Re: [btns] Q: How to deal with connection latch breaks?
Michael Richardson <mcr@sandelman.ottawa.on.ca> Fri, 07 August 2009 16:36 UTC
Return-Path: <mcr@marajade.sandelman.ca>
X-Original-To: btns@core3.amsl.com
Delivered-To: btns@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2D9A03A6A89 for <btns@core3.amsl.com>; Fri, 7 Aug 2009 09:36:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.448
X-Spam-Level:
X-Spam-Status: No, score=-0.448 tagged_above=-999 required=5 tests=[AWL=-0.094, BAYES_00=-2.599, HOST_MISMATCH_NET=0.311, IP_NOT_FRIENDLY=0.334, J_BACKHAIR_11=1, J_CHICKENPOX_15=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NEtnRcht4n4i for <btns@core3.amsl.com>; Fri, 7 Aug 2009 09:36:14 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [67.23.6.41]) by core3.amsl.com (Postfix) with ESMTP id 4D5073A6D7E for <btns@ietf.org>; Fri, 7 Aug 2009 09:36:14 -0700 (PDT)
Received: from sandelman.ottawa.on.ca (unknown [209.87.252.247]) by relay.sandelman.ca (Postfix) with ESMTPS id 52E0534580 for <btns@ietf.org>; Fri, 7 Aug 2009 16:36:17 +0000 (UTC)
Received: from marajade.sandelman.ca (localhost [127.0.0.1]) by sandelman.ottawa.on.ca (Postfix) with ESMTP id 2AD703EC5 for <btns@ietf.org>; Fri, 7 Aug 2009 12:36:16 -0400 (EDT)
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
To: btns@ietf.org
In-Reply-To: <20090807061512.GG1035@Sun.COM>
References: <5D4C4002AC7C3340987C37B1E4B66A54029A9076@SACMVEXC2-PRD.hq.netapp.com> <20090806215107.GB10982@Sun.COM> <20090807061512.GG1035@Sun.COM>
X-Mailer: MH-E 8.1; nmh 1.1; XEmacs 21.4 (patch 21)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Fri, 07 Aug 2009 12:36:16 -0400
Message-ID: <9561.1249662976@marajade.sandelman.ca>
Sender: mcr@marajade.sandelman.ca
Subject: Re: [btns] Q: How to deal with connection latch breaks?
X-BeenThere: btns@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Better-Than-Nothing-Security Working Group discussion list <btns.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/btns>, <mailto:btns-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/btns>
List-Post: <mailto:btns@ietf.org>
List-Help: <mailto:btns-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/btns>, <mailto:btns-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Aug 2009 16:36:15 -0000
>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams@sun.com> writes: Nicolas> We believe that the purist approach to latch breaks in the Nicolas> absence of new APIs (or their non-use) is to treat the Nicolas> situation as packet loss. However, the pragmatic default Nicolas> is to treat latch breaks as a reset (in the TCP case) or Nicolas> ICMP destination unreachable (in the SCTP case, when there Nicolas> are multi-homed end-points, so that path failover may take Nicolas> place sooner). I wanted to post that I am in agreement, but it took me awhile to get why TCP RESET makes sense sometimes. The is the scenario. Assume a stable system (i.e. web server) (W), and an end-point which is mobile (C). C<->W do connection latching (perhaps facilitated by BTNS) and transfer some data. System C goes away (moves, shuts down, etc) from IP-C before it closes all it's TCP/SCTP sessions nicely. System D is now at IP-D. Now, in the absense of BTNS, system W would send a TCP/SCTP segment to IP-C, and system D would return with a TCP RST since it would not recognize the data. Due to connection-latching, one of two things occur: 1) system W sends TCP segments inside ESP, and system D sees it and has no idea what to do. (IKE-INITIAL-CONTACT could kill that SA, as could various birth-certificate proposals) 2) system W's SA with system C expires (or is deleted by INITIAL-CONTACT), and system W sees that has a broken latch. If system D is not doing IPsec (BTNS or otherwise), then the TCP/SCTP just tries until the SA expires. If the ULP times out, then it does ETIMEOUT as it would when a cable is unplugged. If system D is doing IPsec (BTNS), then system C recognizes that the SA is broken to IP-C, and never sends anything. Since it never sends the TCP segment, it never gets a TCP RST. This is why is makes sense for an implementation to pretend a TCP RST has been received if in fact the latch is broken. This is really an on-path TCP RST. In the BGP situation, where TCP RSTs are of concern, this situation can only occur if: a) one router (BGP-speaker) replaces another router at the same IP. b) the new router does IPsec/BTNS and system W is willing to permit the new router's key to assert the old router's IP. (a) points to the fact that the IX has no layer-2/3 security. (i.e. ARP is insecure. Use SEND, or hard code ARP entries...) (b) points to a misconfigured/unsecured PAD for this use. Many in the BGP situation want to use BTNS to create the initial relationships, and then lock the results down (which ceases to be BTNS) via telephone/etc. communication.... -- ] Y'avait une poule de jammé dans l'muffler!!!!!!!!! | firewalls [ ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[ ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[ ] h("Just another Debian GNU/Linux using, kernel hacking, ruby guy"); [
- [btns] Q: How to deal with connection latch break… Nicolas Williams
- Re: [btns] Q: How to deal with connection latch b… Mike Eisler
- Re: [btns] Q: How to deal with connection latch b… Michael Richardson
- Re: [btns] Q: How to deal with connection latch b… Mike Eisler
- Re: [btns] Q: How to deal with connection latch b… Julien Laganier
- Re: [btns] Q: How to deal with connection latch b… Mike Eisler
- Re: [btns] Q: How to deal with connection latch b… Nicolas Williams
- Re: [btns] Q: How to deal with connection latch b… Michael Richardson
- Re: [btns] Q: How to deal with connection latch b… Michael Richardson
- Re: [btns] Q: How to deal with connection latch b… Nicolas Williams
- Re: [btns] Q: How to deal with connection latch b… Mike Eisler
- Re: [btns] Q: How to deal with connection latch b… Laganier, Julien
- Re: [btns] Q: How to deal with connection latch b… Michael Richardson
- Re: [btns] Q: How to deal with connection latch b… Laganier, Julien
- Re: [btns] Q: How to deal with connection latch b… Mike Eisler
- Re: [btns] Q: How to deal with connection latch b… Laganier, Julien
- Re: [btns] Q: How to deal with connection latch b… Michael Richardson
- Re: [btns] Q: How to deal with connection latch b… Nicolas Williams
- Re: [btns] Q: How to deal with connection latch b… Michael Richardson
- Re: [btns] Q: How to deal with connection latch b… Laganier, Julien
- Re: [btns] Q: How to deal with connection latch b… Nicolas Williams
- Re: [btns] Q: How to deal with connection latch b… Laganier, Julien
- Re: [btns] Q: How to deal with connection latch b… Michael Richardson
- Re: [btns] Q: How to deal with connection latch b… Nicolas Williams