Re: [dnssd] Genart last call review of draft-ietf-dnssd-push-20

Eric Rescorla <ekr@rtfm.com> Sun, 14 July 2019 21:28 UTC

MIME-Version: 1.0
References: <156175221593.21875.9525138908968318905@ietfa.amsl.com> <9E6DE124-9262-4870-A920-4E707A38DC08@bangj.com> <CAPDSy+7om=cBW51cyuPea9nabgJuRV3M+++gA7sy8VzfNpkn6Q@mail.gmail.com> <9F8CFF4A-ABC1-4005-AE65-6CE64940B59F@apple.com> <CAPDSy+6V+ooWDe7XezmWA_XKNQXRAOex8DE5CiTnZdz8zc-9CA@mail.gmail.com> <F6DD5CEF-E644-46E3-84B5-18309F6B44C5@apple.com> <270A8516-8BE8-441A-A6CC-4FDE8EFE2B10@fugue.com> <7784.1563138326@dooku.sandelman.ca>
In-Reply-To: <7784.1563138326@dooku.sandelman.ca>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 14 Jul 2019 14:27:54 -0700
Message-ID: <CABcZeBPPaPW1kh8f8KovA_MO0kECJ-1sRaygoOR-u3tFBKn3iA@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: Ted Lemon <mellon@fugue.com>, Stuart Cheshire <cheshire=40apple.com@dmarc.ietf.org>, DNSSD <dnssd@ietf.org>, draft-ietf-dnssd-push.all@ietf.org, David Schinazi <dschinazi.ietf@gmail.com>, Tom Pusateri <pusateri@bangj.com>, Robert Sparks <rjsparks@nostrum.com>
Content-Type: multipart/alternative; boundary="0000000000002fe83e058daad3e9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/NwkgjA3BmAEM9YUm1v17UayREQY>
Subject: Re: [dnssd] Genart last call review of draft-ietf-dnssd-push-20
Precedence: list

On Sun, Jul 14, 2019 at 2:05 PM Michael Richardson <mcr+ietf@sandelman.ca>
wrote:

>
> Ted Lemon <mellon@fugue.com> wrote:
>     > forging an RST to the server. We should discuss whether this is a
>     > serious concern that we need to take into account. If it is, then
> using
>     > close_notify would protect against this iff the server ignores TCP
> RSTs
>     > for active TLS sessions.
>
> I'm unaware of TCP stacks that can turn off RSTs on a per-socket basis.
> Is this commonly available now and I'm just ignorant of it?
>
> I imagine that is the only way the application could inform the kernel that
> TLS is active.
>
> I guess a filter could drop RSTs to port 853, and assume it's always TLS.
>

I'm not sure how much this would help: if the attacker can inject an invalid
data segment full of random data, then this will likely lead to TLS
connection
failure (i.e., you'll be able to detect the problem but it's not
recoverable).
I'm not sufficiently up to date on the state of TCP injection attacks to
know
whether off-path RST attacks are significantly harder than off-path data
injection
attacks (obviously, on-path attacks are straightforward in both cases).

> Securing TCP against fake RSTs is something the TCP-AO was designed to do.
> AFAIK, we never defined a way to key TCP-AO from TLS.
>

No, we did not. It's theoretically straightforward, but you know what they
say
about the difference between theory and practice. In this particular case,
given the low level of deployment, it seems like it might be easier to just
move to QUIC.

-Ekr

> --
> ]               Never tell me the odds!                 | ipv6 mesh
> networks [
> ]   Michael Richardson, Sandelman Software Works        | network
> architect  [
> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on
> rails    [
>
>

[dnssd] Genart last call review of draft-ietf-dns… Robert Sparks via Datatracker
Re: [dnssd] Genart last call review of draft-ietf… Tom Pusateri
Re: [dnssd] Genart last call review of draft-ietf… David Schinazi
Re: [dnssd] Genart last call review of draft-ietf… Tom Pusateri
Re: [dnssd] Genart last call review of draft-ietf… Robert Sparks
Re: [dnssd] Genart last call review of draft-ietf… Tom Pusateri
Re: [dnssd] Genart last call review of draft-ietf… Robert Sparks
Re: [dnssd] Genart last call review of draft-ietf… Ted Lemon
Re: [dnssd] Genart last call review of draft-ietf… Tom Pusateri
Re: [dnssd] Genart last call review of draft-ietf… Ted Lemon
Re: [dnssd] Genart last call review of draft-ietf… Tom Pusateri
Re: [dnssd] Genart last call review of draft-ietf… Ted Lemon
Re: [dnssd] Genart last call review of draft-ietf… Tom Pusateri
Re: [dnssd] Genart last call review of draft-ietf… Ted Lemon
Re: [dnssd] Genart last call review of draft-ietf… David Schinazi
Re: [dnssd] Genart last call review of draft-ietf… Christopher Wood
Re: [dnssd] Genart last call review of draft-ietf… Stuart Cheshire
Re: [dnssd] Genart last call review of draft-ietf… David Schinazi
Re: [dnssd] Genart last call review of draft-ietf… Tom Pusateri
Re: [dnssd] Genart last call review of draft-ietf… Stuart Cheshire
Re: [dnssd] Genart last call review of draft-ietf… David Schinazi
Re: [dnssd] Genart last call review of draft-ietf… Tom Pusateri
Re: [dnssd] Genart last call review of draft-ietf… Ted Lemon
Re: [dnssd] Genart last call review of draft-ietf… Tom Pusateri
Re: [dnssd] Genart last call review of draft-ietf… David Schinazi
Re: [dnssd] Genart last call review of draft-ietf… Tom Pusateri
Re: [dnssd] Genart last call review of draft-ietf… Ted Lemon
Re: [dnssd] Genart last call review of draft-ietf… Ted Lemon
Re: [dnssd] Genart last call review of draft-ietf… Tom Pusateri
Re: [dnssd] Genart last call review of draft-ietf… Ted Lemon
Re: [dnssd] Genart last call review of draft-ietf… Tom Pusateri
Re: [dnssd] Genart last call review of draft-ietf… Stuart Cheshire
Re: [dnssd] Genart last call review of draft-ietf… Ted Lemon
Re: [dnssd] Genart last call review of draft-ietf… David Schinazi
Re: [dnssd] Genart last call review of draft-ietf… Tom Pusateri
Re: [dnssd] Genart last call review of draft-ietf… Eric Rescorla
Re: [dnssd] Genart last call review of draft-ietf… Jan Komissar (jkomissa)
Re: [dnssd] Genart last call review of draft-ietf… Michael Richardson
Re: [dnssd] Genart last call review of draft-ietf… Ted Lemon
Re: [dnssd] Genart last call review of draft-ietf… Eric Rescorla