNS)
via telephone/etc. communication.... 

-- 
]     Y'avait une poule de jammé dans l'muffler!!!!!!!!!        |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
]    h("Just another Debian GNU/Linux using, kernel hacking,    ruby  guy");  [